Unlocking ProLock: analysis of the new ransomware operators' actions using the MITRE ATT&CK matrix

The success of ransomware attacks on organizations around the world keeps drawing new attackers into the game. One of these new players is a group that operates the ProLock ransomware. It appeared in March 2020 as the successor of PwndLocker, which had been active since the end of 2019. ProLock attacks mainly target financial and healthcare organizations, government agencies and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post Oleg Skulkin, lead specialist at the Group-IB Computer Forensics Laboratory, covers the main tactics, techniques and procedures (TTPs) used by ProLock operators. The article concludes with a mapping to the MITRE ATT&CK matrix, a public knowledge base of the targeted-attack techniques used by various cybercriminal groups.

Initial access

ProLock operators use two main initial compromise vectors: the QakBot (Qbot) Trojan and unprotected RDP servers with weak passwords.

Compromise through an externally accessible RDP server is extremely popular among ransomware operators. Usually the attackers buy access to an already compromised server from third parties, but it can also be obtained by members of the group themselves.

The more interesting initial compromise vector is the QakBot malware. Previously this Trojan was associated with another ransomware family, MegaCortex. Now, however, it is used by the ProLock operators.

QakBot is usually distributed through phishing campaigns. A phishing email may contain an attached Microsoft Office document or a link to a file hosted on a cloud storage service such as Microsoft OneDrive.

There are also known cases of QakBot being loaded by another Trojan, Emotet, which is widely known for its part in campaigns distributing the Ryuk ransomware.

Execution

After the infected document is downloaded and opened, the user is prompted to enable macros. If that succeeds, PowerShell is launched to download and run the QakBot payload from the command and control server.

It is worth noting that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases a scheduled task is used to start PowerShell.

Batch script that runs ProLock through the task scheduler:

schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence

If an RDP server could be compromised and access obtained, valid accounts are then used to access the network. QakBot is notable for its variety of persistence mechanisms. Most often this Trojan uses the Run registry key and creates tasks in the task scheduler:

Figure: pinning QakBot to the system using the Run registry key

In some cases the startup folder is also used: a shortcut pointing to the loader is placed there.

Defense evasion

While communicating with its command and control server, QakBot periodically tries to update itself; to avoid detection, the malware can replace its current version with a new one. The executables are signed with a compromised or forged signature. The initial payload loaded by PowerShell is stored on the C&C server with a PNG extension. In addition, after execution it is replaced with the legitimate calc.exe file.

Also, to hide its malicious activity, QakBot uses process injection, injecting code into explorer.exe.

As already mentioned, the ProLock payload is hidden inside a BMP or JPG file. This can also be considered a defense evasion technique.

Credential access

QakBot has keylogger functionality. In addition, it can download and run extra scripts, for example Invoke-Mimikatz, the PowerShell version of the well-known Mimikatz utility. Attackers can use such scripts to dump credentials.

Network reconnaissance

After gaining access to privileged accounts, ProLock operators carry out network reconnaissance, which may include port scanning and analysis of the Active Directory environment. Besides various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular lateral movement methods is the Remote Desktop Protocol, and ProLock is no exception. The attackers even have scripts in their arsenal for obtaining remote access to target hosts over RDP.

BAT script used to obtain access over RDP:

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

To execute scripts remotely, ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

ProLock is launched on hosts using WMIC, the command-line interface to the Windows Management Instrumentation subsystem. This tool is becoming increasingly popular among ransomware operators.

Data collection

Like many other ransomware operators, the group behind ProLock collects data from the compromised network to increase its chances of being paid. Before exfiltration, the collected data is archived with the 7Zip utility.

Exfiltration

To upload the data, ProLock operators use Rclone, a command-line tool designed to synchronize files with various cloud storage services such as OneDrive, Google Drive, Mega and others.

Unlike their peers, ProLock operators do not yet have their own website for publishing data stolen from companies that refused to pay the ransom.

Achieving the final goal

Once the data has been exfiltrated, the group deploys ProLock across the entire enterprise network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory.

First, ProLock terminates the processes on its built-in list (interestingly, it matches only the first six letters of the process name, such as "winwor") and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, like many other ransomware families, the attackers use vssadmin to delete Windows shadow copies and shrink their storage so that new copies cannot be created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
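The three scripts quoted in this write-up (the schtasks persistence script, the reg add commands that open up RDP, and the vssadmin commands above) are all plain command lines, so they are a natural fit for process-creation detection. The following is an added example, not Group-IB tooling: three small rules run over constructed log lines. It assumes a Sysmon-style "CommandLine=" field, and the list of staging directories checked for the scheduled-task XML (ProgramData plus AppData and Temp) is our own extension of the C:\Programdata path shown in the article.

```python
"""Process-creation detection rules for the ProLock command lines described
in this write-up (schtasks persistence, RDP-enabling reg add, vssadmin).

Added example, not Group-IB tooling. Assumptions: log lines carry a
Sysmon-style "CommandLine=" field; STAGING_DIRS extends the article's
C:\\Programdata path with AppData and Temp.
"""
import re

# Keep double-quoted Windows arguments (registry keys with spaces) together.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Assumed staging directories; the article itself only shows C:\Programdata.
STAGING_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\")


def tokenize(cmdline):
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _image(tokens):
    """Base name of the executable, lower-cased (handles full paths)."""
    return tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""


def _switch_value(tokens, switch):
    """Argument following a case-insensitive switch such as /v, or None."""
    lowered = [t.lower() for t in tokens]
    if switch.lower() not in lowered:
        return None
    idx = lowered.index(switch.lower())
    return tokens[idx + 1] if idx + 1 < len(tokens) else None


def rule_schtasks_create_from_staging_dir(tokens):
    """schtasks /CREATE /XML <file> where the XML sits in a writable staging dir."""
    if _image(tokens) not in ("schtasks.exe", "schtasks"):
        return False
    if "/create" not in (t.lower() for t in tokens):
        return False
    xml_path = _switch_value(tokens, "/xml")
    return bool(xml_path) and any(d in xml_path.lower() for d in STAGING_DIRS)


def rule_rdp_protection_disabled(tokens):
    """reg add under the Terminal Server key setting fDenyTSConnections or
    UserAuthentication (NLA) to 0, i.e. opening RDP up on the host."""
    if len(tokens) < 3 or _image(tokens) not in ("reg.exe", "reg"):
        return False
    if tokens[1].lower() != "add" or "terminal server" not in tokens[2].lower():
        return False
    name = (_switch_value(tokens, "/v") or "").lower()
    data = (_switch_value(tokens, "/d") or "").strip()
    return data == "0" and name in ("fdenytsconnections", "userauthentication")


def rule_shadow_copy_tampering(tokens):
    """vssadmin delete shadows / resize shadowstorage (Inhibit System Recovery)."""
    if _image(tokens) not in ("vssadmin.exe", "vssadmin"):
        return False
    verb = " ".join(t.lower() for t in tokens[1:3])
    return verb in ("delete shadows", "resize shadowstorage")


RULES = {
    "schtasks_create_from_staging_dir": rule_schtasks_create_from_staging_dir,
    "rdp_protection_disabled_via_reg": rule_rdp_protection_disabled,
    "shadow_copy_tampering": rule_shadow_copy_tampering,
}

# Constructed log lines in a Sysmon Event ID 1 style: the first six are the
# article's own commands, the rest are benign look-alikes that must not fire.
SAMPLE_LOG = [
    r"EventID=1 CommandLine=schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr",
    r"EventID=1 CommandLine=schtasks.exe /RUN /tn WinMgr",
    r'EventID=1 CommandLine=reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f',
    r'EventID=1 CommandLine=reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f',
    r"EventID=1 CommandLine=vssadmin.exe delete shadows /all /quiet",
    r"EventID=1 CommandLine=vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    r'EventID=1 CommandLine=reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f',
    r"EventID=1 CommandLine=vssadmin.exe list shadows",
    r"EventID=1 CommandLine=schtasks.exe /Query /tn WinMgr",
]


def classify(cmdline):
    """Names of the rules a single command line triggers."""
    tokens = tokenize(cmdline)
    return [name for name, rule in RULES.items() if rule(tokens)]


def scan(lines=SAMPLE_LOG):
    """Map each matching command line to the rules it triggered."""
    hits = {}
    for line in lines:
        cmdline = line.split("CommandLine=", 1)[-1].strip()
        matched = classify(cmdline)
        if matched:
            hits[cmdline] = matched
    return hits


if __name__ == "__main__":
    for cmdline, names in scan().items():
        print(f"{', '.join(names):34s} <- {cmdline}")
```

The reg rule deliberately keys on the data value: `fDenyTSConnections` set to 1 or `UserAuthentication` set to 1 are hardening changes an administrator makes and should not alert, whereas both being written as 0 in quick succession is the pattern of the script above. Running the block on the constructed log yields five hits and no false positives on the benign lines.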

ProLock appends the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and drops a file named [HOW TO RECOVER FILES].TXT in every folder. This file contains instructions on how to decrypt the files, including a link to a site where the victim has to enter a unique ID and obtain payment details.

Each ProLock sample contains information about the ransom amount; in this case, 35 bitcoins, about $312.
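The extensions and the note file name above are the artefacts a responder looks for first when scoping an incident. The following is an added example, not Group-IB tooling: it walks a directory tree, counts encrypted files per ProLock extension, lists which folders already hold the ransom note and which hold encrypted files without one (useful for judging whether encryption was still running), and records the earliest modification time seen on an encrypted file as a rough timeline anchor. The directory tree it builds under a temporary folder is constructed for the demonstration.

```python
"""Filesystem triage for ProLock artefacts: encrypted-file extensions and the
[HOW TO RECOVER FILES].TXT note described above.

Added example, not Group-IB tooling. The directory tree it builds under a
temporary folder is constructed for the demonstration; the extension and
note names are the ones the article gives.
"""
import os
import shutil
import tempfile
from collections import Counter

PROLOCK_EXTENSIONS = (".prolock", ".pr0lock", ".prol0ck")  # matched case-insensitively
RANSOM_NOTE = "[HOW TO RECOVER FILES].TXT"


def triage(root):
    """Walk root and summarise ProLock artefacts.

    Returns a dict with the count of encrypted files per extension, the
    folders (relative to root) that hold the ransom note, the folders that
    hold encrypted files but no note yet, and the earliest modification time
    seen on an encrypted file (a rough start-of-encryption marker).
    """
    per_ext = Counter()
    note_dirs, encrypted_dirs = set(), set()
    earliest = None
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            lowered = name.lower()
            if lowered == RANSOM_NOTE.lower():
                note_dirs.add(rel)
                continue
            ext = next((e for e in PROLOCK_EXTENSIONS if lowered.endswith(e)), None)
            if ext is None:
                continue
            per_ext[ext] += 1
            encrypted_dirs.add(rel)
            mtime = os.path.getmtime(os.path.join(dirpath, name))
            earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "per_extension": dict(per_ext),
        "note_dirs": sorted(note_dirs),
        "encrypted_without_note": sorted(encrypted_dirs - note_dirs),
        "earliest_encrypted_mtime": earliest,
    }


def build_sample_tree():
    """Create a constructed victim-like tree and return its root path."""
    root = tempfile.mkdtemp(prefix="prolock_triage_demo_")
    layout = {
        "finance": ["q1.xlsx.proLock", "q2.xlsx.pr0Lock", RANSOM_NOTE],
        "hr": ["contracts.docx.proL0ck", RANSOM_NOTE],
        "logs": ["app.log"],                   # untouched folder
        "inprogress": ["memo.docx.proLock"],   # encrypted, note not yet dropped
    }
    for folder, names in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path)
        for name in names:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


def run_demo():
    """Build the sample tree, triage it, clean up, and return the summary."""
    root = build_sample_tree()
    try:
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    summary = run_demo()
    print("encrypted files per extension:", summary["per_extension"])
    print("folders with ransom note:", summary["note_dirs"])
    print("encrypted folders without note:", summary["encrypted_without_note"])
```

On a real host, point triage() at a mounted image or share root rather than the constructed tree; the earliest modification time should be read alongside the process-creation timeline, since the ransomware's own mtime behaviour is not documented here.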

Conclusion

Many ransomware operators use similar methods to achieve their goals, while some techniques remain unique to each group. The number of cybercriminal groups using ransomware in their campaigns keeps growing. In some cases the same operators take part in attacks involving different ransomware families, so we will see increasing overlap in the tactics, techniques and procedures they use.

MITRE ATT&CK mapping

Tactic: Techniques

Initial Access (TA0001): External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)

Execution (TA0002): PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence (TA0003): Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)

Defense Evasion (TA0005): Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)

Credential Access (TA0006): Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)

Discovery (TA0007): Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)

Lateral Movement (TA0008): Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)

Collection (TA0009): Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)

Command and Control (TA0011): Commonly Used Port (T1043), Web Service (T1102)

Exfiltration (TA0010): Data Compressed (T1002), Transfer Data to Cloud Account (T1537)

Impact (TA0040): Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.habr.com
