2025-01-16 update. From: SLTechnology News&Howtos, Network Security. Shulou (Shulou.com), 05/31 report.
This article walks through an analysis of the MedusaLocker ransomware and the defensive measures that follow from it. The editor found it practical and shares it here in the hope that you take something away from it; without further ado, read on.
1 Malicious code information
Name: Trojan.DelShad.if
Type: ransomware
MD5: d54fa56f495571d8000ced3fefccf2a7
SHA1: e4f65eba10cc0dc840549dc3ec5212e015564b1b
File type: PE, 32-bit
File size: 676864 bytes
Propagation: none of its own (no self-spreading; deployed by hand, see section 2)
Affected systems: Windows XP and later
2 Overview of the malicious code
Jiangmin Red Leopard Security Laboratory captured samples of the MedusaLocker ransomware. The family began spreading in China in October 2019 and a number of domestic enterprises have already been hit. The name MedusaLocker comes from Medusa of Greek myth. Analysis found that several builds had leaked, including a debug build produced by the developers. Infection is mainly manual: the attacker brute-forces the Remote Desktop password of the target, logs in, and runs the sample by hand. The sample then traverses local drives and network shares and encrypts data files with RSA+AES, so the files cannot be decrypted without the corresponding private key.
3 Manual cleaning method
Terminate the process named svchostt.exe, delete the scheduled task named "svchostt" from the root of the Task Scheduler library, delete the dropped svchostt.exe file, and remove the additional registry entries described in the Registry behavior section below.
4 Measures and suggestions
Against attacks of this kind, preparation is not enough on its own; timely hardening is needed so that platform and business operations are not disrupted.
1. Install Jiangmin antivirus software and keep its virus database up to date.
2. Turn off the Remote Desktop service on machines that do not need it.
3. On machines that do need Remote Desktop, use strong passwords, and a different one on every machine.
4. The ransomware deliberately excludes .rdp files from encryption. If an infected machine has saved RDP credentials for other machines, isolate it immediately, because those credentials give the attacker a path onward.
5. Since most infections are carried out by hand over a remote session, installed security software is not enough by itself: the attacker can simply terminate it, unless the software is protected by a password for stopping or uninstalling it and that password has been changed from the default.
6. Disable the Guest account.
7. Scan the system and installed software for vulnerabilities and apply patches promptly.
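The following script is an added example, not part of the original article or of Jiangmin's material; it applies the scriptable parts of recommendations 2, 3, 4 and 6 above on a single Windows host. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 (the article also lists Windows XP, where these cmdlets do not exist) and must run elevated. The $RdpNeeded parameter is a placeholder for your own inventory decision about whether this host really needs Remote Desktop; strong passwords (item 3) and antivirus self-protection passwords (item 5) are not something a script can supply.

```powershell
# Added example: harden a host against the RDP brute-force entry path used by MedusaLocker.
# Run as Administrator. -RdpNeeded $true keeps RDP but requires Network Level Authentication.
param([bool]$RdpNeeded = $false)   # assumption: your inventory decides this per host

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

if (-not $RdpNeeded) {
    # Item 2: no Remote Desktop on machines that do not need it.
    # fDenyTSConnections=1 disables the listener; the firewall rule group closes TCP 3389.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
} else {
    # Item 3 (partial): RDP stays on, so require Network Level Authentication.
    # Credentials are then checked before a session is created, which removes the
    # pre-authentication attack surface and slows down password guessing.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

# Item 3 (partial): lock accounts after repeated failed logons so brute force stalls.
# 5 attempts, 30 minutes lockout, 30 minute observation window.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Item 6: disable the Guest account (Get/Disable-LocalUser are unavailable on domain controllers).
Disable-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue

# Item 4: saved RDP credentials let an intruder pivot from this host.
# Credential Manager stores them as TERMSRV/<host>; list them, and remove the ones that
# are not needed with: cmdkey /delete:TERMSRV/<host>
'Saved RDP credentials on this host:'
cmdkey /list | Select-String -Pattern 'TERMSRV/'

# .rdp files do not hold the password itself, but they name the hosts this user connects to,
# which is exactly what the ransomware leaves readable for the attacker.
'.rdp files in user profiles:'
Get-ChildItem -Path "$env:SystemDrive\Users" -Filter *.rdp -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# Verify the resulting state.
Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections | Select-Object fDenyTSConnections
Get-ItemProperty -Path $rdpTcp -Name UserAuthentication | Select-Object UserAuthentication
Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue | Select-Object Name, Enabled
```

On a domain, set the lockout values and the RDP listener policy through Group Policy instead of per host; the script is useful for standalone servers and for verifying that a policy actually landed.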
5 Behavior summary
5.1 File behavior
Creates the file C:\Users\Administrator\AppData\Roaming\svchostt.exe (a copy of the ransomware under %APPDATA%).
Traverses the file system and encrypts every file whose extension is not on its exclusion list.
5.2 Process behavior
Creates a mutex named "{8761ABBD-7F85-42EE-B272-A76179687C63}".
Creates a scheduled task named "svchostt".
Elevates privileges through the CMSTPLUA COM interface (an auto-elevating COM object, a known UAC bypass).
Stop the following services: wrapper,DefWatch,ccEvtMgr,ccSetMgr,SavRoam,sqlservr,sqlagent,sqladhlp,Culserver,RTVscan,sqlbrowser,SQLADHLP,QBIDPService,Intuit.QuickBooks.FCS,QBCFMonitorService,sqlwriter,msmdsrv,tomcat6,zhudongfangyu,SQLADHLP,vmware-usbarbitator64,vmware-converter,dbsrv12,dbeng8
Restarts the following service so that the registry change described in 5.3 takes effect immediately:
LanmanWorkstation
Terminates the following processes:
WxServer.exe,wxServerView,sqlservr.exe,sqlmangr.exe,RAgui.exe,supervise.exe,Culture.exe,RTVscan.exe,Defwatch.exe,sqlbrowser.exe,winword.exe,QBW32.exe,QBDBMgr.exe,qbupdate.exe,QBCFMonitorService.exe,axlbridge.exe,QBIDPService.exe,httpd.exe,fdlauncher.exe,MsDtSrvr.exe,tomcat6.exe,java.exe,360se.exe,360doctor.exe,wdswfsafe.exe,fdlauncher.exe,fdhost.exe,GDscan.exe,ZhuDongFangYu.exe
Executes the following commands to delete shadow copies and system state backups and to disable Windows recovery:
vssadmin.exe Delete Shadows /All /Quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wmic.exe SHADOWCOPY /nointeractive
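The command list above is the most reliable detection opportunity in the whole chain, because every one of those tools is rarely run on a workstation and almost never with these arguments. The following is an added example, not from the original analysis, that classifies process command lines against the listed commands. The sample lines are constructed for illustration, not captured from a real host; the "wmic shadowcopy delete" form is a common variant added alongside the exact line given above. Running it against the live Security log assumes "Include command line in process creation events" (Audit Process Creation) is enabled, otherwise event 4688 carries no command line.

```powershell
# Added example: detect the backup/recovery destruction commands used by MedusaLocker.
# -match is case-insensitive in PowerShell, so the patterns are written in lower case.
$RecoveryTamperPatterns = @(
    @{ Name = 'vssadmin-delete-shadows';    Regex = '\bvssadmin(\.exe)?\s+delete\s+shadows\b' }
    @{ Name = 'bcdedit-disable-recovery';   Regex = '\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b' }
    @{ Name = 'bcdedit-ignore-boot-failure';Regex = '\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b' }
    @{ Name = 'wbadmin-delete-systemstate'; Regex = '\bwbadmin(\.exe)?\s+delete\s+systemstatebackup\b' }
    # The article lists "SHADOWCOPY /nointeractive"; "shadowcopy delete" is the usual variant.
    @{ Name = 'wmic-shadowcopy-delete';     Regex = '\bwmic(\.exe)?\s+shadowcopy\b.*(\bdelete\b|/nointeractive)' }
)

function Test-RecoveryTamperCommandLine {
    # Returns the name of the first matching pattern, or $null for a benign command line.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($p in $RecoveryTamperPatterns) {
        if ($CommandLine -match $p.Regex) { return $p.Name }
    }
    return $null
}

function Find-RecoveryTamper {
    # Classifies a list of command lines and returns one object per hit.
    param([string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        $hit = Test-RecoveryTamperCommandLine -CommandLine $cl
        if ($hit) { [pscustomobject]@{ Rule = $hit; CommandLine = $cl } }
    }
}

# Constructed sample command lines (not from a real incident). The last two are benign:
# listing shadow copies and an ordinary backup product must not alert.
$samples = @(
    'C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet'
    'bcdedit.exe /set {default} recoveryenabled No'
    'bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures'
    'wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest'
    'wmic.exe SHADOWCOPY /nointeractive'
    'wmic.exe shadowcopy delete /nointeractive'
    'vssadmin.exe list shadows'
    '"C:\Program Files\Backup\backup.exe" /full /quiet'
)
Find-RecoveryTamper -CommandLines $samples | Format-Table -AutoSize
# Expected: six alerts, the two benign lines are not reported.

# On a live host, replace $samples with command lines from process-creation events.
# Event 4688 only contains CommandLine when Audit Process Creation command-line logging is on.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | ForEach-Object {
#       $data = ([xml]$_.ToXml()).Event.EventData.Data
#       ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
#   } | ForEach-Object { Find-RecoveryTamper -CommandLines @($_) }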
5.3 Registry behavior
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, sets "EnableLUA" to 0 (UAC no longer prompts) and "ConsentPromptBehaviorAdmin" to 0 (elevation without asking for consent or credentials).
Under the same key, sets "EnableLinkedConnections" to 1, so that network drives mapped in the user's standard token are also linked into the elevated token; the elevated ransomware process can then reach the mapped shares during the later traversal and encryption.
Creates a value named "Name" with the data "svchostt.exe" under HKCU\SOFTWARE\Medusa, i.e. the file name of the dropped copy.
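The indicators from section 3 (manual cleaning) and sections 5.1 to 5.3 fit together into one host sweep. The script below is an added example, not part of the original analysis: it checks every indicator the article names and, with -Remediate, performs the manual cleaning steps in a safe order. It assumes PowerShell 5.1 or later and elevation. The article gives only the mutex GUID, so trying it with the Local\ and Global\ namespace prefixes as well is an assumption; the default value 5 restored for ConsentPromptBehaviorAdmin is the Windows default (prompt for consent on the secure desktop), not something the article states.

```powershell
# Added example: sweep a host for the MedusaLocker indicators in sections 3 and 5.1-5.3,
# and optionally undo them. Run as Administrator. Encrypted files are not recovered by this.
param([switch]$Remediate)

$MutexName = '{8761ABBD-7F85-42EE-B272-A76179687C63}'
$DropName  = 'svchostt.exe'
$TaskName  = 'svchostt'
$MedusaKey = 'HKCU:\SOFTWARE\Medusa'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$findings  = New-Object System.Collections.Generic.List[string]

# Section 6 step 1: the sample exits if its mutex already exists, so an openable mutex
# means an instance is running right now. Namespace prefixes are an assumption.
foreach ($name in @($MutexName, "Local\$MutexName", "Global\$MutexName")) {
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
        $m.Dispose()
        $findings.Add("mutex present (ransomware running): $name")
        break
    }
}

# Section 3 / 5.2: the process and its persistence task in the root of the task library.
$procs = @(Get-Process -Name 'svchostt' -ErrorAction SilentlyContinue)
foreach ($p in $procs) { $findings.Add("process: svchostt.exe pid $($p.Id) path $($p.Path)") }

$task = Get-ScheduledTask -TaskName $TaskName -TaskPath '\' -ErrorAction SilentlyContinue
if ($task) { $findings.Add("scheduled task: \$TaskName runs $($task.Actions[0].Execute)") }

# Section 5.1: the dropped copy. The article saw it under the Administrator profile;
# check every profile's Roaming folder, since the attacker may have logged in as anyone.
$drops = @(Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\$DropName" -ErrorAction SilentlyContinue)
foreach ($d in $drops) {
    $sha1 = (Get-FileHash -Path $d.FullName -Algorithm SHA1).Hash
    $findings.Add("file: $($d.FullName) SHA1 $sha1")   # compare with the hash in section 1
}

# Section 5.3: registry tampering.
if (Test-Path $MedusaKey) {
    $findings.Add("registry key: $MedusaKey Name=$((Get-ItemProperty -Path $MedusaKey).Name)")
}
$pol = Get-ItemProperty -Path $PolicyKey
if ($pol.EnableLUA -eq 0)                  { $findings.Add('UAC disabled: EnableLUA=0') }
if ($pol.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add('silent elevation: ConsentPromptBehaviorAdmin=0') }
if ($pol.EnableLinkedConnections -eq 1)    { $findings.Add('mapped drives linked into elevated token: EnableLinkedConnections=1') }

if ($findings.Count -eq 0) { 'No MedusaLocker indicators found.'; return }
$findings | ForEach-Object { "[IOC] $_" }

if ($Remediate) {
    # Kill first: a live process could otherwise re-create the task or the file.
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    if ($task) { Unregister-ScheduledTask -TaskName $TaskName -TaskPath '\' -Confirm:$false }
    $drops | Remove-Item -Force -ErrorAction SilentlyContinue
    Remove-Item -Path $MedusaKey -Recurse -Force -ErrorAction SilentlyContinue
    # Restore the policy values the sample changed (defaults: UAC on, consent prompt,
    # no linked connections) and restart the service that reads EnableLinkedConnections.
    Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Remove-ItemProperty -Path $PolicyKey -Name EnableLinkedConnections -ErrorAction SilentlyContinue
    Restart-Service -Name LanmanWorkstation -Force
    'Remediation applied. EnableLUA=1 takes effect after a reboot.'
}
```

Run it without -Remediate first and keep the output as evidence; remediating before imaging destroys the dropped binary and task definition. Because the sample is deployed over RDP with stolen credentials, cleaning one host does not end the incident: the credentials and any saved RDP connections listed in section 4 still need to be reset.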
5.4 Network behavior
Sends an ICMP packet to a local network address.
6 Detailed analysis report
1. Tries to open the mutex named "{8761ABBD-7F85-42EE-B272-A76179687C63}". If that succeeds, the ransomware is already running and this instance exits; otherwise it continues.
2. Checks whether the process has administrator privileges. If not, it elevates through the CMSTPLUA COM interface.
3. Creates its registry key (HKCU\SOFTWARE\Medusa, see 5.3).
4. Initializes the encryption routines (RSA+AES), derives the local victim identifier, creates the ransom note HTML file and writes the identifier into it.
This also means that encrypted files cannot be decrypted without the corresponding private key.
5. Establishes persistence by adding a scheduled task through the CLSID_TaskScheduler COM API. The task is named "svchostt".
6. Stops and deletes the listed services so that they do not restart the processes it is about to kill. For the list of services, see the process behavior section.
7. Terminates the listed processes so that no open handles block the files it is about to encrypt. For the list of processes, see the process behavior section.
8. Destroys the machine's recovery options, including emptying the Recycle Bin and deleting system backups and shadow copies (see the command list in 5.2).
9. Sets the registry value "EnableLinkedConnections" to 1 and restarts the "LanmanWorkstation" service so the change takes effect immediately. As a result the network drives mapped by the user are linked into the elevated session, so the later traversal reaches the shared disks and encrypts them as well.
10. Prepares the directories to encrypt: besides a full traversal of each drive, a set of important directories is tried by default.
11. Starts encrypting.
Encryption skips files with a fixed set of excluded extensions.
Note that the author deliberately skips .rdp files, which lets the attacker continue on to other machines using the saved RDP connections and credentials of the victim.
That concludes the analysis of MedusaLocker and the defensive measures that follow from it; the editor believes some of these points will come up in day-to-day work.