2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains in detail how the NextCry ransomware spreads by exploiting a recent PHP vulnerability. The content is of high quality, so the editor shares it here as a reference; after reading it you should have a working understanding of the related topics.
Overview
Recently, during daily sample monitoring, the Qianxin Virus Response Center discovered a new entry channel for the NextCry ransomware: it exploits the PHP-FPM remote code execution vulnerability (CVE-2019-11043) to attack Linux servers.
NextCry is a new ransomware family written in Python and packaged as a Linux ELF binary with PyInstaller. It encrypts files under specified directories using RSA-2048 and AES-256-CBC, and the encrypted files currently cannot be decrypted. As the name suggests, the author is paying tribute to the WannaCry ransomware worm of 2017.
Based on multi-dimensional big data correlation analysis by the Qianxin Threat Intelligence Center, the ransomware currently mainly attacks servers running the Nextcloud software, although a later expansion of the attack scope cannot be ruled out. To avoid unnecessary panic, we disclose some details of this attack and give solutions.
Vulnerability analysis
Nextcloud is open source client-server software for creating network drives; it is often used to build private cloud storage, similar to Dropbox.
CVE-2019-11043 is a PHP vulnerability disclosed at the end of October, and its technical details are public. It can be exploited to execute arbitrary commands remotely on affected servers very easily and reliably. Servers running certain versions of PHP 7 behind Nginx with PHP-FPM enabled may be attacked; servers that do not use Nginx are theoretically unaffected. Notably, Nextcloud enables the Nginx server by default, so almost all cloud drives built on Nextcloud are affected, which may be why the attackers chose Nextcloud.
The vulnerability lies in fpm_main.c, where path_info is zeroed when the request is truncated by a %0a (newline) character:
Because path_info is attacker-controlled, the result of the FCGI_PUTENV function is controlled by zeroing the pointer address, which in turn zeroes the pos pointer in the _fcgi_data_seg structure:
Analysis of the internal implementation of FCGI_PUTENV shows that any PHP global variable can be controlled as long as the request packet is properly constructed:
Once attackers control PHP global variables, they can include the NextCry ransomware from a suitable directory and execute it to carry out the extortion.
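The exploitation path described above leaves a recognisable trace in web server logs: a request for a `.php` script followed by PATH_INFO that carries an encoded newline (`%0a`), often accompanied by 502 responses while PHP-FPM workers crash. The following Python script is an added defensive example, not code from the article or from Qianxin. It parses constructed nginx combined-format log lines and flags that request shape; the IP addresses, timestamps and user agents are constructed samples, and treating a 502 as a worker crash is a heuristic assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines (combined log format); not from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Nov/2019:10:00:01 +0000] "GET /index.php/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Nov/2019:10:00:02 +0000] "GET /index.php/a%0aXXXXXXXX HTTP/1.1" 502 157 "-" "python-requests/2.22"
203.0.113.7 - - [19/Nov/2019:10:00:03 +0000] "GET /index.php/a%0AZZZZZZ?x=1 HTTP/1.1" 200 0 "-" "python-requests/2.22"
203.0.113.9 - - [19/Nov/2019:10:00:04 +0000] "GET /core/img/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Fields needed from the combined log format: client IP, timestamp, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# CVE-2019-11043 relies on a PATH_INFO segment after the .php script name that
# carries an encoded newline, which makes nginx's fastcgi_split_path_info mis-split the path.
PROBE_RE = re.compile(r'\.php/[^?]*%0a', re.IGNORECASE)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cve_2019_11043_probe(uri):
    """True when the raw request URI has the .php/<path-info containing %0a> shape."""
    return bool(PROBE_RE.search(uri))


def scan_access_log(text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_cve_2019_11043_probe(rec["uri"]):
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "uri": rec["uri"],
            "decoded": unquote(rec["uri"]),
            "status": int(rec["status"]),
            # A 502 during probing often means a PHP-FPM worker crashed
            # (heuristic assumption, not a definitive indicator).
            "fpm_crash": rec["status"] == "502",
        })
    return findings


def probes_by_source(findings):
    """Count suspicious requests per client IP so repeat sources stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print("%(ts)s %(ip)s status=%(status)d crash=%(fpm_crash)s %(decoded)r" % h)
    print(probes_by_source(hits))
```

Running it on a real `access.log` only requires replacing `SAMPLE_LOG` with the file contents; a burst of hits from one source with interleaved 502s is the pattern worth escalating.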
Sample analysis
File name: nextcry
File type: Linux ELF
MD5: 8c6ed96e6df3d8a9cda39aae7e87330c
Packager: PyInstaller
After extracting the PyInstaller bundle and decompiling the resulting pyc files, the ransomware's source code is obtained. As can be seen from the main function, once the intrusion succeeds, the Nextcloud configuration file is read to locate the Nextcloud file sharing and synchronization data directory.
It then starts encrypting files with AES and encrypts the AES key with the built-in RSA public key:
The encrypted AES key is saved to the keys.ENC file, and finally the ransom note index.php is generated:
The ransom note follows. It demands a payment of 0.025 bitcoin; the files currently cannot be decrypted without paying the ransom.
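The behaviour described in this section (read config.php for the data directory, drop keys.ENC, run as a PyInstaller-packed ELF) gives a defender three concrete things to look for on a Nextcloud host. The Python script below is an added example, not code from the article or from Qianxin. It reads `datadirectory` from a Nextcloud `config.php`, then walks that directory looking for the keys.ENC artifact, any file whose MD5 equals the IOC listed in this article, and ELF files carrying the PyInstaller archive cookie (the byte string `MEI\x0c\x0b\x0a\x0b\x0e`, a documented PyInstaller constant). The demo tree it builds under a temporary directory is constructed; the `dropper.bin` and `photo.jpg` file names are placeholders.

```python
import hashlib
import os
import re
import tempfile

# MD5 of the NextCry sample, taken from the IOC section of the article.
NEXTCRY_MD5 = "8c6ed96e6df3d8a9cda39aae7e87330c"
# Every PyInstaller bundle embeds this cookie magic ahead of its archive.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
ELF_MAGIC = b"\x7fELF"
# File the article says holds the RSA-wrapped AES key.
KEY_ARTIFACT = "keys.ENC"


def nextcloud_data_dir(config_php_path):
    """Pull 'datadirectory' out of a Nextcloud config.php (the same lookup the malware makes)."""
    with open(config_php_path, encoding="utf-8") as f:
        m = re.search(r"'datadirectory'\s*=>\s*'([^']+)'", f.read())
    return m.group(1) if m else None


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pyinstaller_elf(path):
    """ELF header plus the PyInstaller cookie anywhere in the file."""
    with open(path, "rb") as f:
        if f.read(4) != ELF_MAGIC:
            return False
        f.seek(0)
        return PYINSTALLER_MAGIC in f.read()


def sweep(root):
    """Return sorted (kind, path) findings for the three NextCry indicators."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == KEY_ARTIFACT:
                findings.append(("keys_enc", path))
            if md5_of(path) == NEXTCRY_MD5:
                findings.append(("ioc_md5", path))
            elif is_pyinstaller_elf(path):
                findings.append(("pyinstaller_elf", path))
    return sorted(findings)


def build_demo_tree():
    """Constructed Nextcloud-like layout with one benign and two suspicious files."""
    root = tempfile.mkdtemp(prefix="nextcry_demo_")
    cfg_dir, data_dir = os.path.join(root, "config"), os.path.join(root, "data")
    os.makedirs(cfg_dir)
    os.makedirs(data_dir)
    with open(os.path.join(cfg_dir, "config.php"), "w", encoding="utf-8") as f:
        f.write("<?php\n$CONFIG = array (\n  'datadirectory' => '%s',\n);\n" % data_dir)
    with open(os.path.join(data_dir, KEY_ARTIFACT), "wb") as f:
        f.write(b"\x00" * 256)                                    # stand-in for the wrapped key
    with open(os.path.join(data_dir, "dropper.bin"), "wb") as f:  # placeholder name
        f.write(ELF_MAGIC + b"\x00" * 60 + PYINSTALLER_MAGIC + b"\x00" * 60)
    with open(os.path.join(data_dir, "photo.jpg"), "wb") as f:    # benign file
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    return root


def run_demo():
    root = build_demo_tree()
    return sweep(nextcloud_data_dir(os.path.join(root, "config", "config.php")))


if __name__ == "__main__":
    for kind, path in run_demo():
        print(kind, path)
```

A PyInstaller-packed ELF inside a Nextcloud data directory is unusual enough to warrant a look on its own; the MD5 match is the only finding that identifies this exact sample, since a rebuilt binary changes the hash.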
Conclusion
The Qianxin Threat Intelligence Center has detected that some users have already been compromised. Please update the PHP package and update the Nginx configuration file, changing the relevant items to:
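The article does not reproduce the configuration change it recommends. As an added example (not from the article, Qianxin or the Nextcloud project), the Python script below checks two things a defender would verify on a Nextcloud host: whether an installed PHP version predates the releases that fixed CVE-2019-11043 (7.1.33, 7.2.24 and 7.3.11 according to the PHP changelog; branches not in that table are reported as unknown rather than safe), and whether each nginx `location` block that passes to PHP-FPM and uses `fastcgi_split_path_info` also carries the widely recommended `try_files $fastcgi_script_name =404;` guard, which stops nginx from handing a non-existent script path to PHP-FPM. The two embedded nginx fragments are constructed (the socket path is a placeholder): the weak one omits the guard, the hardened one adds it.

```python
import re

# First PHP releases carrying the CVE-2019-11043 fix (from the PHP changelog, not the article).
FIXED_IN = {"7.1": (7, 1, 33), "7.2": (7, 2, 24), "7.3": (7, 3, 11)}


def php_version_vulnerable(version):
    """True/False for the tracked branches; None when the branch is not in the table."""
    parts = tuple(int(x) for x in version.split(".")[:3])
    branch = "%d.%d" % parts[:2]
    if branch not in FIXED_IN:
        return None
    return parts < FIXED_IN[branch]


# Constructed nginx fragments; the PHP-FPM socket path is a placeholder.
WEAK_CONF = r"""
location / {
    try_files $uri $uri/ /index.php$request_uri;
}
location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
"""

# Hardened variant: refuse to proxy when the split script name is not a real file.
HARDENED_CONF = WEAK_CONF.replace(
    "    include fastcgi_params;",
    "    try_files $fastcgi_script_name =404;\n    include fastcgi_params;",
)

GUARD_RE = re.compile(r"try_files\s+\$fastcgi_script_name\s+=404\s*;")


def location_blocks(conf):
    """Yield every 'location ... { ... }' block, matching braces so nested if-blocks stay inside."""
    for m in re.finditer(r"location\s+[^{]*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.start():i]


def audit_php_locations(conf):
    """Return the header line of each PHP-FPM location that splits PATH_INFO without the guard."""
    issues = []
    for block in location_blocks(conf):
        if "fastcgi_pass" not in block or "fastcgi_split_path_info" not in block:
            continue
        if not GUARD_RE.search(block):
            issues.append(block.splitlines()[0].strip())
    return issues


if __name__ == "__main__":
    for ver in ("7.3.10", "7.3.11", "7.4.0"):
        print(ver, php_version_vulnerable(ver))
    print("weak:", audit_php_locations(WEAK_CONF))
    print("hardened:", audit_php_locations(HARDENED_CONF))
```

The guard is a mitigation for the nginx side only; the PHP-FPM package itself still needs to be updated, which is why the version check is included alongside the configuration audit.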
IOC
MD5:
8c6ed96e6df3d8a9cda39aae7e87330c
Ransom Bitcoin wallet address:
1K1wwHCUpmsKTuDh9TagfJ4h3bKMxLkjpY
Contact Email:
aksdkja0sdp@ctemplar.com
This concludes our discussion of how the NextCry ransomware spreads by exploiting the latest PHP vulnerability. We hope the above content is of some help and that you have learned something from it. If you found the article good, please share it so that more people can see it.