Magniber勒索軟件借助微軟的漏洞實施攻擊 - 山西鑫鼎宸科技股份有限公司

我的位置：

Magniber勒索軟件借助微軟的漏洞實施攻擊

預警來源：深信服發布時間：2023-04-11

惡意文件分析

惡意事件描述

深信服深盾終端實驗室在近期的運營工作中，捕獲了的Magniber勒索家族的最新變種，此次捕獲的樣本通過MSI進行傳播，同時使用微軟的漏洞CVE-2023-24880（注：3月14日官方已發布補?。﹣砝@過 SmartScreen從受感染的網站下載和安裝Magniber勒索軟件，CVE-2023-24880漏洞由CVE-2022-44698漏洞未完全修復引起的。

CVE-2023-24880 利用了Windows SmartScreen 安全功能的繞過。SmartScreen是Windows版本 10 和 11中的一項安全功能，主要用于檢測和阻止網絡釣魚和惡意軟件的下載和安裝。繞過該功能即代表允許攻擊者在沒有任何安全警告的情況下下載Magniber勒索軟件。

該漏洞已在今年3月15日進行及時響應，相關鏈接如下所示：

https://mp.weixin.qq.com/s/f4uA3Loc2ooG_1_tcvxnUA

惡意事件分析

在所有的勒索家族中，Magniber絕對是最獨樹一幟的存在，樣本本身使用了大量的混淆、解碼，通過采用新的混淆技術和規避方法不斷更新其策略，極度干擾研究人員的分析工作。其次使用漏洞，Magniber Ransomware 近年來一直通過 IE (Internet Explorer) 漏洞傳播，但自 IE 停止支持后，Magniber Ransomware 在 Microsoft Edge 和 Google Chrome 瀏覽器中以 Windows 安裝包文件 (.msi) 的形式分發。

樣本啟動后，會加密系統中的部分文件，并釋放勒索信以誘使受害者通過勒索信中的聯系方式與攻擊者進行溝通及繳納贖金，其中被加密文件添加擴展“mhkgchqs”，勒索信文件名為“README.html”，勒索信中并未表明贖金金額及支付方式。

MSI文件分析

攻擊者正在使用無效但自制的驗證碼簽名的 MSI 文件。格式錯誤的簽名會導致 SmartScreen 返回錯誤，當不受信任的文件包含 Web 標記（MotW）時，該錯誤會導致不會向用戶顯示安全警告對話框，實則已經從 Internet 下載了潛在的惡意文件。

使用Orca打開MSI文件查看表的結構和內容。發現MSI會調用CustomAction屬性執行MSI內嵌DLL的導出函數j6tow27o。

SetProgramFilesFolder：將該程序的文件夾設置為LocalAppData目錄，即“C:\Users\用戶名\AppData\Local”。

Ucjvnpaclba：獲取二進制文件ilzwngaiyktz，type為65表示該文件為dll類型，Target表示導出函數為j6tow27o。

Windows系統版本判斷

查看Windows系統版本，只針對Windows10、Windows11、Windows Server 2022系統進行加密

該代碼通過XOR解碼過程遍歷循環語句 (do-while)，并將勒索軟件shllcode注入當前正在運行的白進程中。

該病毒會釋放DLL格式的文件，該文件導入表、執行主體在DLL主函數中，釋放shellcode到內存并執行，無文件加載能夠降低自身被內存代碼檢測引擎發現的風險，同時Magniber并不直接通過調用API實現相應功能，而是模擬相應API在ntdll中的行為，傳入參數，然后指定syscall ID，直接調用syscall，同樣可以實現直接調用系統API的作用。

反調試

Magniber 使用 NtDelayExecution 以隨機間隔休眠以逃避分析。隨機休眠間隔可能會阻止沙盒或防病毒檢測成功。

持久化

在HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 注冊表中添加一個鍵值，其中ouPBdEoNXxUS.3fr文件為密鑰文件

繞過UAC

在注冊表中寫入下載Magniber勒索軟件的命令

上述寫入注冊表的內容能夠實現，當系統重新啟動時，注冊到 Run 鍵的 .3fr 文件擴展名與指定同時激活的注冊表一起執行，導致每次系統重新啟動時都會下載Magniber勒索軟件并實施加密活動。

高級遠程線程注入

blackbox.dll可用于繞過軟件安全措施,一般用于注入惡意代碼或執行其他非法操作。fwcwsp.dll 文件是 Windows 操作系統中的一個 DLL 文件，它是 Windows Firewall 的一部分，用于提供網絡連接的安全性。

1、遍歷進程

解密代碼后，首先會枚舉受感染系統上所有正在運行的進程以識別勒索軟件可以在其中注入shellcode的進程,Magniber將解壓后的shellcode注入滿足以下條件的進程

