Meet the Nemty ransomware from a fake PayPal site

A new ransomware called Nemty has appeared on the network and is said to be the successor to GandCrab or Buran. The malware is distributed mainly from a fake PayPal website and has a number of interesting features. Details on how this ransomware works are under the cut.


The new Nemty ransomware was discovered by the user nao_sec on September 7, 2019. The malware was distributed via a website disguised as PayPal; it is also possible that the ransomware reaches the computer through the RIG exploit kit. The attackers used social engineering to get the user to run the cashback.exe file, supposedly obtained from the PayPal website. It is also curious that Nemty specifies the wrong port for the local Tor proxy service, which prevents the malware from sending data to the server. As a result, a user who intends to pay the ransom would have to upload the encrypted files to the Tor network themselves and wait for the attackers to release the decryptor.

Several interesting facts about Nemty suggest that it was created by the same people, or by cybercriminals associated with, the authors of Buran and GandCrab.

  • Like GandCrab, Nemty has an Easter egg: a link to a picture of Russian President Vladimir Putin with an obscene joke. The legacy GandCrab ransomware had an image with the same text.
  • The language artifacts of both programs point to the same Russian-speaking authors.
  • This is the first ransomware to use an 8092-bit RSA key. There is no point in this: a 1024-bit key is sufficient to protect against cracking.
  • Like Buran, the ransomware is written in Object Pascal and compiled in Borland Delphi.

Static analysis

The malicious code executes in four stages. The first step is to run cashback.exe, a PE32 executable for MS Windows with a size of 1198936 bytes. Its code was written in Visual C++ and compiled on October 14, 2013. It contains an archive that is unpacked automatically when cashback.exe is run. The software uses the Cabinet.dll library and its functions FDICreate(), FDIDestroy() and others to extract files from the .cab archive.

SHA-256: A127323192ABED93AED53648D03CA84DE3B5B006B641033EB46A520B7A3C16FC

After the archive is unpacked, three files appear.

Next, temp.exe is launched, a PE32 executable for MS Windows with a size of 307200 bytes. The code is written in Visual C++ and packed with the MPRESS packer, a packer similar to UPX.

SHA-256: EBDBA4B1D1DE65A1C6B14012B674E7FA7F8C5F5A8A5A2A9C3C338F02DD726AAD

The next step is ironman.exe. Once launched, temp.exe decrypts the data embedded in temp and renames it to ironman.exe, a 32-bit PE executable of 544768 bytes. The code is compiled in Borland Delphi.

SHA-256: 2C41B93ADD9AC5080A12BF93966470F8AB3BDE003001492A10F63758867F2A88

The final step is to restart the ironman.exe file. At run time it transforms its own code and runs itself from memory. This version of ironman.exe is malicious and is responsible for the encryption.

Attack vector

Currently, the Nemty ransomware is distributed via the website pp-back.info.


The full infection chain can be viewed in the app.any.run sandbox.

Installation

Cashback.exe is the start of the attack. As already mentioned, cashback.exe unpacks the .cab file it contains. It then creates a folder TMP4351$.TMP of the form %TEMP%\IXxxx.TMP, where xxx is a number from 001 to 999.

Next, a registry key is added, which looks like this:

[HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0]
"rundll32.exe" "C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\MALWAR~1\AppData\Local\Temp\IXPxxx.TMP""

It is used to delete the unpacked files. Finally, cashback.exe starts the temp.exe process.

Temp.exe: the second stage of the infection chain

This is the process launched by cashback.exe, the second step of the malware's execution. It attempts to download AutoHotKey, a tool for running scripts on Windows, and to run the WindowSpy.ahk script located in the resource section of the PE file.

The WindowSpy.ahk script decrypts the temp file into ironman.exe using the RC4 algorithm and the password IwantAcake. The key is derived from the password with the MD5 hashing algorithm.

temp.exe then starts the ironman.exe process.

Ironman.exe: the third step

Ironman.exe reads the contents of the iron.bmp file and creates the iron.txt file containing the cryptolocker that will be launched next.

After this, the malware loads iron.txt into memory and restarts it as ironman.exe. iron.txt is then deleted.

ironman.exe is the main component of the NEMTY ransomware and encrypts the files on the affected computer. The malware creates a mutex named hate.

The first thing it does is determine the computer's location. Nemty opens a browser and obtains the external IP from http://api.ipify.org. It then queries api.db-ip.com/v2/free[IP]/countryName to determine the country from that IP, and if the computer is located in one of the regions listed below, execution of the malicious code stops:

  • Russia
  • Belarus
  • Ukraine
  • Kazakhstan
  • Tajikistan

Most likely, the developers do not want to attract the attention of law enforcement agencies in the countries where they live, and therefore do not encrypt files in their "home" jurisdictions.

If the victim's IP address is not in the list above, the malware encrypts the user's data.


To prevent file recovery, their shadow copies are deleted:

It then builds a list of files and folders that will not be encrypted, as well as a list of file extensions.

  • windows
  • $RECYCLE.BIN
  • rsa
  • NTDETECT.COM
  • ntldr
  • MSDOS.SYS
  • IO.SYS
  • boot.ini AUTOEXEC.BAT ntuser.dat
  • desktop.ini
  • CONFIG.SYS
  • BOOTSECT.BAK
  • Bootfont.bin
  • Program Data
  • AppData
  • osoft
  • Common Files

log LOG CAB cab CMD cmd COM com cpl CPL exe EXE ini INI dll DDL lnk LNK url URL ttf TTF DECRYPT.txt NEMTY

Obfuscation

To hide the embedded URLs and configuration data, Nemty uses base64 encoding combined with RC4 under the keyword fuckav.

The decoding routine, which uses CryptStringToBinary, looks like this:
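As an added example (not code from the article or from a Nemty sample), the two deobfuscation layers described in this write-up reimplemented in Python for analysis: base64 decoding followed by RC4 with the keyword fuckav for the embedded strings, and RC4 with an MD5-derived key from the password IwantAcake for the temp -> ironman.exe stage. The test vectors are constructed from a string quoted on this page; that the keyword is used directly as the RC4 key (no KDF) is an assumption.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_embedded_string(blob_b64: str, keyword: str = "fuckav") -> bytes:
    """Config/URL layer: base64-decode, then RC4 with the keyword used directly
    as the key (assumption: the article names the keyword but no key derivation)."""
    return rc4(keyword.encode(), base64.b64decode(blob_b64))


def decrypt_stage2_payload(ciphertext: bytes, password: str = "IwantAcake") -> bytes:
    """WindowSpy.ahk layer: the RC4 key is the MD5 digest of the password, as the
    article states for the temp -> ironman.exe decryption."""
    return rc4(hashlib.md5(password.encode()).digest(), ciphertext)


# Constructed test vectors (not data recovered from a real sample): a string quoted in
# the article is wrapped with the same layering so the decoders can be exercised offline.
SAMPLE_PLAIN = b"127.0.0.1:9050/public/gate?data="
SAMPLE_BLOB = base64.b64encode(rc4(b"fuckav", SAMPLE_PLAIN)).decode()
SAMPLE_STAGE2 = rc4(hashlib.md5(b"IwantAcake").digest(), b"MZ\x90\x00")  # fake PE header bytes

if __name__ == "__main__":
    print(decode_embedded_string(SAMPLE_BLOB))
    print(decrypt_stage2_payload(SAMPLE_STAGE2)[:2])
```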


Encryption

Nemty uses three layers of encryption:

  • AES-128-CBC for files. A 128-bit AES key is generated randomly and used for all files. It is stored in a configuration file on the user's computer. An IV is generated randomly for each file and stored in the encrypted file.
  • RSA-2048 for encrypting the file IV. A session key pair is generated. The session private key is stored in the configuration file on the user's computer.
  • RSA-8192. The master public key is built into the program and is used to encrypt the configuration file, which holds the AES key and the RSA-2048 session private key.

Nemty first generates 32 bytes of random data. The first 16 bytes are used as the AES-128-CBC key.

The second encryption algorithm is RSA-2048. The key pair is generated with the CryptGenKey() function and imported with the CryptImportKey() function.

Once the session key pair has been generated, the public key is imported into the MS Cryptographic Service Provider.

Example of a generated session public key:

Next, the private key is imported into the CSP.

Example of a generated session private key:

And finally comes RSA-8192. The master public key is stored in encrypted form (Base64 + RC4) in the .data section of the PE file.

After base64 decoding and RC4 decryption with the password fuckav, the RSA-8192 key looks like this.

As a result, the entire encryption process looks like this:

  • Generate a 128-bit AES key that will be used to encrypt all files.
  • Create an IV for each file.
  • Create an RSA-2048 session key pair.
  • Decode the embedded RSA-8192 key using base64 and RC4.
  • Encrypt the file contents with AES-128-CBC using the key from the first step.
  • Encrypt the IV with the RSA-2048 public key and base64-encode it.
  • Append the encrypted IV to the end of each encrypted file.
  • Add the AES key and the RSA-2048 session private key to the configuration.
  • Encrypt the configuration data described in the section "Collecting information about the infected computer" with the RSA-8192 master public key.

The encrypted file looks like this:

Example of encrypted files:

Collecting information about the infected computer

The ransomware collects the keys needed to decrypt the infected files so that the attacker can build a decryptor. In addition, Nemty collects user data such as the username, computer name and hardware profile.

It calls the GetLogicalDrives(), GetFreeSpace() and GetDriveType() functions to collect information about the drives of the infected computer.

The collected information is stored in a configuration file. After decoding, we get the list of parameters in the configuration file:

Example configuration of an infected computer:

The configuration template can be represented as follows:

{"General": {"IP":"[IP]", "Country":"[Country]", "ComputerName":"[ComputerName]", "Username":"[Username]", "OS":"[OS]", "isRU":false, "version":"1.4", "CompID":"{[CompID]}", "FileID":"_NEMTY_[FileID]_", "UserID":"[UserID]", "key":"[key]", "pr_key":"[pr_key]

Nemty stores the collected data in JSON format in the file %USER%/_NEMTY_.nemty. The FileID is 7 characters long and generated randomly. Example: _NEMTY_tgdLYrd_.nemty. The FileID is also appended to the end of each encrypted file.

Ransom note

After the files are encrypted, a file named _NEMTY_[FileID]-DECRYPT.txt appears on the desktop with the following content:

At the end of the file there is encrypted information about the infected computer.
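An added triage helper (not from the article or from Acronis) that applies the naming conventions described above: the _NEMTY_[FileID]-DECRYPT.txt note, the _NEMTY_.nemty configuration file, and the 7-character FileID, grouping artifacts by FileID so one infection's note, config and encrypted files line up during incident response. It assumes the FileID appended "to the end of the encrypted file" is a filename suffix of the form _NEMTY_<FileID>_ and that FileIDs are alphanumeric like the sample tgdLYrd; the directory listing is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Naming conventions from the write-up (FileID = 7 random characters, e.g. tgdLYrd):
#   ransom note : _NEMTY_[FileID]-DECRYPT.txt       (dropped on the desktop)
#   config file : _NEMTY_.nemty or _NEMTY_[FileID]_.nemty under %USER%
#   encrypted   : "_NEMTY_[FileID]_" appended to the file; assumed to be a name suffix
FID = r"(?P<fid>[A-Za-z0-9]{7})"  # assumption: alphanumeric, as in the article's sample

PATTERNS = [  # order matters: the specific note/config shapes are tested first
    ("ransom_note", re.compile(rf"^_NEMTY_{FID}-DECRYPT\.txt$")),
    ("config", re.compile(rf"^_NEMTY_(?:{FID}_)?\.nemty$")),
    ("encrypted", re.compile(rf"_NEMTY_{FID}_$")),
]


def classify(name: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (artifact kind, FileID or None) for a Nemty-style file name, else None."""
    for kind, rx in PATTERNS:
        m = rx.search(name)
        if m:
            return kind, m.groupdict().get("fid")
    return None


def triage(names: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Group recognised artifacts by FileID; a config without an ID goes under <no-id>."""
    groups: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for n in names:
        hit = classify(n)
        if hit:
            kind, fid = hit
            groups[fid or "<no-id>"][kind].append(n)
    return {fid: dict(kinds) for fid, kinds in groups.items()}


# Constructed directory listing (not real victim data) to exercise the triage logic.
SAMPLE_LISTING = [
    "_NEMTY_tgdLYrd_.nemty",
    "_NEMTY_tgdLYrd-DECRYPT.txt",
    "Q3-budget.xlsx._NEMTY_tgdLYrd_",
    "family.jpg._NEMTY_tgdLYrd_",
    "ntuser.dat",         # on the article's exclusion list; never renamed
    "notes_NEMTY_.txt",   # near miss: no 7-character FileID
]

if __name__ == "__main__":
    for fid, kinds in triage(SAMPLE_LISTING).items():
        print(fid, {k: len(v) for k, v in kinds.items()})
```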


Network communication

The ironman.exe process downloads the Tor browser distribution from https://dist.torproject.org/torbrowser/8.5.4/tor-win32-0.4.0.5.zip and tries to install it.

Nemty then tries to send the configuration data to 127.0.0.1:9050, where it expects to find a working Tor browser proxy. However, by default the Tor browser proxy listens on port 9150, while port 9050 is used by the Tor daemon on Linux or the Expert Bundle on Windows. As a result, no data is sent to the attacker's server. Instead, the user can upload the configuration file manually by visiting the Tor decryption service via the link given in the ransom note.

Connecting to the Tor proxy:


It issues an HTTP GET request to 127.0.0.1:9050/public/gate?data=

Here you can see the open TCP ports used by the local Tor proxy:

Nemty's decryption service on the Tor network:

You can upload an encrypted image (jpg, png, bmp) to test the decryption service.

After this, the attacker demands payment of the ransom. In case of non-payment, the price doubles.


Conclusion

Currently, it is not possible to decrypt files encrypted by Nemty without paying the ransom. This version of the ransomware shares features with the Buran ransomware and the outdated GandCrab: compilation in Borland Delphi and images with the same text. In addition, it is the first encryptor to use an 8092-bit RSA key, which again makes no sense, since a 1024-bit key is sufficient for protection. Finally, and interestingly, it tries to use the wrong port for the local Tor proxy service.

However, the Acronis Backup and Acronis True Image solutions prevent the Nemty ransomware from reaching users' PCs and data, and service providers can protect their customers with Acronis Backup Cloud. Full Cyber Protection provides not only backup but also protection with Acronis Active Protection, a dedicated technology based on artificial intelligence and behavioral heuristics that makes it possible to neutralize malware that is not yet known.

Source: www.habr.com
