
How to efficiently detect and defend against the leaked Debug build of the MedusaLocker ransomware

2025-03-26 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article introduces how to efficiently detect and defend against the leaked Debug build of the MedusaLocker ransomware. The content is quite detailed; interested readers can use it for reference, and I hope it will be helpful.

Preface

Recently, a ransomware family called MedusaLocker has become a hot topic in overseas security circles because several builds of it have leaked, including a Debug build from the attackers' own development process. With the help of its threat intelligence sources, Sangfor has observed that enterprises in Southeast Asian countries such as the Philippines, as well as many domestic enterprises, have been infected one after another, and the outbreak is continuing. The Sangfor security team is tracking the virus in order to detect and defend against it.

Under normal circumstances, attackers erase sensitive information from their malware before distributing it so that they cannot be tracked. This Debug build of MedusaLocker was most likely leaked by accident during development; because a Debug build carries much more information about the sample, we can study it and develop an effective detection and defense plan.

Since the sample's MD5 was not published on Twitter, we had to search VirusTotal (VT) by keyword, and finally selected two related samples. Judging by discovery time, the second sample is most likely the Debug build that leaked early.

When the sample is run locally, the host's files are encrypted with the ".skynet" extension, and the ransom note "Readme.html" shown below is generated. Looking closely at the phrases "Your files are encrypted" and "Attention", they are very similar to the GlobeImposter ransomware, so the possibility that the author imitated GlobeImposter cannot be ruled out.

Probably because the sample is a Debug build, debugging information is printed automatically at runtime. From this output the virus's workflow can be roughly reconstructed as follows:

Privilege escalation -> initialize the encryption algorithm -> drop the ransom note -> add an autostart entry -> clear databases and kill software processes -> delete shadow copies -> scan and traverse files for encryption

Detection

Opening the sample in IDA, we find that it carries PDB information. By extracting features from that PDB information, we can identify variants of the MedusaLocker family.

What is PDB information in a PE file, and what is it for? Its main function is to record the path of the project's PDB file; it is stored in the IMAGE_DEBUG_TYPE_CODEVIEW entry of the PE file's debug directory. By reading the value of this field, debugging tools can locate the PDB file and load the related symbol information. From this path we can see that the author goes by Gh0St, and the project path also contains an explicit MedusaLocker string.

The PDB path field has the following format, starting with the "RSDS" signature; following this format, you can easily write YARA rules for MedusaLocker.

PDB information is stored in clear text, and different variants of the virus family can be detected efficiently by detecting PDB feature strings.

This PDB-based detection technique was introduced earlier by the overseas security vendor FireEye, who compiled many suspicious PDB string rules for detection and successfully captured a number of new malware samples with them.

However, this detection method is still limited: in most cases attackers use tools to erase PDB information before distributing malware, so apart from Debug programs that leak early, most samples carry no PDB information.

The principle of erasing PDB information is simple: overwrite the PDB path with zeros, or delete the IMAGE_DEBUG_TYPE_CODEVIEW entry outright.
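The two passages above describe the RSDS CodeView record and the two ways its PDB path is erased. The following Python is an added example, not code from the article or from Sangfor, that carves RSDS records out of raw sample bytes (the same thing a YARA string rule does) and classifies them by PDB keyword; it also reports when the record is present but the path has been zeroed. The sample bytes, the GUID and the PDB path are constructed here: the article only states that the real path names "Gh0St" and contains "MedusaLocker", so those two fragments are the only assumption borrowed from the page.

```python
import struct
import uuid
from dataclasses import dataclass
from typing import Iterator, Optional

# Layout of the CodeView record that an IMAGE_DEBUG_TYPE_CODEVIEW (type 2) debug
# directory entry points to:
#   "RSDS" | PDB GUID, 16 bytes | Age, uint32 little-endian | PDB path, NUL-terminated
RSDS_SIG = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4

# PDB path fragments that mark the family. Assumption: the article only says the
# leaked Debug build's path names the author "Gh0St" and contains "MedusaLocker".
FAMILY_PDB_MARKERS = {"MedusaLocker": ("medusalocker", "gh0st")}


@dataclass
class CodeViewRecord:
    offset: int
    guid: str
    age: int
    pdb_path: str  # "" when the path was overwritten with zeros


def iter_codeview_records(data: bytes) -> Iterator[CodeViewRecord]:
    """Carve every RSDS record out of the raw image.

    Carving rather than walking the debug directory means the record is still
    found when the directory entry was deleted but the record bytes were left in.
    """
    pos = data.find(RSDS_SIG)
    while pos >= 0 and pos + RSDS_HEADER_LEN <= len(data):
        guid = str(uuid.UUID(bytes_le=data[pos + 4:pos + 20]))
        age = struct.unpack_from("<I", data, pos + 20)[0]
        end = data.find(b"\x00", pos + RSDS_HEADER_LEN)
        if end < 0:
            end = len(data)
        path = data[pos + RSDS_HEADER_LEN:end].decode("utf-8", errors="replace")
        # "RSDS" can occur by chance; a genuine record has a printable or zeroed path.
        if all(32 <= ord(c) < 127 for c in path):
            yield CodeViewRecord(pos, guid, age, path)
        pos = data.find(RSDS_SIG, pos + 4)


def classify_pdb_path(path: str) -> Optional[str]:
    """Return the family name whose PDB markers appear in the path, else None."""
    lowered = path.lower()
    for family, markers in FAMILY_PDB_MARKERS.items():
        if any(marker in lowered for marker in markers):
            return family
    return None


def scan_sample(data: bytes) -> dict:
    """Summarise PDB evidence: carved records, matched family, and whether the
    PDB path is missing or wiped (so a string rule alone would miss the sample)."""
    records = list(iter_codeview_records(data))
    family = None
    for rec in records:
        family = classify_pdb_path(rec.pdb_path)
        if family:
            break
    stripped = not any(rec.pdb_path for rec in records)
    return {"records": records, "family": family, "pdb_stripped": stripped}


def build_codeview_record(pdb_path: bytes, guid: uuid.UUID, age: int) -> bytes:
    """Serialise an RSDS record (used only to construct the samples below)."""
    return RSDS_SIG + guid.bytes_le + struct.pack("<I", age) + pdb_path + b"\x00"


# Constructed sample images (not real MedusaLocker bytes): filler around one record.
CONSTRUCTED_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
CONSTRUCTED_PDB_PATH = r"C:\Users\Gh0St\source\repos\MedusaLocker\Debug\MedusaLocker.pdb"
SAMPLE_DEBUG_BUILD = (
    b"MZ" + b"\x90" * 62
    + build_codeview_record(CONSTRUCTED_PDB_PATH.encode(), CONSTRUCTED_GUID, 7)
    + b"\x00" * 16
)
# The same image after the path was overwritten with zeros, as the article describes.
SAMPLE_WIPED = SAMPLE_DEBUG_BUILD.replace(
    CONSTRUCTED_PDB_PATH.encode(), b"\x00" * len(CONSTRUCTED_PDB_PATH)
)

if __name__ == "__main__":
    for name, image in (("debug build", SAMPLE_DEBUG_BUILD), ("wiped build", SAMPLE_WIPED)):
        print(name, scan_sample(image))
```

For a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan_sample`. The `pdb_stripped` flag is the practical caveat from the article: a Release build with the path zeroed or the CodeView entry removed yields no family match, so PDB rules should sit alongside behavioural and file-extension indicators rather than replace them.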

Using this method, the Release build of the MedusaLocker sample was found on the Internet.

The logic of the Release build and the Debug build is essentially the same apart from the missing debugging code, but the encryption extension and the ransom note are completely different: the extension becomes ".alarm", the ransom note is named "HOW_TO_RECOVER_DATA.html", and its visual style is much improved, with an eye-catching Birdman logo added in the lower right corner.

Defense

Virus detection and killing

1. Sangfor security products such as EDR, next-generation firewalls and the security awareness platform all have virus detection capabilities; users who have deployed these products can run a virus scan, as shown in the figure:

2. Sangfor provides free scanning and removal tools for all users; you can download the following tools for detection and removal.

64-bit system download link:

Http://edr.sangfor.com.cn/tool/SfabAntiBot_X64.7z

32-bit system download link:

Http://edr.sangfor.com.cn/tool/SfabAntiBot_X86.7z

Virus defense

1. Patch computers promptly to fix vulnerabilities.

2. Make regular off-site backups of important data files.

3. Do not open email attachments from unknown sources or download software from unknown websites.

4. Turn off unnecessary file-sharing permissions where possible.

5. Change account passwords, set strong passwords, and avoid reusing one password across systems, because a shared password means one breach compromises many hosts.

6. If RDP is not needed by the business, it is recommended to disable it.

7. When such incidents occur, it is recommended to use the Sangfor firewall or the micro-segmentation function of the Endpoint Detection and Response platform (EDR) to block ports such as 3389 and prevent lateral spread.

8. The Sangfor firewall and the Endpoint Detection and Response platform (EDR) both have anti-brute-force functions. On the firewall, enable this function together with rules 11080051, 11080027 and 11080016; on EDR, enable the anti-brute-force function for defense.

9. Sangfor firewall customers are advised to upgrade to version AF805 and turn on the artificial intelligence engine Save for the best defensive effect.

10. The Sangfor Endpoint Detection and Response platform (EDR) recognizes most of the popular hacking tools on the market and can actively intercept them and block their execution. Sangfor EDR customers are advised to turn on the ransomware protection function to intercept ransomware precisely.

11. Use Sangfor security products, connect to the Security Cloud Brain, and use the cloud lookup service to detect and defend against new threats immediately.

12. Sangfor offers security operation services that use a "human plus machine intelligence" service model to help users expand their security capabilities quickly. For threats of this kind, the security operation service provides device policy checks, security threat checks, related vulnerability checks and other services, so that risks are detected and policies updated at the earliest opportunity to prevent such threats.

Finally, it is suggested that enterprises should carry out a security inspection and antivirus scan on the whole network to strengthen the protection work.

That concludes this discussion of how to effectively detect and defend against the leaked Debug build of the MedusaLocker ransomware. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, please share it so that more people can see it.
