A new ransomware called Nemty has appeared in the wild; it is believed to be the successor of GrandCrab or Buran. The malware is distributed mainly from a fake PayPal website and has several interesting features. Details of how this ransomware works are under the cut.
New Nemty ransomware discovered by a user
Several interesting features of Nemty suggest that it was developed by the same people, or by cybercriminals connected to the Buran and GrandCrab operators.
- Like GandCrab, Nemty has an Easter egg: a link to a picture of Russian President Vladimir Putin with an obscene joke. The legacy GandCrab ransomware had an image with the same wording.
- The language artifacts in both programs point to the same Russian-speaking authors.
- This is the first ransomware to use an 8092-bit RSA key, although there is no point in it: a 1024-bit key is quite sufficient to protect against cracking.
- Like Buran, the ransomware is written in Object Pascal and compiled in Borland Delphi.
Static analysis
Execution of the malicious code takes place in four stages. The first stage is launching cashback.exe, a PE32 executable for MS Windows with a size of 1198936 bytes. Its code is written in Visual C++ and was compiled on October 14, 2013. It contains an archive that is extracted automatically when cashback.exe is run. The program uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract files from the .cab archive.
SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC
After the archive is unpacked, three files appear.
Next, temp.exe is launched, a PE32 executable for MS Windows with a size of 307200 bytes. Its code is written in Visual C++ and packed with the MPRESS packer, which is similar to UPX.
SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD
The next stage is ironman.exe. Once started, temp.exe decrypts the data embedded in temp and renames it to ironman.exe, a 32-bit PE executable with a size of 544768 bytes. Its code is compiled in Borland Delphi.
SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88
The final stage is relaunching the ironman.exe file. At run time it transforms its own code and runs itself from memory. This version of ironman.exe is malicious and performs the encryption.
Attack vector
Currently the Nemty ransomware is distributed through the website pp-back.info.
The full infection chain can be viewed at
Installation
Cashback.exe is the start of the attack. As mentioned above, cashback.exe unpacks the .cab file it contains. It then creates a folder TMP4351$.TMP of the form %TEMP%\IXxxx.TMP, where xxx is a number from 001 to 999.
Next, a registry key is set that looks like this:
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP""
It is used to delete the unpacked files. Finally, cashback.exe starts the temp.exe process.
Temp.exe is the second stage of the infection chain
This is the process started by the cashback.exe file, the second stage of the infection. It tries to download AutoHotKey, a tool for running scripts on Windows, and runs the WindowSpy.ahk script located in the resource section of the PE file.
The WindowSpy.ahk script decrypts the temp file into ironman.exe using the RC4 algorithm and the password IwantAcake. The RC4 key is derived from the password with the MD5 hashing algorithm.
temp.exe then launches the ironman.exe process.
Ironman.exe - the third stage
Ironman.exe reads the contents of the iron.bmp file and creates the iron.txt file, which contains the cryptolocker that will be launched next.
After that, the malware loads iron.txt into memory and relaunches it as ironman.exe. Then iron.txt is deleted.
ironman.exe is the main component of the NEMTY ransomware, the one that encrypts files on the victim's computer. The malware creates a mutex named hate.
The first thing it does is determine the computer's location. Nemty opens a browser and obtains the IP at
- Russia
- Belarus
- Ukraine
- Kazakhstan
- Tajikistan
Presumably the developers do not want to attract the attention of law enforcement in the countries where they live, so they do not encrypt files in their "home" jurisdictions.
If the victim's IP address is not from the list above, the malware encrypts the user's data.
To prevent file recovery, their shadow copies are deleted:
It then creates a list of files and folders that will not be encrypted, as well as a list of file extensions.
- windows
- $RECYCLE.BIN
- rsa
- NTDETECT.COM
- etc
- MSDOS.SYS
- IO.SYS
- boot.ini
- AUTOEXEC.BAT
- ntuser.dat
- desktop.ini
- CONFIG.SYS
- BOOTSECT.BAK
- bootmgr
- programdata
- app data
- osoft
- Common Files
log LOG CAB cab CMD cmd COM com cpl
CPL exe EXE ini INI dll DDL lnk LNK url
URL ttf TTF DECRYPT.txt NEMTY
Obfuscation
To hide the URLs and the embedded configuration data, Nemty uses base64 and the RC4 encoding algorithm with the keyword fuckav.
The decryption procedure using CryptStringToBinary is as follows
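As an added example for analysts (this is not code from the original article or from the Nemty authors), the following Python reverses the two RC4-based layers described on this page: the base64 + RC4 layer with the keyword fuckav used for URLs and configuration strings, and the second-stage layer in which the RC4 key is the MD5 digest of the password IwantAcake. The RC4 routine and the helper names are written here for this illustration; the sample ciphertexts are constructed with the encoder in the block, not taken from a real sample.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). RC4 is symmetric, so the same
    call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_config_string(blob: str, keyword: bytes = b"fuckav") -> bytes:
    """Reverse the URL/config layer: base64 decode, then RC4 with the keyword."""
    return rc4(keyword, base64.b64decode(blob))


def encode_config_string(plain: bytes, keyword: bytes = b"fuckav") -> str:
    """Inverse of decode_config_string; used here only to build constructed samples."""
    return base64.b64encode(rc4(keyword, plain)).decode("ascii")


def rc4_key_from_password(password: str) -> bytes:
    """Second-stage key derivation: the RC4 key is the 16-byte MD5 digest of the password."""
    return hashlib.md5(password.encode("utf-8")).digest()


def decrypt_stage_payload(payload: bytes, password: str = "IwantAcake") -> bytes:
    """Decrypt a second-stage blob the way the WindowSpy.ahk step is described."""
    return rc4(rc4_key_from_password(password), payload)


if __name__ == "__main__":
    # Constructed sample: an obfuscated string built with the encoder above.
    sample = encode_config_string(b"http://127.0.0.1:9050/public/gate?data=")
    print("obfuscated:", sample)
    print("recovered: ", decode_config_string(sample))
    # Constructed second-stage blob: a fake PE header round-tripped through RC4/MD5.
    blob = rc4(rc4_key_from_password("IwantAcake"), b"MZ\x90\x00")
    print("stage-2:   ", decrypt_stage_payload(blob))
```

The RC4 routine can be checked against the standard published test vector (key "Key", plaintext "Plaintext" gives ciphertext BBF316E8D940AF0AD3) before trusting it on real strings extracted from a sample.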
Encryption
Nemty uses three-layer encryption:
- AES-128-CBC for the files. The 128-bit AES key is generated randomly and is the same for all files. It is stored in the configuration file on the user's computer. The IV is generated randomly for each file and stored in the encrypted file.
- RSA-2048 for encrypting the file IV. A session key pair is generated. The private key of the session pair is stored in the configuration file on the user's computer.
- RSA-8192. The master public key is built into the program and is used to encrypt the configuration file, which holds the AES key and the private key of the RSA-2048 session pair.
- Nemty first generates 32 bytes of random data. The first 16 bytes are used as the AES-128-CBC key.
The second encryption algorithm is RSA-2048. The key pair is generated with the CryptGenKey() function and imported with the CryptImportKey() function.
Once the session key pair has been generated, the public key is imported into the MS Cryptographic Service Provider.
Example of a generated session public key:
Next, the private key is imported into the CSP.
Example of a generated session private key:
And last comes RSA-8192. The master public key is stored in encrypted form (Base64 + RC4) in the .data section of the PE file.
After base64 decoding and RC4 decryption with the fuckav password, the RSA-8192 key looks like this.
As a result, the whole encryption process looks like this:
- Generate a 128-bit AES key that will be used to encrypt all files.
- Generate an IV for each file.
- Generate a session RSA-2048 key pair.
- Decrypt the embedded RSA-8192 key using base64 and RC4.
- Encrypt the contents of each file with the AES-128-CBC algorithm using the key from the first step.
- Encrypt the IV with the RSA-2048 public key and encode it in base64.
- Append the encrypted IV to the end of each encrypted file.
- Add the AES key and the RSA-2048 session private key to the config.
- The configuration data, described in the section "Collecting information about the infected computer", is encrypted with the RSA-8192 master public key.
The encrypted file looks like this:
Example of encrypted files:
Collecting information about the infected computer
The ransomware collects the keys needed to decrypt the infected files, so the attacker can in fact build a decryptor. In addition, Nemty collects user data such as the username, computer name and hardware profile.
It calls the GetLogicalDrives(), GetFreeSpace() and GetDriveType() functions to gather information about the drives of the infected computer.
The collected information is stored in the configuration file. After decoding the string we get a list of the parameters in the configuration file:
Example configuration of an infected computer:
The configuration template can be represented as follows:
{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS": "[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[UserID]", "key":"[key]", "pr_key":"[pr_key]
Nemty stores the collected data in JSON format in the file %USER%/_NEMTY_.nemty. The FileID is seven characters long and generated randomly, for example _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the end of each encrypted file.
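The naming scheme above (config file, ransom note, and the _NEMTY_[FileID]_ marker appended to encrypted files) and the configuration template are enough to write a small triage helper. The following Python is an added example, not code from the article or from the Nemty authors: it classifies file names from a directory listing by FileID and checks a decoded configuration against the template's field list. The alphanumeric character class for the FileID, the sample listing and the sample configuration are constructed assumptions for this illustration.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Patterns derived from the naming described in the article. The FileID is seven
# random characters; restricting it to alphanumerics is an assumption.
FILEID = r"([A-Za-z0-9]{7})"
CONFIG_RE = re.compile(rf"^_NEMTY_{FILEID}_\.nemty$")
NOTE_RE = re.compile(rf"^_NEMTY_{FILEID}-DECRYPT\.txt$")
ENCRYPTED_RE = re.compile(rf"_NEMTY_{FILEID}_$")

# Field names from the configuration template quoted in the article.
EXPECTED_KEYS = {"IP", "Country", "ComputerName", "Username", "OS", "isRU",
                 "version", "CompID", "FileID", "UserID", "key", "pr_key"}


def classify_name(name: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (artifact kind, FileID), or (None, None) if the name is not a Nemty artifact."""
    for kind, pattern in (("config", CONFIG_RE), ("note", NOTE_RE), ("encrypted", ENCRYPTED_RE)):
        m = pattern.search(name)
        if m:
            return kind, m.group(1)
    return None, None


def triage_listing(names: List[str]) -> Dict[str, object]:
    """Summarise a directory listing: artifacts per kind and the FileIDs seen."""
    summary: Dict[str, object] = {"config": [], "note": [], "encrypted": [], "fileids": set()}
    for name in names:
        kind, fileid = classify_name(name)
        if kind:
            summary[kind].append(name)
            summary["fileids"].add(fileid)
    summary["fileids"] = sorted(summary["fileids"])
    return summary


def parse_config(decoded_json: str) -> Dict[str, object]:
    """Check a decoded config against the template and extract the fields an analyst needs.

    Assumes the JSON has already been recovered: the on-disk copy is encrypted with the
    RSA-8192 master key. Key material (key, pr_key) is reported by presence only."""
    general = json.loads(decoded_json)["General"]
    return {
        "missing_fields": sorted(EXPECTED_KEYS - general.keys()),
        "fileid": general.get("FileID"),
        "country": general.get("Country"),
        "isRU": general.get("isRU"),
        "version": general.get("version"),
        "has_aes_key": bool(general.get("key")),
        "has_rsa_private_key": bool(general.get("pr_key")),
    }


# Constructed sample data for the demonstration (not from a real infection).
SAMPLE_LISTING = [
    "_NEMTY_tgdLYrd_.nemty",
    "_NEMTY_tgdLYrd-DECRYPT.txt",
    "report.docx_NEMTY_tgdLYrd_",
    "photo.jpg_NEMTY_tgdLYrd_",
    "notes.txt",
    "desktop.ini",
]

SAMPLE_CONFIG = json.dumps({"General": {
    "IP": "203.0.113.7", "Country": "XX", "ComputerName": "WS-01", "Username": "user",
    "OS": "Windows 7", "isRU": False, "version": "1.4", "CompID": "{00000000-0000}",
    "FileID": "_NEMTY_tgdLYrd_", "UserID": "u1", "key": "<aes-key-placeholder>",
    "pr_key": "<rsa-private-key-placeholder>"}})

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
    print(parse_config(SAMPLE_CONFIG))
```

Grouping artifacts by FileID matters during response: the article states that the same AES key and session RSA key are used for all files of one infection, so one config file with a given FileID is the item to preserve for every encrypted file carrying that marker.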
Ransom note
After the files are encrypted, a file _NEMTY_[FileID]-DECRYPT.txt with the following content appears on the desktop:
At the end of the file there is encrypted information about the infected computer.
Network communication
The ironman.exe process downloads the Tor browser distribution from the address
Nemty then tries to send the configuration data to 127.0.0.1:9050, where it expects to find a working Tor browser proxy. However, by default the Tor browser proxy listens on port 9150, while port 9050 is used by the Tor daemon on Linux or by the Expert Bundle on Windows. As a result, no data is sent to the attacker's server. Instead, the user can upload the configuration file manually by visiting the Tor decryption service via the link given in the ransom note.
Connecting to the Tor proxy:
An HTTP GET request is generated to 127.0.0.1:9050/public/gate?data=
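The misdirected beacon described above (a GET to loopback port 9050 with the path /public/gate and a data= parameter) is a usable host-based indicator. The following Python is an added detection example, not code from the article or from any product: it parses a constructed line format of the form "timestamp process dst_ip:dst_port method path" and flags beacon attempts while ignoring normal Tor browser traffic on port 9150. The log format, process names and sample lines are constructed for this illustration.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators from the article: beacon to loopback port 9050, path /public/gate, data= query.
GATE_PATH = "/public/gate"
NEMTY_PORT = 9050
TOR_BROWSER_PORT = 9150  # where the Tor browser proxy actually listens by default

# Constructed line format for this example (not a real product's log format):
# "<timestamp> <process> <dst_ip>:<dst_port> <method> <path>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+) (\S+)$")


def parse_line(line: str) -> Dict[str, object]:
    """Parse one log line into an event dict; unparseable lines yield an empty dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    ts, proc, ip, port, method, path = m.groups()
    return {"ts": ts, "proc": proc, "ip": ip, "port": int(port), "method": method, "path": path}


def is_nemty_beacon(event: Dict[str, object]) -> bool:
    """True for an HTTP GET to 127.x.x.x:9050 whose path is /public/gate."""
    if not event or event["method"] != "GET" or event["port"] != NEMTY_PORT:
        return False
    if not str(event["ip"]).startswith("127."):
        return False
    return urlsplit(str(event["path"])).path == GATE_PATH


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return the events that match the beacon, noting whether a data= payload was present."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if is_nemty_beacon(ev):
            ev["has_payload"] = "data=" in urlsplit(str(ev["path"])).query
            hits.append(ev)
    return hits


# Constructed sample log: one beacon with a payload, a normal Tor browser SOCKS connect on 9150,
# an unrelated local request, and a beacon probe without the data= parameter.
SAMPLE_LOG = [
    "2019-08-27T10:00:01Z ironman.exe 127.0.0.1:9050 GET /public/gate?data=eyJHZW5lcmFsIjp7fX0=",
    "2019-08-27T10:00:02Z firefox.exe 127.0.0.1:9150 CONNECT example.onion:443",
    "2019-08-27T10:00:03Z python.exe 127.0.0.1:8000 GET /index.html",
    "2019-08-27T10:00:04Z ironman.exe 127.0.0.1:9050 GET /public/gate",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["proc"], "beacon to", f"{hit['ip']}:{hit['port']}",
              "payload" if hit["has_payload"] else "no payload")
```

Because the request never leaves the host when nothing listens on 9050, the evidence is a failed or refused loopback connection rather than outbound traffic, so the rule is best applied to endpoint telemetry (process-level connection events) rather than to perimeter logs.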
Here you can see the open TCP ports used by the local Tor proxy:
Nemty decryption service on the Tor network:
You can upload an encrypted image (jpg, png, bmp) to test the decryption service.
After that, the attacker demands payment of the ransom. If it is not paid, the price doubles.
Conclusion
Currently it is not possible to decrypt files encrypted by Nemty without paying the ransom. This version of the ransomware shares features with the Buran ransomware and the older GandCrab: it is compiled in Borland Delphi and uses images with the same text. In addition, it is the first encryptor to use an 8092-bit RSA key, which, again, makes no sense, since a 1024-bit key is sufficient for protection. Finally, and curiously, it tries to use the wrong port for the local Tor proxy service.
However, the solutions
Source: www.habr.com