How to analyze the technical details of WastedLocker

2025-01-18 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

Many readers new to malware analysis are unsure how to approach the technical details of WastedLocker. This article walks through a WastedLocker sample step by step: its command-line options, its UAC bypass, its encryption scheme, and the mitigations that follow from them.

Foreword

The use of ransomware in targeted attacks has become commonplace: new ransomware campaigns appear every month, sometimes more often. In the first half of this year WastedLocker activity has been increasing, and in this article we give a detailed technical analysis of a WastedLocker sample.

Command-line arguments

WastedLocker has a command-line interface: the operator can pass several parameters, and they control how the ransomware behaves on the host.

-p

Priority. This parameter names a directory that the ransomware encrypts first. That directory is then added to an internal exclusion list so it is not encrypted a second time, after which the ransomware goes on to encrypt the remaining directories and files on all available drives.

-f

This parameter names a single directory to encrypt.

-u username:password\\hostname

This parameter supplies credentials. The ransomware authenticates to the named host with them and encrypts the files on that host's network resources.

-r

With this parameter the ransomware performs the following sequence:

1. Delete the original file.

2. Copy itself to "%WINDIR%\system32\<name>.exe", where <name> is a random substring taken from the list of subkeys under the registry key "SYSTEM\CurrentControlSet\Control\".

3. Create a service whose name is chosen in the same way as in step 2. If a service with that name already exists, the prefix "Ms" is added: for example, if a "Power" service already exists, the malware creates a new service called "MsPower". The command line of the new service is set to "%WINDIR%\system32\<name>.exe -s".

4. Start the service and wait for it to finish its work.

5. Delete the service.

-s

Run as the service created in the previous step and encrypt every file that meets the malware's criteria.
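The "-r" sequence leaves a recognisable trace: a service whose binary lives directly in system32, is named after a substring of a Control subkey, and is started with "-s". The following is an added example (not code from the article or from the malware) of a hunting check over that trace. It is written in Python over constructed sample data; the service list, the subkey list and the name "MsPower" are assumptions for the example, and on a real host you would feed it the output of `sc qc` or the Services registry key and enumerate the Control subkeys with winreg.

```python
import re

# Constructed stand-in for the subkeys of HKLM\SYSTEM\CurrentControlSet\Control; a real
# detector would enumerate them with winreg on the host being checked.
CONTROL_SUBKEYS = [
    "BackupRestore", "Class", "Power", "Print", "Session Manager", "Terminal Server", "Video",
]

# Matches an ImagePath of the form  %WINDIR%\system32\<name>.exe -s  whether the variable is
# still unexpanded, written as %SystemRoot%, or already expanded to a drive path.
IMAGE_PATH_RE = re.compile(
    r'^"?(?:%windir%|%systemroot%|[a-z]:\\windows)\\system32\\(?P<base>[^\\"/]+?)\.exe"?\s+-s\s*$',
    re.IGNORECASE,
)


def derived_from_subkey(name, subkeys):
    """True if `name` is a substring (3+ chars, case-insensitive) of some Control subkey name."""
    needle = name.lower()
    return len(needle) >= 3 and any(needle in key.lower() for key in subkeys)


def find_suspicious_services(services, subkeys=CONTROL_SUBKEYS):
    """Flag services whose ImagePath looks like the '-r' persistence service.

    `services` is an iterable of dicts with 'name' and 'image_path' (what `sc qc` or the
    ImagePath value of the service's registry key would give you).
    """
    findings = []
    for svc in services:
        match = IMAGE_PATH_RE.match(svc["image_path"].strip())
        if not match:
            continue
        base = match.group("base")
        reasons = ["ImagePath is system32\\<name>.exe started with -s"]
        if derived_from_subkey(base, subkeys):
            reasons.append("binary name is a substring of a Control subkey name")
        svc_name = svc["name"].lower()
        if svc_name == base.lower():
            reasons.append("service name equals the binary name")
        elif svc_name == "ms" + base.lower():
            reasons.append("service name is the binary name with the 'Ms' collision prefix")
        findings.append({"name": svc["name"], "binary": base + ".exe", "reasons": reasons})
    return findings


# Constructed sample: two entries shaped like the described service, two ordinary Windows services.
SAMPLE_SERVICES = [
    {"name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "MsPower", "image_path": r'"%WINDIR%\system32\Power.exe" -s'},
    {"name": "ssion", "image_path": r"C:\Windows\system32\ssion.exe -s"},
    {"name": "wuauserv", "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for finding in find_suspicious_services(SAMPLE_SERVICES):
        print(finding["name"], finding["binary"], "; ".join(finding["reasons"]))
```

The substring check mirrors the naming rule in step 2 rather than looking for an exact subkey name, which is why "ssion" (from "Session Manager") is caught; the "Ms" branch covers the collision case from step 3.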

UAC bypass

Another notable feature of WastedLocker is the way it bypasses UAC. When the Trojan starts, it checks the integrity level of its own process. If that level is not high enough, the malware silently tries a known bypass technique to elevate its privileges.

First, the malware creates a new directory under "%APPDATA%". The directory name is a random substring taken from the list of subkeys under the registry key "SYSTEM\CurrentControlSet\Control\". It then creates a random EXE or DLL file in that directory, modelled on a file from the system directory, and writes the Trojan body into that file's NTFS alternate data stream named ":bin".

Next, the malware creates a temporary directory and, using the NtFsControlFile API function with the "IO_REPARSE_TAG_MOUNT_POINT" tag, turns it into a mount point that targets "C:\Windows". It then creates a subdirectory called "system32" inside this temporary directory, so the path of that subdirectory, "%temp%\<temporary directory>\system32", resolves to "C:\Windows\system32".

It then copies the legitimate winsat.exe and winmm.dll into this subdirectory, overwrites the entry point code of winmm.dll with malicious code that loads the Trojan from the ":bin" stream created in the previous step, and starts winsat.exe. winsat.exe is a Windows binary that is allowed to auto-elevate; when it loads the modified winmm.dll, the DLL hijack runs the malware at the higher integrity level.

[Figure: Procmon log snippet captured during WastedLocker startup]
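The bypass described above shows up in a Procmon capture as a short sequence of events: a ":bin" stream written under %APPDATA%, a reparse point set on a directory under %TEMP%, winsat.exe started from a "system32" subdirectory under %TEMP%, and winsat.exe loading winmm.dll from that same directory. The following is an added example (not the article's code) of that chain logic in Python, run over a constructed Procmon CSV export: "sample.exe", the user name "alice" and the directory names "Power" and "Video" are made-up stand-ins, and the timestamps and image bases are invented.

```python
import csv
import io
import re

# Constructed Procmon CSV export (default columns). "sample.exe" stands in for the WastedLocker
# process; the user name and the "Power"/"Video" directory names are made up.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\Users\alice\AppData\Roaming\Power\vssapi.dll:bin","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","sample.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\Video","SUCCESS","Desired Access: Generic Write, Options: Directory, Open Reparse Point"
"10:01:02.4","sample.exe","4120","FileSystemControl","C:\Users\alice\AppData\Local\Temp\Video","SUCCESS","Control: FSCTL_SET_REPARSE_POINT"
"10:01:02.6","sample.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\Video\system32\winsat.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.7","sample.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Temp\Video\system32\winmm.dll","SUCCESS","Desired Access: Generic Write"
"10:01:03.0","sample.exe","4120","Process Create","C:\Users\alice\AppData\Local\Temp\Video\system32\winsat.exe","SUCCESS","PID: 5208, Command line: winsat.exe"
"10:01:03.2","winsat.exe","5208","Load Image","C:\Users\alice\AppData\Local\Temp\Video\system32\winmm.dll","SUCCESS","Image Base: 0x7ff8a0000000, Image Size: 0x30000"
"10:01:03.5","svchost.exe","1044","Load Image","C:\Windows\System32\winmm.dll","SUCCESS","Image Base: 0x7ff8b0000000, Image Size: 0x30000"
'''

# The four stages of the bypass, in the order the text describes them. Each predicate is
# applied to one Procmon row (a dict keyed by column name).
STAGES = [
    ("payload_written_to_ads", lambda r: r["Operation"] == "CreateFile"
        and re.search(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.(?:exe|dll):bin$", r["Path"], re.I)),
    ("temp_dir_made_mount_point", lambda r: r["Operation"] == "FileSystemControl"
        and "FSCTL_SET_REPARSE_POINT" in r["Detail"]
        and re.search(r"\\AppData\\Local\\Temp\\", r["Path"], re.I)),
    ("winsat_started_from_temp", lambda r: r["Operation"] == "Process Create"
        and re.search(r"\\Temp\\.*\\system32\\winsat\.exe$", r["Path"], re.I)),
    ("winmm_loaded_from_temp", lambda r: r["Operation"] == "Load Image"
        and r["Process Name"].lower() == "winsat.exe"
        and re.search(r"\\Temp\\.*\\system32\\winmm\.dll$", r["Path"], re.I)),
]


def detect_uac_bypass_chain(csv_text):
    """Return the rows hit per stage, plus whether all four stages occurred in order."""
    hits = {name: [] for name, _ in STAGES}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for name, matches in STAGES:
            if matches(row):
                hits[name].append((row["Time of Day"], row["Process Name"], row["Path"]))
    # Require every stage and require the first hit of each stage to appear in sequence.
    first_seen = [hits[name][0][0] for name, _ in STAGES if hits[name]]
    hits["chain_complete"] = len(first_seen) == len(STAGES) and first_seen == sorted(first_seen)
    return hits


if __name__ == "__main__":
    result = detect_uac_bypass_chain(SAMPLE_PROCMON_CSV)
    for name, _ in STAGES:
        print(f"{name}: {len(result[name])} hit(s)")
    print("chain complete:", result["chain_complete"])
```

The last stage is the one that matters for triage: a legitimate winsat.exe loads winmm.dll from C:\Windows\System32, never from a directory under %TEMP%, so that single event is already a strong indicator even if the earlier stages were not captured.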

Encryption scheme

To encrypt files on the target device, the WastedLocker developers use a scheme that combines AES and RSA, which differs from what most ransomware families do. The malware selects the files to encrypt by search mask and skips the paths listed in its configuration.

[Figure: path substrings excluded from encryption in the ransomware configuration]

For each file to be processed, WastedLocker generates a unique 256-bit key and a 128-bit IV and encrypts the file content with AES-256 in CBC mode using them. The file handling is worth a closer look, because data is accessed through file mapping rather than ordinary read/write calls; this appears to be an attempt to evade security solutions that monitor file I/O. Each encrypted file receives the suffix ".garminwasted".

The ransomware also builds an integrity check into the encryption routine: it computes the MD5 hash of the original file, and the decryption routine uses that hash to confirm the file was decrypted correctly.

For the RSA part, WastedLocker uses the publicly available reference implementation "rsaref".

The AES key, the IV, the MD5 hash and other information about the original file are encrypted with an RSA public key embedded in the ransomware. The analysed sample carries a 4096-bit RSA public key:

[Figure: the 4096-bit RSA public key embedded in the sample]

Note that this scheme uses the same RSA public key for every victim, which would be a weakness if WastedLocker were distributed at scale: once any victim obtained a decryption tool, the RSA private key inside it would let every other victim decrypt their own files as well.

In practice, however, WastedLocker is used against specific organisations, so this shortcut does not help in real attack scenarios.

The RSA-encrypted result is Base64-encoded and stored in a separate new file with the suffix ".garminwasted_info".
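The following is an added example (not the article's code and not WastedLocker's own) that implements the hybrid scheme as the text describes it, in Python with the `cryptography` package: a fresh 256-bit AES key and 128-bit IV per file, AES-256-CBC over the content, MD5 of the plaintext for the integrity check, and the key material wrapped under one RSA public key and Base64-encoded into an "_info" blob. Three things are assumptions because the article does not state them: the RSA padding (PKCS#1 v1.5 is used here, as rsaref-era code would), the serialisation of the wrapped metadata (JSON here), and the key size (2048 bits here to keep the example fast; the sample uses 4096). The demo also shows the "one private key decrypts every victim" property the text points out.

```python
import base64
import hashlib
import json
import os

from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes


def make_attacker_keypair(bits=2048):
    """One RSA key pair stands in for the public key embedded in the sample (assumed 2048 bits
    here for speed; the analysed sample uses 4096)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def encrypt_file_bytes(plaintext, public_key):
    """Return (ciphertext, info_blob) for one file, following the per-file scheme in the text."""
    key = os.urandom(32)   # unique 256-bit AES key per file
    iv = os.urandom(16)    # unique 128-bit IV per file
    padder = sym_padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    # Metadata layout is an assumption: the text says key, IV, MD5 and "other information"
    # are RSA-encrypted, but not how they are serialised.
    metadata = json.dumps({
        "key": key.hex(), "iv": iv.hex(),
        "md5": hashlib.md5(plaintext).hexdigest(), "size": len(plaintext),
    }).encode()
    wrapped = public_key.encrypt(metadata, asym_padding.PKCS1v15())  # padding assumed
    return ciphertext, base64.b64encode(wrapped).decode()


def decrypt_file_bytes(ciphertext, info_blob, private_key):
    """Recover one file from its ciphertext and Base64 info blob; raises ValueError on a bad key,
    tampered data or an MD5 mismatch."""
    metadata = json.loads(private_key.decrypt(base64.b64decode(info_blob), asym_padding.PKCS1v15()))
    decryptor = Cipher(algorithms.AES(bytes.fromhex(metadata["key"])),
                       modes.CBC(bytes.fromhex(metadata["iv"]))).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = sym_padding.PKCS7(128).unpadder()
    plaintext = unpadder.update(padded) + unpadder.finalize()
    if hashlib.md5(plaintext).hexdigest() != metadata["md5"]:
        raise ValueError("MD5 mismatch: wrong key or corrupted file")
    return plaintext


def encrypt_victim_files(files, public_key):
    """Map {name: content} to the on-disk pair  name.garminwasted / name.garminwasted_info."""
    artifacts = {}
    for name, content in files.items():
        ciphertext, info_blob = encrypt_file_bytes(content, public_key)
        artifacts[name + ".garminwasted"] = ciphertext
        artifacts[name + ".garminwasted_info"] = info_blob
    return artifacts


def decrypt_victim_files(artifacts, private_key):
    """Pair each .garminwasted file with its _info blob and decrypt it."""
    recovered = {}
    for name, ciphertext in artifacts.items():
        if name.endswith(".garminwasted"):
            info_blob = artifacts[name + "_info"]
            recovered[name[: -len(".garminwasted")]] = decrypt_file_bytes(ciphertext, info_blob, private_key)
    return recovered


def demo():
    """Two 'victims' encrypted under the same embedded public key; one private key recovers both."""
    private_key, public_key = make_attacker_keypair()
    victims = {"a.docx": b"victim A quarterly report", "b.xlsx": b"victim B ledger " * 50}  # constructed
    artifacts = encrypt_victim_files(victims, public_key)
    return decrypt_victim_files(artifacts, private_key)


if __name__ == "__main__":
    for name, content in demo().items():
        print(name, len(content), "bytes recovered")
```

Because every file's key material is wrapped under the same public key, `decrypt_victim_files` needs only one private key regardless of how many victims' artifacts it is given; that is exactly the property that makes a leaked decryptor dangerous for a mass-distributed family and irrelevant for the targeted use described above. The MD5 check is what turns a wrong key or a corrupted ciphertext into a clean error instead of silently writing garbage.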

[Figure: list of encrypted files on the test device]

[Figure: ransom note left by the ransomware on the target device]

Mitigation measures

Install the latest patches and keep operating systems and applications on current versions.

Do not expose RDP to the Internet unless it is genuinely necessary; prefer remote access through a VPN.

Use modern endpoint security solutions that support behavioural detection, automatic file rollback and other anti-ransomware protections.

Strengthen security awareness within the organisation, and back it with specialist expertise and best-practice tooling.

Maintain a reliable backup scheme, and test that backups can actually be restored.
