Uncovering ProLock: an analysis of the new ransomware operators' actions using the MITRE ATT&CK matrix


The success of ransomware attacks on organizations around the world is drawing more and more new attackers into the game. One of these newcomers is the group that uses the ProLock ransomware. It appeared in March 2020 as the successor to PwndLocker, which began operating at the end of 2019. ProLock attacks mainly target financial and healthcare organizations, government agencies and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this article Oleg Skulkin, lead specialist at Group-IB's Computer Forensics Laboratory, covers the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article concludes with a mapping to the MITRE ATT&CK matrix, a public knowledge base that catalogues the targeted-attack techniques used by different cybercriminal groups.

Initial access

ProLock operators use two main vectors of initial compromise: the QakBot (Qbot) Trojan and unprotected RDP servers with weak passwords.

Compromise through an externally accessible RDP server is extremely popular among ransomware operators. Usually the attackers buy access to an already compromised server from third parties, but it can also be obtained by members of the group themselves.

A more interesting initial compromise vector is the QakBot malware. Previously this Trojan was associated with another ransomware family, MegaCortex. Now, however, it is used by ProLock operators.

QakBot is usually distributed through phishing campaigns. A phishing e-mail may carry an attached Microsoft Office document or a link to a file hosted on a cloud storage service such as Microsoft OneDrive.

There are also known cases of QakBot being delivered by another Trojan, Emotet, which is widely known for its role in the campaigns that distributed Ryuk ransomware.

Execution

After the malicious document is downloaded and opened, the user is prompted to enable macros. If that succeeds, PowerShell is launched, which downloads and runs the QakBot payload from the command and control server.

It is worth noting that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases a scheduled task is used to launch PowerShell.

A batch script that launches ProLock through the Task Scheduler:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence

When the attackers manage to compromise an RDP server and gain access, valid accounts are then used to maintain access to the network. QakBot is notable for the variety of its persistence mechanisms. Most often this Trojan uses the Run registry key and creates tasks in the scheduler:

[Figure: QakBot persistence on the system using the Run registry key]

In some cases startup folders are used as well: a shortcut pointing to the loader is placed there.

Defense evasion

While communicating with the command and control server, QakBot periodically tries to update itself, so to avoid detection the malware can replace its current version with a new one. Executable files are signed with a compromised or forged signature. The initial payload downloaded by PowerShell is stored on the C&C server with a PNG extension. In addition, after execution it is overwritten with the legitimate calc.exe file.

To hide malicious activity, QakBot also uses process injection, injecting code into explorer.exe.

As mentioned, the ProLock payload is hidden inside a BMP or JPG file. This can also be regarded as a defense evasion technique.

Credential access

QakBot has keylogger functionality. In addition, it can download and run further scripts, for example Invoke-Mimikatz, a PowerShell version of the well-known Mimikatz utility. The attackers can use such scripts to dump credentials.

Network reconnaissance

After obtaining privileged accounts, ProLock operators carry out network reconnaissance, which may include port scanning and analysis of the Active Directory environment. Besides various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular lateral movement methods is the Remote Desktop Protocol, and ProLock is no exception. The attackers even keep scripts in their arsenal for obtaining remote access to target hosts over RDP.

A BAT script for gaining access over RDP:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

To run scripts remotely, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

ProLock is launched on hosts using WMIC, the command-line interface to the Windows Management Instrumentation subsystem. This tool is also gaining popularity among ransomware operators.

Data collection

Like many other ransomware operators, the group behind ProLock collects data from the compromised network to increase its chances of receiving a ransom. Before exfiltration, the collected data is archived with the 7Zip utility.

Exfiltration

To upload the data, ProLock operators use Rclone, a command-line tool designed to synchronise files with various cloud storage services such as OneDrive, Google Drive, Mega and others.

Unlike their peers, ProLock operators do not yet have their own website for publishing data stolen from companies that refuse to pay the ransom.

Achieving the final objective

Once the data has been exfiltrated, the team deploys ProLock across the enterprise network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory.

First, ProLock terminates the processes listed in a built-in list (interestingly, it only uses the first six characters of each process name, such as "winwor") and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, as with many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and to shrink the shadow storage so that no new copies are created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
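The command lines quoted in this article (the schtasks launcher, the reg add lines that enable RDP and disable NLA, the net stop of CSFalconService, and the vssadmin shadow-copy commands) are a natural basis for process-creation detection logic. The Python below is an added example, not part of the original article or of any Group-IB tooling; it runs a small rule set over constructed sample records in a hypothetical "timestamp host | command line" format and tags each hit with the technique ID from the article's ATT&CK mapping.

```python
import re

# Detection rules for the command lines quoted in the article, tagged with the
# technique IDs from the article's ATT&CK mapping; matched case-insensitively.
RULES = [
    ("scheduled task created from an XML file under ProgramData", "T1053",
     r"schtasks(\.exe)?\s+/create\s+/xml\s+\S*programdata"),
    ("RDP enabled or NLA disabled via reg add", "T1076",
     r"reg(\.exe)?\s+add\s+.*terminal server.*/v\s+\"?(fDenyTSConnections|UserAuthentication)\"?.*/d\s+0\b"),
    ("security service stopped with net stop", "T1089",
     r"\bnet(\.exe|1)?\s+stop\s+\"?CSFalconService\b"),
    ("shadow copies deleted or shadow storage shrunk", "T1490",
     r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)"),
]
COMPILED = [(name, tid, re.compile(pat, re.I)) for name, tid, pat in RULES]

# Constructed sample records in a hypothetical "<timestamp> <host> | <command line>"
# format: the article's command lines plus two benign administrative commands.
SAMPLE_LOG = r"""
2020-05-10T09:12:01Z WS-04 | schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
2020-05-10T09:12:02Z WS-04 | schtasks.exe /RUN /tn WinMgr
2020-05-10T09:30:15Z SRV-01 | reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
2020-05-10T09:30:16Z SRV-01 | reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f
2020-05-10T10:01:00Z SRV-01 | net stop CSFalconService
2020-05-10T10:01:05Z SRV-01 | vssadmin.exe delete shadows /all /quiet
2020-05-10T10:01:06Z SRV-01 | vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
2020-05-10T10:15:00Z WS-07 | schtasks.exe /QUERY /tn Backup
2020-05-10T10:16:00Z WS-07 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
"""

def detect(log_text):
    """Return (rule name, technique ID, host, command) for each matching record."""
    hits = []
    for line in log_text.splitlines():
        if " | " not in line:
            continue  # blank or malformed record
        meta, command = line.split(" | ", 1)
        host = meta.split()[-1]
        for name, tid, pattern in COMPILED:
            if pattern.search(command):
                hits.append((name, tid, host, command))
    return hits

def technique_counts(hits):
    """Tally hits per technique ID, useful for prioritising which host to triage."""
    counts = {}
    for _name, tid, _host, _command in hits:
        counts[tid] = counts.get(tid, 0) + 1
    return counts
```

The two benign records show the rules staying quiet on ordinary schtasks and reg usage; in a real deployment the command line would come from Sysmon Event ID 1 or Windows Event ID 4688 with command-line auditing enabled.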

ProLock appends the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and drops the file [HOW TO RECOVER FILES].TXT into every folder. This file contains instructions on how to decrypt the files, including a link to a site where the victim must enter a unique ID to receive payment details.

Each ProLock sample contains information about the ransom amount: in this case 35 bitcoins, roughly $35.
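For incident-response scoping, the encrypted-file extensions and ransom-note name described above can be used to measure how far ProLock spread across a file share. The Python below is an added example (not from the article): it walks a constructed directory tree, counts encrypted files by ProLock extension and by the original file type hidden under it, and lists the folders where the ransom note was dropped.

```python
import os
import tempfile
from collections import Counter

# Artifacts named in the article; matching is case-insensitive because NTFS is.
PROLOCK_EXTENSIONS = {".prolock", ".pr0lock", ".prol0ck"}
RANSOM_NOTE = "[how to recover files].txt"

def scan_tree(root):
    """Walk root and summarise ProLock artifacts: encrypted files per ProLock
    extension, original file types hit (e.g. '.xlsx' from 'x.xlsx.proLock'),
    and directories (relative to root) that contain the ransom note."""
    by_ext, by_type, note_dirs = Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(rel_dir)
                continue
            stem, ext = os.path.splitext(lower)
            if ext in PROLOCK_EXTENSIONS:
                by_ext[ext] += 1
                by_type[os.path.splitext(stem)[1] or "(none)"] += 1
    return {"by_ext": dict(by_ext), "by_type": dict(by_type),
            "note_dirs": sorted(note_dirs)}

def build_sample_tree():
    """Create a constructed tree imitating a partially encrypted file share."""
    root = tempfile.mkdtemp(prefix="prolock_scan_")
    layout = {
        "finance": ["report.xlsx.proLock", "budget.xlsx.proLock",
                    "memo.docx.pr0Lock", "[HOW TO RECOVER FILES].TXT"],
        os.path.join("finance", "archive"): ["2019.zip.proL0ck",
                                             "[HOW TO RECOVER FILES].TXT"],
        "hr": ["policy.pdf"],  # untouched directory: no note, no encrypted files
    }
    for rel, names in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory, exist_ok=True)
        for name in names:
            open(os.path.join(directory, name), "w").close()
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```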

Conclusion

Most ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. The number of cybercriminal groups using ransomware in their campaigns is currently growing. In some cases the same operators may take part in attacks with different ransomware families, so we will increasingly see overlap in the tactics, techniques and procedures used.

Mapping to the MITRE ATT&CK matrix

Tactic: Initial Access (TA0001)
Techniques: External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Tactic: Execution (TA0002)
Techniques: PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Tactic: Persistence (TA0003)
Techniques: Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Tactic: Defense Evasion (TA0005)
Techniques: Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Tactic: Credential Access (TA0006)
Techniques: Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Tactic: Discovery (TA0007)
Techniques: Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Tactic: Lateral Movement (TA0008)
Techniques: Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Tactic: Collection (TA0009)
Techniques: Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Tactic: Command and Control (TA0011)
Techniques: Commonly Used Port (T1043), Web Service (T1102)

Tactic: Exfiltration (TA0010)
Techniques: Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Tactic: Impact (TA0040)
Techniques: Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.habr.com
