Successful ransomware attacks on organizations around the world are drawing more and more new attackers into the game. One of these new players in 2020 is the group using ProLock ransomware, which appeared as the successor to the PwndLocker program that began operating at the end of 2019. ProLock ransomware attacks mainly target financial institutions, healthcare organizations, government agencies and the retail sector. Recently, ProLock operators succeeded in attacking Diebold Nixdorf, one of the largest ATM manufacturers.
In this post, Oleg Skulkin, lead specialist at the Group-IB Computer Forensics Laboratory, describes the basic tactics, techniques and procedures (TTPs) used by ProLock operators. The article concludes with a comparison against the MITRE ATT&CK Matrix, a public knowledge base that catalogs the targeted-attack tactics used by various cybercrime groups.
Obtaining initial access
ProLock operators use two main vectors of initial compromise: the QakBot (Qbot) trojan and unprotected RDP servers with weak passwords.
Compromise via externally accessible RDP servers is very common among ransomware operators. Usually the attackers buy access to an already compromised server from a third party, but members of the group can also obtain access on their own.
The other interesting vector of initial compromise is the QakBot malware. Previously this trojan was associated with another ransomware family, MegaCortex; now, however, it is used by the ProLock operators.
QakBot is usually distributed through phishing campaigns. The phishing e-mails either carry a Microsoft Office document as an attachment or contain a link to a file hosted on a cloud storage service such as Microsoft OneDrive.
Cases are also known in which QakBot was loaded by Emotet, another trojan widely known for its participation in campaigns distributing Ryuk ransomware.
Execution
When the infected document is downloaded and opened, the user is prompted to allow macros to run. If this succeeds, PowerShell is launched, and it can download and execute the QakBot payload from the command-and-control server.
The same applies to ProLock: it is important to note that the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases a scheduled task is used to launch PowerShell.
ã¿ã¹ã¯ ã¹ã±ãžã¥ãŒã©ãéã㊠ProLock ãå®è¡ããããã ã¹ã¯ãªãã:
schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat
Establishing a foothold in the system
If access was obtained by compromising an RDP server, the attackers use valid accounts to access the network. QakBot is characterized by a variety of persistence mechanisms: in most cases the trojan uses the Run registry key and creates a task in the scheduler.
Run ã¬ãžã¹ã㪠ããŒã䜿çšã㊠Qakbot ãã·ã¹ãã ã«åºå®ãã
In some cases the Startup folder is also used: a shortcut pointing to the loader is placed there.
Defense evasion
QakBot periodically tries to update itself by communicating with the command-and-control server, so the malware can replace its current version with a new one to avoid detection. The executables are signed with compromised or forged signatures. The initial payload loaded by PowerShell is stored on the C&C server with a .PNG extension, and after execution it is overwritten with the legitimate file calc.exe.
In addition, to hide its malicious activity, QakBot uses the technique of injecting code into the explorer.exe process.
As mentioned above, the ProLock payload is hidden inside a BMP or JPG file; this too can be regarded as a way of evading protection.
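The article twice notes that the ProLock payload is carried inside a BMP or JPG file and pulled out by PowerShell. A defender triaging such files can start by measuring the "overlay", the bytes the image container does not account for. The following script is an added example, not code from the article or from Group-IB; the sample BMP and JPEG byte strings are constructed here (structurally valid headers, not real pictures), and the threshold for what counts as suspicious is left to the reader.

```python
"""Measure trailing data in BMP and JPEG files (added example, not from the
original article).

BMP : bytes 2..5 of the file header declare the total file size (little-endian).
JPEG: the image ends at the EOI marker FF D9; the marker stream is walked
      segment by segment so that an FF D9 inside entropy-coded data or inside
      the overlay is not mistaken for the real end of image.
"""
import struct
from typing import Tuple


def bmp_overlay_size(data: bytes) -> int:
    """Bytes present after the size declared in the BMP header."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared = struct.unpack_from("<I", data, 2)[0]
    return max(0, len(data) - declared)


def jpeg_image_length(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking JPEG segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: the image ends here
            return pos + 2
        if marker == 0xFF:                      # fill byte, skip it
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers: TEM, SOI, RSTn
            continue
        if pos + 4 > len(data):
            break
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            # Inside scan data FF is escaped as FF 00 and FF D0..D7 are restart
            # markers; the first other FF xx pair is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def jpeg_overlay_size(data: bytes) -> int:
    """Bytes present after the end of the JPEG image."""
    return len(data) - jpeg_image_length(data)


def overlay_size(data: bytes) -> Tuple[str, int]:
    """Dispatch on the magic bytes; returns (format, overlay_bytes)."""
    if data[:2] == b"BM":
        return "bmp", bmp_overlay_size(data)
    if data[:2] == b"\xff\xd8":
        return "jpeg", jpeg_overlay_size(data)
    raise ValueError("unsupported format")


# Constructed sample files: valid headers, no picture data worth viewing.
SAMPLE_BMP = b"BM" + struct.pack("<IHHI", 26, 0, 0, 26) + b"\x00" * 12
SAMPLE_JPEG = (
    b"\xff\xd8"                                   # SOI
    + b"\xff\xe0" + struct.pack(">H", 4) + b"JF"  # tiny APP0 segment
    + b"\xff\xda" + struct.pack(">H", 2)          # SOS with an empty header
    + b"\x12\xff\x00\x34"                         # scan data with an escaped FF
    + b"\xff\xd9"                                 # EOI
)

if __name__ == "__main__":
    # An overlay that itself contains FF D9 must still be measured in full.
    print(overlay_size(SAMPLE_BMP + b"X" * 5))
    print(overlay_size(SAMPLE_JPEG + b"\xff\xd9junk"))
```

A non-zero overlay is not proof of anything by itself (some legitimate tools append metadata), but an image of a few kilobytes with hundreds of kilobytes of trailing data, sitting next to a PowerShell command line that reads it, is worth a look.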
Obtaining credentials
QakBot has keylogger functionality. In addition, it can download and run further scripts, such as Invoke-Mimikatz, the PowerShell version of the well-known Mimikatz utility. The attackers may use such scripts to dump credentials.
Network reconnaissance
After gaining access to privileged accounts, the ProLock operators perform network reconnaissance such as port scanning and analysis of the Active Directory environment. Besides various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.
Lateral movement across the network
Traditionally, one of the most common methods of lateral movement is the Remote Desktop Protocol, and ProLock is no exception. The attackers keep a script for obtaining remote access to the target host via RDP.
BAT script for obtaining access via the RDP protocol:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f
To run scripts remotely, ProLock operators use another common tool, the PsExec utility from the Sysinternals Suite.
ProLock is launched on hosts with WMIC, the command-line interface for working with the Windows Management Instrumentation subsystem. This tool is also gaining popularity among ransomware operators.
Data collection
Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase the chance of receiving a ransom. Before exfiltration, the collected data is archived with the 7Zip utility.
Exfiltration
To upload the data, ProLock operators use Rclone, a command-line tool designed to synchronize files with various cloud storage services such as OneDrive, Google Drive and Mega. The attackers always rename the executable so that it looks like a legitimate system file.
Unlike their peers, the ProLock operators do not yet have their own website for publishing data stolen from companies that refuse to pay the ransom.
Achieving the final goal
Once the data has been exfiltrated, the team deploys ProLock across the entire corporate network. The binary is extracted from a file with a .PNG or .JPG extension and injected into memory using PowerShell.
ProLock also terminates the processes specified in its built-in list (interestingly, only the first six characters of each process name are used, e.g. "winwor") and stops services, including security-related services such as CSFalconService (CrowdStrike Falcon), using the "net stop" command.
After that, as with many other ransomware families, the attackers use VSSADMIN to delete the Windows shadow copies and to limit the shadow storage size so that no new copies can be created:
vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
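The commands the article reproduces (the scheduled-task batch file, the RDP-enabling reg add and netsh lines, net stop against a security service, and the vssadmin shadow-copy commands) are all visible in process-creation telemetry, which makes them good detection anchors. The following detector is an added example, not code from the article or from Group-IB: the event format (host plus command line, as in a Sysmon event 1) and the sample events are constructed here, and the technique IDs follow the article's own ATT&CK mapping.

```python
"""Run the article's command-line TTPs as detection rules over constructed
process-creation events (added example, not from the original article)."""
import re
from typing import Dict, List, Tuple

# (rule name, ATT&CK technique, regex applied to the whole command line)
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("scheduled task created from an XML file in ProgramData", "T1053",
     re.compile(r"schtasks(?:\.exe)?\s+/create\s+/xml\s+\S*programdata", re.I)),
    ("RDP enabled by setting fDenyTSConnections to 0", "T1076",
     re.compile(r"reg\s+add\s+.*terminal server.*fdenytsconnections.*/d\s+0\b", re.I)),
    ("RDP network level authentication disabled", "T1076",
     re.compile(r"reg\s+add\s+.*rdp-tcp.*userauthentication.*/d\s+0\b", re.I)),
    ("Remote Desktop firewall rule group enabled", "T1076",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop".*enable=yes', re.I)),
    ("shadow copies deleted", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow storage resized", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
]

# "net stop" only matters when the target is a security product; the article
# names CSFalconService (CrowdStrike Falcon). Extend the set for your estate.
NET_STOP = re.compile(r'\bnet(?:1|\.exe)?\s+stop\s+"?([^"\s]+)', re.I)
SECURITY_SERVICES = {"csfalconservice"}


def match_rules(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule name, technique) pairs that fire on one command line."""
    hits = [(name, tech) for name, tech, rx in RULES if rx.search(cmdline)]
    m = NET_STOP.search(cmdline)
    if m and m.group(1).lower() in SECURITY_SERVICES:
        hits.append(("security service stopped with net stop", "T1089"))
    return hits


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for ev in events:
        for name, tech in match_rules(ev["cmdline"]):
            findings.append({"host": ev["host"], "technique": tech,
                             "rule": name, "cmdline": ev["cmdline"]})
    return findings


def techniques_by_host(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collapse findings to the sorted set of techniques seen per host."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f["host"], set()).add(f["technique"])
    return {h: sorted(t) for h, t in out.items()}


# Constructed sample telemetry: the article's commands on one host, plus a
# benign "reg add ... /d 1" (an admin disabling RDP) that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr"},
    {"host": "WS01", "cmdline": r"schtasks.exe /RUN /tn WinMgr"},
    {"host": "WS01", "cmdline": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "cmdline": r'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes'},
    {"host": "WS01", "cmdline": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "cmdline": r"net stop CSFalconService"},
    {"host": "WS01", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "cmdline": r"vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ADMIN-PC", "cmdline": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 1 /f'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["host"], f["technique"], f["rule"])
    print(techniques_by_host(detect(SAMPLE_EVENTS)))
```

The per-host roll-up is the useful output: a single vssadmin call can be a backup job, but one host showing T1053, T1076, T1089 and T1490 within a short window matches the sequence the article describes and deserves an immediate look.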
ProLock appends the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and places a file named [How to recover files].TXT in each folder. This file contains instructions on how to decrypt the files, including a link to a site where the victim must enter a unique ID to receive payment information.
Each instance of ProLock contains information about the ransom amount; in this case it is 35 bitcoins, i.e. about 312 dollars.
Summary
Many ransomware operators use similar techniques to achieve their goals. At the same time, each group has a few techniques of its own. The number of cybercrime groups using ransomware in their campaigns is growing, and in some cases the same operators may be involved in attacks using different ransomware families, so more and more overlap in the tactics, techniques and procedures used will be seen.
Mapping to MITRE ATT&CK

Tactic: Techniques
Initial Access (TA0001): External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)
Execution (TA0002): PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)
Persistence (TA0003): Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)
Defense Evasion (TA0005): Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)
Credential Access (TA0006): Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)
Discovery (TA0007): Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)
Lateral Movement (TA0008): Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)
Collection (TA0009): Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)
Command and Control (TA0011): Commonly Used Port (T1043), Web Service (T1102)
Exfiltration (TA0010): Data Compressed (T1002), Transfer Data to Cloud Account (T1537)
Impact (TA0040): Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)
Source: habr.com