進程名是否大于6字節

該進程未在WoW64環境中運行。WoW64 是 Windows 操作系統的一個子系統，可以在 64 位 Windows 操作系統上執行 32 位應用程序

2、遠程注入

注入過程如下所示：

NtOpenProcess：打開目標進程

NtAllocateVirtualMemory：在目標進程中為即將寫入的shellcode分配內存空間

NtWriteVirtualMemory：將shellcode寫入分配的內存區域。

NtProtectVirtualMemory：修改內存保護屬性

NtCreateThreadEx：創建遠程線程，執行shellcode

隨后將帶有勒索加密功能的shellcode注入到符合條件的進程中（如：sihost.exe）RWX屬性的內存中。但由于它使用系統調用，因而無法直接通過調試器監控內存寫入來跟蹤注入的shellcode。相反可以直接通過運行msi程序，然后使用procexp等進程監視器掛起進程然后dump寫入的shellcode。

通過查看該shellcode的字符串發現被混淆后的勒索信內容

加密

避免加密的目錄和文件

documents and settings/appdata/local settings/sample music/sample pictures/sample videos/tor browser/recycle/windows/boot/intel/msocache/perflogs/program files/programdata/recovery/system volume information/winnt/README.html

加密的文件后綴

.abm/.abs/.abw/.accdb/.act/.adn/.adp/.aes/.aft/.afx/.agif/.agp/.ahd/.ai/.aic/.aim/.albm/.alf/.adn/.adp/.aes/.aft/.afx/.agif/.agp/.ahd/.ai/.aic/.aim/.albm/.alf/.ans/.apd/.apm/.apng/.aps/.agif/.agp/.ahd/.ai/.aic/.aim/.albm/.alf/.ans/.apd/.apm/.apng/.aps/.apt/.apx/.arc/.art/.arw/.aim/.albm/.alf/.ans/.apd/.apm/.apng/.aps/.apt/.apx/.arc/.art/.arw/.asc/.ase/.asf/.ask/.asm/.apm/.apng/.aps/.apt/.apx/.arc/.art/.arw/.asc/.ase/.asf/.ask/.asm/.asp/.asw/.asy/.aty/.avi/.arc/.art/.arw/.asc/.ase/.asf/.ask/.asm/.asp/.asw/.asy/.aty/.avi/.awdb/.awp/.awt/.aww/.azz/.asf/.ask/.asm/.asp/.asw/.asy/.aty/.avi/.awdb/.awp/.awt/.aww/.azz/.bad/.bak/.bay/.bbs/.bdb/.asy/.aty/.avi/.awdb/.awp/.awt/.aww/.azz/.bad/.bak/.bay/.bbs/.bdb/.bdp/.bdr/.bean/.bib/.bmp/.awt/.aww/.azz/.bad/.bak/.bay/.bbs/.bdb/.bdp/.bdr/.bean/.bib/.bmp/.bmx/.bna/.bnd/.boc/.bok/.bay/.bbs/.bdb/.bdp/.bdr/.bean/.bib/.bmp/.bmx/.bna/.bnd/.boc/.bok/.brd/.brk/.brn/.brt/.bss/.bean/.bib/.bmp/.bmx/.bna/.bnd/.boc/.bok/.brd/.brk/.brn/.brt/.bss/.btd/.bti/.btr/.c/.ca/.bnd/.boc/.bok/.brd/.brk/.brn/.brt/.bss/.btd/.bti/.btr/.c/.ca/.cals/.can/.cd/.cdb/.cdc/.brn/.brt/.bss/.btd/.bti/.btr/.c/.ca/.cals/.can/.cd/.cdb/.cdc/.cdg/.cdmm/.cdmt/.cdmz/.cdr/.btr/.c/.ca/.cals/.can/.cd/.cdb/.cdc/.cdg/.cdmm/.cdmt/.cdmz/.cdr/.cdt/.cf/.cfu/.cgm/.cimg/.cd/.cdb/.cdc/.cdg/.cdmm/.cdmt/.cdmz/.cdr/.cdt/.cf/.cfu/.cgm/.cimg/.cin/.cit/.ckp/.class/.clkw/.cdmt/.cdmz/.cdr/.cdt/.cf/.cfu/.cgm/.cimg/.cin/.cit/.ckp/.class/.clkw/.cma/.cmx/.cnm/.cnv/.colz/.cfu/.cgm/.cimg/.cin/.cit/.ckp/.class/.clkw/.cma/.cmx/.cnm/.cnv/.colz/.cpc/.cpd/.cpg/.cpp/.cps/.ckp/.class/.clkw/.cma/.cmx/.cnm/.cnv/.colz/.cpc/.cpd/.cpg/