Alpha Ransomware Emerges From NetWalker Ashes

Emergent ransomware operation has strong links with shuttered NetWalker.

Alpha, a new ransomware that first appeared in February 2023 and stepped up its operations in recent weeks, has strong similarities to the long-defunct NetWalker ransomware, which disappeared in January 2021 following an international law enforcement operation.

The NetWalker Connection

Analysis of Alpha reveals significant similarities with the old NetWalker ransomware. Both threats use a similar PowerShell-based loader to deliver the payload. In addition to this, there is a significant amount of code overlap between the Alpha and NetWalker payloads. This includes:

  • The general execution flow of the main functionalities of both payloads.
  • Two functionalities handled within a single thread: termination of processes and termination of services.
  • A similar list of resolved APIs. While APIs are resolved using a hash, the hashes used are not the same.
  • Both payloads have similar configurations, including their lists of skipped folders, files, and extensions; and their lists of processes and services to kill.
  • Both payloads delete themselves using a temporary batch file after encryption is completed.
  • Both have similar payment portals, containing the same message: “For enter, please use user code”.

Figure 1. Payment portals for NetWalker (left) and Alpha (right). Both contain the same message: “For enter, please use user code”.

Table 1. NetWalker and Alpha have virtually identical lists of processes to kill. The only difference is the addition of Notepad and the game Genshin Impact on Alpha’s list. The reason for the latter’s inclusion is unknown.

NetWalker               Alpha
nslsvice.exe            nslsvice.exe
pg*                     pg*
nservice.exe            nservice.exe
cbvscserv*              cbvscserv*
ntrtscan.exe            ntrtscan.exe
cbservi*                cbservi*
hMailServer*            hMailServer*
IBM*                    IBM*
bes10*                  bes10*
black*                  black*
apach*                  apach*
bd2*                    bd2*
db*                     db*
ba*                     ba*
be*                     be*
QB*                     QB*
oracle*                 oracle*
wbengine*               wbengine*
vee*                    vee*
postg*                  postg*
sage*                   sage*
sap*                    sap*
b1*                     b1*
fdlaunch*               fdlaunch*
msmdsrv*                msmdsrv*
report*                 report*
msdtssr*                msdtssr*
coldfus*                coldfus*
cfdot*                  cfdot*
swag*                   swag*
swstrtr*                swstrtr*
jetty.exe               jetty.exe
wrsa.exe                wrsa.exe
team*                   team*
agent*                  agent*
store.exe               store.exe
sql*                    sql*
sqbcoreservice.exe      sqbcoreservice.exe
thunderbird.exe         thunderbird.exe
ocssd.exe               ocssd.exe
encsvc.exe              encsvc.exe
excel.exe               excel.exe
synctime.exe            synctime.exe
mspub.exe               mspub.exe
ocautoupds.exe          ocautoupds.exe
thebat.exe              thebat.exe
dbeng50.exe             dbeng50.exe
*sql*                   *sql*
mydesktopservice.exe    mydesktopservice.exe
onenote.exe             onenote.exe
outlook.exe             outlook.exe
powerpnt.exe            powerpnt.exe
msaccess.exe            msaccess.exe
tbirdconfig.exe         tbirdconfig.exe
wordpad.exe             wordpad.exe
ocomm.exe               ocomm.exe
dbsnmp.exe              dbsnmp.exe
thebat64.exe            thebat64.exe
winword.exe             winword.exe
oracle.exe              oracle.exe
xfssvccon.exe           xfssvccon.exe
firefoxconfig.exe       firefoxconfig.exe
visio.exe               visio.exe
mydesktopqos.exe        mydesktopqos.exe
infopath.exe            infopath.exe
agntsvc.exe             agntsvc.exe
                        notepad.exe
                        genshinimpact.exe

Figure 2. Use of custom Import Address Tables (IATs) in NetWalker. When calling the NtQuerySystemInformation API, it uses a function to retrieve the starting address of the custom IAT and references from that address the location of the API it needs to use.

Figure 3. Use of custom Import Address Tables (IATs) in Alpha.

Alpha Attacks

While Alpha first appeared in February 2023, it maintained a low profile until recent weeks when it appeared to begin scaling up its operations and launching a data leak site.

In recent attacks involving Alpha, the attackers made heavy use of a number of living-off-the-land tools, including:

  • Taskkill: Windows command-line tool that can be used to end one or more tasks or processes.
  • PsExec: Microsoft Sysinternals tool for executing processes on other systems. The tool is primarily used by attackers to move laterally on victim networks.
  • Net.exe: Microsoft tool that can be used to stop and start the IPv6 protocol.
  • Reg.exe: Windows command-line tool that can be used to edit the registry of local or remote computers.
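
The following triage helper is an added example, not code from the original report or from Symantec. It runs over a few constructed process-creation events (an assumed tuple format of time, host, image path, command line) and flags, per host, which of the four living-off-the-land binaries listed above executed, and which taskkill targets fall on the Table 1 kill list; the kill-list patterns are a representative subset of Table 1, matched with shell-style wildcards.

```python
import fnmatch
import re
from collections import defaultdict

# Representative subset of the Table 1 kill-list patterns, lower-cased.
# "*" is a wildcard: "vee*" covers Veeam backup services, "*sql*" any SQL engine.
ALPHA_KILL_LIST = [
    "pg*", "vee*", "wbengine*", "oracle*", "sql*", "*sql*", "team*", "agent*",
    "outlook.exe", "excel.exe", "winword.exe", "notepad.exe", "genshinimpact.exe",
]
# Image names of the living-off-the-land tools named in the report.
LOLBINS = {"taskkill.exe", "psexec.exe", "net.exe", "reg.exe"}

# Constructed process-creation events (not real telemetry): (time, host, image path, command line).
SAMPLE_EVENTS = [
    ("10:01:02", "FS01", r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM veeam.backup.service.exe"),
    ("10:01:03", "FS01", r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM sqlservr.exe /IM notepad.exe"),
    ("10:01:09", "FS01", r"C:\Windows\System32\net.exe", "net start"),
    ("10:01:30", "FS01", r"C:\Windows\System32\reg.exe", r"reg query HKLM\SOFTWARE"),
    ("10:02:00", "WS07", r"C:\Tools\PsExec.exe", r"PsExec.exe \\FS01 cmd.exe"),
    ("10:02:10", "WS07", r"C:\Windows\explorer.exe", "explorer.exe"),
]


def kill_list_hits(process_name, patterns=ALPHA_KILL_LIST):
    """Return the kill-list patterns that match this process image name (case-insensitive)."""
    name = process_name.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(name, p)]


def taskkill_targets(cmdline):
    """Extract the image names passed to taskkill via /IM switches."""
    return re.findall(r"(?i)/im\s+(\S+)", cmdline)


def triage(events):
    """Per host: which LOLBins ran, and which taskkill targets sit on the Alpha kill list."""
    report = defaultdict(lambda: {"lolbins": set(), "kill_list_targets": []})
    for _time, host, image, cmdline in events:
        image_name = image.rsplit("\\", 1)[-1].lower()
        if image_name in LOLBINS:
            report[host]["lolbins"].add(image_name)
        if image_name == "taskkill.exe":
            for target in taskkill_targets(cmdline):
                if kill_list_hits(target):
                    report[host]["kill_list_targets"].append(target.lower())
    return dict(report)


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, sorted(findings["lolbins"]), findings["kill_list_targets"])
```

A host where several of these binaries appear together with taskkill aimed at backup or database services is worth a closer look, since that combination mirrors the pre-encryption steps the report describes.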

Rebrand or Return?

NetWalker was part of the first wave of cybercrime operations to profit from targeted ransomware attacks, where attackers attempt to encrypt entire networks in order to extort their victims. One jailed group member alone is alleged to have earned over $27.6 million from attacks.

Following the law enforcement operation and long cessation of activity, it had been assumed that NetWalker had completely departed. However, the similarities between Alpha and the NetWalker ransomware suggest a strong link between the two threats. Alpha may be an attempt at reviving the old ransomware operation by one or more of the original NetWalker developers. Alternatively, the attackers behind Alpha may have acquired and modified the original NetWalker payload in order to launch their own ransomware operation.

Protection/Mitigation

For the latest protection updates on Alpha, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.


Originally published by the Threat Hunter Team: Alpha Ransomware Emerges From NetWalker Ashes

Reposted by admin on 26 February 2024, 11:23 PM.