Meet Nemty, the ransomware served from a fake PayPal site
A new ransomware family called Nemty has appeared, presumably a successor of GandCrab or Buran. The malware is distributed mainly from a fake PayPal site and has several interesting features. Details of how this ransomware works follow.
Nemty was discovered by the user nao_sec on September 7, 2019. The malware was delivered through a site disguised as PayPal; it is also possible that it reaches computers through the RIG exploit kit. The attackers used social engineering to persuade the user to run the file cashback.exe, supposedly received from the PayPal site. Curiously, Nemty hard-codes the wrong port for the local Tor proxy, which prevents the malware from sending data to its server. As a result, a victim who wants to pay has to upload the encrypted data to the attackers' Tor service manually and wait for them to decrypt it.
Several peculiarities of Nemty suggest that it was developed by the same people who are behind Buran and GandCrab, or by cybercriminals connected with them.
Like GandCrab, Nemty contains an Easter egg: a link to a photo of the Russian president Vladimir Putin with an obscene joke. Legacy GandCrab ransomware carried an image with the same text.
The code artifacts of both programs point to the same Russian-speaking authors.
It is the first ransomware to use an 8192-bit RSA key. There is no practical reason for this: a 2048-bit key is already far beyond any feasible factoring attack, so the oversized key buys the attackers nothing except slower key operations.
Like Buran, the ransomware was written in Object Pascal and compiled with Borland Delphi.
Static analysis
The malicious code executes in four stages. The first stage is running cashback.exe, a PE32 executable for MS Windows, 1198936 bytes in size. Its code was written in Visual C++ and it was compiled on October 14, 2013. It contains an archive that is extracted automatically when cashback.exe runs. The program uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract files from the .cab archive.
Then temp.exe starts, a PE32 executable for MS Windows, 307200 bytes in size. Its code was written in Visual C++ and packed with the MPRESS packer, which is similar to UPX.
The full infection chain can be viewed in the app.any.run sandbox.
Entry point
cashback.exe is the start of the attack. As mentioned above, cashback.exe unpacks the .cab file it contains. It then creates the folder TMP4351$.TMP of the form %TEMP%\IXxxx.TMP, where xxx is a number from 001 to 999.
Next, a registry key is set, which looks like this:
temp.exe - second step
temp.exe is the process started by cashback.exe, the second stage of the malware execution. It tries to run AutoHotKey, a tool for running scripts on Windows, and executes the WindowSpy.ahk script stored in the resources section of the PE file.
The WindowSpy.ahk script decrypts the temp file into ironman.exe with the RC4 algorithm and the password IwantAcake. The RC4 key is derived from the password with the MD5 hash algorithm.
temp.exe then launches the ironman.exe process.
Ironman.exe - third step
Ironman.exe reads the contents of the file iron.bmp and creates the file iron.txt containing the cryptolocker, which is launched later.
The sample also holds the following list of extensions and file names that the encryptor skips (its own ransom note DECRYPT.txt and the NEMTY extension it appends are among them):
log LOG CAB cab CMD cmd COM com cpl
CPL exe EXE ini INI dll DDL lnk LNK url
URL ttf TTF DECRYPT.txt NEMTY
Obfuscation
To hide URLs and embedded data, Nemty uses base64 encoding together with the RC4 cipher keyed with the string fuckav.
The decoding routine, which calls CryptStringToBinary for the base64 step, looks like this:
Encryption
Nemty uses three levels of encryption:
AES-128-CBC for files. A 128-bit AES key is generated randomly and reused for every file. It is stored in the configuration file on the victim's computer. The IV is generated randomly for each file and stored in the encrypted file.
RSA-2048 to encrypt the per-file IVs. A session key pair is generated; the session private key is stored in the configuration file on the victim's computer.
RSA-8192. The master public key is embedded in the program and is used to encrypt the configuration file, which holds the AES key and the RSA-2048 session private key.
Nemty generates 32 random bytes. The first 16 bytes are used as the AES-128-CBC key.
The second encryption algorithm is RSA-2048. The key pair is generated with CryptGenKey() and imported with CryptImportKey().
Once the session key pair is generated, the public key is exported through the MS Cryptographic Service Provider.
Example of the generated session public key:
Next, the private key is exported from the CSP.
Example of the generated session private key:
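The session keys shown above are Microsoft CryptoAPI key blobs, the format that CryptExportKey() emits. The parser below is an added example written for this article, not code from the Nemty sample or from the original analysis. It decodes PUBLICKEYBLOB ("RSA1") and PRIVATEKEYBLOB ("RSA2") structures into their integers and carves such blobs out of an arbitrary buffer, for example a memory dump of the encryptor or a configuration captured before it is wrapped with the RSA-8192 master key (the RSA2 blob in that configuration is the session private key needed to unwrap the file IVs). The blob layout follows the documented BLOBHEADER, RSAPUBKEY and private-key structures; the algorithm identifier CALG_RSA_KEYX and the 16-bit toy key used for demonstration are assumptions (real Nemty session keys are 2048 bits).

```python
# Added example, not part of the original article or the Nemty sample.
# Parses/carves Microsoft CryptoAPI RSA key blobs as produced by CryptExportKey().
import struct

PUBLICKEYBLOB = 0x06
PRIVATEKEYBLOB = 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400   # assumption: key-exchange RSA, as CryptGenKey(AT_KEYEXCHANGE) yields
RSA1_MAGIC = 0x31415352      # b"RSA1" read as a little-endian DWORD (public key)
RSA2_MAGIC = 0x32415352      # b"RSA2" (private key)


def parse_rsa_blob(blob: bytes, offset: int = 0) -> dict:
    """Parse one RSA1/RSA2 blob at `offset`.

    Layout: BLOBHEADER(bType, bVersion, reserved, aiKeyAlg) + RSAPUBKEY(magic,
    bitlen, pubexp) + modulus; RSA2 additionally carries p, q, dp, dq, qinv, d.
    Every integer is little-endian; the half-size fields are bitlen/16 bytes.
    """
    if len(blob) - offset < 20:
        raise ValueError("too short for BLOBHEADER + RSAPUBKEY")
    btype, version, _reserved, alg = struct.unpack_from("<BBHI", blob, offset)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, offset + 8)
    # bitlen/16-byte CRT fields require a multiple of 16 bits (2048 and 8192 both qualify)
    if version != CUR_BLOB_VERSION or bitlen == 0 or bitlen % 16:
        raise ValueError("unsupported blob version or bit length")
    nbytes, half = bitlen // 8, bitlen // 16
    if btype == PUBLICKEYBLOB and magic == RSA1_MAGIC:
        fields = (("n", nbytes),)
    elif btype == PRIVATEKEYBLOB and magic == RSA2_MAGIC:
        fields = (("n", nbytes), ("p", half), ("q", half),
                  ("dp", half), ("dq", half), ("qinv", half), ("d", nbytes))
    else:
        raise ValueError("not an RSA1/RSA2 CryptoAPI key blob")
    info = {"type": btype, "alg": alg, "bits": bitlen, "e": pubexp}
    pos = offset + 20
    for name, size in fields:
        chunk = blob[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("blob truncated inside field %s" % name)
        info[name] = int.from_bytes(chunk, "little")
        pos += size
    info["length"] = pos - offset
    return info


def carve_rsa_blobs(buf: bytes) -> list:
    """Locate every parseable blob in a buffer by its magic at BLOBHEADER+8."""
    found = []
    for magic in (b"RSA1", b"RSA2"):
        start = 0
        while True:
            idx = buf.find(magic, start)
            if idx == -1:
                break
            start = idx + 1
            if idx < 8:
                continue
            try:
                found.append((idx - 8, parse_rsa_blob(buf, idx - 8)))
            except ValueError:
                pass  # magic bytes that are not the start of a valid blob
    return sorted(found, key=lambda item: item[0])


def build_public_blob(n: int, e: int, bits: int) -> bytes:
    """Inverse of the parser for RSA1 (used here to construct demonstration data)."""
    return (struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
            + struct.pack("<III", RSA1_MAGIC, bits, e)
            + n.to_bytes(bits // 8, "little"))


def build_private_blob(n: int, e: int, d: int, p: int, q: int, bits: int) -> bytes:
    """Inverse of the parser for RSA2; CRT values are derived from p, q and d."""
    half = bits // 16
    dp, dq, qinv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    return (struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
            + struct.pack("<III", RSA2_MAGIC, bits, e)
            + n.to_bytes(bits // 8, "little")
            + b"".join(x.to_bytes(half, "little") for x in (p, q, dp, dq, qinv))
            + d.to_bytes(bits // 8, "little"))


if __name__ == "__main__":
    # Constructed toy key (n = 61 * 53, 16-bit) purely to exercise the parser.
    blob = build_private_blob(3233, 17, 2753, 61, 53, 16)
    print(parse_rsa_blob(blob))
```

The carver is deliberately permissive about what precedes the magic: the eight header bytes are validated by parse_rsa_blob() itself, so a stray "RSA1" string in unrelated data is rejected rather than reported.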
Finally, RSA-8192. The master public key is stored obfuscated (base64 + RC4) in the .data section of the PE file.
After base64 decoding and RC4 decryption with the key fuckav, the RSA-8192 key looks like this:
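The two RC4 uses described so far, the string and master-key obfuscation (base64, then RC4 with the key fuckav) and the WindowSpy.ahk stage that turns the temp file into ironman.exe with RC4 keyed by MD5("IwantAcake"), are reconstructed below in an added Python example; this is not code from the sample or from the original article. The assumptions are that the key strings are used as plain ASCII bytes, that the raw 16-byte MD5 digest is the RC4 key for the AutoHotKey stage, and that base64 decoding precedes RC4 decryption. The sample strings in the block are constructed here, not extracted from the malware.

```python
# Added example, not part of the original article or the Nemty sample.
# Reconstructs the base64 + RC4("fuckav") string deobfuscation and the
# RC4(MD5("IwantAcake")) stage decryption described in the analysis.
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


STRING_KEY = b"fuckav"   # key named in the article for .data strings and the RSA-8192 master key


def deobfuscate_string(encoded: str, key: bytes = STRING_KEY) -> bytes:
    """Reverse the base64 + RC4 encoding (the CryptStringToBinary step, then RC4)."""
    return rc4(key, base64.b64decode(encoded))


def obfuscate_string(plain: bytes, key: bytes = STRING_KEY) -> str:
    """Forward direction; used only to construct demonstration data."""
    return base64.b64encode(rc4(key, plain)).decode("ascii")


def md5_rc4_key(password: str) -> bytes:
    """Key derivation for the AutoHotKey stage.
    ASSUMPTION: the raw 16-byte MD5 digest of the password is the RC4 key."""
    return hashlib.md5(password.encode("ascii")).digest()


def decrypt_stage_payload(blob: bytes, password: str = "IwantAcake") -> bytes:
    """Decrypt the temp -> ironman.exe payload the way WindowSpy.ahk is described to."""
    return rc4(md5_rc4_key(password), blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that a decrypted stage is a PE image (MZ header)."""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed sample: a URL encoded the way the sample would have to encode it.
    encoded = obfuscate_string(b"http://127.0.0.1:9050/public/gate?data=")
    print(encoded)
    print(deobfuscate_string(encoded))
```

Because RC4 is a symmetric stream cipher, recovering every obfuscated string from the .data section is a matter of running deobfuscate_string() over each base64 blob; anything that decodes to printable ASCII or to a CryptoAPI blob header is a hit.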
As a result, the whole encryption process looks as follows:
Encryption of each file's IV with the RSA-2048 session public key, followed by base64 encoding (the file contents themselves are encrypted with AES-128-CBC as described above).
Appending the encrypted IV to the end of each encrypted file.
Adding the AES key and the RSA-2048 session private key to the configuration.
The configuration data described in the section Collecting information about the infected computer is encrypted with the RSA-8192 master public key.
An encrypted file looks like this:
Example of encrypted files:
Collecting information about the infected computer
The ransomware collects the keys needed to decrypt the infected files so that the attacker can build a decryptor. In addition, Nemty collects user data such as the user name, computer name and hardware profile.
It calls GetLogicalDrives(), GetFreeSpace() and GetDriveType() to collect information about the drives of the infected machine.
The collected data is stored in the configuration file. After decoding the string we obtain the list of parameters in the configuration file:
Example configuration of an infected computer:
The configuration template can be represented as follows:
Nemty then tries to send the configuration data to 127.0.0.1:9050, where it expects to find the local proxy of the Tor Browser. By default, however, the Tor Browser proxy listens on port 9150, while port 9050 is used by the Tor daemon on Linux or by the Expert Bundle on Windows. Consequently no data reaches the attackers' server. Instead, the victim can upload the configuration file manually by visiting the attackers' Tor decryption service via the link given in the ransom note.
Connection to the Tor project:
HTTP GET request to 127.0.0.1:9050/public/gate?data=
Here you can see the open TCP ports used by the local Tor proxy:
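The beacon also gives defenders a simple detection angle, shown in the added Python example below (not code from the article or the sample): a rule run over constructed JSON-lines connection records that flags the /public/gate?data= request to a local Tor port and, more generally, any process other than a Tor client talking to 127.0.0.1:9050 or 9150. The record schema, the process names treated as legitimate Tor clients and the log content are assumptions made for the example. Note that on a host running only the Tor Browser the connection to 9050 is refused, so whether such an attempt shows up at all depends on whether the telemetry source records failed connections.

```python
# Added example, not part of the original article or the Nemty sample.
# Flags the local Tor-port beacon described in the analysis in constructed
# JSON-lines connection records (schema and sample content are assumptions).
import json
from urllib.parse import parse_qs, urlsplit

TOR_LOCAL_PORTS = {9050, 9150}   # 9050: tor daemon / Expert Bundle; 9150: Tor Browser
EXPECTED_TOR_CLIENTS = {"tor.exe", "firefox.exe"}  # assumption: the only legitimate local SOCKS users
NEMTY_GATE_PATH = "/public/gate"  # path of the beacon seen in the analysis


def classify_connection(record: dict) -> str:
    """Verdict for one connection record with keys image, dst_ip, dst_port and optional url."""
    image = record["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if record["dst_ip"] != "127.0.0.1" or int(record["dst_port"]) not in TOR_LOCAL_PORTS:
        return "ignore"                     # not traffic to a local Tor SOCKS port
    url = record.get("url")
    if url:
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        if parts.path == NEMTY_GATE_PATH and "data" in query:
            return "nemty-gate"             # the configuration upload itself
    if image not in EXPECTED_TOR_CLIENTS:
        return "suspicious-local-tor-client"  # something that is not Tor using Tor's port
    return "benign"


def scan_log(lines) -> list:
    """Classify JSON-lines records; returns (verdict, image) for every non-ignored record."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        verdict = classify_connection(record)
        if verdict != "ignore":
            hits.append((verdict, record["image"]))
    return hits


# Constructed sample records (paths, names and the base64 payload are made up).
SAMPLE_LOG = r"""
{"image": "C:\\Users\\victim\\AppData\\Local\\Temp\\ironman.exe", "dst_ip": "127.0.0.1", "dst_port": 9050, "url": "http://127.0.0.1:9050/public/gate?data=eyJjb25zdHJ1Y3RlZCI6IHRydWV9"}
{"image": "C:\\Tor Browser\\Browser\\firefox.exe", "dst_ip": "127.0.0.1", "dst_port": 9150}
{"image": "C:\\Windows\\System32\\svchost.exe", "dst_ip": "10.0.0.5", "dst_port": 443}
{"image": "C:\\Users\\victim\\Downloads\\updater.exe", "dst_ip": "127.0.0.1", "dst_port": 9150}
"""

if __name__ == "__main__":
    for verdict, image in scan_log(SAMPLE_LOG.splitlines()):
        print(verdict, image)
```

The URL check runs before the process check on purpose: a beacon that happens to be issued through a browser process would otherwise be downgraded to "benign".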
At the time of writing it is not possible to decrypt files encrypted by Nemty without paying the ransom. This ransomware has features in common with Buran and the older GandCrab: compilation with Borland Delphi and images with the same text. In addition, it is the first encryptor to use an 8192-bit RSA key, which again makes no sense, since a 2048-bit key is already more than sufficient. Finally, and most interestingly, it tries to use the wrong port for the local Tor proxy service.