.cpp/.cps/.cpx/.crd/.crt/.crw/.cs/.cnm/.cnv/.colz/.cpc/.cpd/.cpg/.cpp/.cps/.cpx/.crd/.crt/.crw/.cs/.csr/.csv/.csy/.ct/.cvg/.cpg/.cpp/.cps/.cpx/.crd/.crt/.crw/.cs/.csr/.csv/.csy/.ct/.cvg/.cvi/.cvs/.cvx/.cwt/.cxf/.crt/.crw/.cs/.csr/.csv/.csy/.ct/.cvg/.cvi/.cvs/.cvx/.cwt/.cxf/.cyi/.dad/.daf/.db/.dbc/.csy/.ct/.cvg/.cvi/.cvs/.cvx/.cwt/.cxf/.cyi/.dad/.daf/.db/.dbc/.dbf/.dbk/.dbs/.dbt/.dbv/.cvx/.cwt/.cxf/.cyi/.dad/.daf/.db/.dbc/.dbf/.dbk/.dbs/.dbt/.dbv/.dbx/.dca/.dcb/.dch/.dcr/.daf/.db/.dbc/.dbf/.dbk/.dbs/.dbt/.dbv/.dbx/.dca/.dcb/.dch/.dcr/.dcs/.dct/.dcx/.dd/.dds/.dbs/.dbt/.dbv/.dbx/.dca/.dcb/.dch/.dcr/.dcs/.dct/.dcx/.dd/.dds/.ded/.der/.dgn/.dgs/.dgt/.dcb/.dch/.dcr/.dcs/.dct/.dcx/.dd/.dds/.ded/.der/.dgn/.dgs/.dgt/.dhs/.dib/.dif/.dip/.diz/.dcx/.dd/.dds/.ded/.der/.dgn/.dgs/.dgt/.dhs/.dib/.dif/.dip/.diz/.djv/.djvu/.dmi/.dmo/.dnc/.dgn/.dgs/.dgt/.dhs/.dib/.dif/.dip/.diz/.djv/.djvu/.dmi/.dmo/.dnc/.dne/.doc/.docb/.docm/.docx/.dif/.dip/.diz/.djv/.djvu/.dmi/.dmo/.dnc/.dne/.doc/.docb/.docm/.docx/.docz/.dot/.dotm/.dotx/.dpp/.dmi/.dmo/.dnc/.dne/.doc/.docb/.docm/.docx/.docz/.dot/.dotm/.dotx/.dpp/.dpx/.dqy/.drw/.drz/.dsk/.docb/.docm/.docx/.docz/.dot/.dotm/.dotx/.dpp/.dpx/.dqy/.drw/.drz/.dsk/.dsn/.dsv/.dt/.dta/.dtsx/.dotm/.dotx/.dpp/.dpx/.dqy/.drw/.drz/.dsk/.dsn/.dsv/.dt/.dta/.dtsx/.dtw/.dv/.dvi/.dwg/.dx/.drw/.drz/.dsk/.dsn/.dsv/.dt/.dta/.dtsx/.dtw/.dv/.dvi/.dwg/.dx/.dxb/.dxf/.eco/.ecw/.ecx/.dt/.dta/.dtsx/.dtw/.dv/.dvi/.dwg/.dx/.dxb/.dxf/.eco/.ecw/.ecx/.edb/.efd/.egc/.eio/.eip/.dvi/.dwg/.dx/.dxb/.dxf/.eco/.ecw/.ecx/.edb/.efd/.egc/.eio/.eip/.eit/.em/.emd/.emf/.emlx/.eco/.ecw/.ecx/.edb/.efd/.egc/.eio/.eip/.eit/.em/.emd/.emf/.emlx/.ep/.epf/.epp/.eps/.epsf/.egc/.eio/.eip/.eit/.em/.emd/.emf/.emlx/.ep/.epf/.epp/.eps/.epsf/.eq/.erf/.err/.etf/.etx/.emd/.emf/.emlx/.ep/.epf/.epp/.eps/.epsf/.eq/.erf/.err/.etf/.etx/.euc/.exr/.fa/.faq/.fax/.epp/.eps/.epsf/.eq/.erf/.err/.etf/.etx/.euc/.exr/.fa/.faq/.fax/.fb/.fbx/.fcd/.fcf/.fdf/.err/.etf/.etx/.euc/.exr/.fa/.faq/.fax/.fb/.fbx/.fcd/.fcf/.fdf/.fdr/.fds/.fdt/.fdx/.fdxt/.fa/.faq/.fax/.fb/.fbx/.fcd/.fcf/.fdf/.fdr/.fds/.fdt/.fdx/.fdxt/.fes/.fft/.fi/.fic/.fid/.fcd/.fcf/.fdf/.fdr/.fds/.fdt/.fdx/.fdxt/.fes/.fft/.fi/.fic/.fid/.fif/.fig/.fla/.flr/.flv/.fdt/.fdx/.fdxt/.fes/.fft/.fi/.fic/.fid/.fif/.fig/.fla/.flr/.flv/.fmv/.fo/.fodt/.fpos/.fpt/.fi/.fic/.fid/.fif/.fig/.fla/.flr/.flv/.fmv/.fo/.fodt/.fpos/.fpt/.fpx/