Unlocking ProLock: an analysis of the actions of new ransomware operators using the MITRE ATT&CK matrix

The success of ransomware attacks on organisations around the world is drawing more and more new attackers into the game. One of these new players is a group using the ProLock ransomware. It appeared in March 2020 as the successor to the PwndLocker program, which began operating at the end of 2019. ProLock ransomware attacks are aimed mainly at financial and healthcare organisations, government agencies and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post Oleg Skulkin, lead specialist at Group-IB's Computer Forensics Laboratory, covers the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article concludes with a mapping to the MITRE ATT&CK Matrix, a public knowledge base that collects the attack tactics used by various cybercriminal groups.

Gaining initial access

ProLock operators use two main vectors of initial compromise: the QakBot (Qbot) Trojan and unprotected RDP servers with weak passwords.

Compromise via an externally reachable RDP server is extremely popular among ransomware operators. Typically, the attackers buy access to an already compromised server from third parties, but it can also be obtained by members of the group themselves.

The more interesting vector of initial compromise is the QakBot malware. Previously, this Trojan was associated with another ransomware family, MegaCortex. However, it is now also used by ProLock operators.

Typically, QakBot is distributed through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to a file hosted in cloud storage such as Microsoft OneDrive.

There are also known cases of QakBot being loaded by another Trojan, Emotet, which is well known for its participation in campaigns distributing the Ryuk ransomware.

Execution

After downloading and opening the infected document, the user is prompted to allow macros to run. If this succeeds, PowerShell is launched, which downloads and runs the QakBot payload from the command and control server.

It is important to note that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases, a scheduled task is used to launch PowerShell.

Batch script that runs ProLock through the Task Scheduler:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence

If an RDP server was compromised and access obtained, valid accounts are then used to maintain a foothold in the network. QakBot is notable for a variety of persistence mechanisms. Most often, this Trojan uses the Run registry key and creates scheduled tasks:

[Figure: QakBot persisting on the system via the Run registry key]

In some cases, startup folders are also used: a shortcut pointing to the loader is placed there.
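The batch script and the persistence notes above give three concrete, loggable behaviours: a scheduled task registered from an XML file staged in ProgramData, that XML deleted seconds later, and a Run key written with reg add. The following detector, an added example that is not code from the article or from Group-IB, replays constructed process-creation and file-delete records (modelled on Sysmon events, not real telemetry) and emits one finding per behaviour; host names, timestamps and the task import on ws03 are all constructed.

```python
"""
Detection sketch for the persistence behaviour described above: the ProLock
launcher that registers a scheduled task from an XML file staged in
ProgramData and then deletes that XML, and QakBot's Run-key persistence.
Added example, not code from the article or from Group-IB; all log records
below are constructed to resemble Sysmon process-creation and file-delete
events, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: int        # seconds on a constructed timeline
    host: str
    kind: str      # "process" (detail = command line) or "file_delete" (detail = path)
    detail: str


# Patterns derived from the batch script and persistence notes in the article.
SCHTASKS_CREATE_XML = re.compile(
    r'schtasks(?:\.exe)?\s+/create\s+/xml\s+"?(?P<xml>[^\s"]+)"?\s+/tn\s+"?(?P<task>[^\s"]+)',
    re.I)
RUN_KEY = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?HK(?:LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    re.I)
# Task definitions staged where any user can write are the suspicious part;
# an admin importing a task from a system path is not flagged.
USER_WRITABLE = re.compile(r'^C:\\(?:ProgramData|Users\\[^\\]+\\AppData)\\', re.I)

Finding = Tuple[str, str, str]   # (host, ATT&CK technique id, description)


def detect_persistence(events: List[Event], window: int = 300) -> List[Finding]:
    """Replay events in time order and emit findings for T1053, T1060 and T1107."""
    findings: List[Finding] = []
    staged: Dict[Tuple[str, str], Tuple[int, str]] = {}   # (host, xml path) -> (ts, task name)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            m = SCHTASKS_CREATE_XML.search(ev.detail)
            if m and USER_WRITABLE.match(m.group("xml")):
                findings.append((ev.host, "T1053",
                                 f"task '{m.group('task')}' registered from user-writable XML {m.group('xml')}"))
                staged[(ev.host, m.group("xml").lower())] = (ev.ts, m.group("task"))
            elif RUN_KEY.search(ev.detail):
                findings.append((ev.host, "T1060", "Run key value added with reg add"))
        elif ev.kind == "file_delete":
            key = (ev.host, ev.detail.lower())
            if key in staged and ev.ts - staged[key][0] <= window:
                ts0, task = staged.pop(key)
                findings.append((ev.host, "T1107",
                                 f"task XML {ev.detail} deleted {ev.ts - ts0}s after registering '{task}'"))
    return findings


# Constructed sample timeline: ws01 mirrors the batch script from the article,
# ws02 a Run-key write, ws03 a task import from a system path that is not flagged.
SAMPLE_EVENTS = [
    Event(10, "ws01", "process", r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr"),
    Event(11, "ws01", "process", r"schtasks.exe /RUN /tn WinMgr"),
    Event(12, "ws01", "file_delete", r"C:\Programdata\WinMgr.xml"),
    Event(13, "ws01", "file_delete", r"C:\Programdata\run.bat"),
    Event(40, "ws02", "process",
          r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ '
          r'/d "C:\Users\alice\AppData\Roaming\upd.exe" /f'),
    Event(50, "ws03", "process", r"schtasks.exe /CREATE /XML C:\Windows\Tasks\backup.xml /tn Backup"),
]

if __name__ == "__main__":
    for host, technique, text in detect_persistence(SAMPLE_EVENTS):
        print(f"{host}  {technique}  {text}")
```

The stateful part matters: a task import alone is common administrative activity, but a task imported from a user-writable path whose definition file vanishes within minutes is the anti-forensic pattern the script above shows, so the XML path is remembered per host and matched against later file-delete events.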

Defense evasion

While communicating with the command and control server, QakBot periodically tries to update itself, so to avoid detection the malware can replace its current version with a new one. Executable files are signed with a compromised or forged signature. The initial payload downloaded by PowerShell is stored on the C&C server with a PNG extension. In addition, after execution it is replaced with the legitimate file calc.exe.

Also, to hide malicious activity, QakBot uses the technique of injecting code into processes, using explorer.exe.

As already mentioned, the ProLock payload is hidden inside a BMP or JPG file. This can also be considered a method of defense evasion.

Credential access

QakBot has keylogger functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, the PowerShell version of the well-known Mimikatz tool. Such scripts can be used by the attackers to dump credentials.

Discovery

After gaining access to privileged accounts, ProLock operators perform network reconnaissance, which may include port scanning and analysis of the Active Directory environment. In addition to various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular methods of lateral movement is the Remote Desktop Protocol. ProLock was no exception. The attackers even have scripts in their arsenal for obtaining remote access to target hosts via RDP.

BAT script for obtaining access via the RDP protocol:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f
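The three lines of that script each weaken one control: the first turns RDP on, the second opens the firewall rule group, and the third sets UserAuthentication to 0, which disables Network Level Authentication so that unauthenticated clients reach the logon screen. The audit below, an added example that is not code from the article or from the ProLock toolkit, replays reg add and netsh lines against a dictionary standing in for the registry and firewall state and reports the resulting exposure; the hardened baseline values and the firewall pseudo-entry are assumptions made for the example.

```python
"""
Audit of the Terminal Server settings that the RDP-enabling batch script above
changes. Added example, not code from the article or from the ProLock toolkit.
It replays reg add / netsh lines against a dictionary that stands in for the
registry and firewall state, then reports the exposure the resulting state
creates; the hardened baseline values are an assumption for the example.
"""
import re
from typing import Dict, List, Tuple

RegState = Dict[Tuple[str, str], object]   # (key, value name) lower-cased -> data

REG_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"(?P<key>[^"]+)"\s+/v\s+"?(?P<name>[^\s"]+)"?\s+'
    r'/t\s+(?P<type>\S+)\s+/d\s+(?P<data>\S+)', re.I)
NETSH_RDP = re.compile(
    r'netsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="Remote Desktop"\s+new\s+enable=(?P<v>yes|no)',
    re.I)

TS_KEY = r"HKLM\System\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"
FW_RDP = ("firewall", "Remote Desktop")     # pseudo-entry standing in for the firewall rule group


def norm(key: str, name: str) -> Tuple[str, str]:
    """Registry paths and value names are case-insensitive, so compare them lower-cased."""
    return (key.lower(), name.lower())


# Hardened baseline (assumption): RDP disabled, NLA required, rule group off.
BASELINE: RegState = {
    norm(TS_KEY, "fDenyTSConnections"): 1,
    norm(RDP_TCP_KEY, "UserAuthentication"): 1,
    FW_RDP: 0,
}


def apply_script(lines: List[str], state: RegState) -> RegState:
    """Return a copy of state with each reg add / netsh line applied; other lines are ignored."""
    state = dict(state)
    for line in lines:
        m = REG_ADD.search(line)
        if m:
            data: object = m.group("data")
            if m.group("type").upper() == "REG_DWORD":
                data = int(m.group("data"), 0)     # accepts decimal or 0x-prefixed values
            state[norm(m.group("key"), m.group("name"))] = data
            continue
        m = NETSH_RDP.search(line)
        if m:
            state[FW_RDP] = 1 if m.group("v").lower() == "yes" else 0
    return state


def assess_rdp(state: RegState) -> List[str]:
    """Describe the RDP exposure implied by a state dict; an empty list means nothing to report."""
    findings = []
    if state.get(norm(TS_KEY, "fDenyTSConnections")) == 0:
        findings.append("RDP connections enabled (fDenyTSConnections=0)")
    if state.get(norm(RDP_TCP_KEY, "UserAuthentication")) == 0:
        findings.append("Network Level Authentication disabled (UserAuthentication=0): "
                        "unauthenticated clients reach the logon screen, widening the brute-force surface")
    if state.get(FW_RDP) == 1:
        findings.append("firewall rule group 'Remote Desktop' enabled")
    return findings


# The three lines of the attackers' script as printed in the article.
ATTACKER_SCRIPT = [
    r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f',
    r'netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes',
    r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f',
]

if __name__ == "__main__":
    for finding in assess_rdp(apply_script(ATTACKER_SCRIPT, BASELINE)):
        print(" -", finding)
```

The same assess_rdp check can be pointed at values read from live hosts (for example, a configuration baseline export) to find machines that already sit in the post-script state, and the three registry and firewall changes are also what a registry-change alert for the Terminal Server keys should watch for.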

To run scripts remotely, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

ProLock is launched on hosts using WMIC, a command-line interface for working with the Windows Management Instrumentation subsystem. This tool is also becoming increasingly popular among ransomware operators.

Collection

Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase its chances of receiving the ransom. Before exfiltration, the collected data is archived using the 7Zip utility.

Exfiltration

To exfiltrate data, ProLock operators use Rclone, a command-line tool designed to synchronise files with various cloud storage services such as OneDrive, Google Drive, Mega and others. The attackers always rename the executable to make it look like a legitimate system file.

Unlike their peers, ProLock operators still do not have their own website for publishing the stolen data of companies that refuse to pay the ransom.

Achieving the final goal

Once the data has been exfiltrated, the group deploys ProLock throughout the corporate network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory:

First of all, ProLock terminates the processes specified in its built-in list (interestingly, it uses only the first six characters of the process name, such as "winwor"), and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.
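The six-character detail is worth modelling, because it changes what a defender should expect to see: any process whose name starts with the same six characters as a list entry is stopped, not just the intended one. The snippet below is an added example, not code from the article or from the malware; only the "winwor" prefix comes from the article, and the other prefixes and the running-process list are constructed for the demonstration.

```python
"""
Models the process-termination rule noted above: ProLock matches a running
process against its built-in list by the first six characters of the name only
("winwor" for winword.exe). Added example, not code from the article or from the
malware; the list below contains the one prefix the article gives plus
constructed entries, and the process names are constructed too.
"""
from typing import Iterable, List

PREFIX_LEN = 6                                    # per the article: six characters compared

# "winwor" comes from the article; "sqlser" and "outloo" are constructed for the demo.
KILL_PREFIXES = ["winwor", "sqlser", "outloo"]


def kill_prefix(process_name: str) -> str:
    """The comparison key: case-folded first six characters, extension and all."""
    return process_name.lower()[:PREFIX_LEN]


def would_be_terminated(process_name: str, prefixes: Iterable[str] = KILL_PREFIXES) -> bool:
    """True when the process name shares its first six characters with a list entry."""
    keys = {kill_prefix(p) for p in prefixes}
    return kill_prefix(process_name) in keys


def predict_terminations(running: Iterable[str], prefixes: Iterable[str] = KILL_PREFIXES) -> List[str]:
    """Which of the running processes the rule would stop.

    Useful for baselining a termination-burst detection (a host that suddenly
    loses every process in this set within seconds) and for seeing the
    collateral a prefix match causes: winworker.exe below is a constructed name
    that is stopped purely because it shares its first six characters.
    """
    return [name for name in running if would_be_terminated(name, prefixes)]


# Constructed process list; winworker.exe is a made-up name that illustrates collateral matching.
RUNNING = ["winword.exe", "winworker.exe", "explorer.exe", "sqlservr.exe", "word.exe", "OUTLOOK.EXE"]

if __name__ == "__main__":
    print(predict_terminations(RUNNING))
```

Note that a name shorter than six characters before its extension (word.exe becomes "word.e") never matches a six-letter application prefix, and that the match is case-insensitive, so OUTLOOK.EXE is treated the same as outlook.exe.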

Then, like many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and limit their storage size so that new copies are not created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
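The three vssadmin commands work as a sequence: the first deletes existing shadow copies outright, the second shrinks the shadow storage cap so far that anything left is evicted, and the third lifts the cap again so the volume looks normally configured afterwards. The classifier below is an added example, not code from the article; it parses vssadmin command lines as they would appear in process-creation telemetry and folds a host's commands into one verdict. The 1 GB shrink threshold and the benign maintenance sequence are assumptions made for the example.

```python
"""
Classifier for the shadow-copy tampering shown above. Added example, not code
from the article; it parses vssadmin command lines (as they would appear in
process-creation telemetry) and reports whether, taken together, they destroy
existing restore points. The 1 GB shrink threshold is an assumption.
"""
import re
from typing import Dict, List, Optional

VSS_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
VSS_RESIZE = re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=(?P<size>\S+)", re.I)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
SHRINK_THRESHOLD = 1024 ** 3   # assumption: a cap under 1 GB is a deliberate shrink


def parse_maxsize(token: str) -> Optional[int]:
    """'401MB' -> bytes; 'UNBOUNDED' and percentage forms -> None (not compared)."""
    t = token.strip().upper()
    if t == "UNBOUNDED" or t.endswith("%"):
        return None
    m = re.fullmatch(r"(\d+)([KMGT]?B)", t)
    if not m:
        raise ValueError(f"unrecognised /maxsize value: {token}")
    return int(m.group(1)) * UNITS[m.group(2)]


def analyse_vss(cmdlines: List[str]) -> Dict[str, object]:
    """Fold a host's vssadmin command lines into one verdict.

    Deleting shadows is a finding on its own. Shrinking the storage cap below the
    threshold also evicts existing copies, and the following resize to unbounded
    (seen in the article's sequence) only restores room for future ones, so the
    shrink is recorded and the unbounded step is noted rather than excused.
    """
    result: Dict[str, object] = {"deleted": False, "shrunk_to": None, "unbounded_after": False}
    for cmd in cmdlines:
        if VSS_DELETE.search(cmd):
            result["deleted"] = True
            continue
        m = VSS_RESIZE.search(cmd)
        if not m:
            continue
        size = parse_maxsize(m.group("size"))
        if size is None:
            if m.group("size").upper() == "UNBOUNDED" and result["shrunk_to"] is not None:
                result["unbounded_after"] = True
        elif size < SHRINK_THRESHOLD:
            result["shrunk_to"] = size
    suspicious = result["deleted"] or result["shrunk_to"] is not None
    result["verdict"] = "T1490 Inhibit System Recovery" if suspicious else "no finding"
    return result


# The three commands from the article, and a constructed benign maintenance pair.
PROLOCK_SEQUENCE = [
    "vssadmin.exe delete shadows /all /quiet",
    "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded",
]
BENIGN_SEQUENCE = [
    "vssadmin.exe list shadows",
    "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=20%",
]

if __name__ == "__main__":
    print(analyse_vss(PROLOCK_SEQUENCE))
    print(analyse_vss(BENIGN_SEQUENCE))
```

The reason to keep the unbounded step as a separate flag rather than ignoring it is triage: on its own a resize to unbounded is routine, but arriving right after a shrink it marks the end of the destructive sequence and tells the responder that restore points created before that moment are gone.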

ProLock adds the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and places a file named [HOW TO RECOVER FILES].TXT in every folder. This file contains instructions on how to decrypt the files, including a link to a site where the victim must enter a unique ID and receive payment information:

Each ProLock sample contains information about the ransom amount; in this case, 35 bitcoins, which is around $312,000.

Conclusion

Many ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. At present, a growing number of cybercriminal groups are using ransomware in their campaigns. In some cases, the same operators may be involved in attacks using different ransomware families, so we will keep seeing overlaps in the tactics, techniques and procedures used.

MITRE ATT&CK mapping

Tactic: Techniques

Initial Access (TA0001): External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Execution (TA0002): PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence (TA0003): Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Defense Evasion (TA0005): Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disable Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Credential Access (TA0006): Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Discovery (TA0007): Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Lateral Movement (TA0008): Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Collection (TA0009): Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Command and Control (TA0011): Commonly Used Port (T1043), Web Service (T1102)

Exfiltration (TA0010): Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Impact (TA0040): Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.habr.com
