Nemty ransomware spreads via a fake PayPal site

A new ransomware called Nemty has appeared on the net and is presumed to be the successor of GandCrab or Buran. The malware is distributed via a fake PayPal website and has a number of interesting features. Details of how this ransomware works are under the cut.


The new Nemty ransomware was discovered by the user nao_sec on September 7, 2019. The malware was distributed via a website disguised as PayPal; the ransomware can also get onto a computer via the RIG exploit kit. The attackers used social engineering to get the user to run the file cashback.exe, supposedly received from the PayPal website. Curiously, Nemty specifies the wrong port for the local Tor proxy service, which prevents the malware from sending its data to the server. The user therefore has to upload the encrypted files to the Tor network by hand if they intend to pay the ransom and wait for the attackers to decrypt them.

Several interesting facts about Nemty suggest that it was developed by the same team, or by cybercriminals associated with Buran and GandCrab.

  • Like GandCrab, Nemty has an Easter egg: a link to a photo of Russian President Vladimir Putin with an obscene joke. The legacy GandCrab ransomware had an image with the same text.
  • The language artifacts of both programs point to the same Russian-speaking authors.
  • This is the first ransomware to use an 8092-bit RSA key. There is no point to this, though: a 1024-bit key is quite enough to protect against cracking.
  • Like Buran, the ransomware is written in Object Pascal and compiled in Borland Delphi.

Static analysis

Execution of the malicious code takes place in four stages. The first step is running cashback.exe, a PE32 executable for MS Windows with a size of 1198936 bytes. Its code is written in Visual C++ and was compiled on October 14, 2013. It contains an archive that is unpacked automatically when cashback.exe runs. The program uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract files from the .cab archive.

SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC

After the archive is unpacked, three files appear.

Next, temp.exe is launched, a PE32 executable for MS Windows with a size of 307200 bytes. The code is written in Visual C++ and packed with MPRESS, a packer similar to UPX.

SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD

The next stage is ironman.exe. Once launched, temp.exe decrypts the data embedded in temp and renames it to ironman.exe, a PE32 executable of 544768 bytes. The code is compiled in Borland Delphi.

SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88

The final stage is relaunching the ironman.exe file. While running, it transforms its code and executes itself from memory. This version of ironman.exe is malicious and is responsible for the encryption.
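As an added example (not code from the original article or its authors), here is a small Python triage script of the kind used to establish the facts above: it reads the COFF TimeDateStamp that the article reports as the October 14, 2013 compile date and lists the section names, naming the packer when MPRESS or UPX sections are present. The PE image it parses is constructed inline and contains headers only; the packer section-name table is a short illustrative list, not a complete one.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# Short illustrative table of section names left behind by packers:
# MPRESS (named in the article) and UPX (which the article compares it to).
PACKER_SECTIONS = {
    b".MPRESS1": "MPRESS",
    b".MPRESS2": "MPRESS",
    b"UPX0": "UPX",
    b"UPX1": "UPX",
}


def parse_pe(data: bytes) -> dict:
    """Read machine type, COFF timestamp and section names from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    # The section table follows the COFF header and the optional header.
    table = coff + 20 + opt_size
    names = []
    for i in range(nsections):
        entry = table + i * 40          # each section header is 40 bytes
        names.append(data[entry:entry + 8].rstrip(b"\0"))
    return {
        "machine": machine,
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "sections": names,
    }


def suspected_packer(section_names) -> Optional[str]:
    """Name the packer if any section name is in the table above."""
    for name in section_names:
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None


def build_sample_pe(timestamp: int, section_names) -> bytes:
    """Constructed, headers-only PE32 image used as demo input (no optional header, no code)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), timestamp, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


# Constructed sample standing in for the MPRESS-packed temp.exe; the
# timestamp is the compile date the article reports for cashback.exe.
SAMPLE_TS = int(datetime(2013, 10, 14, 12, 0, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_sample_pe(SAMPLE_TS, [b".MPRESS1", b".MPRESS2"])

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    print(info["compiled"].date(), info["sections"], suspected_packer(info["sections"]))
```

Run against a real sample, parse_pe() is the first thing to check when a compile date looks implausible: the timestamp is writable by the author, so a 2013 date on a 2019 campaign is a hint, not proof.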

Attack vector

At the moment, Nemty ransomware is distributed via the website pp-back.info.


The full infection chain can be viewed in the app.any.run sandbox.

Installation

Cashback.exe is the start of the attack. As mentioned, cashback.exe unpacks the .cab file it contains. It creates a TMP4351$.TMP folder of the form %TEMP%\IXxxx.TMP, where xxx is a number from 001 to 999.

Next, a registry key is installed, which looks like this:

[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0]
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP"

It is used to delete the unpacked files. Finally, cashback.exe starts the temp.exe process.

Temp.exe: the second stage of the infection chain

This is the process extracted from cashback.exe, the second step of the malware's execution. It attempts to download AutoHotKey, a tool for running scripts on Windows, and runs the WindowSpy.ahk script located in the resource section of the PE file.

The WindowSpy.ahk script decrypts the temp file into ironman.exe using the RC4 algorithm with the password IwantAcake. The key is derived from the password with the MD5 hashing algorithm.

temp.exe then starts the ironman.exe process.

Ironman.exe: the third stage

Ironman.exe reads the contents of the file iron.bmp and creates the file iron.txt containing the cryptolocker, which is launched next.

After that, the malware loads iron.txt into memory and relaunches it as ironman.exe. iron.txt is then deleted.

ironman.exe is the main component of the NEMTY ransomware and encrypts the files on the affected computer. The malware creates a mutex named hate.

The first thing it does is determine where the computer is located. Nemty opens a browser and looks up the external IP address via http://api.ipify.org. The country is then determined from the obtained IP at api.db-ip.com/v2/free[IP]/countryName, and if the computer is located in one of the regions listed below, execution of the malicious code stops:

  • Russia
  • Belarus
  • Ukraine
  • Kazakhstan
  • Tajikistan

Most likely, the developers do not want to attract the attention of law enforcement agencies in their own countries, so they do not encrypt files in their "home" regions.

If the victim's IP address is not on the list above, the malware encrypts the user's data.


To prevent file recovery, their shadow copies are deleted:

It creates a list of files and folders that will not be encrypted, as well as a list of file extensions.

  • windows
  • $RECYCLE.BIN
  • RSA
  • NTDETECT.COM
  • ntldr
  • MSDOS.SYS
  • IO.SYS
  • boot.ini
  • AUTOEXEC.BAT
  • ntuser.dat
  • desktop.ini
  • CONFIG.SYS
  • BOOTSECT.BAK
  • bootmgr
  • programdata
  • appdata
  • osoft
  • Common Files

log LOG CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DLL lnk LNK url URL ttf TTF DECRYPT.txt NEMTY

Obfuscation

To hide URLs and embedded configuration data, Nemty uses base64 and RC4 with the keyword fuckav.

The decoding process using CryptStringToBinary is as follows:
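As an added example that is not part of the original article, the following Python reproduces the two decoding routines the analysis describes, as an analyst would re-implement them to recover the payload and the embedded strings offline: RC4 with an MD5-derived key for the temp stage (WindowSpy.ahk with the password IwantAcake), and base64 followed by RC4 with the keyword fuckav for the embedded strings and the RSA-8192 public key. Two assumptions: the fuckav keyword is used directly as the RC4 key, since the article mentions no hashing for that layer, and the sample inputs are constructed with the same routine rather than taken from the malware.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def stage_key(password: str) -> bytes:
    """Key derivation the article describes for WindowSpy.ahk: the MD5 digest of the password."""
    return hashlib.md5(password.encode()).digest()


def decrypt_stage(blob: bytes, password: str = "IwantAcake") -> bytes:
    """Recover ironman.exe from the temp blob: RC4 keyed with MD5(password)."""
    return rc4(stage_key(password), blob)


def decode_embedded(encoded: str, keyword: bytes = b"fuckav") -> bytes:
    """Decode a base64 + RC4 string from the .data section.

    Assumption: the keyword is used directly as the RC4 key, since the
    article mentions no hashing step for this layer.
    """
    return rc4(keyword, base64.b64decode(encoded))


# Constructed samples, produced with the same rc4() above; they are not
# bytes taken from the malware.
SAMPLE_STAGE_PLAINTEXT = b"MZ\x90\x00 constructed third-stage payload"
SAMPLE_STAGE_BLOB = rc4(stage_key("IwantAcake"), SAMPLE_STAGE_PLAINTEXT)
SAMPLE_EMBEDDED_PLAINTEXT = b"constructed embedded string"
SAMPLE_EMBEDDED_ENCODED = base64.b64encode(rc4(b"fuckav", SAMPLE_EMBEDDED_PLAINTEXT)).decode()

if __name__ == "__main__":
    print(decrypt_stage(SAMPLE_STAGE_BLOB))
    print(decode_embedded(SAMPLE_EMBEDDED_ENCODED))
```

A quick sanity check before trusting any recovered bytes is whether the decrypted stage starts with the MZ header: a wrong password or a wrong key derivation produces noise rather than an error, as the RC4 symmetry gives no integrity check.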


Encryption

Nemty uses three layers of encryption:

  • AES-128-CBC for files. A 128-bit AES key is generated randomly and used for all files. It is stored in the configuration file on the user's computer. An IV is generated randomly for each file and stored in the encrypted file.
  • RSA-2048 for encrypting the file IV. A key pair is generated for the session. The session's private key is stored in the configuration file on the user's computer.
  • RSA-8192. The master public key is built into the program and is used to encrypt the configuration file, which holds the AES key and the private key of the RSA-2048 session pair.
  • Nemty first generates 32 bytes of random data. The first 16 bytes are used as the AES-128-CBC key.

The second encryption algorithm is RSA-2048. The key pair is generated with the CryptGenKey() function and imported with the CryptImportKey() function.

Once the session key pair is generated, the public key is imported into the MS Cryptographic Service Provider.

Example of the public key generated for the session:

Next, the private key is imported into the CSP.

Example of the private key generated for the session:

Last comes RSA-8192. The master public key is stored in encoded form (Base64 + RC4) in the .data section of the PE file.

The RSA-8192 key after base64 decoding and RC4 decryption with the password fuckav looks like this:

So the whole encryption process looks like this:

  • Generate a 128-bit AES key that will be used to encrypt all files.
  • Generate an IV for each file.
  • Generate a key pair for the RSA-2048 session.
  • Decrypt the embedded RSA-8192 key using base64 and RC4.
  • Encrypt the file contents with AES-128-CBC using the key from the first step.
  • Encrypt the IV with the RSA-2048 public key and base64-encode it.
  • Append the encrypted IV to the end of each encrypted file.
  • Add the AES key and the RSA-2048 session key to the configuration.
  • Encrypt the configuration data described in the section on collecting information about the infected computer with the RSA-8192 public key.
  • The encrypted file looks like this:

Example of an encrypted file:

Collecting information about the infected computer

The ransomware collects the keys needed to decrypt the infected files, so the attacker can actually build a decryptor. In addition, Nemty collects user data such as the username, computer name and hardware profile.

It calls the functions GetLogicalDrives(), GetFreeSpace() and GetDriveType() to gather information about the drives of the infected computer.

The collected information is stored in the configuration file. Decoding the string, we get the list of parameters in the configuration file:

Example configuration of an infected computer:

The configuration template can be represented as follows:

{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS":"[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[UserID]", "key":"[key]", "pr_key":"[pr_key]

Nemty stores the collected data in JSON format in the file %USER%/_NEMTY_.nemty. The FileID is 7 characters long and generated randomly. Example: _NEMTY_tgdLYrd_.nemty. The file ID is also appended to the end of each encrypted file.

Ransom note

After encrypting the files, a file _NEMTY_[FileID]-DECRYPT.txt appears on the desktop with the following content:

At the end of the file is the encrypted information about the infected computer.


Network communication

The ironman.exe process downloads the Tor browser distribution from https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip and tries to install it.

Nemty then tries to send the configuration data to 127.0.0.1:9050, where it expects to find a working Tor browser proxy. However, by default the Tor Browser proxy listens on port 9150, while port 9050 belongs to the Tor daemon on Linux or the Expert Bundle on Windows. So no data is sent to the attacker's server. Instead, the user can upload the configuration file manually by visiting the Tor decryption service via the link given in the ransom note.
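Added example, not from the original article: a Python check over constructed proxy/EDR-style log lines that flags the behaviour this section describes from the defender's side. It reports a process other than a Tor client downloading the Tor bundle from dist.torproject.org, a non-Tor process connecting to the loopback SOCKS ports 9050 or 9150 (the port confusion the article points out makes the 9050 attempt a useful signal even though the upload fails), and a gate request carrying a data= parameter. The log line format and the list of process names expected to talk to a local Tor port are assumptions made for the demonstration.

```python
from urllib.parse import urlparse, parse_qs

# Loopback ports named in the article: 9150 is the Tor Browser SOCKS proxy,
# 9050 the Tor daemon (Linux) / Expert Bundle (Windows) SOCKS port.
TOR_SOCKS_PORTS = {9050: "Tor daemon / Expert Bundle", 9150: "Tor Browser"}

# Assumed: processes that are expected to talk to a local Tor SOCKS port.
TOR_CLIENTS = {"tor.exe", "firefox.exe"}

# Constructed log lines ("timestamp image dst method url"); not real telemetry.
# 203.0.113.10 is a documentation address standing in for the download server.
SAMPLE_LOG = """\
2019-09-07T10:00:01Z ironman.exe 203.0.113.10:443 GET https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip
2019-09-07T10:00:05Z ironman.exe 127.0.0.1:9050 GET http://127.0.0.1:9050/public/gate?data=c29tZWRhdGE
2019-09-07T10:00:09Z firefox.exe 127.0.0.1:9150 GET https://example.org/
"""


def analyse(log_text: str):
    """Return (timestamp, image, reason) tuples for lines matching the Nemty network pattern."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, image, dst, method, url = line.split(maxsplit=4)
        host, port = dst.rsplit(":", 1)
        port = int(port)
        u = urlparse(url)
        proc = image.lower()
        # 1. Something other than a Tor client talking to a local Tor SOCKS port.
        if host == "127.0.0.1" and port in TOR_SOCKS_PORTS and proc not in TOR_CLIENTS:
            findings.append((ts, image, f"non-Tor process using loopback SOCKS port {port} ({TOR_SOCKS_PORTS[port]})"))
        # 2. The gate request the article shows, carrying the configuration in data=.
        if u.path.startswith("/public/gate") and "data" in parse_qs(u.query):
            findings.append((ts, image, "gate request carrying a data= parameter"))
        # 3. The Tor bundle being fetched by a process that is not a browser or Tor itself.
        if u.hostname == "dist.torproject.org" and u.path.endswith(".zip") and proc not in TOR_CLIENTS:
            findings.append((ts, image, "Tor bundle download by a non-browser process"))
    return findings


if __name__ == "__main__":
    for ts, image, reason in analyse(SAMPLE_LOG):
        print(ts, image, reason)
```

The third rule is the earliest of the three in the chain, so it is the one worth alerting on in its own right; the loopback connection and the gate request confirm the stage at which the sample is already encrypting.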

Connecting to the Tor proxy:


An HTTP GET request is made to 127.0.0.1:9050/public/gate?data=

Here you can see the open TCP ports used by the local Tor proxy:

The Nemty decryption service on the Tor network:

You can upload encrypted images (jpg, png, bmp) to test the decryption service.

After that, the attacker asks for the ransom to be paid. If it is not paid, the price doubles.


Conclusion

At the moment it is impossible to decrypt Nemty-encrypted files without paying the ransom. This version of the ransomware shares features with Buran and the now-defunct GandCrab: compilation in Borland Delphi and images with the same text. In addition, it is the first encryptor that uses an 8092-bit RSA key, which, again, makes no sense, since a 1024-bit key is sufficient for protection. Finally, and interestingly, it tries to use the wrong port for the local Tor proxy service.

However, the Acronis Backup and Acronis True Image solutions prevent Nemty ransomware from reaching the user's PC and data, and providers can protect their customers with Acronis Backup Cloud. Full cyber protection provides not only backup but also protection with Acronis Active Protection, a special technology based on artificial intelligence and behavioral heuristics that lets you neutralize even yet-unknown malware.

Source: www.habr.com