.frm/.frt/.frx/.ftn/.fla/.flr/.flv/.fmv/.fo/.fodt/.fpos/.fpt/.fpx/.frm/.frt/.frx/.ftn/.fwdn/.fxc/.fxg/.fzb/.fzv/.fodt/.fpos/.fpt/.fpx/.frm/.frt/.frx/.ftn/.fwdn/.fxc/.fxg/.fzb/.fzv/.gcdp/.gdb/.gdoc/.gem/.geo/.frt/.frx/.ftn/.fwdn/.fxc/.fxg/.fzb/.fzv/.gcdp/.gdb/.gdoc/.gem/.geo/.gfb/.gfie/.ggr/.gif/.gih/.fxg/.fzb/.fzv/.gcdp/.gdb/.gdoc/.gem/.geo/.gfb/.gfie/.ggr/.gif/.gih/.gim/.gio/.glox/.gpd/.gpg/.gdoc/.gem/.geo/.gfb/.gfie/.ggr/.gif/.gih/.gim/.gio/.glox/.gpd/.gpg/.gpn/.gro/.grob/.grs/.gsd/.ggr/.gif/.gih/.gim/.gio/.glox/.gpd/.gpg/.gpn/.gro/.grob/.grs/.gsd/.gthr/.gtp/.gv/.gwi/.gz/.glox/.gpd/.gpg/.gpn/.gro/.grob/.grs/.gsd/.gthr/.gtp/.gv/.gwi/.gz/.h/.hbk/.hdb/.hdp/.hdr/.grob/.grs/.gsd/.gthr/.gtp/.gv/.gwi/.gz/.h/.hbk/.hdb/.hdp/.hdr/.hht/.his/.hp/.hpg/.hpi/.gv/.gwi/.gz/.h/.hbk/.hdb/.hdp/.hdr/.hht/.his/.hp/.hpg/.hpi/.hs/.htc/.hwp/.hz/.ib/.hdb/.hdp/.hdr/.hht/.his/.hp/.hpg/.hpi/.hs/.htc/.hwp/.hz/.ib/.ibd/.icn/.icon/.icpr/.idc/.hp/.hpg/.hpi/.hs/.htc/.hwp/.hz/.ib/.ibd/.icn/.icon/.icpr/.idc/.idea/.idx/.igt/.igx/.ihx/.hwp/.hz/.ib/.ibd/.icn/.icon/.icpr/.idc/.idea/.idx/.igt/.igx/.ihx/.ii/.iiq/.imd/.info/.ink/.icon/.icpr/.idc/.idea/.idx/.igt/.igx/.ihx/.ii/.iiq/.imd/.info/.ink/.ipf/.ipx/.iso/.itdb/.itw/.igt/.igx/.ihx/.ii/.iiq/.imd/.info/.ink/.ipf/.ipx/.iso/.itdb/.itw/.iwi/.j/.jar/.jas/.java/.imd/.info/.ink/.ipf/.ipx/.iso/.itdb/.itw/.iwi/.j/.jar/.jas/.java/.jbig/.jbmp/.jbr/.jfif/.jia/.iso/.itdb/.itw/.iwi/.j/.jar/.jas/.java/.jbig/.jbmp/.jbr/.jfif/.jia/.jis/.jng/.joe/.jpe/.jpeg/.jar/.jas/.java/.jbig/.jbmp/.jbr/.jfif/.jia/.jis/.jng/.joe/.jpe/.jpeg/.jpg/.jps/.jpx/.jrtf/.js/.jbr/.jfif/.jia/.jis/.jng/.joe/.jpe/.jpeg/.jpg/.jps/.jpx/.jrtf/.js/.jsp/.jtf/.jtx/.jw/.jxr/.joe/.jpe/.jpeg/.jpg/.jps/.jpx/.jrtf/.js/.jsp/.jtf/.jtx/.jw/.jxr/.kdb/.kdbx/.kdc/.kdi/.kdk/.jpx/.jrtf/.js/.jsp/.jtf/.jtx/.jw/.jxr/.kdb/.kdbx/.kdc/.kdi/.kdk/.kes/.ke/.kic/.klg/.knt/.jtx/.jw/.jxr/.kdb/.kdbx/.kdc/.kdi/.kdk/.kes/.ke/.kic/.klg/.knt/.kon/.kpg/.kwd/.lay/.lbm/.kdc/.kdi/.kdk/.kes/.ke/.kic/.klg/.knt/.kon/.kpg/.kwd/.lay/.lbm/.lbt/.ldf/.lgc/.lis/.lit/.kic/.klg/.knt/.kon/.kpg/.kwd/.lay/.lbm/.lbt/.ldf/.lgc/.lis/.lit/.ljp/.lmk/.lnt/.lrc/.lst/.kwd/.lay/.lbm/.lbt/.ldf/.lgc/.lis/.lit/.ljp/.lmk/.lnt/.lrc/.lst/.ltr/.ltx/.lue/.luf/.lwo/.lgc/.lis/.lit/.ljp/.lmk/.lnt/.lrc/.lst/.ltr/.ltx/.lue/.luf/.lwo/.lwp/.lws/.lyt/.lyx/.ma/.lnt/.lrc/.lst/.ltr/.ltx/.lue/.luf/.lwo/.lwp/.lws/.lyt/.lyx/.ma