
A new strain of ransomware encrypts files and appends the ".SaveTheQueen" extension to them, spreading through the SYSVOL network share on Active Directory domain controllers.
One of our customers ran into this malware recently. Our full analysis, findings and conclusions follow.
Detection
One of our customers contacted us after encountering a new ransomware strain that was appending the ".SaveTheQueen" extension to newly encrypted files in their environment.
During the investigation, or rather while tracing the source of the infection, we found that both distribution to and tracking of infected victims were done through the SYSVOL network share on the customer's domain controller.
SYSVOL is a critical folder on every domain controller. It is used to deliver Group Policy Objects (GPOs) and logon/logoff scripts to the computers in the domain, and its contents are replicated between domain controllers so that the data is consistent across all of the organisation's sites. Writing to SYSVOL requires elevated privileges, but once those are compromised this share becomes a powerful tool for attackers: every domain-joined machine reads it, so a malicious payload placed there spreads quickly and reliably.
The Varonis audit trail helped identify the following:
- A compromised user account created a file named "hourly" in SYSVOL
- Many log files were created in SYSVOL, each named after a device in the domain
- Many different IP addresses were accessing the "hourly" file
We concluded that the log files were used to track the infection of new devices, and that "hourly" was a scheduled task that executed the malicious payload on newly infected devices using a PowerShell script; the samples were labelled "v3" and "v4".
The attacker most likely obtained and used domain administrator privileges to write the files to SYSVOL. On the infected hosts, the attacker ran PowerShell code that created a scheduled task to open, decode and launch the malware.
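The two SYSVOL indicators above (an unexpected write outside the GPO/script folders, and one file fetched by many hosts) can be hunted for in share-access audit data. The following is an added example and not Varonis's or the article's code; the record layout, server/domain names, file names and IP addresses are constructed for the example.

```python
# Added example (not from the original article): hunting for the SYSVOL abuse
# described above in constructed share-access audit records.
# Record layout, host names, user names and paths are all assumptions.
from collections import defaultdict
import re

# Paths inside SYSVOL that legitimately change: GPO templates and logon scripts.
# Anything created elsewhere in the share deserves a look.
EXPECTED = re.compile(r"^\\\\[^\\]+\\SYSVOL\\[^\\]+\\(Policies|scripts)\\", re.IGNORECASE)

# Constructed audit records: (source_ip, user, action, path)
SHARE_EVENTS = [
    ("10.0.0.5",  "CORP\\admin.j", "create", r"\\dc01\SYSVOL\corp.local\hourly"),
    ("10.0.0.5",  "CORP\\admin.j", "create", r"\\dc01\SYSVOL\corp.local\WS-0142.log"),
    ("10.0.0.5",  "CORP\\admin.j", "create", r"\\dc01\SYSVOL\corp.local\WS-0143.log"),
    ("10.0.0.5",  "CORP\\gpo.ops", "create", r"\\dc01\SYSVOL\corp.local\Policies\{GUID}\GPT.INI"),
    ("10.0.1.42", "CORP\\alice",   "read",   r"\\dc01\SYSVOL\corp.local\hourly"),
    ("10.0.1.43", "CORP\\bob",     "read",   r"\\dc01\SYSVOL\corp.local\hourly"),
    ("10.0.1.44", "CORP\\carol",   "read",   r"\\dc01\SYSVOL\corp.local\hourly"),
    ("10.0.1.45", "CORP\\dave",    "read",   r"\\dc01\SYSVOL\corp.local\hourly"),
    ("10.0.1.46", "CORP\\erin",    "read",   r"\\dc01\SYSVOL\corp.local\scripts\logon.bat"),
]


def is_sysvol(path):
    return "\\SYSVOL\\" in path.upper()


def unexpected_creates(events):
    """(user, path) for every file created in SYSVOL outside Policies\\ or scripts\\."""
    return [(user, path) for _, user, action, path in events
            if action == "create" and is_sysvol(path) and not EXPECTED.match(path)]


def fan_out(events, threshold=3):
    """SYSVOL files read from at least `threshold` distinct source IPs.

    A GPO file being read by many hosts is normal; a loose file in the share
    root being read by many hosts is the distribution pattern from the article.
    """
    readers = defaultdict(set)
    for ip, _, action, path in events:
        if action == "read" and is_sysvol(path) and not EXPECTED.match(path):
            readers[path].add(ip)
    return {path: len(ips) for path, ips in readers.items() if len(ips) >= threshold}


def sysvol_alerts(events):
    out = [f"unexpected SYSVOL write by {u}: {p}" for u, p in unexpected_creates(events)]
    out += [f"{n} hosts fetched {p}" for p, n in fan_out(events).items()]
    return out


if __name__ == "__main__":
    for line in sysvol_alerts(SHARE_EVENTS):
        print(line)
```

The same two checks map directly onto Windows object-access auditing (share access events with the SYSVOL path) or any file-activity platform; the thresholds and the "expected" path pattern are the parts to tune per domain.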
Decoding the malware
We tried several ways of decoding the samples, without success:

We were about to give up when we decided to try the "Magic" operation of GCHQ's excellent tool. Magic attempts to identify how a file was encoded by brute-forcing its way through a range of encoding and compression formats and measuring the entropy of each result.

Magic determined that the sample was GZip-compressed and then base64-encoded, so we were able to decode the file and obtain the injector code.
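As an added example (not the article's code, and not the tool's own implementation), here is a small Magic-style decoder: it tries a handful of decoders layer by layer, keeps a step only when the output is plausible (a known container, decodable text, or low-entropy plaintext), and stops when nothing applies. The sample is constructed inline with the same layering the article reports for the dropper, gzip under base64; the marker text standing in for the dropper bytes is an assumption.

```python
# Added example (not from the original article): peeling layered encodings the
# way the article describes, using Shannon entropy as the stopping heuristic.
import base64
import binascii
import gzip
import math
import re

B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")
HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")


def entropy(data):
    """Shannon entropy in bits per byte: 0 for a constant, 8 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n)
                for c in (data.count(bytes([b])) for b in set(data)))


def looks_like_text(data):
    """Mostly printable ASCII with entropy in the range typical of source text."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / max(len(data), 1) > 0.95 and entropy(data) < 5.5


def try_gzip(data):
    if not data.startswith(b"\x1f\x8b"):          # gzip magic bytes
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError):
        return None


def try_base64(data):
    if len(data) < 16 or not B64_RE.match(data):  # short strings are too easy to misread
        return None
    try:
        return base64.b64decode(data, validate=False)
    except (binascii.Error, ValueError):
        return None


def try_hex(data):
    s = data.strip()
    if len(s) % 2 or not HEX_RE.match(s):
        return None
    return binascii.unhexlify(s)


DECODERS = [("gzip", try_gzip), ("base64", try_base64), ("hex", try_hex)]


def plausible(out):
    """Accept a decoding step only if its output looks like something we understand."""
    return out.startswith(b"\x1f\x8b") or looks_like_text(out) or bool(B64_RE.match(out))


def magic(data, max_depth=8):
    """Return (steps_taken, final_bytes); stops when no decoder yields a plausible result."""
    steps = []
    for _ in range(max_depth):
        for name, fn in DECODERS:
            out = fn(data)
            if out is not None and out != data and plausible(out):
                steps.append(name)
                data = out
                break
        else:
            break
    return steps, data


# Constructed stand-in for the decoded dropper (assumption: real bytes not reproduced here).
PAYLOAD = b'// constructed stand-in for the .NET dropper: Inject(Process("winlogon.exe"), shellcode);\n'
# Layered the way the article reports: gzip first, then base64 on the outside.
SAMPLE = base64.b64encode(gzip.compress(PAYLOAD))

if __name__ == "__main__":
    steps, out = magic(SAMPLE)
    print("steps:", steps)
    print("entropy before/after:", round(entropy(SAMPLE), 2), round(entropy(out), 2))
```

The order of the decoders matters less than the `plausible` gate: a hex string will also pass the base64 character check, but its base64 decoding is junk and gets rejected, so the hex decoder is tried next. That rejection-by-scoring is what makes the approach work on samples whose layering you do not know in advance.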

Dropper: "There's an epidemic in the area! General vaccination. Foot-and-mouth disease"
The dropper was an ordinary .NET file with no protection at all. After reading its source code we realised that its sole purpose was to inject shellcode into the winlogon.exe process.


Shellcode, or unexpected complications
We used a tool by Hexacorn to "compile" the shellcode into an executable so that we could debug and analyse it. We then discovered that it ran on both 32-bit and 64-bit machines.

Writing even simple shellcode in native assembly can be difficult, but writing full shellcode that works on both architectures requires advanced skill, so we began to wonder about the attacker's level of sophistication.
When we disassembled the generated shellcode, we noticed that it loaded .NET dynamic libraries such as clr.dll and mscoreei.dll. This struck us as odd: attackers usually try to keep shellcode as small as possible by calling OS functions rather than loading them. Why would anyone want to embed .NET functionality in shellcode instead of calling the Windows API directly when needed?
As it turned out, the malware author had not written this complex shellcode at all: a purpose-built tool had been used to turn executables and scripts into shellcode.
We found the tool Donut, which we suspected could generate similar shellcode. Here is its description from GitHub:
Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET assemblies). This shellcode can be injected into any Windows process for in-memory execution.
To confirm our theory we generated our own shellcode with Donut and compared it with the sample. Sure enough, we had found another component of the toolkit in use. After that we were able to extract and analyse the original .NET executable.
Code protection
The file had been obfuscated with ConfuserEx:


ConfuserEx is an open-source .NET project for protecting the code of other projects. This class of software lets developers protect their code from reverse engineering using techniques such as symbol renaming, control-flow obfuscation and method hiding. Malware authors use obfuscators to evade detection and to make reverse engineering considerably harder.
Fortunately, we were able to deobfuscate the code:

Result: the payload
The payload turned out to be a simple piece of ransomware. No persistence mechanism, no communication with a command-and-control server; plain old asymmetric encryption renders the victim's data unreadable.
The main function takes the following strings as parameters:
- The file extension to apply after encryption (SaveTheQueen)
- The author's e-mail address to put in the ransom note
- The public key used to encrypt the files

The process itself looks like this:
- The malware enumerates the local and mapped drives on the victim's device
- It searches for files to encrypt
- It attempts to kill any process that is holding the file it is about to encrypt
- It renames the file to "OriginalFileName.SaveTheQueenING" using the MoveFile function and encrypts it
- Once the file has been encrypted with the author's public key, the malware renames it again, this time to "OriginalFileName.SaveTheQueen"
- A file containing the ransom note is written to the same folder

Judging by the use of the native "CreateDecryptor" function, one of the malware's functions appears to contain a decryption routine that requires the private key.
The ransomware does NOT encrypt files stored in the following directories:
C:\windows
C:\Program Files
C:\Program Files (x86)
C:\Users\AppData
C:\inetpub
It also does NOT encrypt files of the following types: EXE, DLL, MSI, ISO, SYS, CAB.
Results and conclusions
Although the ransomware itself had no unusual features, the attacker used Active Directory to distribute the dropper, and the malware presented us with interesting, if simple, obstacles during analysis.
We believe the malware author:
- Wrote a ransomware virus with built-in injection into winlogon.exe, as well as file encryption and decryption functionality
- Obfuscated the malicious code with ConfuserEx, converted the result to shellcode with Donut, and additionally wrapped the dropper in base64-encoded GZip
- Obtained elevated privileges in the victim's environment and used them to copy the encoded malware and the scheduled tasks to the SYSVOL network share on the domain controllers
- Ran a PowerShell script on domain devices to spread the malware and record its progress in log files in SYSVOL

If you have questions about this ransomware strain, or about any other forensic and cybersecurity investigations conducted by our teams, contact us or submit a request; we always answer questions in the Q&A section.
Source: www.habr.com



