Ryuk is one of the best-known ransomware families of recent years, having first appeared in the summer of 2018.
1. General information
This document contains an analysis of a variant of the Ryuk ransomware and of the loader that delivers the malware to the system.
Ryuk ransomware first appeared in the summer of 2018. One of the differences between Ryuk and other ransomware is that it is aimed at corporate environments.
In mid-2019, cybercriminal groups used this ransomware to attack a large number of Spanish companies.
Figure 1: Excerpt from El Confidencial on the Ryuk ransomware attack [1]
Figure 2: Excerpt from El País on the attack carried out with Ryuk ransomware [2]
This year Ryuk attacked many companies in various countries. As the figures below show, Germany, China, Algeria and India suffered the most.
Comparing the numbers of cyberattacks shows that Ryuk affected millions of users, compromised huge amounts of data and caused serious economic losses.
Figure 3: Map of Ryuk's global activity
Figure 4: The 16 countries most affected by Ryuk
Figure 5: Number of users attacked by Ryuk ransomware (in millions)
Following the usual operating principle of such threats, once encryption is complete the ransomware shows the victim a ransom note stating that payment in bitcoin to a specified address is required to restore access to the encrypted files.
This malware has changed since it was first introduced.
The variant of the threat analysed in this document was discovered during an attack attempt in 2020.
Because of its complexity, this malware is believed to be the work of an organised cybercrime group, also known as an APT group.
Part of Ryuk's code shows notable similarity to the code and structure of Hermes, another well-known ransomware, and the two share many identical functions. This is why Ryuk was initially associated with the North Korean group Lazarus, which was suspected of being behind the Hermes ransomware.
Later, CrowdStrike's Falcon X service indicated that Ryuk was actually created by the WIZARD SPIDER group [4].
There is some evidence supporting this assumption. First, the ransomware was advertised on the website exploit.in, a well-known Russian malware marketplace that had previously been associated with several Russian APT groups.
This fact rules out the theory that Ryuk might have been developed by the Lazarus APT group, as it does not fit that group's way of operating.
Furthermore, Ryuk was advertised as ransomware that does not work on systems in Russia, Ukraine or Belarus. This behaviour comes from a feature present in some versions of Ryuk that checks the language of the system the ransomware is running on and stops execution if the system has Russian, Ukrainian or Belarusian installed. Finally, expert analysis of a machine hacked by the WIZARD SPIDER team revealed several "artifacts" allegedly used in the development of Ryuk as a variant of the Hermes ransomware.
On the other hand, the experts Gabriela Nicolao and Luciano Martins suggested that the ransomware may have been developed by the APT group CryptoTech [5].
This is based on the fact that, a few months before Ryuk appeared, this group posted on the same site's forum that it had developed a new version of the Hermes ransomware.
Several forum users questioned whether CryptoTech had really created Ryuk. The group subsequently defended itself, stating that it had proof that it had developed 100% of the ransomware.
2. Characteristics
Let us start with the loader. Its job is to identify the system it is running on so that it can launch the "correct" version of the Ryuk ransomware.
The loader's hashes are as follows:
MD5 A73130B0E379A989CBA3D695A157A495
SHA256 EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469
One characteristic of this dropper is that it contains no metadata: the malware's authors did not include any information in it.
Sometimes fake data is included so that the user believes they are running a legitimate application. However, as explained later, when the infection involves no user interaction (as is the case with this ransomware), the attackers do not consider it necessary to use metadata.
Figure 6: Sample metadata
The sample is compiled as a 32-bit executable, so it can run on both 32-bit and 64-bit systems.
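The triage a practitioner performs on such a sample (hash it, compare with the published hashes, read the bitness from the PE headers) can be scripted. The following is an added example and not tooling from the PandaLabs report: it computes MD5/SHA256 of a file's bytes, checks them against the loader hashes quoted above, and reads IMAGE_FILE_HEADER.Machine and IMAGE_OPTIONAL_HEADER.Magic to decide between PE32 and PE32+. The header-only stub it builds is a constructed input so the script runs offline; the real loader's bytes are not reproduced here.

```python
"""Added example: hash and bitness triage of a PE file (not the report's own tooling)."""
import hashlib
import struct

# IMAGE_FILE_HEADER.Machine values from winnt.h
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}
# IMAGE_OPTIONAL_HEADER.Magic values
MAGIC_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000

# Loader hashes quoted in the text above, as a hash-matching rule would hold them.
LOADER_IOC_HASHES = {
    "A73130B0E379A989CBA3D695A157A495",
    "EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469",
}


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> OPTIONAL_HEADER.Magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = 0
    if opt_size >= 2:
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": MAGIC_NAMES.get(magic, hex(magic)),
        "bits": 64 if magic == 0x20B else 32,
        "sections": nsections,
        "timestamp": timestamp,  # 0 is typical of samples stripped of build metadata
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def hashes_of(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper()}


def matches_iocs(data: bytes, iocs=LOADER_IOC_HASHES) -> bool:
    """True when either hash of the bytes is in the IOC set."""
    h = hashes_of(data)
    return h["md5"] in iocs or h["sha256"] in iocs


def triage(data: bytes) -> dict:
    info = parse_pe_header(data)
    info.update(hashes_of(data))
    info["known_ioc"] = matches_iocs(data)
    return info


def build_stub_pe(machine: int, magic: int) -> bytes:
    """Constructed header-only PE for offline testing; it is not a real program."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    opt_size = 0xE0 if magic == 0x10B else 0xF0      # standard optional header sizes
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    return bytes(dos) + b"PE\0\0" + file_hdr + struct.pack("<H", magic) + bytes(opt_size - 2)


if __name__ == "__main__":
    for m, g in ((0x014C, 0x10B), (0x8664, 0x20B)):
        print(triage(build_stub_pe(m, g)))
```

Run it against the real file with `triage(open(path, "rb").read())`; a 32-bit loader reports `format == "PE32"` and `bits == 32`, and `known_ioc` becomes True only for the bytes whose hashes match the table above.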
3. Intrusion vector
The sample that downloads and runs Ryuk entered the system through a remote connection; the access parameters (credentials) had been obtained in a prior RDP attack.
Figure 7: Attack log
The attacker managed to log in to the system remotely. He then created an executable from the sample.
This executable was blocked by the antivirus solution before it could run.
Figure 8: Pattern block
Figure 9: Pattern block
When the malicious file was blocked, the attacker tried to download an encrypted version of the executable, which was also blocked.
Figure 10: Set of samples the attacker tried to run
Finally, he tried to download another malicious file through an encrypted console, using PowerShell to bypass the antivirus protection. This too was blocked.
Figure 11: PowerShell with malicious content blocked
Figure 12: PowerShell with malicious content blocked
4. Loader
When run, it writes a ReadMe file to the %temp% folder, which is typical of Ryuk. This file is a ransom note containing an e-mail address on the protonmail domain, which is very common in this malware family.
Figure 13: Ransom demand
While the loader runs, it can be seen launching several executables with random names. They are saved in the hidden folder PUBLIC; if the "Show hidden files and folders" option is not enabled in the operating system, they remain invisible. Moreover, unlike the 64-bit parent file, these files are 32-bit.
Figure 14: Executables launched by the sample
As the image above shows, Ryuk launches icacls.exe, which it uses to modify all ACLs (access control lists), guaranteeing access to and modification of the flags.
Full access to all files on the device (/T) is granted to all users, continuing regardless of errors (/C) and without displaying messages (/Q).
Figure 15: Execution parameters of icacls.exe launched by the sample
It is important to note that Ryuk checks which version of Windows it is running on. For this it performs a version check with GetVersionExW and examines the lpVersionInformation structure it fills in, to determine whether the current version of Windows is newer than Windows XP.
Depending on whether a version later than Windows XP is running, the loader writes to the local user folder (in this case the %Public% folder).
Figure 17: Checking the operating system version
The file being written is Ryuk. It then executes it, passing its own path as a parameter.
Figure 18: Running Ryuk via ShellExecute
The first thing Ryuk does is read its input parameters. This time there are two input parameters (the executable itself and the dropper's path), which are used to remove its own traces.
Figure 19: Process creation
It can also be seen that, once it has run the executable, it deletes itself, leaving no trace of its presence in the folder it was run from.
Figure 20: File deletion
5. Ryuk
5.1 Persistence
Ryuk, like other malware, tries to remain on the system for as long as possible. As shown above, one way to achieve this is to create and run executables covertly. The most common way to do this is to modify the registry key CurrentVersion\Run.
In this case, it can be seen that the first file launched for this purpose, VWjRF.exe (the file name is generated randomly), launches cmd.exe.
Figure 21: Running VWjRF.exe
It then adds a Run entry named "svchos"; if you inspect the registry keys at any point, this change can easily be missed because the name resembles svchost. Thanks to this key, Ryuk ensures its presence on the system: as long as the infection remains, the executable is run again each time the system restarts.
Figure 22: The sample ensures its presence in the registry key
It can be seen that this executable stops two services:
"AudioEndpointBuilder", which, as its name suggests, corresponds to system audio.
Figure 23: The sample stops the system audio service
And "samss", which is the Security Accounts Manager service. Stopping these two services is characteristic of Ryuk. In this case, if the system is connected to a SIEM, the ransomware tries to stop it from sending events to the SIEM.
Figure 24: The sample stops the samss service
5.2 Privileges
Generally, Ryuk starts by moving laterally within the network, or it is launched by other malware.
As a preliminary step of the injection process, we see it run ImpersonateSelf, which means the security context of the access token is passed to the thread, where it is then obtained immediately with GetCurrentThread.
Figure 25: Calling ImpersonateSelf
Next, we see it associate an access token with the thread. We also see that one of the flags, DesiredAccess, can be used to control the access the thread will have. In this case the value received in edx should be TOKEN_ALL_ACCESS, or otherwise TOKEN_WRITE.
Figure 26: Creating the thread token
If it has SeDebugPrivilege, it makes the call to obtain debug privileges for the thread, with the result that it gets PROCESS_ALL_ACCESS to the required process. Now, given that the encryptor already has a prepared thread, all that remains is to move on to the final stage.
Figure 27: Calling SeDebugPrivilege and the privilege escalation function
On the one hand, LookupPrivilegeValueW supplies the information needed about the privilege to be raised.
Figure 28: Requesting privilege information for privilege escalation
On the other hand, AdjustTokenPrivileges lets it obtain the required rights for the thread. In this case the most important part is NewState, whose flag grants the privilege.
Figure 29: Setting token privileges
5.3 Injection
This section shows how the sample carries out the injection process described earlier in this report.
The main purpose of the injection and escalation is to gain access to the volume shadow copies. To do this, it needs to run a thread with higher privileges than the local user. Once it has obtained such elevated privileges, it deletes the copies and changes other processes so that the operating system cannot be rolled back to an earlier restore point.
As is common with this type of malware, it uses CreateToolhelp32Snapshot to take a snapshot of the running processes and then tries to access those processes with OpenProcess. Once it has access to a process, it opens the process's token to obtain its parameters.
Figure 30: Obtaining the computer's processes
We can see dynamically how it obtains the list of running processes in routine 140002D9C using CreateToolhelp32Snapshot. Having received it, it walks the list and tries to open the processes one by one with OpenProcess until it succeeds. In this case the first process it managed to open was "taskhost.exe".
Figure 31: Dynamically running the procedure to obtain processes
It can then be seen reading the process token information by calling OpenProcessToken with the parameter 0x20008, which is TOKEN_READ (READ_CONTROL | TOKEN_QUERY).
Figure 32: Reading process token information
It also checks that the process to be injected into is not csrss.exe, explorer.exe or lsaas.exe (sic), and that it does not run with the rights of an NT AUTHORITY account.
Figure 33: Excluded processes
Using the process token information, we can see dynamically how the check is first performed in 140002D9C to determine whether the account whose privileges are used to run the process is an NT AUTHORITY account.
Figure 34: NT AUTHORITY check
And then, outside that procedure, it verifies that the process is not csrss.exe, explorer.exe or lsaas.exe.
Figure 35: Process name check
Once it has the process snapshot, has opened the process and has verified that it is not excluded, it is ready to write the code to be injected into the process's memory.
To do this, it first reserves a region of memory (VirtualAllocEx), writes to it (WriteProcessMemory) and creates a thread (CreateRemoteThread). These functions operate on the handle that OpenProcess returned for the PID of the chosen process, which was obtained earlier from the CreateToolhelp32Snapshot listing.
Figure 36: Code injection
Here we can observe dynamically how VirtualAllocEx is called for the chosen process.
Figure 37: Calling VirtualAllocEx
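To make the token and injection steps of sections 5.2 and 5.3 concrete, here is an added example; it is not the sample's code and not from the original report. It models the target-selection loop over a constructed Toolhelp-style snapshot (the page names only csrss.exe, explorer.exe, "lsaas.exe" and NT AUTHORITY accounts as exclusions, so those are the only ones applied), decodes the 0x20008 access mask passed to OpenProcessToken, and shows the OpenProcessToken / LookupPrivilegeValueW / AdjustTokenPrivileges sequence that enables SeDebugPrivilege on the caller's own token. That last function reaches the Windows API through ctypes and therefore only runs on Windows; VirtualAllocEx, WriteProcessMemory and CreateRemoteThread are deliberately not reproduced.

```python
"""Added example modelling sections 5.2/5.3 (not Ryuk's code). The pure helpers run anywhere;
enable_privilege() calls the Windows token API via ctypes and is Windows-only."""
import ctypes
import sys

# Exclusions the analysis lists for the injection target ("lsaas.exe" spelled as on the page).
EXCLUDED_IMAGES = {"csrss.exe", "explorer.exe", "lsaas.exe"}

# Access-mask bits accepted by OpenProcessToken (winnt.h).
TOKEN_ACCESS_BITS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE", 0x0004: "TOKEN_IMPERSONATE",
    0x0008: "TOKEN_QUERY", 0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT", 0x0100: "TOKEN_ADJUST_SESSIONID",
    0x00020000: "READ_CONTROL",
}
TOKEN_QUERY = 0x0008
TOKEN_ADJUST_PRIVILEGES = 0x0020
SE_PRIVILEGE_ENABLED = 0x0002
ERROR_NOT_ALL_ASSIGNED = 1300


def describe_token_access(mask: int) -> list:
    """Expand a DesiredAccess mask; 0x20008 (the page's '20008') is READ_CONTROL|TOKEN_QUERY = TOKEN_READ."""
    return [name for bit, name in sorted(TOKEN_ACCESS_BITS.items()) if mask & bit]


def choose_injection_target(snapshot, excluded=EXCLUDED_IMAGES):
    """snapshot: iterable of (pid, image_name, token_user) in Toolhelp32 order.
    Mirrors the loop in the sample: walk the list, skip processes whose token belongs to an
    NT AUTHORITY account or whose image name is excluded, return the first PID that remains."""
    for pid, image, user in snapshot:
        if user.upper().startswith("NT AUTHORITY\\"):
            continue
        if image.lower() in excluded:
            continue
        return pid
    return None


class LUID(ctypes.Structure):
    _fields_ = [("LowPart", ctypes.c_uint32), ("HighPart", ctypes.c_int32)]


class LUID_AND_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Luid", LUID), ("Attributes", ctypes.c_uint32)]


class TOKEN_PRIVILEGES(ctypes.Structure):
    _fields_ = [("PrivilegeCount", ctypes.c_uint32), ("Privileges", LUID_AND_ATTRIBUTES * 1)]


def enable_privilege(name: str = "SeDebugPrivilege") -> bool:
    """OpenProcessToken -> LookupPrivilegeValueW -> AdjustTokenPrivileges(NewState) on the
    current process token. Returns True only if the privilege was really enabled."""
    if sys.platform != "win32":
        raise OSError("Windows token APIs are required")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.GetCurrentProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    adv.OpenProcessToken.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.POINTER(ctypes.c_void_p)]
    adv.LookupPrivilegeValueW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.POINTER(LUID)]
    adv.AdjustTokenPrivileges.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.POINTER(TOKEN_PRIVILEGES),
                                          ctypes.c_uint32, ctypes.c_void_p, ctypes.c_void_p]
    token = ctypes.c_void_p()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                                ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        tp = TOKEN_PRIVILEGES()
        tp.PrivilegeCount = 1
        if not adv.LookupPrivilegeValueW(None, name, ctypes.byref(tp.Privileges[0].Luid)):
            raise ctypes.WinError(ctypes.get_last_error())
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED   # the NewState flag the text refers to
        if not adv.AdjustTokenPrivileges(token, 0, ctypes.byref(tp), 0, None, None):
            raise ctypes.WinError(ctypes.get_last_error())
        # AdjustTokenPrivileges returns TRUE even when the caller does not hold the privilege;
        # the real answer is in GetLastError (ERROR_NOT_ALL_ASSIGNED).
        return ctypes.get_last_error() != ERROR_NOT_ALL_ASSIGNED
    finally:
        k32.CloseHandle(token)


# Constructed snapshot in the order Toolhelp32 might return it (not data from the report).
SAMPLE_SNAPSHOT = [
    (4, "System", "NT AUTHORITY\\SYSTEM"),
    (532, "csrss.exe", "NT AUTHORITY\\SYSTEM"),
    (700, "lsaas.exe", "NT AUTHORITY\\SYSTEM"),
    (1204, "explorer.exe", "DESKTOP-01\\analyst"),
    (1356, "taskhost.exe", "DESKTOP-01\\analyst"),
    (1500, "notepad.exe", "DESKTOP-01\\analyst"),
]

if __name__ == "__main__":
    print(describe_token_access(0x20008))
    print(choose_injection_target(SAMPLE_SNAPSHOT))
```

With the constructed snapshot the first acceptable PID is taskhost.exe, the same process the dynamic trace above shows Ryuk opening first. Note that the check on the return value of AdjustTokenPrivileges is the part most often got wrong: a non-administrative token silently fails with ERROR_NOT_ALL_ASSIGNED, which is exactly the case in which the malware cannot reach the shadow copies.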
5.4 Encryption
In this section we look at the encryption part of the sample. The following figure shows two subroutines, "LoadLibrary_EncodeString" and "Encode_Func", which are responsible for carrying out the encryption procedure.
Figure 38: Encryption procedure
First, we see how it loads a string that will later be used to deobfuscate everything it needs: imports, DLLs, commands, files and the CSP.
Figure 39: Deobfuscation routine
The next figure shows the first import deobfuscated in register R4, LoadLibrary, which will later be used to load the required DLLs. Register R12 holds another string, which is used together with the previous one to perform the deobfuscation.
Figure 40: Dynamic deobfuscation
It continues by loading the commands it will later run to disable backups, restore points and safe boot mode.
Figure 41: Loading commands
It then loads the locations where three files, Windows.bat, run.sct and start.bat, will be placed.
Figure 42: File locations
These three files are used to check the permissions each location has. If the required permissions are not available, Ryuk stops executing.
It continues by loading the strings corresponding to three files. The first, decrypt_information.html, contains the information needed to recover the files. The second, PUBLIC, contains the RSA public key.
Figure 43: String decrypt_information.html
The third, UNIQUE_ID_DO_NOT_REMOVE, contains the encryption key used to perform the encryption in the next routine.
Figure 44: String UNIQUE_ID_DO_NOT_REMOVE
Finally, it loads the required libraries together with the necessary imports and the CSP (Microsoft Enhanced RSA and AES Cryptographic Provider).
Figure 45: Loading libraries
Once all deobfuscation is complete, it proceeds to the actions needed for encryption: enumerating all logical drives, running what was loaded in the previous routine, strengthening its presence on the system, dropping the RyukReadMe.html file, encrypting, enumerating all network drives, and then moving on to the devices found and encrypting them.
It all starts by loading "cmd.exe" and the RSA public key record.
Figure 46: Preparing for encryption
It then obtains all logical drives using GetLogicalDrives and disables all backups, restore points and safe boot mode.
Figure 47: Deactivating recovery tools
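The host-side behaviours described in sections 4, 5.1 and 5.4 (icacls granting everyone full access with /T /C /Q, the "svchos" Run value, stopping AudioEndpointBuilder and samss, randomly named executables run from the Public folder, and the disabling of backups and restore points) translate directly into detection logic. The following added example, which is not part of the original report, runs simple rules over constructed process-creation log lines in a `time|image|commandline` format. The exact command lines are assumptions reconstructed from the page's description, and the vssadmin/bcdedit patterns are the backup- and recovery-disabling commands commonly reported for Ryuk rather than ones shown on this page; adapt the regexes to your own telemetry.

```python
"""Added example: detection rules for the Ryuk host behaviours described on this page,
run over constructed process-creation log lines (time|image|commandline)."""
import re
from collections import namedtuple

Hit = namedtuple("Hit", "line_no rule commandline")

# Command lines are reconstructed from the page's description (flags /T /C /Q, full access for
# everyone, a Run value named "svchos", two services stopped). The vssadmin/bcdedit patterns are
# the backup/recovery-disabling commands commonly reported for Ryuk, not shown on this page.
RULES = [
    ("icacls_everyone_full",
     re.compile(r"\bicacls(\.exe)?\b.*?/grant\s+Everyone:F\b.*?/T\b", re.I)),
    ("run_key_svchost_lookalike",
     re.compile(r"\breg(\.exe)?\s+add\b.*?\\CurrentVersion\\Run\b.*?/v\s+\"?svchost?\"?", re.I)),
    ("stop_audio_or_sam",
     re.compile(r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+\"?(audioendpointbuilder|samss)\b", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*?\b(delete\s+shadows|resize\s+shadowstorage)\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("public_dir_exec",
     re.compile(r"^\"?[A-Z]:\\Users\\Public\\[A-Za-z0-9]{4,6}\.exe\b", re.I)),
]


def parse_line(line):
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    ts, image, cmdline = parts
    return ts, image.strip(), cmdline.strip()


def scan(log_text):
    """One Hit per (line, rule); a rule matching both image and command line counts once."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, image, cmdline = rec
        for rule, rx in RULES:
            if rx.search(cmdline) or rx.search(image):
                hits.append(Hit(n, rule, cmdline))
    return hits


def triggered_rules(log_text):
    return sorted({h.rule for h in scan(log_text)})


def looks_like_ryuk(log_text, min_rules=3):
    """Any single rule can fire during benign administration; several of them together
    inside one short window are the signal worth paging on."""
    return len(triggered_rules(log_text)) >= min_rules


# Constructed log lines (not telemetry from the report); VWjRF.exe is the name seen in Section 5.1.
SAMPLE_LOG = """\
2020-01-15T10:02:10|C:\\Users\\Public\\VWjRF.exe|C:\\Users\\Public\\VWjRF.exe
2020-01-15T10:02:11|C:\\Windows\\System32\\icacls.exe|icacls "C:\\*" /grant Everyone:F /T /C /Q
2020-01-15T10:02:12|C:\\Windows\\System32\\reg.exe|reg add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "svchos" /t REG_SZ /d "C:\\Users\\Public\\VWjRF.exe"
2020-01-15T10:02:13|C:\\Windows\\System32\\net.exe|net stop audioendpointbuilder /y
2020-01-15T10:02:13|C:\\Windows\\System32\\net.exe|net stop samss /y
2020-01-15T10:02:20|C:\\Windows\\System32\\vssadmin.exe|vssadmin Delete Shadows /all /quiet
2020-01-15T10:02:21|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2020-01-15T10:03:00|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\analyst\\notes.txt
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h)
    print("ryuk-like:", looks_like_ryuk(SAMPLE_LOG))
```

The rules are deliberately narrow on the parts the page is specific about (the icacls flag set, the Run value name) and broad on the rest; in production the time window and the requirement that several rules fire together are what keep the false-positive rate down, since each command on its own is something an administrator might legitimately run.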
After that, it strengthens its presence on the system, as seen above, and writes the first file, RyukReadMe.html, to TEMP.
Figure 48: Dropping the ransom note
The next figure shows the file being created and its content being loaded and written.
Figure 49: Loading and writing file content
To be able to perform the same actions on all devices, it uses "icacls.exe", as shown above.
Figure 50: Using icacls.exe
And finally, it starts encrypting files, except for "*.exe" and "*.dll" files, system files and the other locations specified in the form of an encrypted whitelist. For this it uses the imports CryptAcquireContextW (where the use of AES and RSA is specified), CryptDeriveKey, CryptGenKey, CryptDestroyKey, etc. It also tries to extend its reach to discovered network devices using WNetEnumResourceW and encrypt them too.
Figure 51: Encrypting system files
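The CryptoAPI imports listed above (CryptGenKey, CryptAcquireContextW with the "Microsoft Enhanced RSA and AES Cryptographic Provider", an RSA public key carried in PUBLIC) describe a hybrid scheme: a fresh symmetric key per file, wrapped with the operators' RSA public key so that only the holder of the private key can recover it. The following added example is not Ryuk's code and the on-disk blob layout is an assumption for illustration; it reproduces that scheme with the `cryptography` package and adds the extension and folder exclusions the page describes (only *.exe and *.dll are named on the page, so the folder list is an assumption). Its point is to show why files cannot be recovered without the private key: the AES key never exists on the victim's disk in clear.

```python
"""Added example (not Ryuk's code): hybrid AES/RSA file encryption of the kind the CryptoAPI
import list implies, plus the exclusion rules the page describes. Requires `cryptography`.
The blob layout (ct || iv || wrapped_key || len) is an assumption for illustration."""
import os
from pathlib import PureWindowsPath

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# The page says *.exe, *.dll, system files and a whitelist of locations are skipped;
# only the two extensions are given, so the folder list here is an assumption.
SKIP_EXTENSIONS = {".exe", ".dll"}
SKIP_FOLDERS = {"windows", "$recycle.bin"}
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def should_encrypt(path: str) -> bool:
    p = PureWindowsPath(path)
    if p.suffix.lower() in SKIP_EXTENSIONS:
        return False
    return not any(part.lower() in SKIP_FOLDERS for part in p.parts)


def generate_keypair():
    """Operator-side RSA pair; the victim only ever receives the public half (cf. PUBLIC)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def encrypt_file_bytes(plaintext: bytes, public_key) -> bytes:
    """Fresh AES-256 key per file (what CryptGenKey provides), CBC with a random IV, then the
    AES key is wrapped with the RSA public key and appended; the clear key is discarded."""
    key, iv = os.urandom(32), os.urandom(16)
    pad_len = 16 - len(plaintext) % 16           # PKCS#7, always at least one byte
    padded = plaintext + bytes([pad_len]) * pad_len
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    wrapped = public_key.encrypt(key, OAEP)      # only the private key can unwrap this
    return ct + iv + wrapped + len(wrapped).to_bytes(2, "little")


def decrypt_file_bytes(blob: bytes, private_key) -> bytes:
    """What the operators' decryptor does after payment: unwrap the key, then AES-decrypt."""
    wlen = int.from_bytes(blob[-2:], "little")
    wrapped = blob[-2 - wlen:-2]
    iv = blob[-2 - wlen - 16:-2 - wlen]
    ct = blob[:-2 - wlen - 16]
    key = private_key.decrypt(wrapped, OAEP)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    return padded[:-padded[-1]]


def encrypt_tree(files: dict, public_key) -> dict:
    """files: {windows_path: bytes}; returns only the entries that would be encrypted."""
    return {p: encrypt_file_bytes(data, public_key) for p, data in files.items() if should_encrypt(p)}


if __name__ == "__main__":
    priv, pub = generate_keypair()
    sample = {r"D:\share\report.docx": b"quarterly numbers",        # constructed inputs
              r"C:\Users\Public\VWjRF.exe": b"MZ...",
              r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost"}
    out = encrypt_tree(sample, pub)
    print(sorted(out))                                                # only report.docx
    print(decrypt_file_bytes(out[r"D:\share\report.docx"], priv))
```

Two practical consequences follow from the construction: a memory dump taken while the process is running may still contain the per-file AES keys (CryptDestroyKey is called afterwards precisely to shorten that window), and a recovered RSA public key is useless for decryption, which is why the ransom note sells access to the private half.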
6. Imports and corresponding flags
The table below lists the most relevant imports and flags used by the sample.
7. IOCs
Files referenced:
- \users\Public\run.sct
- \Start Menu\Programs\Startup\start.bat
- \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat
The technical report on the Ryuk ransomware was prepared by the experts of the antivirus laboratory PandaLabs.
8. Links
1. "Everis y Prisa Radio sufren un grave ciberataque que secuestra sus sistemas", https://www.elconfidencial.com/tecnologia/2019-11-04/everis-la-ser-ciberataque-ransomware-15_2312019/, published 04/11/2019.
2. "Un virus de origen ruso ataca a importantes empresas españolas", https://elpais.com/tecnologia/2019/11/04/actualidad/1572897654_251312.html, published 04/11/2019.
3. "Story of the year 2019: Cities under ransomware siege", https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/, published 11/12/2019.
4. "Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware", https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/, published 01/2019.
5. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware", https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-r
Source: habr.com