/.mac/.man/.map/.maq/.mat/.lue/.luf/.lwo/.lwp/.lws/.lyt/.lyx/.ma/.mac/.man/.map/.maq/.mat/.max/.mb/.mbm/.mbox/.mdb/.lyt/.lyx/.ma/.mac/.man/.map/.maq/.mat/.max/.mb/.mbm/.mbox/.mdb/.mdf/.mdn/.mdt/.me/.mef/.map/.maq/.mat/.max/.mb/.mbm/.mbox/.mdb/.mdf/.mdn/.mdt/.me/.mef/.mel/.mft/.mgcb/.mgmf/.mgmt/.mbm/.mbox/.mdb/.mdf/.mdn/.mdt/.me/.mef/.mel/.mft/.mgcb/.mgmf/.mgmt/.mgmx/.mgtx/.mid/.min/.mkv/.mdt/.me/.mef/.mel/.mft/.mgcb/.mgmf/.mgmt/.mgmx/.mgtx/.mid/.min/.mkv/.mm/.mmat/.mnr/.mnt/.mos/.mgcb/.mgmf/.mgmt/.mgmx/.mgtx/.mid/.min/.mkv/.mm/.mmat/.mnr/.mnt/.mos/.mov/.mpeg/.mpf/.mpg/.mpo/.mid/.min/.mkv/.mm/.mmat/.mnr/.mnt/.mos/.mov/.mpeg/.mpf/.mpg/.mpo/.mrg/.mrxs/.msg/.mud/.mwb/.mnr/.mnt/.mos/.mov/.mpeg/.mpf/.mpg/.mpo/.mrg/.mrxs/.msg/.mud/.mwb/.mwp/.mx/.my/.myd/.myi/.mpf/.mpg/.mpo/.mrg/.mrxs/.msg/.mud/.mwb/.mwp/.mx/.my/.myd/.myi/.ncr/.nct/.ndf/.nef/.nfo/.msg/.mud/.mwb/.mwp/.mx/.my/.myd/.myi/.ncr/.nct/.ndf/.nef/.nfo/.njx/.nlm/.now/.nrw/.nsf/.my/.myd/.myi/.ncr/.nct/.ndf/.nef/.nfo/.njx/.nlm/.now/.nrw/.nsf/.nyf/.nzb/.obj/.oce/.oci/.ndf/.nef/.nfo/.njx/.nlm/.now/.nrw/.nsf/.nyf/.nzb/.obj/.oce/.oci/.ocr/.odb/.odg/.odm/.odo/.now/.nrw/.nsf/.nyf/.nzb/.obj/.oce/.oci/.ocr/.odb/.odg/.odm/.odo/.odp/.ods/.odt/.of/.oft/.obj/.oce/.oci/.ocr/.odb/.odg/.odm/.odo/.odp/.ods/.odt/.of/.oft/.omf/.oplc/.oqy/.ora/.orf/.odg/.odm/.odo/.odp/.ods/.odt/.of/.oft/.omf/.oplc/.oqy/.ora/.orf/.ort/.orx/.ost/.ota/.otg/.odt/.of/.oft/.omf/.oplc/.oqy/.ora/.orf/.ort/.orx/.ost/.ota/.otg/.oti/.otp/.ots/.ott/.ovp/.oqy/.ora/.orf/.ort/.orx/.ost/.ota/.otg/.oti/.otp/.ots/.ott/.ovp/.ovr/.owc/.owg/.oyx/.ozb/.ost/.ota/.otg/.oti/.otp/.ots/.ott/.ovp/.ovr/.owc/.owg/.oyx/.ozb/.ozj/.ozt/.p/.pa/.pan/.ots/.ott/.ovp/.ovr/.owc/.owg/.oyx/.ozb/.ozj/.ozt/.p/.pa/.pan/.pano/.pap/.paq/.pas/.pbm/.owg/.oyx/.ozb/.ozj/.ozt/.p/.pa/.pan/.pano/.pap/.paq/.pas/.pbm/.pcd/.pcs/.pdb/.pdd/.pdf/.p/.pa/.pan/.pano/.pap/.paq/.pas/.pbm/.pcd/.pcs/.pdb/.pdd/.pdf/.pdm/.pds/.pdt/.pef/.pem/.paq/.pas/.pbm/.pcd/.pcs/.pdb/.pdd/.pdf/.pdm/.pds/.pdt/.pef/.pem/.pff/.pfi/.pfs/.pfv/.pfx/.pdb/.pdd/.pdf/.pdm/.pds/.pdt/.pef/.pem/.pff/.pfi/.pfs/.pfv/.pfx/.pgf/.pgm/.phm/.php/.pic/.pdt/.pef/.pem/.pff/.pfi/.pfs/.pfv/.pfx/.pgf/.pgm/.phm/.php/.pic/.pict/.pix/.pjpg/.pjt/.plt/.pfs/.pfv/.pfx/.pgf/.pgm/.phm/.php/.pic/.pict/.pix/.pjpg/.pjt/.plt/.pm/.pmg/.png/.pni/.pnm/.phm/.php/.pic/.pict/.pix/.pjpg/.pjt/.plt/.pm/.pmg/.png/.pni/.pnm/.pntg/