2025-02-23 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article presents a sample analysis of the ProLock ransomware. It has some reference value, and interested readers are welcome to consult it; I hope you learn a lot from it. Let the editor take you through it.
Preface
At a time when organizations are busy responding to the global pandemic, a new wave of ransomware attacks has quietly begun. The ransomware, called ProLock, is a variant of the PwndLocker ransomware that appeared at the end of 2019. PwndLocker spread for only a short time, mainly because many users discovered that the key needed to decrypt their files could be recovered from the malware itself, so there was no need to pay a ransom. The ProLock that appeared in March is the opposite: after paying the ransom, victims receive a faulty decryption tool that damages the data the ransomware had encrypted on their devices.
This defect may be related to the unusual way ProLock encrypts files: it skips files smaller than 8192 bytes and, for larger files, encrypts only the data after the first 8192 bytes. As a result, an affected file is partly readable and partly encrypted.
ProLock preparation work
ProLock can gain access to the target network in a variety of ways, including the exploitation of third-party vulnerabilities. According to Group-IB researchers, some ProLock victims were infected through scripts executed by the QakBot banking trojan. The FBI also lists QakBot as one of ProLock's initial infection vectors, alongside phishing email and misconfigured RDP servers. Researchers have shown that the earliest ProLock intrusions were carried out over Remote Desktop Protocol (RDP) connections.
The ProLock attackers also use the access gained in the initial intrusion to carry out network reconnaissance and steal sensitive user data before launching the ransomware itself. During the study, the researchers analyzed four ransomware-related files stored on the target system. They were downloaded from a remote server, and the relevant IP address has been published as an indicator of compromise in SophosLabs's GitHub repository:
C:\ProgramData\WinMgr.bmp
C:\ProgramData\WinMgr.xml
C:\ProgramData\clean.bat
C:\ProgramData\run.bat
ProLock attack chain
The ProLock malware relies on Windows batch scripts, Windows scheduled tasks (schtasks.exe) and PowerShell to launch its attack. The chain starts with the run.bat script, which creates a Windows scheduled task configured from WinMgr.xml and then executes the clean.bat script. When the scheduled task runs, clean.bat executes a Base64-encoded PowerShell script that extracts the ProLock executable from an image file called WinMgr.bmp, loads it into memory and executes it.
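The chain above hinges on a batch file handing a Base64 blob to PowerShell. The following triage helper is an added example, not code from the article or from SophosLabs: it locates Base64 runs in a batch file, decodes them the way PowerShell's -EncodedCommand expects (UTF-16LE, with a UTF-8 fallback), and flags any decoded script that references the four artifact names listed above. The sample clean.bat and the script inside it are constructed for this example and only mimic the shape the article describes.

```python
import base64
import binascii
import re

# Constructed fixture: a clean.bat-style launcher that passes a Base64-encoded
# PowerShell command. The command text is invented; it merely references the
# WinMgr.bmp artifact the way the article says the real script does.
_FAKE_PS = "Get-Content C:\\ProgramData\\WinMgr.bmp -Encoding Byte | Out-Null"
SAMPLE_CLEAN_BAT = (
    "@echo off\r\n"
    "powershell.exe -nop -w hidden -ep bypass -enc "
    + base64.b64encode(_FAKE_PS.encode("utf-16-le")).decode("ascii")
    + "\r\n"
)

# A run of 40+ Base64 characters (optionally padded) is long enough to be a
# script rather than a flag or a file name.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Artifact names from the article; the script is flagged if it mentions any of them.
KNOWN_ARTIFACTS = ("WinMgr.bmp", "WinMgr.xml", "clean.bat", "run.bat")


def _looks_like_text(s):
    """Accept only printable ASCII plus line/tab whitespace."""
    return all(32 <= ord(c) < 127 or c in "\r\n\t" for c in s)


def decode_blob(blob):
    """Decode a Base64 blob as PowerShell would (UTF-16LE), falling back to
    UTF-8. Returns None when the bytes are not valid Base64 or not text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text):
            return text
    return None


def triage_batch(content):
    """Return one finding per decodable Base64 blob in a batch file's text."""
    findings = []
    for m in B64_RE.finditer(content):
        decoded = decode_blob(m.group(0))
        if decoded is None:
            continue
        lowered = decoded.lower()
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "artifacts": [a for a in KNOWN_ARTIFACTS if a.lower() in lowered],
        })
    return findings


if __name__ == "__main__":
    for f in triage_batch(SAMPLE_CLEAN_BAT):
        print(f["offset"], f["artifacts"], f["decoded"])
```

Decoded output can then be fed to whatever script-analysis tooling you already use; the point of decoding locally is that a hidden-window, encoded PowerShell launcher dropped under C:\ProgramData is worth an alert on its own, before the payload ever runs.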
The following figure shows part of the Base64-encoded script embedded in clean.bat:
The following figure shows part of the script code contained in WinMgr.bmp:
The following figure shows the image content of WinMgr.bmp, inside which the ProLock payload is hidden using steganography:
ProLock sample analysis
When we analyzed a ProLock sample, we found that it uses self-modifying code to hide part of its content, including text strings and other elements. As is common in malware development, the ProLock binary is deliberately built to resist debugging, which makes it harder for researchers to run it in a controlled way.
The following figure shows some of the obfuscated code encountered while executing the malware sample:
The following figure compares the ProLock binary's code before and after self-modification:
Next, the code decodes its self-modifying portion, imports the DLLs it requires and sets up the functions it needs. Once setup is complete, it starts a new thread and puts the first thread to sleep (an anti-analysis technique). The malware then walks the registry of the target device looking for security policy settings. For some reason it modifies Internet Explorer's security policy settings, disables UNC (universal naming convention) paths for IE, enables automatic intranet mapping, and begins looking for applications and services that might hinder data encryption or destruction.
By calling Windows's CreateToolhelp32Snapshot API, the malware takes a snapshot of all running processes, compares them against a built-in list, and uses the taskkill.exe utility to terminate every process that matches the list, such as Microsoft Office programs, the Firefox browser, the Thunderbird mail client and security software components. The ransomware terminates these processes so that no user file remains locked or open, which lets the encryption succeed.
Next, the malware uses net.exe to stop more than 150 services and processes related to enterprise applications, security software and backup software. Again, the purpose is to remove anything that could interfere with data encryption.
Then, to prevent local files from being restored, ProLock deletes the local files' shadow copies (Windows's Volume Shadow Copy Service) with vssadmin.exe by executing the following commands:
vssadmin.exe Delete Shadows /all /quiet
vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded
Note: the complete list of processes and services targeted by the ransomware is posted on SophosLabs's GitHub [portal].
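The pre-encryption steps above (mass taskkill, mass net stop, scheduled task creation from an XML file, and vssadmin shadow-copy deletion and storage resizing) are all visible in process-creation telemetry. The detector below is an added example, not code from the article or SophosLabs, that runs a few regex rules over constructed, Sysmon-like command-line log lines and rolls them up into verdicts; the host name, timestamps, the "BackupSvc" service name and the burst threshold are all assumptions made for this example.

```python
import re
from collections import Counter

# Constructed process-creation log lines (timestamp, host, command line).
# Hosts, times and the generic service name are invented for this example.
SAMPLE_LOG = [
    "2020-05-01T10:00:01 FS01 cmd.exe /c C:\\ProgramData\\run.bat",
    "2020-05-01T10:00:02 FS01 schtasks.exe /Create /XML C:\\ProgramData\\WinMgr.xml /TN WinMgr",
    "2020-05-01T10:00:10 FS01 taskkill.exe /F /IM winword.exe",
    "2020-05-01T10:00:10 FS01 taskkill.exe /F /IM firefox.exe",
    "2020-05-01T10:00:11 FS01 taskkill.exe /F /IM thunderbird.exe",
    "2020-05-01T10:00:12 FS01 net.exe stop BackupSvc /y",
    "2020-05-01T10:00:12 FS01 net.exe stop MSSQLSERVER /y",
    "2020-05-01T10:00:15 FS01 vssadmin.exe Delete Shadows /all /quiet",
    "2020-05-01T10:00:16 FS01 vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=401MB",
    "2020-05-01T10:00:17 FS01 vssadmin.exe resize shadowstorage /for=c: /on=c: /maxsize=unbounded",
    "2020-05-01T10:05:00 FS01 notepad.exe C:\\Users\\alice\\notes.txt",
]

# Each rule names one behaviour from the ProLock chain described in the article.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_storage_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize=", re.I)),
    ("process_kill", re.compile(r"taskkill(\.exe)?\s+.*?/im\s+\S+", re.I)),
    ("service_stop", re.compile(r"\bnet(\.exe)?\s+stop\s+\S+", re.I)),
    ("task_from_xml", re.compile(r"schtasks(\.exe)?\s+/create\s+.*?/xml\s+", re.I)),
]

# A single taskkill is routine; a burst of kills and service stops is not.
# The threshold is an assumption for this example, tune it to your environment.
KILL_BURST_THRESHOLD = 3


def match_rules(line):
    """Names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(line)]


def analyze(lines):
    """Apply the rules to a batch of lines and derive higher-level verdicts."""
    per_line = [(line, match_rules(line)) for line in lines]
    counts = Counter(name for _, names in per_line for name in names)
    verdicts = []
    if counts["shadow_copy_deletion"] or counts["shadow_storage_resize"]:
        verdicts.append("backup_tampering")
    if counts["process_kill"] + counts["service_stop"] >= KILL_BURST_THRESHOLD:
        verdicts.append("mass_termination")
    if counts["task_from_xml"]:
        verdicts.append("scheduled_task_persistence")
    return {
        "counts": dict(counts),
        "verdicts": verdicts,
        "hits": [(line, names) for line, names in per_line if names],
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result["verdicts"])
    for line, names in result["hits"]:
        print(names, line)
```

The shadow-storage resize rule matters as much as the delete rule: shrinking the storage cap to a value like 401MB evicts existing shadow copies even where an explicit delete is blocked or logged separately, so both should map to the same backup-tampering verdict.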
At this point, with the protective measures on the target host disabled, the ransomware begins enumerating every mounted storage medium on the host and walks the directory structure of each local or network drive; this is done through the powershell.exe process.
For each file it reads, it first checks the file size and skips the file if it is smaller than 8192 bytes (0x2000 in hexadecimal). Otherwise, it starts encrypting the file from byte 8192 onward. After the file is encrypted, the extension .prolock is appended to its name. For example, a_very_large_text_file.txt becomes a_very_large_text_file.txt.prolock.
The following figure shows a screenshot of files encrypted by ProLock:
The following figure compares the file data before and after encryption:
When the ransomware finishes encrypting the files in a directory, it writes a file called [HOW TO RECOVER FILES].TXT to that directory containing the ransom demand.
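The size threshold and the 8192-byte offset described above have a practical consequence for incident response: files under 8 KiB are untouched, and every encrypted file keeps its first 8 KiB (including any format header) in the clear. The script below is an added example, not code from the article or SophosLabs, that walks a directory, inventories .prolock files and ransom notes, and measures byte entropy of the intact head against the encrypted tail to confirm that pattern. The sample directory tree, the entropy thresholds and the note text are constructed for this example.

```python
import math
import os
import tempfile

HEAD_LEN = 0x2000                        # 8192 bytes left intact by ProLock
EXT = ".prolock"                         # extension appended after encryption
NOTE_NAME = "[HOW TO RECOVER FILES].TXT" # ransom note name from the article

# Entropy thresholds (bits per byte) are assumptions for this example:
# plain text sits well under 6, ciphertext or random data close to 8.
HEAD_INTACT_MAX = 6.0
TAIL_ENCRYPTED_MIN = 7.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a bytes object (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def assess_file(path):
    """Split a file at HEAD_LEN and report whether the head still looks like plaintext."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_LEN)
        tail = fh.read()
    head_ent = shannon_entropy(head)
    tail_ent = shannon_entropy(tail)
    return {
        "path": path,
        "size": len(head) + len(tail),
        "head_entropy": round(head_ent, 2),
        "tail_entropy": round(tail_ent, 2),
        "head_intact": head_ent < HEAD_INTACT_MAX,
        "tail_high_entropy": bool(tail) and tail_ent > TAIL_ENCRYPTED_MIN,
    }


def triage_directory(root):
    """Inventory encrypted files, ransom notes and files small enough to be skipped."""
    report = {"encrypted": [], "ransom_notes": [], "small_unencrypted": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                report["ransom_notes"].append(p)
            elif name.lower().endswith(EXT):
                report["encrypted"].append(assess_file(p))
            elif os.path.getsize(p) < HEAD_LEN:
                report["small_unencrypted"].append(p)
    return report


def build_sample_tree():
    """Constructed fixture: one ~18 KB text file whose bytes beyond the first
    8192 are replaced with random data to mimic partial encryption, one small
    file ProLock would skip, and a placeholder ransom note."""
    root = tempfile.mkdtemp(prefix="prolock_demo_")
    big = b"The quick brown fox jumps over the lazy dog.\n" * 400   # 18000 bytes
    partially = big[:HEAD_LEN] + os.urandom(len(big) - HEAD_LEN)
    with open(os.path.join(root, "a_very_large_text_file.txt" + EXT), "wb") as fh:
        fh.write(partially)
    with open(os.path.join(root, "small.txt"), "wb") as fh:
        fh.write(b"short note\n" * 10)                                # 110 bytes
    with open(os.path.join(root, NOTE_NAME), "w") as fh:
        fh.write("placeholder ransom note text (constructed)\n")
    return root


if __name__ == "__main__":
    report = triage_directory(build_sample_tree())
    for entry in report["encrypted"]:
        print(entry)
    print("notes:", report["ransom_notes"])
    print("skipped by size:", report["small_unencrypted"])
```

An intact head with a high-entropy tail matches the behaviour described in the article and tells responders two useful things before any decryptor is involved: file-type identification still works from the header, and anything under 8 KiB (configuration files, many scripts, small documents) can be collected as-is.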
Thank you for reading this article carefully. I hope the article "Sample Analysis of ProLock Ransomware" shared by the editor has been helpful to you. I also hope you will support us and follow the industry information channel. More related knowledge is waiting for you to learn!