We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.
我们最近发现了一种新的文件加密木马,它构建为 ELF 可执行文件,旨在加密由基于 Linux 的操作系统控制的机器上的数据。
After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year.
经过初步分析,我们注意到木马的代码、赎金记录的文本和勒索的一般方法有相似之处,这表明我们实际上遇到了以前已知的勒索软件系列 RansomEXX 的 Linux 版本。该恶意软件因攻击大型组织而臭名昭著,今年早些时候最为活跃。
RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.
RansomEXX 是一种针对性很强的木马。每个恶意软件样本都包含受害者组织的硬编码名称。此外,加密的文件扩展名和用于联系勒索者的电子邮件地址都使用了受害者的姓名。
Several companies have fallen victim to this malware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.
近几个月来,有几家公司成为这种恶意软件的受害者,包括德克萨斯州交通部 (TxDOT) 和柯尼卡美能达。
Technical description 技术说明
The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable. The Trojan implements its cryptographic scheme using functions from the open-source library mbedtls.
我们遇到的示例 aa1ddf0c8312349be614ff43e80a262f 是一个 64 位 ELF 可执行文件。特洛伊木马使用开源库 mbedtls 中的函数实现其加密方案。
When launched, the Trojan generates a 256-bit key and uses it to encrypt all the files belonging to the victim that it can reach using the AES block cipher in ECB mode. The AES key is encrypted by a public RSA-4096 key embedded in the Trojan’s body and appended to each encrypted file.
启动时,特洛伊木马会生成一个 256 位密钥,并使用它来加密属于受害者的所有文件,在 ECB 模式下使用 AES 分组密码可以访问这些文件。AES 密钥由嵌入在特洛伊木马主体中的公共 RSA-4096 密钥加密,并附加到每个加密文件中。
Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually only differ every second.
此外,该恶意软件会启动一个线程,该线程每 0.18 秒重新生成并重新加密 AES 密钥。但是,根据对实现的分析,密钥实际上仅每秒不同。
Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use in their Trojans: no C&C communication, no termination of running processes, no anti-analysis tricks, etc.
除了加密文件和留下赎金记录外,该示例没有其他威胁参与者倾向于在其特洛伊木马中使用的附加功能:没有 C&C 通信、没有终止正在运行的进程、没有反分析技巧等。
Fragment of the file encryption procedure pseudocode; variable and function names are saved in the debug information and must match the original source code
文件加密过程的片段伪代码;变量和函数名称保存在调试信息中,并且必须与原始源代码匹配
Curiously, the ELF binary contains some debug information, including names of functions, global variables and source code files used by the malware developers.
奇怪的是,ELF 二进制文件包含一些调试信息,包括恶意软件开发人员使用的函数名称、全局变量和源代码文件。
Original names of source files embedded in the trojan’s body
嵌入在特洛伊木马主体中的源文件的原始名称
Execution log of the trojan in Kaspersky Linux Sandbox
卡巴斯基 Linux 沙箱中木马的执行日志
Similarities with Windows builds of RansomEXX
与 RansomEXX 的 Windows 版本的相似之处
Despite the fact that previously discovered PE builds of RansomEXX use WinAPI (functions specific to Windows OS), the organization of the Trojan’s code and the method of using specific functions from the mbedtls library hint that both ELF and PE may be derived from the same source code.
尽管之前发现的 RansomEXX 的 PE 版本使用 WinAPI(特定于 Windows 操作系统的函数),但特洛伊木马代码的组织和使用 mbedtls 库中特定函数的方法暗示 ELF 和 PE 可能来自相同的源代码。
In the screenshot below, we see a comparison of the procedures that encrypt the AES key. On the left is the ELF sample aa1ddf0c8312349be614ff43e80a262f; on the right is the PE sample fcd21c6fca3b9378961aa1865bee7ecb used in the TxDOT attack.
在下面的屏幕截图中,我们看到了加密 AES 密钥的过程的比较。左边是ELF样本aa1ddf0c8312349be614ff43e80a262f;右边是 TxDOT 攻击中使用的 PE 样本 fcd21c6fca3b9378961aa1865bee7ecb。
Despite being built by different compilers with different optimization options and for different platforms, the similarity is quite obvious.
尽管由不同的编译器构建,具有不同的优化选项和不同的平台,但相似之处非常明显。
We also observe resemblances in the procedure that encrypts the file content, and in the overall layout of the code.
我们还观察到加密文件内容的过程和代码的整体布局的相似之处。
What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing.
更重要的是,赎金票据的文本也几乎相同,标题中有受害者的姓名和等效的措辞。
Parallels with a recent attack in Brazil
与最近在巴西发生的袭击事件相似
As reported by the media, one of the country’s government institutions has just been attacked by a targeted ransomware Trojan.
据媒体报道,该国的一个政府机构刚刚遭到有针对性的勒索软件木马的攻击。
Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.
根据与我们描述的样本中几乎相同的赎金记录以及上面提到的新闻文章,目标很有可能是 RansomEXX 另一种变体的受害者。
Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f
来自示例的赎金记录 aa1ddf0c8312349be614ff43e80a262f
Ransom note from the Bleeping Computer post about the most recent attack in Brazil
来自 Bleeping Computer 帖子的赎金记录,内容涉及巴西最近的一次攻击
Our products protect against this threat and detect it as Trojan-Ransom.Linux.Ransomexx
我们的产品可防范此威胁,并将其检测为 Trojan-Ransom.Linux.Ransomexx
Kaspersky Threat Attribution Engine identifies Ransomexx malware family
卡巴斯基威胁归因引擎识别 Ransomexx 恶意软件家族
Indicators of compromise
妥协指标
Recent Linux version: aa1ddf0c8312349be614ff43e80a262f
最近的 Linux 版本: aa1ddf0c8312349be614ff43e80a262f
Earlier Windows version: fcd21c6fca3b9378961aa1865bee7ecb
早期 Windows 版本:fcd21c6fca3b9378961aa1865bee7ecb
原文始发于FEDOR SINITSYN、VLADIMIR KUSKOV:RansomEXX Trojan attacks Linux systems
相关文章