.pnz/.pobj/.pop/.pot/.pjpg/.pjt/.plt/.pm/.pmg/.png/.pni/.pnm/.pntg/.pnz/.pobj/.pop/.pot/.potm/.potx/.ppam/.ppm/.pps/.png/.pni/.pnm/.pntg/.pnz/.pobj/.pop/.pot/.potm/.potx/.ppam/.ppm/.pps/.ppsm/.ppsx/.ppt/.pptm/.pptx/.pobj/.pop/.pot/.potm/.potx/.ppam/.ppm/.pps/.ppsm/.ppsx/.ppt/.pptm/.pptx/.prt/.prw/.psd/.psdx/.pse/.ppam/.ppm/.pps/.ppsm/.ppsx/.ppt/.pptm/.pptx/.prt/.prw/.psd/.psdx/.pse/.psid/.psp/.pst/.psw/.ptg/.ppt/.pptm/.pptx/.prt/.prw/.psd/.psdx/.pse/.psid/.psp/.pst/.psw/.ptg/.pth/.ptx/.pu/.pvj/.pvm/.psd/.psdx/.pse/.psid/.psp/.pst/.psw/.ptg/.pth/.ptx/.pu/.pvj/.pvm/.pvr/.pwa/.pwi/.pwr/.px/.pst/.psw/.ptg/.pth/.ptx/.pu/.pvj/.pvm/.pvr/.pwa/.pwi/.pwr/.px/.pxr/.pza/.pzp/.pzs/.qd/.pu/.pvj/.pvm/.pvr/.pwa/.pwi/.pwr/.px/.pxr/.pza/.pzp/.pzs/.qd/.qmg/.qpx/.qry/.qvd/.rad/.pwi/.pwr/.px/.pxr/.pza/.pzp/.pzs/.qd/.qmg/.qpx/.qry/.qvd/.rad/.rar/.ras/.raw/.rb/.rctd/.pzp/.pzs/.qd/.qmg/.qpx/.qry/.qvd/.rad/.rar/.ras/.raw/.rb/.rctd/.rcu/.rd/.rdb/.rft/.rgb/.qry/.qvd/.rad/.rar/.ras/.raw/.rb/.rctd/.rcu/.rd/.rdb/.rft/.rgb/.rgf/.rib/.ric/.riff/.ris/.raw/.rb/.rctd/.rcu/.rd/.rdb/.rft/.rgb/.rgf/.rib/.ric/.riff/.ris/.rix/.rle/.rli/.rng/.rpd/.rdb/.rft/.rgb/.rgf/.rib/.ric/.riff/.ris/.rix/.rle/.rli/.rng/.rpd/.rpf/.rpt/.rri/.rs/.rsb/.ric/.riff/.ris/.rix/.rle/.rli/.rng/.rpd/.rpf/.rpt/.rri/.rs/.rsb/.rsd/.rsr/.rst/.rt/.rtd/.rli/.rng/.rpd/.rpf/.rpt/.rri/.rs/.rsb/.rsd/.rsr/.rst/.rt/.rtd/.rtf/.rtx/.run/.rw/.rzk/.rri/.rs/.rsb/.rsd/.rsr/.rst/.rt/.rtd/.rtf/.rtx/.run/.rw/.rzk/.rzn/.saf/.sam/.sbf/.scad/.rst/.rt/.rtd/.rtf/.rtx/.run/.rw/.rzk/.rzn/.saf/.sam/.sbf/.scad/.scc/.sch/.sci/.scm/.sct/.run/.rw/.rzk/.rzn/.saf/.sam/.sbf/.scad/.scc/.sch/.sci/.scm/.sct/.scv/.scw/.sdb/.sdf/.sdm/.sam/.sbf/.scad/.scc/.sch/.sci/.scm/.sct/.scv/.scw/.sdb/.sdf/.sdm/.sdoc/.sdw/.sep/.sfc/.sfw/.sci/.scm/.sct/.scv/.scw/.sdb/.sdf/.sdm/.sdoc/.sdw/.sep/.sfc/.sfw/.sgm/.sh/.sig/.skm/.sla/.sdb/.sdf/.sdm/.sdoc/.sdw/.sep/.sfc/.sfw/.sgm/.sh/.sig/.skm/.sla/.sld/.sldm/.sldx/.slk/.sln/.sep/.sfc/.sfw/.sgm/.sh/.sig/.skm/.sla/.sld/.sldm/.sldx/.slk/.sln/.sls/.smf/.sms/.snt/.sob/.sig/.skm/.sla/.sld/.sldm/.sldx/.slk/.sln/.sls/.smf/.sms/.snt/.sob/.spa/.spe/.sph/.spj/.spp/.sldx/.slk/.sln/.sls/.smf/.sms/.snt/.sob/.spa/.spe/.sph/.spj/.spp/.spq/.spr/.sq/.sqb/.srw/.sms/.snt/.sob/.spa/.spe/.sph/.spj/.spp/.spq/.spr/.sq/.sqb/.srw/.ssa/.ssk/.st/.stc/.std/.sph/.spj/.spp/.spq/.spr/.sq/.sqb/.srw/.ssa/.ssk/.st/.stc/.std