2025-04-10 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how the Snatch ransomware uses Windows safe mode to bypass antivirus software. The content is clearly laid out and well suited to beginners, so interested readers can follow along with the editor. I hope you get something out of it!
Researchers found that the Snatch ransomware forces Windows to reboot into safe mode in order to bypass security software.
In mid-October, researchers found that ransomware called Snatch installs itself as a service that runs during a safe mode boot. It forces the computer to restart into safe mode and then encrypts the victim's hard drive in an environment where most software, including security software, does not run.
Snatch ransomware has been active since the summer of 2018; the safe mode boot is a new addition. The malware consists of a ransomware component and a separate data stealer, both apparently developed by the criminals themselves, alongside several publicly available tools that are not malicious in themselves and are commonly used by penetration testers, system administrators, or technicians. Snatch is not cross-platform: it runs on the most common Windows versions, from 7 through 10, in both 32-bit and 64-bit builds. The samples found were packed with the open source packer UPX, which obfuscates their contents.
The way Snatch works
The malware follows an active, automated attack model: it breaks into the enterprise network by brute-forcing exposed services and then spreads through the target organization's network. Alongside the extortion, the malware steals large amounts of information from the target organization.
Snatch team members have held technical discussions online, recruited partners, and trained them to use the malware free of charge, offering prospective partners the use of the group's infrastructure, which provides servers running Metasploit.
Snatch behavior analysis
In one attack on a large international company, MTR managed to obtain detailed logs from the target company that the ransomware had not been able to encrypt. The attacker initially gained access to the company's internal network by brute-forcing the password of an administrator account on a Microsoft Azure server and was then able to log in to that server over Remote Desktop (RDP).
Using the Azure server as a foothold, the attacker logged in to the domain controller (DC) on the same network with the administrator account and then carried out reconnaissance on the target network over several weeks. They queried the list of users with login rights and wrote the results to a file. In addition, WMIC system user data, the process list, and the memory contents of the Windows LSASS service were written to files and uploaded to the C2 server.
User information stolen by Snatch
Snatch dumps lsass from memory then uploads the dump
The attacker set up one-time Windows services to carry out specific tasks. These services have long random file names; they query the list of running processes with the tasklist program, write it to a file in the temp directory, and then run a batch file (also in the temp directory) that uploads the tasklist output to the C2 server.
The same method is used to upload large amounts of other information to the C2 server. For example, this command sends extracted user account and other profile information (a .txt file) back to the C2 and then executes the batch file it created in the Windows temporary directory.
The attacker installed surveillance software on about 200 computers, roughly 5% of the computers in the organization. Several malicious files were installed; one set was designed to give the attacker remote access to these computers without having to rely on the Azure server. The attacker also installed a Windows program called Advanced Port Scanner and used it to discover other potential target computers on the network.
The researchers also found malware called Update_Collector.exe, which uses data collected via WMI to gather more information about other computers and user accounts on the network; the results are dumped to a file and uploaded to the attacker's server. A range of other legitimate tools was also found, including Process Hacker, IObit Uninstaller, PowerTool, and PsExec. Exactly the same toolset was used in several other attacks against organizations around the world, including in the United States, Canada, and several European countries. In each affected organization, at least one computer with RDP enabled was exposed to the internet.
At some point during the attack (possibly days to weeks after the initial intrusion), the attacker downloads the ransomware component to the target computer. Its file name consists of a unique five-character code for each victim followed by "_pack.exe".
The ransomware is downloaded and started through PsExec
By the time the malware invokes the PsExec service to execute the ransomware, it has already extracted itself into the Windows folder under a name made of the same five characters followed by "unpack.exe".
The "unpack" version ends up in the Windows directory
The ransomware installs itself as a Windows service called SuperBackupMan. Its service description text, "This service make backup copy every day," helps it blend into the service list. The registry key below is set immediately before the computer restarts.
The SuperBackupMan service is configured so that users cannot stop or pause it.
The malware adds this key to the Windows registry so that the service starts during a safe mode boot:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service
It then uses the Windows BCDEDIT tool to set the operating system to boot into safe mode, and immediately forces the infected computer to restart:
bcdedit.exe /set {current} safeboot minimal
shutdown /r /f /t 00
When the computer comes up in safe mode after the reboot, the malware uses the Windows component net.exe to stop the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all Volume Shadow Copies on the system, preventing technicians from recovering the files the ransomware encrypts:
net stop SuperBackupMan
vssadmin delete shadows /all /quiet
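As an added detection example (not code from the original article), the Python below runs the pre-encryption sequence described above over a few constructed process-creation and registry events and flags a host on which at least two of the stages occur together; the SafeBoot\Network key is included alongside Minimal as an assumption beyond what this page describes.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a Sysmon-like shape: (host, event type, detail).
# "process" events carry the command line, "registry" events the key path written.
SAMPLE_EVENTS = [
    ("ws-42", "registry", r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan"),
    ("ws-42", "process", "bcdedit.exe /set {current} safeboot minimal"),
    ("ws-42", "process", "shutdown /r /f /t 00"),
    ("ws-42", "process", "net stop SuperBackupMan"),
    ("ws-42", "process", "vssadmin delete shadows /all /quiet"),
    ("ws-07", "process", "bcdedit /enum {current}"),   # benign administrator use
    ("ws-07", "process", "vssadmin list shadows"),      # benign administrator use
]

# One rule per stage of the safe-mode sequence: (event type, pattern over detail).
# The Network safe-boot key is an assumption; the article only mentions Minimal.
STAGES = {
    "safeboot_service_key": ("registry", re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)),
    "bcdedit_safeboot": ("process", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    "forced_reboot": ("process", re.compile(r"\bshutdown(\.exe)?\b(?=.*\s/r\b)(?=.*\s/f\b)", re.I)),
    "shadow_copy_deletion": ("process", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
}

def match_stages(events):
    """Return {host: set of stage names observed on that host}."""
    hits = defaultdict(set)
    for host, kind, detail in events:
        for name, (want_kind, pattern) in STAGES.items():
            if kind == want_kind and pattern.search(detail):
                hits[host].add(name)
    return dict(hits)

def flag_hosts(events, threshold=2):
    """Hosts on which at least `threshold` stages occurred. A lone bcdedit safeboot
    can be an administrator; combined with a SafeBoot service key or shadow copy
    deletion it matches the ransomware's pre-encryption sequence."""
    return {h: sorted(s) for h, s in match_stages(events).items() if len(s) >= threshold}

if __name__ == "__main__":
    for host, stages in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```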
The blackmail software then starts encrypting files on the local hard drive of the infected machine.
Snatch impact analysis
The ransomware appends a pseudo-random string of five alphanumeric characters to each encrypted file. The same string appears in the ransomware executable's file name and in the ransom note, and it is unique to each target organization. For example, if the ransomware is named abcdex64.exe, encrypted files get the extension .abcde appended to the original filename, and the ransom note uses a name such as README_abcde_files.txt or DECRYPT_abcde_DATA.txt.
A company that specializes in negotiating between ransomware victims and attackers said it had negotiated with the criminals 12 times on behalf of clients between July and October. Ransoms ranged from $2000 to $35000 and rose over those four months.
Like many other ransomware families, Snatch skips a list of file and folder locations. Ransomware usually does this to keep the system running, concentrating instead on work documents or personal files. The locations it skips include:
C:\
Windows
Recovery
$recycle.bin
Perflogs
C:\ProgramData
Start menu
Microsoft
Templates
Favorites
C:\Program Files\
Windows
Perflogs
$recycle.bin
System volume information
Common files
Dvd maker
Internet explorer
Microsoft
Mozilla firefox
Reference assemblies
Tap-windows
Windows defender
Windows journal
Windows mail
Windows media player
Windows nt
Windows photo viewer
In one of the samples, it was found that the attacker was monitoring the system on which the agent was running. When the analyst was unexpectedly logged out, they suspected that the attacker had recognized the machine as a security research platform, so they wrote a message to the attacker and left it on the desktop of the test machine. Moments later, the attacker logged the analyst's computer off again and blocked the IP address the analyst had used from reconnecting to the C2 server.
It was also found that the ransomware uses OpenPGP; the PGP public key block is hard-coded into the binary.
Prevention and monitoring
It is recommended that organizations never expose Remote Desktop interfaces to the unprotected Internet; they should be placed behind a VPN so that no one without VPN credentials can reach them.
The attacker also indicated that they were looking for other partners who could use other kinds of remote access tools (such as VNC and TeamViewer), as well as web shells or SQL injection techniques.
Organizations should immediately implement multi-factor authentication for users with administrative privileges, making it much harder for attackers to brute-force these account credentials.
Detection
Most initial access and footholds are on unprotected and unmonitored devices. Organizations should regularly audit their devices to ensure there are no neglected machines on the network.
The ransomware is executed only days after the attacker enters the network. A mature threat-hunting program is needed to identify the attacker's tooling before the ransomware runs.
Detection details
The various components of Snatch and the files used in this attack are detected by the following signatures:
Troj/Snatch-H
Mal/Generic-R
Troj/Agent-BCYI
Troj/Agent-BCYN
HPmal/GoRnSm-A
HPmal/RansMaz-A
PUA Detected: 'PsExec'
Thank you for reading. I believe you now have some understanding of how the Snatch ransomware uses safe mode to bypass antivirus software; go and put it into practice. If you want to learn more, you can follow the website, where the editor will keep bringing you better articles!