Kaspersky warns of the return of Ransomware

General Supervisor

Administrator
Administration staff
Image: http://u.damasgate.com/001/3/r91h7dxrphd73trqauz8.png
Image: http://u.damasgate.com/001/3/f838drhm8qc3ukvcvk09.png (The-return-of-mamba-ransomware)

Topics related to the article:
* Pinned: Ransomware Defender 3.5.7, an anti-ransomware tool (http://www.damasgate.com/vb/t410057/)
* Pinned: 4 programs from the major vendors Bitdefender, Kaspersky, Malwarebytes and Cybereason for fighting the WannaCry ransomware (http://www.damasgate.com/vb/t412854/)

---Quote---
It is best to keep updates always enabled so that you follow the latest additions to the vendor's database :thumbs-up:
---End quote---

*Attack Geography*
We are currently observing attacks against corporations that are located in:
* Brazil
* Saudi Arabia

*Attack Vector*
As usual, this group gains access to an organization’s network and uses the psexec utility to execute the ransomware. It is also important to mention that for each machine in the victim’s network, the threat actor generates a separate password for the DiskCryptor utility. This password is passed via command line arguments to the ransomware dropper.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-2.png (Example of malware execution)

*Technical Analysis*
In a nutshell, the malicious activity can be separated into two stages:

Stage 1 (Preparation):
* Create folder “C:\xampp\http”
* Drop DiskCryptor components into the folder
* Install DiskCryptor driver
* Register a system service called *DefragmentService*
* Reboot the victim machine

Stage 2 (Encryption):
* Set up a bootloader in the MBR and encrypt disk partitions using the DiskCryptor software
* Clean up
* Reboot the victim machine

*Stage 1 (Preparation)*
As the trojan uses the DiskCryptor utility, the first stage deals with installing this tool on the victim machine. The malicious dropper stores DiskCryptor’s modules in its own resources.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-3.png (DiskCryptor modules)
Depending on OS information, the malware chooses between the 32- and 64-bit DiskCryptor modules. The necessary modules are dropped into the “C:\xampp\http” folder.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-4.png (The malware drops the necessary modules)
After that, it launches the dropped DiskCryptor installer.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-5.png (The call of the DiskCryptor installer)
When DiskCryptor is installed, the malware creates a service with the SERVICE_ALL_ACCESS and SERVICE_AUTO_START parameters.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-6.png (The function that creates the malicious service)
The last step of Stage 1 is to reboot the system.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-7.png (Force reboot function)

*Stage 2 (Encryption)*
Using the DiskCryptor software, the malware sets up a new bootloader in the MBR.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-8.png (The call for setting up a bootloader in the MBR)
The bootloader contains the ransom message for the victim.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-9.png (Ransomware note)
After the bootloader is set, the disk partitions are encrypted using the password previously specified as a command line argument to the dropper.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-10.png (The call tree of the encryption processes)
When the encryption ends, the system is rebooted and the victim sees the ransom note on the screen.
Image: https://cdn.securelist.com/files/2017/08/170809_mamba_returns-11.png (Ransom notes)
Kaspersky Lab products detect this threat with the help of the System Watcher component, with the following verdict: PDM:Trojan.Win32.Generic.

*Decryption*
Unfortunately, there is no way to decrypt data that has been encrypted using the DiskCryptor utility, because this legitimate utility uses strong encryption algorithms.

*IOCs:*
79ED93DF3BEC7CD95CE60E6EE35F46A1
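The Attack Vector and Stage 1 sections above give a defender several host-level indicators to hunt for: psexec activity, a dropper matching the listed MD5, files appearing under C:\xampp\http, and a service named DefragmentService whose image lives in that folder. The script below is an added example, not code from the original post or from Kaspersky; it runs that hunting logic over a handful of constructed event records modelled loosely on Windows System log event 7045 (service installed) and Sysmon events 1 (process created) and 11 (file created). The field names (ServiceName, ImagePath, Image, CommandLine, Hashes, TargetFilename), the host names and every sample value other than the MD5 from the post are assumptions made for the example.

```python
import ntpath
from dataclasses import dataclass

# Indicators taken from the post above
MAMBA_DROPPER_MD5 = "79ED93DF3BEC7CD95CE60E6EE35F46A1".lower()
STAGING_DIR = r"c:\xampp\http"                   # folder created in Stage 1
MALICIOUS_SERVICE = "defragmentservice"          # service registered in Stage 1
LATERAL_TOOLS = {"psexec.exe", "psexesvc.exe"}   # psexec client and its service-side component


@dataclass
class Event:
    # Assumed schema: 7045 = service installed (System log);
    # 1 = process created, 11 = file created (Sysmon)
    event_id: int
    host: str
    fields: dict


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _md5_from_sysmon_hashes(hashes: str) -> str:
    # Sysmon writes the field as "SHA256=...,MD5=...,IMPHASH=..." (order may vary)
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "MD5":
            return value.strip().lower()
    return ""


def check_event(ev: Event) -> list[str]:
    """Return the list of Mamba indicators matched by a single event (empty if none)."""
    f = ev.fields
    findings = []
    if ev.event_id == 7045:
        if f.get("ServiceName", "").lower() == MALICIOUS_SERVICE:
            findings.append("service 'DefragmentService' registered")
        if STAGING_DIR in f.get("ImagePath", "").lower():
            findings.append("service image path under C:\\xampp\\http")
    elif ev.event_id == 1:
        image = f.get("Image", "")
        if _basename(image) in LATERAL_TOOLS:
            findings.append(f"remote execution tool started: {_basename(image)}")
        if _md5_from_sysmon_hashes(f.get("Hashes", "")) == MAMBA_DROPPER_MD5:
            findings.append("process image matches known Mamba dropper MD5")
        if STAGING_DIR in image.lower() or STAGING_DIR in f.get("CommandLine", "").lower():
            findings.append("process launched from or referencing C:\\xampp\\http")
    elif ev.event_id == 11:
        if f.get("TargetFilename", "").lower().startswith(STAGING_DIR + "\\"):
            findings.append("file dropped into C:\\xampp\\http")
    return findings


def hunt(events) -> dict:
    """Return {host: [findings...]} for every host with at least one indicator."""
    hits = {}
    for ev in events:
        for finding in check_event(ev):
            hits.setdefault(ev.host, []).append(finding)
    return hits


# Constructed sample events (not real telemetry); WS01 shows the pattern from the
# post, WS02 carries only benign activity. The all-zero MD5 is a placeholder.
SAMPLE_EVENTS = [
    Event(1, "WS01", {"Image": r"C:\Windows\PSEXESVC.exe",
                      "CommandLine": r"C:\Windows\PSEXESVC.exe",
                      "Hashes": "MD5=00000000000000000000000000000000"}),
    Event(1, "WS01", {"Image": r"C:\Users\Public\dropper.exe",
                      "CommandLine": r"C:\Users\Public\dropper.exe <password argument redacted>",
                      "Hashes": "SHA256=<constructed>,MD5=79ED93DF3BEC7CD95CE60E6EE35F46A1"}),
    Event(11, "WS01", {"TargetFilename": r"C:\xampp\http\driver.sys"}),
    Event(7045, "WS01", {"ServiceName": "DefragmentService",
                         "ImagePath": r"C:\xampp\http\service.exe",
                         "StartType": "auto start"}),
    Event(7045, "WS02", {"ServiceName": "Sysmon64",
                         "ImagePath": r"C:\Windows\Sysmon64.exe",
                         "StartType": "auto start"}),
    Event(1, "WS02", {"Image": r"C:\Windows\System32\notepad.exe",
                      "CommandLine": "notepad.exe",
                      "Hashes": "MD5=00000000000000000000000000000000"}),
]


if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(host)
        for item in findings:
            print("  -", item)
```

Running the block lists WS01 with five matched indicators and nothing for WS02. In practice the psexec rule on its own is noisy on networks where administrators use the tool legitimately; the value is in the combination seen here on one host within a short window (psexec, a new auto-start service, and files under an unusual "xampp" path), which is what the Stage 1 description makes hunt-worthy.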