/.sti/.stm/.stn/.stp/.str/.sq/.sqb/.srw/.ssa/.ssk/.st/.stc/.std/.sti/.stm/.stn/.stp/.str/.stw/.sty/.sub/.suo/.svf/.st/.stc/.std/.sti/.stm/.stn/.stp/.str/.stw/.sty/.sub/.suo/.svf/.svg/.svgz/.swf/.sxc/.sxd/.stn/.stp/.str/.stw/.sty/.sub/.suo/.svf/.svg/.svgz/.swf/.sxc/.sxd/.sxg/.sxi/.sxm/.sxw/.tab/.sub/.suo/.svf/.svg/.svgz/.swf/.sxc/.sxd/.sxg/.sxi/.sxm/.sxw/.tab/.tar/.tbk/.tcx/.tdf/.tdt/.swf/.sxc/.sxd/.sxg/.sxi/.sxm/.sxw/.tab/.tar/.tbk/.tcx/.tdf/.tdt/.te/.tex/.text/.tgz/.thp/.sxm/.sxw/.tab/.tar/.tbk/.tcx/.tdf/.tdt/.te/.tex/.text/.tgz/.thp/.tif/.tiff/.tlb/.tlc/.tm/.tcx/.tdf/.tdt/.te/.tex/.text/.tgz/.thp/.tif/.tiff/.tlb/.tlc/.tm/.tmd/.tmv/.tmx/.tne/.tpc/.text/.tgz/.thp/.tif/.tiff/.tlb/.tlc/.tm/.tmd/.tmv/.tmx/.tne/.tpc/.trm/.tvj/.udb/.ufr/.unx/.tlb/.tlc/.tm/.tmd/.tmv/.tmx/.tne/.tpc/.trm/.tvj/.udb/.ufr/.unx/.uof/.uop/.uot/.upd/.usr/.tmx/.tne/.tpc/.trm/.tvj/.udb/.ufr/.unx/.uof/.uop/.uot/.upd/.usr/.utxt/.vb/.vbr/.vbs/.vcd/.udb/.ufr/.unx/.uof/.uop/.uot/.upd/.usr/.utxt/.vb/.vbr/.vbs/.vcd/.vct/.vdb/.vdi/.vec/.vm/.uot/.upd/.usr/.utxt/.vb/.vbr/.vbs/.vcd/.vct/.vdb/.vdi/.vec/.vm/.vmdk/.vmx/.vnt/.vob/.vpd/.vbr/.vbs/.vcd/.vct/.vdb/.vdi/.vec/.vm/.vmdk/.vmx/.vnt/.vob/.vpd/.vrm/.vrp/.vsd/.vsdm/.vsdx/.vdi/.vec/.vm/.vmdk/.vmx/.vnt/.vob/.vpd/.vrm/.vrp/.vsd/.vsdm/.vsdx/.vsm/.vstm/.vstx/.vue/.vw/.vnt/.vob/.vpd/.vrm/.vrp/.vsd/.vsdm/.vsdx/.vsm/.vstm/.vstx/.vue/.vw/.wav/.wbk/.wcf/.wdb/.wgz/.vsd/.vsdm/.vsdx/.vsm/.vstm/.vstx/.vue/.vw/.wav/.wbk/.wcf/.wdb/.wgz/.wire/.wks/.wma/.wmdb/.wmv/.vstx/.vue/.vw/.wav/.wbk/.wcf/.wdb/.wgz/.wire/.wks/.wma/.wmdb/.wmv/.wn/.wp/.wpa/.wpd/.wpg/.wcf/.wdb/.wgz/.wire/.wks/.wma/.wmdb/.wmv/.wn/.wp/.wpa/.wpd/.wpg/.wps/.wpt/.wpw/.wri/.wsc/.wma/.wmdb/.wmv/.wn/.wp/.wpa/.wpd/.wpg/.wps/.wpt/.wpw/.wri/.wsc/.wsd/.wsh/.wtx/.x/.xar/.wpa/.wpd/.wpg/.wps/.wpt/.wpw/.wri/.wsc/.wsd/.wsh/.wtx/.x/.xar/.xd/.xdb/.xlc/.xld/.xlf/.wpw/.wri/.wsc/.wsd/.wsh/.wtx/.x/.xar/.xd/.xdb/.xlc/.xld/.xlf/.xlgc/.xlm/.xls/.xlsb/.xlsm/.wtx/.x/.xar/.xd/.xdb/.xlc/.xld/.xlf/.xlgc/.xlm/.xls/.xlsb/.xlsm/.xlsx/.xlt/.xltm/.xltx/.xlw/.xlc/.xld/.xlf/.xlgc/.xlm/.xls/.xlsb/.xlsm/.xlsx/.xlt/.xltm/.xltx/.xlw/.xps/.xwp/.xyp/.xyw/.ya/.xls/.xlsb/.xlsm/.xlsx/.xlt/.xltm/.xltx/.xlw/.xps/.xwp/.xyp/.xyw/.ya/.ybk/.ym/.zabw/.zdb/.zdc/.xltm/.xltx/.xlw/.xps/.xwp/.xyp/.xyw/.ya/.ybk/.ym/.zabw/.zdb/.zdc/.zip/.zw/.xyp/.xyw/.ya/.ybk/.ym/.zabw/.zdb/.zdc/.zip/.zw/.zabw/.zdb/.zdc/.zip/.zw

