REvil(又名Sodinokibi)勒索病毒團夥近期活躍度非常高,上個月才加密并竊取了某計算機巨頭企業機密數據的REvil,在本月又入侵了蘋果代工廠要價5000萬美元,堪稱勒索病毒界的“勞模”。
《3.25 億!REvil 勒索團夥又出動,深信服 EDR 來給用戶打個“勒索病毒預防針”》
深信服終端安全團隊一直對REvil勒索病毒團夥的技術應用和模式發展進行深度追蹤,同時捕獲到了本次攻擊事件中的勒索病毒母體,通過技術分析發現,REvil在免殺技術上做了部分改進,母體和組件都僞造了數字簽名,通過文件釋放和DLL調用的方式分級觸發,并通過多層payload解密才得到功能代碼。
除此以外分析人員發現,本次的病毒文件與此前針對國内企業的病毒文件還存在一些細節差異,排除加密的目錄關鍵字中不再包含"tencent fies","wechat files"等中國普遍使用的軟件目錄。
技術分析REvil勒索病毒母體分為EXE和DLL兩個部分,都先封裝在一個名為svchost.exe的可執行文件中,三個文件都僞造了數字簽名,其中svchost.exe和MpSvc.dll用了同樣的僞造簽名,而MsMpEng.exe則僞造了微軟的簽名:
雙擊運行svchost.exe後,會從資源中讀取MsMpEng.exe和MpSvc.dll:
将兩個文件釋放到temp目錄下,并調用cmd,利用/c參數後台執行MsMpEng.exe:
而MsMpEng.exe也沒有實質性的惡意功能,隻是加載了MpSvc.dll中的導出函數ServiceCrtMain():
MpSvc.dll中解密了兩層payload後開始執行惡意功能,首先從内存中解密出需要用到的字符資源合集:
分别在HKEY_LOCAL_MACHINE\SOFTWARE和HKEY_LOCAL_USER\SOFTWARE下查找注冊表項BlackLivesMatter的x4WHjRs值,若不存在該值,則生成7位加密後綴,随後創建該鍵值,值設置為加密後綴:
采集基本的主機信息,包括用戶名、主機名、磁盤類型以及注冊表項的值:
hKey = HKEY_LOCAL_MACHINE
Subkey = "SYSTEM\CurrentControlSet\services\Tcpip\Parameters"
ValueName = "Domain"
hKey = HKEY_CURRENT_USER
Subkey = "Control Panel\International"
ValueName = "LocaleName"
hKey = HKEY_LOCAL_MACHINE
Subkey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion"
ValueName = "productName"
創建互斥體,防止重複執行:
使用函數SHEmptyRecycleBinW清空回收站,并使用SetThreadExecutionState防止主機進入休眠狀态:
為自身進程提權:
枚舉出終端上的服務,查看服務名是否在以下列表中,有則進行删除:
"svc": ["sophos", "svc$", "sql", "mepocs", "vss", "backupбмукшефы", "veeam", "memtas"]
遍曆進程,查看是否存在以下進程,如有則終止:
"prc":["allegro","steam","xtop","ocssd","xfssvccon","onenote","isqlplussvc","msaccess","powerpnt","cad","sqbcoreservice","thunderbird","oracle","infopath","dbeng50","pro_comm_msg","agntsvc","thebat","firefox","ocautoupds","winword","synctime","tbirdconfig","mspub","visio","sql","ocomm","orcad","mydesktopservice","dbsnmp","outlook","cadence","excel","wordpad","creoagent","encsvc","mydesktopqos"]
遍曆目錄進行加密,同時排除以下目錄;與針對中國用戶不同的是,排除的目錄關鍵字中不再包含"tencent fies","wechat files"等中國普遍使用的軟件目錄:
"wht":{"fld":["google","windows.old","programdata","system volume information","application data","program files (x86)","intel","boot","$windows.~bt","tor browser","program files","windows","perflogs","$windows.~ws","msocache","appdata","mozilla"]
排除以下文件:
"fls":["ntuser.ini","ntldr","bootmgr","ntuser.dat.log","ntuser.dat","thumbs.db","autorun.inf","bootfont.bin","desktop.ini","boot.ini","iconcache.db","bootsect.bak"]
排除以下後綴:
"ext":["ldf","adv","shs","cmd","ico","msc","hlp","drv","lock","nls","theme","lnk","nomedia","diagcab","ics","bat","rtp","spl","wpx","idx","icl","dll","themepack","scr","msi","key","mpa","cab","prf","ps1","bin","msstyles","msu","cpl","ani","386","sys","diagpkg","exe","mod","rom","icns","hta","msp","ocx","diagcfg","cur","com","deskthemepack"]
在每個目錄下釋放勒索信息txt文件:
加密後修改主機桌面為标志性的藍色背景:
如果NET字段配置為True的時候(默認為false),将向C&C端發送受害主機基本信息和生成的Key,域名配置包含了1229個域名字符:
1.日常生活工作中的重要的數據文件資料設置相應的訪問權限,關閉不必要的文件共享功能并且定期進行非本地備份;
2.使用高強度的主機密碼,并避免多台設備使用相同密碼,不要對外網直接映射3389等端口,防止暴力破解;
3.避免打開來曆不明的郵件、鍊接和網址附件等,盡量不要在非官方渠道下載非正版的應用軟件,發現文件類型與圖标不相符時應先使用安全軟件對文件進行查殺;
4.定期檢測系統漏洞并且及時進行補丁修複。
,更多精彩资讯请关注tft每日頭條,我们将持续为您更新最新资讯!
zpostcode 
Recruit 
weather 
mreligion 
Yellowpages 
sport 
constellation 
shopping 
name 
game 
directory 
literature 
Word 
tour 
furnish 
Lottery 
tftnews 
lyrics 
News 
digital 
car 
dir 
Edu 
Finance 
