Incident description
In recent operations the Sangfor Deep Shield (深盾) Endpoint Lab captured the latest variant of the Magniber ransomware family. The captured sample is distributed as an MSI package and abuses the Microsoft vulnerability CVE-2023-24880 (patched by Microsoft on 14 March) to bypass SmartScreen so that Magniber can be downloaded and installed from compromised websites. CVE-2023-24880 exists because the fix for CVE-2022-44698 was incomplete.
CVE-2023-24880 is a security feature bypass in Windows SmartScreen. SmartScreen is a component of Windows 10 and Windows 11 whose main purpose is to detect and block phishing and the download and installation of malware. Bypassing it means the attacker can deliver the Magniber ransomware without any security warning being shown to the user.
A response to this vulnerability was published on 15 March 2023; see the following link:
https://mp.weixin.qq.com/s/f4uA3Loc2ooG_1_tcvxnUA
Among ransomware families Magniber stands out. The sample itself uses extensive obfuscation and runtime decoding, and the family keeps changing its tactics with new obfuscation and evasion techniques, which greatly complicates analysis. It also relies on vulnerabilities for delivery: for years Magniber spread through Internet Explorer exploits, but since IE reached end of support it has been distributed to Microsoft Edge and Google Chrome users as Windows Installer packages (.msi).
Once started, the sample encrypts part of the files on the system and drops a ransom note that pushes the victim to contact the attacker through the listed channel and pay. Encrypted files receive the extension "mhkgchqs", the ransom note is named "README.html", and the note states neither the ransom amount nor the payment method.
MSI file analysis
The attacker uses MSI files carrying an invalid, self-made Authenticode signature. The malformed signature causes SmartScreen to return an error, and when the untrusted file carries the Mark of the Web (MotW) that error results in no security warning dialog being shown to the user, even though a potentially malicious file has just been downloaded from the Internet.
Opening the MSI in Orca shows the table structure and contents: a CustomAction entry runs the exported function j6tow27o of a DLL embedded in the MSI.
SetProgramFilesFolder: points the program's folder at the LocalAppData directory, i.e. "C:\Users\<username>\AppData\Local".
Ucjvnpaclba: loads the binary ilzwngaiyktz. A Type of 65 (1 = DLL stored in the Binary table, plus 64 = msidbCustomActionTypeContinue, i.e. ignore the return code) means the payload is a DLL, and Target names the exported function j6tow27o.
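The Type column of the CustomAction table is a bitfield: the low nibble says what is executed (1 = DLL, 2 = EXE, 5/6 = script, 3 = text or property), bits 4-5 say where the Source column points (Binary, File, Directory or Property table), and the higher bits are options such as Continue (0x40) or NoImpersonate (0x800). The following Go program is an added example written for this page, not code from the report or from the sample; it decodes Type values and flags rows that execute a payload embedded in the Binary table, which is exactly what the Ucjvnpaclba row does. The Type value 51 and the property names used for the SetProgramFilesFolder row are assumptions, since the report only states what that action does.

```go
package main

import (
	"fmt"
	"strings"
)

// Bit layout of the Type column in the MSI CustomAction table
// (constants from the Windows Installer documentation).
const (
	caTargetMask = 0x0F // low nibble: what the action executes
	caTargetDLL  = 1    // DLL entry point
	caTargetEXE  = 2    // EXE
	caTargetText = 3    // text data (error message / set property)
	caTargetJS   = 5    // JScript
	caTargetVBS  = 6    // VBScript
	caTargetInst = 7    // nested installation

	caSourceMask   = 0x30 // bits 4-5: where the Source column points
	caSourceBinary = 0x00 // Binary table (payload embedded in the MSI)
	caSourceFile   = 0x10 // File table (an installed file)
	caSourceDir    = 0x20 // Directory table
	caSourceProp   = 0x30 // Property table

	caContinue      = 0x40   // msidbCustomActionTypeContinue: ignore return code
	caAsync         = 0x80   // msidbCustomActionTypeAsync
	caInScript      = 0x400  // deferred: runs from the installation script
	caNoImpersonate = 0x800  // deferred action runs as LocalSystem
	caHideTarget    = 0x2000 // keep Target out of the installer log
)

var targetNames = map[int]string{
	caTargetDLL: "DLL", caTargetEXE: "EXE", caTargetText: "TextData",
	caTargetJS: "JScript", caTargetVBS: "VBScript", caTargetInst: "Install",
}

var sourceNames = map[int]string{
	caSourceBinary: "Binary", caSourceFile: "File",
	caSourceDir: "Directory", caSourceProp: "Property",
}

// CustomAction mirrors one row of the CustomAction table as Orca shows it.
type CustomAction struct {
	Action string
	Type   int
	Source string
	Target string
}

// Decoded is the human-readable meaning of a Type value.
type Decoded struct {
	Source, Target string
	Flags          []string
}

// DecodeType splits the Type bitfield into source, target and option flags.
func DecodeType(t int) Decoded {
	d := Decoded{Source: sourceNames[t&caSourceMask], Target: targetNames[t&caTargetMask]}
	for _, f := range []struct {
		bit  int
		name string
	}{
		{caContinue, "Continue"}, {caAsync, "Async"}, {caInScript, "InScript"},
		{caNoImpersonate, "NoImpersonate"}, {caHideTarget, "HideTarget"},
	} {
		if t&f.bit != 0 {
			d.Flags = append(d.Flags, f.name)
		}
	}
	return d
}

// IsSuspicious flags actions that run code shipped inside the package: a DLL,
// EXE or script taken from the Binary table. Type 65 (Binary-table DLL +
// Continue) is the Magniber pattern.
func IsSuspicious(ca CustomAction) bool {
	tgt := ca.Type & caTargetMask
	runsCode := tgt == caTargetDLL || tgt == caTargetEXE || tgt == caTargetJS || tgt == caTargetVBS
	return runsCode && ca.Type&caSourceMask == caSourceBinary
}

// Describe renders a row the way an analyst would note it.
func Describe(ca CustomAction) string {
	d := DecodeType(ca.Type)
	return fmt.Sprintf("%s: type %d = %s-table %s, flags [%s], source=%s target=%s",
		ca.Action, ca.Type, d.Source, d.Target, strings.Join(d.Flags, ","), ca.Source, ca.Target)
}

// Rows reconstructed from the table shown in Orca. The Type of
// SetProgramFilesFolder (51 = set property) and its Source/Target values are
// assumptions; the report only states what that action does.
var sampleRows = []CustomAction{
	{"SetProgramFilesFolder", 51, "ProgramFilesFolder", "[LocalAppDataFolder]"},
	{"Ucjvnpaclba", 65, "ilzwngaiyktz", "j6tow27o"},
}

func main() {
	for _, ca := range sampleRows {
		fmt.Printf("%s  suspicious=%v\n", Describe(ca), IsSuspicious(ca))
	}
}
```

When triaging an unknown MSI, any row that IsSuspicious reports deserves a look at the Binary table entry it names; a DLL that runs with Continue set will keep the installation going even if the payload's entry point fails, so the package can look like a normal installer to the user.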
Windows version check
The sample checks the Windows version and only proceeds to encryption on Windows 10, Windows 11 and Windows Server 2022.
The code walks a do-while loop that XOR-decodes the payload and then injects the ransomware shellcode into a legitimate (whitelisted) process that is already running.
The malware drops a DLL whose import table and main body live in DllMain; it writes the shellcode into memory and executes it there. Loading the payload in memory without a file on disk lowers the chance that a code-scanning engine picks it up. In addition, Magniber does not call the Windows APIs through their exported stubs: it reproduces what the corresponding ntdll stub does, sets up the arguments, loads the system call number and issues the syscall instruction itself (a direct system call), which achieves the same effect as calling the native API.
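To make the direct-syscall technique concrete, here is an added Go example (not from the report or the sample) that shows the x64 ntdll stub layout Magniber reproduces, reads the system call number out of a stub, and recognises a stub whose first byte has been overwritten by a user-mode hook. The stub bytes are constructed, and the call numbers 0x18 and 0xC1 are illustrative values. System call numbers differ between Windows builds, so a loader that carries them must either resolve them at run time or know the exact OS version it is running on.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// x64 ntdll stub of an Nt* function as laid out on Windows 10/11:
//   4C 8B D1                  mov  r10, rcx
//   B8 xx xx xx xx            mov  eax, <system call number>
//   F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
//   75 03                     jne  +3
//   0F 05                     syscall
//   C3                        ret
// A direct-syscall loader reproduces the first two instructions plus
// "syscall; ret" in its own memory instead of calling the stub, so the
// transition into the kernel never passes through ntdll.

var stubPrefix = []byte{0x4C, 0x8B, 0xD1, 0xB8}

// ExtractSSN returns the system call number embedded in a stub, or ok=false
// when the bytes are not an intact stub (for example a hooked one).
func ExtractSSN(stub []byte) (ssn uint32, ok bool) {
	if len(stub) < len(stubPrefix)+4 {
		return 0, false
	}
	for i, b := range stubPrefix {
		if stub[i] != b {
			return 0, false
		}
	}
	ssn = binary.LittleEndian.Uint32(stub[4:8])
	// The stub must actually reach a syscall instruction.
	for i := 8; i+1 < len(stub); i++ {
		if stub[i] == 0x0F && stub[i+1] == 0x05 {
			return ssn, true
		}
	}
	return 0, false
}

// IsHooked reports the classic user-mode hook: the first byte of the stub was
// replaced by a relative JMP (E9) so a security product can inspect the call.
// Direct syscalls bypass exactly this kind of hook.
func IsHooked(stub []byte) bool {
	return len(stub) > 0 && stub[0] == 0xE9
}

// BuildDirectStub emits the minimal "mov r10,rcx; mov eax,ssn; syscall; ret"
// sequence, i.e. what a direct-syscall loader carries for each Nt* call.
func BuildDirectStub(ssn uint32) []byte {
	out := append([]byte{}, stubPrefix...)
	var imm [4]byte
	binary.LittleEndian.PutUint32(imm[:], ssn)
	out = append(out, imm[:]...)
	return append(out, 0x0F, 0x05, 0xC3)
}

// Constructed stub bytes; 0x18 is an illustrative call number.
var (
	cleanStub = append(append([]byte{}, stubPrefix...), 0x18, 0x00, 0x00, 0x00,
		0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03, 0x0F, 0x05, 0xC3)
	hookedStub = []byte{0xE9, 0x10, 0x20, 0x30, 0x40,
		0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, 0x75, 0x03, 0x0F, 0x05, 0xC3}
)

func main() {
	if ssn, ok := ExtractSSN(cleanStub); ok {
		fmt.Printf("clean stub: SSN 0x%X, direct stub % X\n", ssn, BuildDirectStub(ssn))
	}
	fmt.Println("hooked stub decodes:", func() bool { _, ok := ExtractSSN(hookedStub); return ok }())
	fmt.Println("hooked stub detected:", IsHooked(hookedStub))
}
```

From the defender's side the consequence is the one the report draws in the injection section below: anything that relies on hooking ntdll exports will not see these calls, and the sequence has to be observed from the kernel (ETW or callbacks) or by inspecting memory after the fact.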
Anti-debugging
Magniber calls NtDelayExecution to sleep for random intervals in order to evade analysis; randomised sleeps can cause a sandbox or antivirus engine to time out before the sample shows its behaviour.
Persistence
A value is added under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the file ouPBdEoNXxUS.3fr it points to is the key file.
UAC bypass
A command that downloads the Magniber ransomware is written into the registry.
Together, these registry entries mean that when the system restarts, the .3fr file registered under the Run key is executed through the registry association that is activated with it, so the Magniber ransomware is downloaded again and encryption runs after every reboot.
Advanced remote thread injection
blackbox.dll can be used to bypass software protections and is typically used to inject malicious code or perform other illegitimate actions. fwcwsp.dll is a DLL that ships with Windows as part of Windows Firewall and provides security for network connections.
1. Process enumeration
After decrypting its code, the sample first enumerates all running processes on the infected system to find one into which the ransomware can inject its shellcode. Magniber injects the unpacked shellcode into processes that satisfy the following conditions:
the process name is longer than 6 bytes;
the process is not running under WoW64. WoW64 is the Windows subsystem that runs 32-bit applications on 64-bit Windows, so only native 64-bit processes are chosen.
2. Remote injection
The injection sequence is as follows:
NtOpenProcess: open the target process
NtAllocateVirtualMemory: allocate memory in the target process for the shellcode about to be written
NtWriteVirtualMemory: write the shellcode into the allocated region
NtProtectVirtualMemory: change the memory protection of the region
NtCreateThreadEx: create a remote thread that executes the shellcode
The shellcode that carries the encryption routine is then injected into RWX memory of a qualifying process (for example sihost.exe). Because the sample uses direct system calls, the injection cannot be followed simply by monitoring memory writes from a debugger. Instead, run the MSI, suspend the target process with a process monitor such as Process Explorer (procexp), and dump the written shellcode from its memory.
Strings in the shellcode reveal the obfuscated ransom note content, together with a list of directory names (the standard system and program folders that ransomware typically leaves alone) and the ransom note file name:
documents and settings/appdata/local settings/sample music/sample pictures/sample videos/tor browser/recycle/windows/boot/intel/msocache/perflogs/program files/programdata/recovery/system volume information/winnt/README.html
Targeted file extensions
.abm/.abs/.abw/.accdb/.act/.adn/.adp/.aes/.aft/.afx/.agif/.agp/.ahd/.ai/.aic/.aim/.albm/.alf/.ans/.apd/.apm/.apng/.aps/.apt/.apx/.arc/.art/.arw/.asc/.ase/.asf/.ask/.asm/.asp/.asw/.asy/.aty/.avi/.awdb/.awp/.awt/.aww/.azz
.bad/.bak/.bay/.bbs/.bdb/.bdp/.bdr/.bean/.bib/.bmp/.bmx/.bna/.bnd/.boc/.bok/.brd/.brk/.brn/.brt/.bss/.btd/.bti/.btr
.c/.ca/.cals/.can/.cd/.cdb/.cdc/.cdg/.cdmm/.cdmt/.cdmz/.cdr/.cdt/.cf/.cfu/.cgm/.cimg/.cin/.cit/.ckp/.class/.clkw/.cma/.cmx/.cnm/.cnv/.colz/.cpc/.cpd/.cpg/.cpp/.cps/.cpx/.crd/.crt/.crw/.cs/.csr/.csv/.csy/.ct/.cvg/.cvi/.cvs/.cvx/.cwt/.cxf/.cyi
.dad/.daf/.db/.dbc/.dbf/.dbk/.dbs/.dbt/.dbv/.dbx/.dca/.dcb/.dch/.dcr/.dcs/.dct/.dcx/.dd/.dds/.ded/.der/.dgn/.dgs/.dgt/.dhs/.dib/.dif/.dip/.diz/.djv/.djvu/.dmi/.dmo/.dnc/.dne/.doc/.docb/.docm/.docx/.docz/.dot/.dotm/.dotx/.dpp/.dpx/.dqy/.drw/.drz/.dsk/.dsn/.dsv/.dt/.dta/.dtsx/.dtw/.dv/.dvi/.dwg/.dx/.dxb/.dxf
.eco/.ecw/.ecx/.edb/.efd/.egc/.eio/.eip/.eit/.em/.emd/.emf/.emlx/.ep/.epf/.epp/.eps/.epsf/.eq/.erf/.err/.etf/.etx/.euc/.exr
.fa/.faq/.fax/.fb/.fbx/.fcd/.fcf/.fdf/.fdr/.fds/.fdt/.fdx/.fdxt/.fes/.fft/.fi/.fic/.fid/.fif/.fig/.fla/.flr/.flv/.fmv/.fo/.fodt/.fpos/.fpt/.fpx/.frm/.frt/.frx/.ftn/.fwdn/.fxc/.fxg/.fzb/.fzv
.gcdp/.gdb/.gdoc/.gem/.geo/.gfb/.gfie/.ggr/.gif/.gih/.gim/.gio/.glox/.gpd/.gpg/.gpn/.gro/.grob/.grs/.gsd/.gthr/.gtp/.gv/.gwi/.gz
.h/.hbk/.hdb/.hdp/.hdr/.hht/.his/.hp/.hpg/.hpi/.hs/.htc/.hwp/.hz
.ib/.ibd/.icn/.icon/.icpr/.idc/.idea/.idx/.igt/.igx/.ihx/.ii/.iiq/.imd/.info/.ink/.ipf/.ipx/.iso/.itdb/.itw/.iwi
.j/.jar/.jas/.java/.jbig/.jbmp/.jbr/.jfif/.jia/.jis/.jng/.joe/.jpe/.jpeg/.jpg/.jps/.jpx/.jrtf/.js/.jsp/.jtf/.jtx/.jw/.jxr
.kdb/.kdbx/.kdc/.kdi/.kdk/.kes/.ke/.kic/.klg/.knt/.kon/.kpg/.kwd
.lay/.lbm/.lbt/.ldf/.lgc/.lis/.lit/.ljp/.lmk/.lnt/.lrc/.lst/.ltr/.ltx/.lue/.luf/.lwo/.lwp/.lws/.lyt/.lyx
.ma/.mac/.man/.map/.maq/.mat/.max/.mb/.mbm/.mbox/.mdb/.mdf/.mdn/.mdt/.me/.mef/.mel/.mft/.mgcb/.mgmf/.mgmt/.mgmx/.mgtx/.mid/.min/.mkv/.mm/.mmat/.mnr/.mnt/.mos/.mov/.mpeg/.mpf/.mpg/.mpo/.mrg/.mrxs/.msg/.mud/.mwb/.mwp/.mx/.my/.myd/.myi
.ncr/.nct/.ndf/.nef/.nfo/.njx/.nlm/.now/.nrw/.nsf/.nyf/.nzb
.obj/.oce/.oci/.ocr/.odb/.odg/.odm/.odo/.odp/.ods/.odt/.of/.oft/.omf/.oplc/.oqy/.ora/.orf/.ort/.orx/.ost/.ota/.otg/.oti/.otp/.ots/.ott/.ovp/.ovr/.owc/.owg/.oyx/.ozb/.ozj/.ozt
.p/.pa/.pan/.pano/.pap/.paq/.pas/.pbm/.pcd/.pcs/.pdb/.pdd/.pdf/.pdm/.pds/.pdt/.pef/.pem/.pff/.pfi/.pfs/.pfv/.pfx/.pgf/.pgm/.phm/.php/.pic/.pict/.pix/.pjpg/.pjt/.plt/.pm/.pmg/.png/.pni/.pnm/.pntg/.pnz/.pobj/.pop/.pot/.potm/.potx/.ppam/.ppm/.pps/.ppsm/.ppsx/.ppt/.pptm/.pptx/.prt/.prw/.psd/.psdx/.pse/.psid/.psp/.pst/.psw/.ptg/.pth/.ptx/.pu/.pvj/.pvm/.pvr/.pwa/.pwi/.pwr/.px/.pxr/.pza/.pzp/.pzs
.qd/.qmg/.qpx/.qry/.qvd
.rad/.rar/.ras/.raw/.rb/.rctd/.rcu/.rd/.rdb/.rft/.rgb/.rgf/.rib/.ric/.riff/.ris/.rix/.rle/.rli/.rng/.rpd/.rpf/.rpt/.rri/.rs/.rsb/.rsd/.rsr/.rst/.rt/.rtd/.rtf/.rtx/.run/.rw/.rzk/.rzn
.saf/.sam/.sbf/.scad/.scc/.sch/.sci/.scm/.sct/.scv/.scw/.sdb/.sdf/.sdm/.sdoc/.sdw/.sep/.sfc/.sfw/.sgm/.sh/.sig/.skm/.sla/.sld/.sldm/.sldx/.slk/.sln/.sls/.smf/.sms/.snt/.sob/.spa/.spe/.sph/.spj/.spp/.spq/.spr/.sq/.sqb/.srw/.ssa/.ssk/.st/.stc/.std/.sti/.stm/.stn/.stp/.str/.stw/.sty/.sub/.suo/.svf/.svg/.svgz/.swf/.sxc/.sxd/.sxg/.sxi/.sxm/.sxw
.tab/.tar/.tbk/.tcx/.tdf/.tdt/.te/.tex/.text/.tgz/.thp/.tif/.tiff/.tlb/.tlc/.tm/.tmd/.tmv/.tmx/.tne/.tpc/.trm/.tvj
.udb/.ufr/.unx/.uof/.uop/.uot/.upd/.usr/.utxt
.vb/.vbr/.vbs/.vcd/.vct/.vdb/.vdi/.vec/.vm/.vmdk/.vmx/.vnt/.vob/.vpd/.vrm/.vrp/.vsd/.vsdm/.vsdx/.vsm/.vstm/.vstx/.vue/.vw
.wav/.wbk/.wcf/.wdb/.wgz/.wire/.wks/.wma/.wmdb/.wmv/.wn/.wp/.wpa/.wpd/.wpg/.wps/.wpt/.wpw/.wri/.wsc/.wsd/.wsh/.wtx
.x/.xar/.xd/.xdb/.xlc/.xld/.xlf/.xlgc/.xlm/.xls/.xlsb/.xlsm/.xlsx/.xlt/.xltm/.xltx/.xlw/.xps/.xwp/.xyp/.xyw
.ya/.ybk/.ym
.zabw/.zdb/.zdc/.zip/.zw
The sample encrypts files with the typical RSA+AES hybrid scheme and uses multiple threads to speed the encryption up. The overall flow is:
1) Traverse files and folders and check whether the extension of the current file is in the target list above; if it is, encrypt it.
2) Randomly generate the Key and IV needed for AES encryption.
3) Encrypt the current file with AES, processing it in equal-sized blocks of 1,048,576 bytes (1 MiB) per iteration.
4) Use CryptoAPI to encrypt the AES Key and IV with the embedded RSA public key (RSA can only encrypt a single short block, which is why the file data itself goes through AES).
5) Append the extension .mhkgchqs to the encrypted file.
6) After encryption completes, create the README.html ransom note in each folder.
Sha256
MSI 07c8ab61570fe9ec86e168aa96c58fe24246b35db78241fe7c83928ed559b3f6
IP
45.32.88.152
ATT&CK
1. Avoid opening suspicious e-mails or e-mails of unknown origin, especially the links and attachments they contain; if an unknown file must be opened, scan it with antivirus software first.
2. Keep important data backed up on a second machine or in the cloud.
[Sangfor Endpoint Detection and Response platform, EDR]
already detects and blocks the malicious files used in this incident; update the software (customers with customised builds should consult after-sales support before upgrading) and the virus database to the latest version, and connect to Sangfor Security Cloud Brain to catch new threats promptly;
Update the protection rules of [Sangfor Next-Generation Firewall, AF] to the latest version and connect to Sangfor Security Cloud Brain; the "Cloud Scan" (云鑒) service can then block this high-risk threat.
[Sangfor Security Awareness Platform, SIP]: users are advised to update the rule base promptly, connect to Sangfor Security Cloud Brain and link with [Sangfor Next-Generation Firewall, AF] to achieve intrusion prevention against high-risk threats.
[Sangfor Managed Security Service, MSS] aims to keep users' network security "continuously effective": by connecting the user's security devices to a security operations centre and relying on the XDR security capability platform and the MSSP service platform, it operates in a collaborative "human plus machine" mode and provides 7x24 security operations covering assets, vulnerabilities, threats and incidents, rapidly scaling sustained security operations capability and delivering committed risk-control results.