該樣本采用典型的 RSA+AES模式結合的加密算法對文件進行加密，并且采用了多線程的方式加速加密過程，樣本加密的總體流程如下：

1) 遍歷文件和文件夾，判斷當前要加密的文件后綴是否在黑名單中，如果在則進行加密。

2) 隨機生成 AES 加密所需要的 Key 和 IV。

3) 使用 AES 加密算法對當前文件進行加密。

4) 使用使用 CryptoAPI通過內置的 RSA 公鑰對 AES 的 Key 和 IV 進行加密，它每次迭代加密大小相等的數據塊（1,048,576字節）

5) 將被加密的文件添加擴展名 .mhkgchqs。

6) 加密操作完成后，在各個文件夾下創建 README.html 勒索信。

IOCs

Sha256

MSI

e25443afb01606f6cbd8efdfc2eecb1c67d0c9122cc27b01dd28aecce50d4339

1c290d16344bfb15ee27b6efc21dc973151c7c4a717ce254fe3c2554d258a3ed

22bd495b318471d6183904e5f2bed598cb4ef685672350d51ab7bd53fe841277

42db5cec13c4a0a1964dac11759029e59e3c819c282dbab6ecf266dfe24622ef

77436ce13e345b39525806708becc20c3f527b8c1d5a84523bcbcef5d8c18102

8efb4e8bc17486b816088679d8b10f8985a31bc93488c4b65116f56872c1ff16

98d3fca413a3bbd7566b1fc26bf18e96ad590185a5e30355d4fb724c285a5f9c

c0b21eb4ddfbd0138bc6a6b1dacdd7c70312e154da788abb4ab0abe6cabadf6b

cf90ffcf978ec1d052d0a6c2365273f1cac9966eff066baffca0db9d48640f25

DLL

07c8ab61570fe9ec86e168aa96c58fe24246b35db78241fe7c83928ed559b3f6

1c303d6ba7fd9dc1c84bf5311657d0ea08924fe59ea047055f9e6341de1f8931

1deaa7f390951217266bbb432f62b7d54823ac525687024aee4bbc24c5bea943

3aa29b6b4a9e39b3c3f3f12ca56cbe19178815c6d4d86c9f14d463dd21fc773e

441634c99c59f57271a68c841fa4ab33e01762d4991e7465e6bd37ef7305356e

586294d477b30613fbb31cf222d16cf2396ba9ce5d5665b6556a5901c248c50f

7a46fe71b140677f1eb29da8ae6f72f9636e2f53e8f49cd81ebb38e54bf8c65c

a05352ca7f5049f607d26785e5d42fa51df0b158db4fc1db2b2f91eb4762e46d

defed38da9110f4820f60f3545384202ada94e97676301f15ef298f3fe876575

45.32.88.152

ATT&CK

解決方案

處置建議

1、避免打開可疑或來歷不明的郵件，尤其是其中的鏈接和附件等，如一定要打開未知文件，請先使用殺毒軟件進行掃描查殺。

2、重要的數據最好雙機備份或云備份。

深信服解決方案

【深信服終端檢測響應平臺EDR】

已支持查殺攔截此次事件使用的病毒文件，請更新軟件（如有定制請先咨詢售后再更新版本）和病毒庫至最新版本，并接入深信服安全云腦，及時查殺新威脅；

【深信服下一代防火墻AF】的安全防護規則更新至最新版本，接入深信服安全云腦，“云鑒” 服務即可輕松抵御此高危風險。
【深信服安全感知管理平臺SIP】建議用戶及時更新規則庫，接入深信服安全云腦，并聯動【深信服下一代防火墻AF】實現對高危風險的入侵防護。
【深信服安全托管服務MSS】以保障用戶網絡安全“持續有效”為目標，通過將用戶安全設備接入安全運營中心，依托于XDR安全能力平臺和MSSP安全服務平臺實現有效協同的“人機共智”模式，圍繞資產、脆弱性、威脅、事件四個要素為用戶提供7*24H的安全運營服務，快速擴展持續有效的安全運營能力，保障可承諾的風險管控效果。

返回預警列表