Meet Nemty, the ransomware from a fake PayPal site

A new ransomware called Nemty has appeared on the network, presumably a successor to GandCrab or Buran. The malware is distributed mainly from a fake PayPal website and has a number of interesting features. Details of how this ransomware works are under the cut.


The new Nemty ransomware was discovered by the user nao_sec on September 7, 2019. The malware was distributed through a website disguised as PayPal; it is also possible that the ransomware reaches a computer via the RIG exploit kit. The attackers use social engineering to get the user to run the file cashback.exe, supposedly obtained from the PayPal website. It is also curious that Nemty specifies the wrong port for the local Tor proxy service, which prevents the malware from sending its data to the server. As a result, a user who intends to pay the ransom and wait for the attackers to decrypt their files has to upload the encrypted files to the Tor network themselves.

Several interesting facts about Nemty suggest that it was developed by the same people, or by cybercriminals associated with Buran and GandCrab.

  • Like GandCrab, Nemty has an Easter egg: a link to a photo of Russian President Vladimir Putin with an obscene joke. The legacy GandCrab ransomware had an image with the same text.
  • The language constructs of both programs point to the same Russian-speaking authors.
  • This is the first ransomware to use an 8092-bit RSA key. There is no point in this: a 1024-bit key is quite enough to protect against cracking.
  • Like Buran, the ransomware is written in Object Pascal and compiled in Borland Delphi.

Static analysis

The malicious code executes in four stages. The first step is running cashback.exe, a PE32 executable for MS Windows with a size of 1198936 bytes. Its code was written in Visual C++ and compiled on October 14, 2013. It contains an archive that is unpacked automatically when cashback.exe is run. The software uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract files from the .cab archive.

SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC

After the archive is unpacked, three files appear.

Next, temp.exe is launched, a PE32 executable for MS Windows with a size of 307200 bytes. Its code is written in Visual C++ and packed with the MPRESS packer, a packer similar to UPX.

SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD

The next step is ironman.exe. Once launched, temp.exe decrypts the data embedded in temp and renames it to ironman.exe, a PE32 executable of 544768 bytes. The code is compiled in Borland Delphi.

SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88

The final step is relaunching the ironman.exe file. At runtime it transforms its own code and runs itself from memory. This version of ironman.exe is the malicious one and is responsible for the encryption.

Attack vector

At the moment, the Nemty ransomware is distributed from the website pp-back.info.

The full infection chain can be viewed in the app.any.run sandbox.

Scheme

Cashback.exe is the start of the attack. As already mentioned, cashback.exe unpacks the .cab file it contains. It then creates a folder TMP4351$.TMP of the form %TEMP%\IXxxx.TMP, where xxx is a number from 001 to 999.

Next, a registry key is written that looks like this:

[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0]
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP""

It is used to delete the unpacked files. Finally, cashback.exe starts the temp.exe process.

Temp.exe is the second link in the infection chain

This is the process started by the cashback.exe file, the second step of the malware's execution. It tries to download AutoHotKey, a tool for running scripts on Windows, and runs the WindowSpy.ahk script located in the resources section of the PE file.

The WindowSpy.ahk script decrypts the temp file into ironman.exe using the RC4 algorithm and the password IwantAcake. The key is derived from the password with the MD5 hashing algorithm.

temp.exe then starts the ironman.exe process.

Ironman.exe is the third step

Ironman.exe reads the contents of the iron.bmp file and creates the iron.txt file containing the cryptolocker that will be launched next.

After that, the malware loads iron.txt into memory and relaunches it as ironman.exe. iron.txt is then deleted.

ironman.exe is the main component of the NEMTY ransomware, which encrypts the files on the affected computer. The malware creates a mutex named hate.

The first thing it does is determine the computer's geolocation. Nemty opens a browser and looks up its IP address at http://api.ipify.org. Then, at api.db-ip.com/v2/free[IP]/countryName, the country is determined from the IP obtained, and if the computer is located in one of the regions listed below, execution of the malware code stops:

  • Russia
  • Belarus
  • Ukraine
  • Kazakhstan
  • Tajikistan

Presumably, the developers do not want to attract the attention of law enforcement agencies in the countries where they live, and therefore do not encrypt files in their "home" regions.

If the victim's IP address is not in the list above, the malware encrypts the user's data.

To prevent file recovery, their shadow copies are deleted:

It then builds a list of files and folders that will not be encrypted, as well as a list of file extensions.

  • windows
  • $RECYCLE.BIN
  • rsa
  • NTDETECT.COM
  • ntldr
  • MSDOS.SYS
  • IO.SYS
  • boot.ini
  • AUTOEXEC.BAT
  • ntuser.dat
  • desktop.ini
  • CONFIG.SYS
  • BOOTSECT.BAK
  • bootmgr
  • programdata
  • appdata
  • osoft
  • Common Files

log LOG CAB cab CMD cmd COM com cpl
CPL exe EXE ini INI dll DDL lnk LNK url
URL ttf TTF DECRYPT.txt NEMTY

Obfuscation

To hide URLs and the embedded configuration data, Nemty uses base64 encoding and the RC4 algorithm with the key word fuckav.

The decoding process, which uses CryptStringToBinary, looks as follows:

Encryption

Nemty uses three-level encryption:

  • AES-128-CBC for files. The 128-bit AES key is generated randomly and is the same for all files. It is stored in the configuration file on the user's computer. The IV is generated randomly for each file and stored in the encrypted file.
  • RSA-2048 for encrypting the file IV. A session key pair is generated. The session private key is stored in the configuration file on the user's computer.
  • RSA-8192. The master public key is embedded in the program and is used to encrypt the configuration file, which holds the AES key and the secret key of the RSA-2048 session pair.
  • Nemty first generates 32 bytes of random data. The first 16 bytes are used as the AES-128-CBC key.

The second encryption algorithm is RSA-2048. The key pair is generated by the CryptGenKey() function and imported by the CryptImportKey() function.

After the session key pair is generated, the public key is imported into the MS Cryptographic Service Provider.

An example of a generated session public key:

Next, the private key is imported into the CSP.

An example of a generated session private key:

And finally comes RSA-8192. The master public key is stored in encrypted form (Base64 + RC4) in the .data section of the PE file.

After base64 decoding and RC4 decryption with the password fuckav, the RSA-8192 key looks like this:
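As an added example (not code from this write-up or from the malware itself), the base64 + RC4 string layer described in this section and the MD5-derived RC4 key of the WindowSpy.ahk stage, reimplemented in Python so an analyst can decode strings recovered from a sample. The sample blob is constructed here; that the string layer feeds the password bytes straight into RC4 (rather than hashing them first) is an assumption, since the write-up only names the password.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_key_from_password_md5(password: str) -> bytes:
    """Key derivation of the WindowSpy.ahk stage: the RC4 key is MD5(password)."""
    return hashlib.md5(password.encode()).digest()


def decode_config_string(blob_b64: str, password: str = "fuckav") -> bytes:
    """Reverse the base64 + RC4 layer Nemty applies to URLs and config data.

    Assumption (not stated in the write-up): the password bytes are the RC4 key.
    """
    return rc4(password.encode(), base64.b64decode(blob_b64))


def encode_config_string(plain: bytes, password: str = "fuckav") -> str:
    """Forward direction, used here only to build a constructed sample offline."""
    return base64.b64encode(rc4(password.encode(), plain)).decode()


# Constructed sample: one of the URLs named in the write-up, wrapped the way the
# .data section would carry it. This value is built here, not taken from a sample.
SAMPLE_B64 = encode_config_string(b"http://api.ipify.org")

if __name__ == "__main__":
    print(decode_config_string(SAMPLE_B64))
```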

As a result, the whole encryption process looks like this:

  • Generate a 128-bit AES key that will be used to encrypt all files.
  • Generate an IV for each file.
  • Generate an RSA-2048 session key pair.
  • Decode the embedded RSA-8192 key using base64 and RC4.
  • Encrypt the file contents with the AES-128-CBC key from the first step.
  • Encrypt the IV with the RSA-2048 public key and base64-encode it.
  • Append the encrypted IV to the end of each encrypted file.
  • Add the AES key and the RSA-2048 session private key to the configuration.
  • Encrypt the configuration data described in the section "Collecting information about the infected computer" with the RSA-8192 master public key.
  • The encrypted file looks like this:

Example of encrypted files:

Collecting information about the infected computer

The ransomware collects the keys needed to decrypt the infected files, so that the attacker can build a decryptor. In addition, Nemty collects user data such as the username, computer name and hardware profile.

It calls the GetLogicalDrives(), GetFreeSpace() and GetDriveType() functions to collect information about the drives of the infected computer.

The collected information is stored in the configuration file. After decoding the string, we get the list of parameters in the configuration file:

Example configuration of an infected computer:

The configuration template can be represented as follows:

{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS":"[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[UserID]", "key":"[key]", "pr_key":"[pr_key]

Nemty stores the collected data in JSON format in the file %USER%/_NEMTY_.nemty. The FileID is 7 characters long and is generated randomly. Example: _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the end of each encrypted file.

Ransom note

After the files are encrypted, the file _NEMTY_[FileID]-DECRYPT.txt appears on the desktop with the following content:

At the end of the file there is encrypted information about the infected computer.

Network communication

The ironman.exe process downloads the Tor browser distribution from https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip and tries to install it.

Nemty then tries to send the configuration data to 127.0.0.1:9050, where it expects to find a running Tor browser proxy. However, by default the Tor browser proxy listens on port 9150, while port 9050 is used by the Tor daemon on Linux or by the Expert Bundle on Windows. As a result, no data is sent to the attacker's server. Instead, the user can upload the configuration file manually by visiting the Tor decryption service via the link given in the ransom note.

Connecting to the Tor proxy:

HTTP GET request to 127.0.0.1:9050/public/gate?data=

Here you can see the open TCP ports used by the local Tor proxy:

The Nemty decryption service on the Tor network:

You can upload an encrypted image (jpg, png, bmp) to test the decryption service.

After that, the attacker demands payment of the ransom. If it is not paid, the price doubles.
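As an added example (not code from this write-up or from any product), a small triage check that scores constructed host and network events against the behaviours documented above: the hate mutex, the geolocation lookups, the Tor bundle download, the beacon to 127.0.0.1:9050/public/gate, the _NEMTY_ config and ransom-note files, and the RunOnce cleanup key. The event schema, field names and rule weights are this example's assumptions.

```python
import re

# File-name patterns from the write-up: %USER%/_NEMTY_<FileID>_.nemty and the
# desktop note _NEMTY_<FileID>-DECRYPT.txt (FileID is 7 random characters).
NEMTY_CONFIG = re.compile(r"_NEMTY_[A-Za-z0-9]{7}_\.nemty$")
NEMTY_NOTE = re.compile(r"_NEMTY_[A-Za-z0-9]{7}_?-DECRYPT\.txt$")

# (rule name, event type, predicate, weight). Weights are this example's judgement.
RULES = [
    ("mutex_hate", "mutex", lambda e: e["name"] == "hate", 3),
    ("geo_kill_switch_lookup", "http",
     lambda e: "api.ipify.org" in e["url"] or "api.db-ip.com/v2/free" in e["url"], 1),
    ("tor_bundle_download", "http",
     lambda e: "dist.torproject.org/torbrowser/" in e["url"], 2),
    ("gate_beacon_on_9050", "http",
     lambda e: e["url"].startswith("http://127.0.0.1:9050/public/gate?data="), 4),
    ("nemty_config_or_note", "file_create",
     lambda e: bool(NEMTY_CONFIG.search(e["path"]) or NEMTY_NOTE.search(e["path"])), 4),
    # wextract_cleanup + advpack DelNodeRunDLL32 is ordinary IExpress self-extractor
    # housekeeping, so on its own it is only a weak signal.
    ("iexpress_cleanup_runonce", "registry_set",
     lambda e: "wextract_cleanup" in e["key"] and "DelNodeRunDLL32" in e["value"], 1),
]

def score_events(events):
    """Return (total weight, sorted names of the rules that fired) for event dicts."""
    hits = {}
    for e in events:
        for name, kind, pred, weight in RULES:
            if e["type"] == kind and pred(e):
                hits[name] = weight
    return sum(hits.values()), sorted(hits)

def is_nemty_like(events, threshold=8):
    """Flag a host only when several distinct Nemty behaviours occur together."""
    return score_events(events)[0] >= threshold

# Constructed events (not real telemetry) following the chain described above.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXP001.TMP"'},
    {"type": "mutex", "name": "hate"},
    {"type": "http", "url": "http://api.ipify.org"},
    {"type": "http", "url": "https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip"},
    {"type": "http", "url": "http://127.0.0.1:9050/public/gate?data=ZmFrZQ=="},
    {"type": "file_create", "path": r"C:\Users\victim\_NEMTY_tgdLYrd_.nemty"},
    {"type": "file_create", "path": r"C:\Users\victim\Desktop\_NEMTY_tgdLYrd_-DECRYPT.txt"},
]
BENIGN_EVENTS = [SAMPLE_EVENTS[0]]  # a legitimate IExpress package leaves only this
```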


Conclusion

At the moment, it is not possible to decrypt files encrypted by Nemty without paying the ransom. This version of the ransomware shares features with the Buran ransomware and the older GandCrab: compilation in Borland Delphi and images with the same text. In addition, it is the first encryptor to use an 8092-bit RSA key, which again makes no sense, since a 1024-bit key is quite enough for protection. Finally, and most curiously, it tries to use the wrong port for the local Tor proxy service.

Nevertheless, the Acronis Backup and Acronis True Image solutions prevent the Nemty ransomware from reaching users' PCs and data, and service providers can protect their customers with Acronis Backup Cloud. Full Cyber Protection provides not only backup but also protection with Acronis Active Protection, a special technology based on artificial intelligence and behavioural heuristics that makes it possible to neutralize even unknown malware.

Source: www.habr.com
