Unlocking ProLock: an analysis of the new ransomware operators' actions using the MITRE ATT&CK matrix


The success of ransomware attacks on organizations around the world is prompting more and more attackers to enter the game. One of these new players is the group using the ProLock ransomware. It appeared in March 2020 as the successor to the PwndLocker program, which had been active since the end of 2019. ProLock ransomware attacks target primarily financial and healthcare organizations, government agencies, and retail. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post, Oleg Skulkin, lead specialist at Group-IB's Computer Forensics Laboratory, covers the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article concludes with a mapping to the MITRE ATT&CK Matrix, a public knowledge base that brings together the attack techniques used by various cybercriminal groups.

Initial access

ProLock operators use two main compromise vectors: the QakBot (Qbot) Trojan and unprotected RDP servers with weak passwords.

Compromise via an externally accessible RDP server is extremely popular among ransomware operators. Typically, attackers buy access to a compromised server from third parties, but it can also be obtained by group members themselves.

The more interesting compromise vector is the QakBot malware. Previously, this Trojan was associated with another ransomware family, MegaCortex. However, it is now used by ProLock operators.

Typically, QakBot is distributed through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to a file located in cloud storage, such as Microsoft OneDrive.

There are also known cases where QakBot was loaded by another Trojan, Emotet, which is widely known for its participation in campaigns distributing the Ryuk ransomware.

Execution

After downloading and opening the infected document, the user is prompted to allow macros to run. If this succeeds, PowerShell is launched, which downloads and runs the QakBot payload from the command and control server.

It is important to note that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases, a scheduled task is used to launch PowerShell.

Batch script that runs ProLock via the task scheduler:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat
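The script above is a self-cleaning pattern: a task definition is staged in a user-writable directory, registered, run, and the definition file is removed seconds later. The following detection logic is an added example, not code from the article or from Group-IB; it runs over a constructed, Sysmon-style event list (process creations and file deletions in a simple "host|timestamp|kind|detail" format, which is an assumption of this example) and flags a scheduled task created from an XML under ProgramData, Users or Windows\Temp whose XML is deleted within a short window. A task that was also started with /RUN inside the window is rated higher.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the original article). One event per line:
# "host|timestamp|kind|detail", where kind is ProcessCreate (detail = command line)
# or FileDelete (detail = deleted path). WS02 is a benign deployment for contrast.
SAMPLE_LOG = r"""
WS01|2020-05-12T09:14:02|ProcessCreate|cmd.exe /c C:\Programdata\run.bat
WS01|2020-05-12T09:14:03|ProcessCreate|schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
WS01|2020-05-12T09:14:03|ProcessCreate|schtasks.exe /RUN /tn WinMgr
WS01|2020-05-12T09:14:04|FileDelete|C:\Programdata\WinMgr.xml
WS01|2020-05-12T09:14:04|FileDelete|C:\Programdata\run.bat
WS02|2020-05-12T10:00:00|ProcessCreate|schtasks.exe /CREATE /XML C:\Deploy\backup.xml /tn NightlyBackup
WS02|2020-05-12T10:00:01|ProcessCreate|schtasks.exe /RUN /tn NightlyBackup
"""

# Directories any user can write to; a task definition staged here deserves a look.
STAGING_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

CREATE_RE = re.compile(
    r"schtasks(?:\.exe)?\s+/create\s+/xml\s+(?P<xml>\S+)\s+/tn\s+(?P<task>\S+)", re.I)
RUN_RE = re.compile(r"schtasks(?:\.exe)?\s+/run\s+/tn\s+(?P<task>\S+)", re.I)


@dataclass
class Event:
    host: str
    ts: datetime
    kind: str
    detail: str


def parse_log(text):
    """Turn the pipe-separated sample format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts, kind, detail = line.split("|", 3)
        events.append(Event(host, datetime.fromisoformat(ts), kind, detail))
    return events


def detect_staged_task(text, window=timedelta(minutes=5)):
    """Return findings for tasks created from a staged XML that is deleted soon after.

    Severity is "high" when the task was also run inside the window, "medium" otherwise.
    """
    events = parse_log(text)
    findings = []
    for ev in events:
        if ev.kind != "ProcessCreate":
            continue
        m = CREATE_RE.search(ev.detail)
        if not m:
            continue
        xml, task = m.group("xml"), m.group("task")
        if not xml.lower().startswith(STAGING_DIRS):
            continue  # task definitions under admin-controlled paths are out of scope here
        later = [e for e in events if e.host == ev.host and ev.ts <= e.ts <= ev.ts + window]
        ran = any(e.kind == "ProcessCreate"
                  and (r := RUN_RE.search(e.detail)) is not None
                  and r.group("task").lower() == task.lower()
                  for e in later)
        deleted = any(e.kind == "FileDelete" and e.detail.lower() == xml.lower() for e in later)
        if deleted:
            findings.append({"host": ev.host, "task": task, "xml": xml, "ran": ran,
                             "severity": "high" if ran else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect_staged_task(SAMPLE_LOG):
        print(finding)
```

The correlation key is the XML path itself, so the rule does not depend on the task name (which the operators choose freely); the deletion event is what separates this from a legitimate deployment that leaves its definition file in place.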

Persistence

If an RDP server could be compromised and access gained, valid accounts are then used to gain access to the network. QakBot is characterized by a variety of persistence mechanisms. Most often, this Trojan uses the Run registry key and creates tasks in the scheduler:

Figure: QakBot persistence in the system via the Run registry key

In some cases, startup folders are also used: a shortcut pointing to the loader is placed there.

Defense evasion

When communicating with the command and control server, QakBot periodically tries to update itself, so to avoid detection the malware can replace its current version with a new one. Executable files are signed with a compromised or forged signature. The initial payload loaded by PowerShell is stored on the C&C server with a PNG extension. In addition, after execution it is replaced with the legitimate file calc.exe.

Also, to hide malicious activity, QakBot uses the technique of injecting code into processes, using explorer.exe.

As noted above, the ProLock payload is hidden inside a BMP or JPG file. This can also be seen as a defense evasion technique.

Credential access

QakBot has keylogger functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, the PowerShell version of the well-known Mimikatz utility. Such scripts can be used by attackers to dump credentials.

Network reconnaissance

After gaining access to privileged accounts, ProLock operators perform network reconnaissance, which may include port scanning and analysis of the Active Directory environment. In addition to various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular methods of lateral movement is the Remote Desktop Protocol, and ProLock is no exception. The attackers also have scripts in their arsenal for gaining remote access to target hosts via RDP.

BAT script for gaining access via the RDP protocol:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f
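The three lines above enable RDP, open the firewall, and disable Network Level Authentication. A quick way to find hosts left in that state is to audit the same registry values against a hardened baseline. The script below is an added example and not part of the article or Group-IB's tooling: it parses constructed `reg query` output (the layout and the values shown are assumptions of this example), compares each value to the baseline, and emits `reg add` lines that restore the hardened setting. SecurityLayer is included in the baseline as well; the batch script does not touch it, but a review of RDP hardening should.

```python
# Constructed `reg query` output (not from the original article), showing the weakened
# state left behind by the batch script: RDP enabled, NLA off, legacy security layer.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
    SecurityLayer    REG_DWORD    0x0
    PortNumber    REG_DWORD    0xd3d
"""

# Baseline a hardened host should meet: (expected value, severity, description).
# SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS only.
BASELINE = {
    ("Terminal Server", "fDenyTSConnections"):
        (1, "medium", "RDP is enabled; confirm this host is meant to accept RDP"),
    ("RDP-Tcp", "UserAuthentication"):
        (1, "high", "Network Level Authentication is disabled"),
    ("RDP-Tcp", "SecurityLayer"):
        (2, "medium", "RDP security layer allows non-TLS connections"),
}


def parse_reg_query(text):
    """Yield (full_key_path, value_name, value_type, raw_data) from `reg query` output.

    Assumes value names without spaces, which holds for every value audited here.
    """
    current_key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        parts = line.split()
        if current_key and len(parts) == 3:
            yield current_key, parts[0], parts[1], parts[2]


def audit_rdp(text):
    """Compare the RDP-related values in `reg query` output with BASELINE."""
    findings = []
    for key, name, vtype, data in parse_reg_query(text):
        short = key.rsplit("\\", 1)[-1]          # "Terminal Server" or "RDP-Tcp"
        rule = BASELINE.get((short, name))
        if rule is None or vtype != "REG_DWORD":
            continue
        expected, severity, message = rule
        current = int(data, 16)                   # reg query prints DWORDs as hex
        if current != expected:
            findings.append({"key": key, "name": name, "current": current,
                             "expected": expected, "severity": severity,
                             "message": message})
    return findings


def remediation_commands(findings):
    """Return `reg add` lines that put each finding back to its baseline value."""
    return [f'reg add "{f["key"]}" /v "{f["name"]}" /t REG_DWORD /d {f["expected"]} /f'
            for f in findings]


if __name__ == "__main__":
    results = audit_rdp(SAMPLE_REG_QUERY)
    for f in results:
        print(f'[{f["severity"]}] {f["name"]}={f["current"]} (expected {f["expected"]}): {f["message"]}')
    print("\n".join(remediation_commands(results)))
```

On a real estate the same comparison is easier to run as a scheduled compliance check than after the fact; the point of the example is that every value the batch script flips has a single hardened value to compare against, so drift is cheap to detect.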

To execute scripts remotely, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

ProLock is run on hosts using WMIC, the command-line interface for working with the Windows Management Instrumentation subsystem. This tool is also becoming increasingly popular among ransomware operators.

Data collection

Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of receiving a ransom. Before exfiltration, the collected data is archived with the 7Zip utility.

Exfiltration

To exfiltrate data, ProLock operators use Rclone, a command-line tool designed to synchronize files with various cloud storage services such as OneDrive, Google Drive, Mega, and others.

Unlike their counterparts, ProLock operators do not yet have their own website for publishing data stolen from companies that refused to pay the ransom.

Achieving the final objective

Once the data has been exfiltrated, the group deploys ProLock across the corporate network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory:

First, ProLock terminates the processes named in a built-in list (interestingly, it uses only the first six characters of the process name, such as "winwor"), and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, like many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and limit their storage size so that new copies are not created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
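Most detections key on "delete shadows" alone and miss the resize trick: shrinking shadow storage on a volume below what the existing copies occupy forces VSS to discard them, after which setting it back to unbounded hides the change. The following parser is an added example, not code from the article or Group-IB; it tokenizes vssadmin and net stop command lines (the sample list is constructed from the three commands above plus a net stop and a harmless list command), converts /maxsize to bytes, and rates a shrink followed by unbounded as the eviction sequence it is. The 1 GiB threshold, and WinDefend (the Microsoft Defender Antivirus service) alongside the article's CSFalconService in the watch list, are choices of this example.

```python
import math
import re

# Services whose stop should be alerted on. CSFalconService is named in the article;
# WinDefend (Microsoft Defender Antivirus) is added here as a second common example.
WATCHED_SERVICES = {"csfalconservice", "windefend"}

# Below this size a volume's existing shadow copies are almost certainly evicted.
SMALL_STORAGE = 1024 ** 3

SIZE_UNITS = {"KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}

# Constructed sample (not from the original article): the article's three vssadmin
# lines, a service stop, and a benign query for contrast.
SAMPLE_COMMANDS = [
    "vssadmin.exe delete shadows /all /quiet",
    "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded",
    "net stop CSFalconService",
    "vssadmin list shadows",
]


def parse_maxsize(value):
    """Convert a /maxsize argument to bytes. UNBOUNDED becomes math.inf.

    vssadmin also accepts percentages; as a heuristic of this example a value under
    5 % of the volume is treated as a shrink (0 bytes), anything else as unbounded.
    """
    v = value.strip().upper()
    if v == "UNBOUNDED":
        return math.inf
    if v.endswith("%"):
        return 0 if int(v[:-1]) < 5 else math.inf
    m = re.fullmatch(r"(\d+)([KMGT]B)?", v)
    if not m:
        raise ValueError(f"unrecognised /maxsize value: {value}")
    return int(m.group(1)) * SIZE_UNITS.get(m.group(2), 1)


def parse_vssadmin(cmdline):
    """Split a vssadmin command line into verb, object and a dict of /flag=value."""
    tokens = cmdline.split()
    if not tokens or tokens[0].lower() not in ("vssadmin", "vssadmin.exe"):
        return None
    flags = {}
    for tok in tokens[3:]:
        key, _, val = tok.lstrip("/").partition("=")
        flags[key.lower()] = val
    return {"verb": tokens[1].lower() if len(tokens) > 1 else "",
            "object": tokens[2].lower() if len(tokens) > 2 else "",
            "flags": flags}


def analyze_commands(cmdlines):
    """Return (command, severity, reason) for shadow-copy tampering and service stops."""
    findings = []
    shrunk = set()  # volumes whose shadow storage was shrunk earlier in the sequence
    for line in cmdlines:
        tokens = line.split()
        if not tokens:
            continue
        exe = tokens[0].lower()
        if exe in ("net", "net.exe", "net1", "net1.exe") and len(tokens) >= 3 \
                and tokens[1].lower() == "stop":
            if tokens[2].strip('"').lower() in WATCHED_SERVICES:
                findings.append((line, "high", f"security service {tokens[2]} stopped"))
            continue
        cmd = parse_vssadmin(line)
        if cmd is None:
            continue
        if cmd["verb"] == "delete" and cmd["object"] == "shadows":
            scope = "all volumes" if "all" in cmd["flags"] else cmd["flags"].get("for", "unspecified volume")
            findings.append((line, "critical", f"shadow copies deleted for {scope}"))
        elif cmd["verb"] == "resize" and cmd["object"] == "shadowstorage":
            vol = cmd["flags"].get("for", "?").upper()
            size = parse_maxsize(cmd["flags"].get("maxsize", "unbounded"))
            if size == math.inf:
                if vol in shrunk:
                    findings.append((line, "high",
                                     f"shadow storage on {vol} restored to unbounded after a shrink (old copies already evicted)"))
                else:
                    findings.append((line, "low", f"shadow storage on {vol} set to unbounded"))
            elif size < SMALL_STORAGE:
                shrunk.add(vol)
                findings.append((line, "high",
                                 f"shadow storage on {vol} shrunk to {size // 1024 ** 2} MB, evicting existing copies"))
    return findings


if __name__ == "__main__":
    for cmd, severity, reason in analyze_commands(SAMPLE_COMMANDS):
        print(f"[{severity}] {reason}: {cmd}")
```

Because the state (`shrunk`) is kept per volume across the command sequence, the final "unbounded" line is rated high only when it follows a shrink; on its own it is the normal administrative value.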

ProLock adds the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and places a [HOW TO RECOVER FILES].TXT file in each folder. This file contains instructions on how to decrypt the files, including a link to a site where the victim must enter a unique ID and receive payment details:

Each ProLock sample contains information about the ransom amount; in this case, 35 bitcoins, which is approximately $312.
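During incident scoping, the three extensions and the ransom note name above are enough to measure how far encryption got on a share before restoring from backup. The script below is an added example and not code from the article or Group-IB: it walks a directory tree, counts ProLock-extension files per directory, lists the directories holding the ransom note, and counts untouched files. The sample tree it builds in a temporary directory is constructed for the example; run `triage_tree` against a mounted share in practice.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions and note name as described in the article; matched case-insensitively.
PROLOCK_EXTENSIONS = {".prolock", ".pr0lock", ".prol0ck"}
RANSOM_NOTE = "[HOW TO RECOVER FILES].TXT"


def triage_tree(root):
    """Walk `root` and summarise ProLock impact.

    Returns total encrypted files, a per-directory breakdown, the directories that
    contain the ransom note, and the number of files with no ProLock extension.
    """
    encrypted = Counter()
    notes = []
    untouched = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() == RANSOM_NOTE:
                notes.append(dirpath)
            elif Path(name).suffix.lower() in PROLOCK_EXTENSIONS:
                encrypted[dirpath] += 1
            else:
                untouched += 1
    return {
        "encrypted_files": sum(encrypted.values()),
        "encrypted_dirs": dict(encrypted),
        "ransom_notes": sorted(notes),
        "untouched_files": untouched,
    }


def build_sample_tree():
    """Construct a throwaway directory that mimics a partially encrypted share."""
    root = Path(tempfile.mkdtemp(prefix="prolock_triage_"))
    layout = {
        "finance": ["budget.xlsx.proLock", "q1.docx.pr0Lock", RANSOM_NOTE],
        "finance/archive": ["old.pdf.proL0ck", RANSOM_NOTE],
        "it": ["readme.txt"],  # not reached by the encryptor in this sample
    }
    for sub, names in layout.items():
        directory = root / sub
        directory.mkdir(parents=True, exist_ok=True)
        for name in names:
            (directory / name).write_bytes(b"placeholder content")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = triage_tree(sample_root)
    print(f"encrypted files: {report['encrypted_files']}")
    for directory, count in report["encrypted_dirs"].items():
        print(f"  {count:4d}  {directory}")
    print(f"ransom notes in {len(report['ransom_notes'])} directories")
    print(f"untouched files: {report['untouched_files']}")
```

Directories that contain the note but no encrypted files are worth a second look: either nothing there was worth encrypting, or the encryptor was interrupted, and both answers matter for the recovery order.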

Conclusion

Many ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. Currently, there is a growing number of cybercriminal groups using ransomware in their campaigns. In some cases, the same operators may be involved in attacks using different ransomware families, so we will increasingly see overlap in the tactics, techniques and procedures used.

Mapping to MITRE ATT&CK

Tactic
Techniques

Initial Access (TA0001)
External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Execution (TA0002)
PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence (TA0003)
Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Defense Evasion (TA0005)
Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disable Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Credential Access (TA0006)
Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Discovery (TA0007)
Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Lateral Movement (TA0008)
Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Collection (TA0009)
Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Command and Control (TA0011)
Commonly Used Port (T1043), Web Service (T1102)

Exfiltration (TA0010)
Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Impact (TA0040)
Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.habr.com
