Fortinet: ransomware GandCrab 4.0 was out for only two days before 4.1 was released; beware of fake crack tools on piracy sites


News from: iThome & FORTINET.

On the circulating claim that the GandCrab ransomware spreads on its own through an SMB vulnerability, security vendor Fortinet says the claim is pure speculation and that enterprises should not panic; what matters is patching the vulnerability as soon as possible.

Security vendor Fortinet disclosed that, only two days after the previous release, the GandCrab ransomware has yet another new version, which adds a network communication tactic they had not observed before. As for reports that the new GandCrab version will spread actively through a Server Message Block (SMB) vulnerability, Fortinet says that after investigation they consider the claim speculative: they found no such capability in the samples. Microsoft has already patched the vulnerability, and enterprises should update promptly.


GandCrab released version 4.1 two days after version 4.0. Both versions are distributed through compromised websites for pirated software, where download links disguised as cracked applications lure victims. Fortinet notes that this new version adds a previously unseen communication tactic: a hard-coded list of compromised websites, nearly a thousand unique hosts, to which GandCrab connects and uploads data.

To produce the full URL for each host, the malware uses a pseudo-random algorithm to generate URLs from the template http://{host}/{word1}/{word2}/{filename}.{extension}: the host is taken from the hard-coded list and the remaining fields are chosen from pre-defined word sets. After connecting successfully, the malware sends the victim's data to every host, including the IP address, network domain, operating system and GandCrab internal information.


Fortinet considers sending the data to every host unusual: one successful transmission should suffice, so the purpose of repeating it nearly a thousand times is puzzling. Fortinet suspects the behaviour is either an experiment with some feature or simply a distraction for analysts. GandCrab also terminates the processes of many commonly used applications, including Office programs, e-mail clients and database servers, so that nothing interrupts the encryption of the files those programs hold open; because those files tend to be valuable to the victim, the chance of a ransom payment is also higher.

Because last year's WannaCry and Petya/NotPetya outbreaks spread through an SMB vulnerability, the recent rumours that GandCrab also spreads actively through an SMB vulnerability have caused considerable alarm among enterprises. Fortinet says it found no function in GandCrab that actually uses an SMB exploit; the string that prompted the rumour most likely refers to encrypting network shares, not to spreading through a vulnerability.

Fortinet says there is currently no evidence that GandCrab can spread through an SMB vulnerability, so the claim is only speculation; they will publish promptly if they find anything new. Given GandCrab's rapid development over the past week, it would not be surprising if the attackers really did add such a capability in the future. The key point is that Microsoft's MS17-010 update patched the vulnerability long ago, and enterprises should ensure their systems are properly updated.

---------------------------------------------------

GandCrab v4.1 Ransomware and the Speculated SMB Exploit Spreader

Only two days after the release of GandCrab 4.0, FortiGuard Labs found a newer version (v4.1) being distributed using the same method, which is through compromised websites disguised as download sites for cracked applications.
With this new version, GandCrab has added a network communication tactic that was not observed in the previous version. In addition, we will be sharing our analysis of currently circulating reports concerning an alleged “SMB exploit spreader” threat.

This new version of the GandCrab malware contains an unusually long hard-coded list of compromised websites that it connects to. In one binary, the number of these websites can go up to almost a thousand unique hosts.
To generate the full URL for each host, a pseudo-random algorithm chooses from sets of pre-defined words. The final URL follows the template {host}/{word1}/{word2}/{filename}.{ext} (e.g. www.{host}.com/data/tmp/sokakeme.jpg), with the host taken from the hard-coded list.

After successfully connecting to a URL, this malware sends encrypted (and base64-encoded) victim data, which contains the following infected system and GandCrab information:

- IP Address
- User name
- Computer name
- Network DOMAIN
- List of installed AVs (if any exist)
- Default system locale
- Keyboard Russian layout flag (0=Yes/1=No)
- Operating system
- Processor architecture
- Ransom ID ({crc of volume serial number} {volume serial number})
- Network and local drives
- GandCrab internal info:
  - id
  - sub_id
  - version
  - action


However, we found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab. Even more curious, sending victim information to all live hosts in the list makes no practical sense, since a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental or simply there to divert analysis, and that the URLs included in the list are just victims of bad humour.
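The beacon behaviour described above, as an added example that is neither Fortinet's code nor the malware's: it emulates the {host}/{word1}/{word2}/{filename}.{ext} template over a placeholder host list, then hunts for the report's distinctive feature, one client sending to many different hosts with the same URL shape, in constructed proxy log lines. The host names, word sets, log line format and the assumption that the data goes out in an HTTP POST are all assumptions made for this example.

```python
"""Added example: emulate the v4.1 beacon URL template and hunt for its fan-out.

Hosts, word sets, the log format and the use of HTTP POST are all assumptions
made for this example; none of them come from the malware or from the report.
"""
import random
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed placeholder hosts and word sets (NOT the malware's hard-coded list).
HOSTS = [f"host{i:02d}.example.test" for i in range(1, 13)]
WORD1 = ["data", "static", "content", "uploads"]
WORD2 = ["tmp", "images", "includes", "assets"]
EXTS = ["jpg", "png", "gif", "bmp"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def build_urls(hosts, rng):
    """One URL per host in the form http://{host}/{word1}/{word2}/{filename}.{ext}."""
    urls = []
    for host in hosts:
        name = "".join(rng.choice(ALPHABET) for _ in range(8))
        urls.append(f"http://{host}/{rng.choice(WORD1)}/{rng.choice(WORD2)}"
                    f"/{name}.{rng.choice(EXTS)}")
    return urls


def demo_urls(seed=1):
    """Deterministic URL set for the whole placeholder host list."""
    return build_urls(HOSTS, random.Random(seed))


# Shape of the template: two lowercase path words, a lowercase file name and an image
# extension. Wide enough to survive new word lists, narrow enough to skip normal traffic.
TEMPLATE_RE = re.compile(r"^/[a-z]+/[a-z]+/[a-z]+\.(?:jpg|png|gif|bmp)$")

# Assumed proxy log line: "<unix_ts> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def matches_template(url):
    p = urlparse(url)
    return p.scheme == "http" and bool(TEMPLATE_RE.match(p.path))


def find_fanout(log_lines, min_hosts=10, window=300):
    """Return {client_ip: distinct_hosts} for clients that POST template-shaped URLs
    to at least `min_hosts` different hosts within any `window`-second span.
    A single beacon looks like an image upload; the fan-out is the signal."""
    events = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not matches_template(m["url"]):
            continue
        events[m["src"]].append((int(m["ts"]), urlparse(m["url"]).hostname))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {h for _, h in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = max(flagged.get(src, 0), len(hosts))
    return flagged


def sample_log():
    """Constructed log: 10.0.0.5 beacons to every placeholder host, 10.0.0.9 is benign."""
    lines, ts = [], 1530000000
    for url in demo_urls(seed=4):
        ts += 3
        lines.append(f"{ts} 10.0.0.5 POST {url} 200")
    lines.append("1530000100 10.0.0.9 GET http://intranet.example.test/index.html 200")
    lines.append("1530000101 10.0.0.9 POST http://cdn.example.test/data/tmp/upload.php 200")
    return lines


if __name__ == "__main__":
    print(find_fanout(sample_log()))  # {'10.0.0.5': 12}
```

The rule keys on fan-out rather than on any host name because, as the report notes, nothing shows the listed sites were ever really used; a blocklist of those hosts would miss the next build, while a client posting to dozens of unrelated hosts under an image-like path within minutes is rare in normal traffic. Tune `min_hosts` and `window` to the proxy's volume before deploying.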

Killing Processes to Ensure Encryption
Our analysis also uncovered that to ensure the full encryption of targeted files, GandCrab may kill the following processes:

- msftesql.exe
- sqlagent.exe
- sqlbrowser.exe
- sqlwriter.exe
- oracle.exe
- ocssd.exe
- dbsnmp.exe
- synctime.exe
- agntsvc.exeisqlplussvc.exe
- xfssvccon.exe
- sqlservr.exe
- mydesktopservice.exe
- ocautoupds.exe
- agntsvc.exeagntsvc.exe
- agntsvc.exeencsvc.exe
- firefoxconfig.exe
- tbirdconfig.exe
- mydesktopqos.exe
- ocomm.exe
- mysqld.exe
- mysqld-nt.exe
- mysqld-opt.exe
- dbeng50.exe
- sqbcoreservice.exe
- excel.exe
- infopath.exe
- msaccess.exe
- mspub.exe
- onenote.exe
- outlook.exe
- powerpnt.exe
- steam.exe
- thebat.exe
- thebat64.exe
- thunderbird.exe
- visio.exe
- winword.exe
- wordpad.exe

Killing these processes releases the files they hold open (database engines, mail clients and Office applications keep their data files locked while running), so the encryption routine can complete without any undesirable interruptions. Additionally, the file types these applications handle often contain data that is valuable to the victim, which increases the likelihood that the victim will consider making a payment to get their files back.
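A triage check built on the list above, as an added example that is not part of the report: it scans a binary for the kill-list process names as ASCII or UTF-16LE strings and flags the file once enough of them are present. Only the process names come from the report; the sample bytes are constructed, and the five-name threshold is this example's own judgement call.

```python
"""Added example: static triage of a Windows binary for a GandCrab-style kill list.

Only the process names are from the report; the sample bytes are constructed and
the five-name threshold is a judgement call, not something the report states.
"""
import sys

# Subset of the report's kill list; pass the full list as `names` to use it all.
# "agntsvc.exeagntsvc.exe" is kept verbatim as printed in the report.
KILL_LIST = [
    "msftesql.exe", "sqlagent.exe", "sqlbrowser.exe", "sqlwriter.exe", "oracle.exe",
    "mysqld.exe", "outlook.exe", "winword.exe", "excel.exe", "thunderbird.exe",
    "steam.exe", "agntsvc.exeagntsvc.exe",
]


def find_kill_list(blob, names=KILL_LIST):
    """Return {name: [encodings]} for every name present in `blob` as an ASCII or
    UTF-16LE string. Matching is case-insensitive because Windows image names are;
    bytes.lower() only touches ASCII bytes, so it is safe on the UTF-16LE form too."""
    lower = blob.lower()
    hits = {}
    for name in names:
        encodings = []
        if name.encode("ascii").lower() in lower:
            encodings.append("ascii")
        if name.encode("utf-16-le").lower() in lower:
            encodings.append("utf-16le")
        if encodings:
            hits[name] = encodings
    return hits


def is_suspicious(blob, names=KILL_LIST, min_hits=5):
    """Flag a file once it names at least `min_hits` of these processes: a normal
    program rarely references this many unrelated database, mail and Office images."""
    return len(find_kill_list(blob, names)) >= min_hits


def sample_blob():
    """Constructed stand-in for a sample: a DOS stub, filler, a UTF-16LE string
    table with part of the kill list, and one ASCII name. Not a real binary."""
    parts = [b"MZ" + b"\x90" * 62, b"\x00" * 32]
    for name in ["SQLAGENT.EXE", "oracle.exe", "mysqld.exe", "outlook.exe",
                 "WINWORD.EXE", "excel.exe"]:
        parts.append(name.encode("utf-16-le") + b"\x00\x00")
    parts.append(b"\x00" * 8 + b"thunderbird.exe\x00")
    return b"".join(parts)


def scan_file(path, names=KILL_LIST):
    """Scan a file on disk; returns the same {name: [encodings]} mapping."""
    with open(path, "rb") as f:
        return find_kill_list(f.read(), names)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_blob()
    for name, encs in find_kill_list(blob).items():
        print(f"{name:28s} {', '.join(encs)}")
    print("suspicious:", is_suspicious(blob))
```

Run it with a file path to scan a real sample, or with no arguments to see it on the constructed blob. Both encodings matter: Windows API strings in a compiled binary are usually UTF-16LE, while the same names stored as narrow strings are missed by a naive ASCII `strings` pass and vice versa. A packed sample will show nothing until it is unpacked, so a clean result is not a clean bill of health.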

GandCrab SMB Exploit Spreader Speculation
Over the past few days, numerous reports have been circulating claiming that this version of the GandCrab malware can self-propagate via an "SMB exploit", a phrase that has become the dread (as it should be) of the cybersecurity industry following the global WannaCry and Petya/NotPetya ransomware attacks in the second quarter of last year. So it is no surprise that news of another ransomware using this method of spreading would cause quite a stir.
Since we had not seen any technical report supporting the claim, and this functionality was not observed during our previous analysis, we decided to investigate and try to confirm the rumour. However, this was to no avail.
According to reports, a module that is now being called “network f**ker” is supposed to be responsible for performing the said exploit. This is apparently made evident by the following debug string found in the malware’s binary: 

However, in spite of this string, we could not find any actual function that resembles the reported exploit capability. (It may also be relevant to report that this string was actually first found in v4.0 and not in v4.1, at least in the samples that we have analysed.) Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.
Conclusion
We have provided this analysis to help prevent the possibility of unnecessary panic in the community. It is not meant to discredit any reports or personalities, but until we get a hold of hard evidence of its existence, we currently consider GandCrab’s SMB exploit propagation as only being speculative.
If the function does exist (we honestly hope not), we'll be sure to provide updates. However, with GandCrab's rapid development over the past week, and the public speculation about this exploit propagation functionality, it would not be a surprise if the threat actors decided to add it in a future update.
In any case, the SMB vulnerability these reports refer to, the one WannaCry and NotPetya exploited, has long been patched by Microsoft's MS17-010 update. So make sure your systems have been appropriately updated. In the meantime, FortiGuard Labs will keep an eye out for any further developments.
Note: Thanks to David Maciejak, Jasper Manuel, Artem Semenchenko, Val Saengphaibul, and Fred Gutierrez for additional insights.
-= FortiGuard Lion Team =-
Solution
Fortinet customers are protected by the following:
- Samples are detected by the W32/Gandcrab.IV!tr and W32/GandCrypt.CHT!tr signatures
- FortiSandbox rates GandCrab's behaviour as high risk
IOCs
Sha256
37e660ada1ea7c65de2499f5093416b3db59dfb360fc99c74820c355bf19ec52 (4.1) – W32/Gandcrab.IV!tr
222ac1b64977c9e24bdaf521a36788b068353c65869469a90b0af8d6c4060f8a (4.1) - W32/Gandcrab.IV!tr
cf104f2ad205baee6d9d80e256201ef6758b850576686611c355808a681bec60 (4.1) - W32/Gandcrab.IV!tr
8ecbfe6f52ae98b5c9e406459804c4ba7f110e71716ebf05015a3a99c995baa1 (4.1) - W32/Filecoder_GandCrab.D!tr
6c1ed5eb1267d95d8a0dc8e1975923ebefd809c2027427b4ead867fb72703f82 (4.0) - W32/GandCrypt.CHT!tr






