RansomEXX Trojan attacks Linux systems

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems.

After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year.

RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

Several companies have fallen victim to this malware in recent months, including the Texas Department of Transportation (TxDOT) and Konica Minolta.

Technical description

The sample we came across – aa1ddf0c8312349be614ff43e80a262f – is a 64-bit ELF executable. The Trojan implements its cryptographic scheme using functions from the open-source library mbedtls.

When launched, the Trojan generates a 256-bit key and uses it, with the AES block cipher in ECB mode, to encrypt every file belonging to the victim that it can reach. The AES key is encrypted with a public RSA-4096 key embedded in the Trojan’s body, and the result is appended to each encrypted file.

Additionally, the malware launches a thread that regenerates and re-encrypts the AES key every 0.18 seconds. However, based on an analysis of the implementation, the keys actually only differ every second.
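The choice of ECB mode described above has a practical consequence for responders: because every 16-byte block is encrypted independently under the same key, repeated plaintext blocks produce repeated ciphertext blocks, and an encrypted file can be recognised as ECB output by counting duplicate blocks. The following Go program is an added illustration (not code from the Trojan, from mbedtls or from Kaspersky) that encrypts a constructed repetitive file with AES-256-ECB, encrypts the same data in CTR mode as a contrast, and applies a duplicate-block heuristic to both; the all-zero key and the sample log line are constructed demo inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt: AES-ECB, each 16-byte block encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
func ecbEncrypt(key, data []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil || len(data)%aes.BlockSize != 0 {
		panic("bad key length or data not block-aligned")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		blk.Encrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out
}

// ctrEncrypt is the contrast case: a mode in which repeated blocks do not leak.
func ctrEncrypt(key, data []byte) []byte {
	blk, _ := aes.NewCipher(key)
	out := make([]byte, len(data))
	cipher.NewCTR(blk, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}

// duplicateBlockRatio: fraction of 16-byte blocks that repeat an earlier one
// (near 0 for CTR/CBC output, high for ECB output of repetitive plaintext).
func duplicateBlockRatio(data []byte) float64 {
	seen, dup, total := map[[aes.BlockSize]byte]bool{}, 0, len(data)/aes.BlockSize
	for i := 0; i < total; i++ {
		var b [aes.BlockSize]byte
		copy(b[:], data[i*aes.BlockSize:])
		if seen[b] {
			dup++
		}
		seen[b] = true
	}
	if total == 0 {
		return 0
	}
	return float64(dup) / float64(total)
}

func main() {
	key, plain := make([]byte, 32), bytes.Repeat([]byte("2020-11-06 user=alice action=ok\n"), 64) // constructed demo inputs
	fmt.Printf("duplicate-block ratio: ECB %.3f, CTR %.3f\n", duplicateBlockRatio(ecbEncrypt(key, plain)), duplicateBlockRatio(ctrEncrypt(key, plain)))
}
```

The same heuristic can be run over files recovered from an affected host; a high ratio on files that were previously compressed or random-looking is itself a sign that a block cipher was applied in ECB mode.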

Apart from encrypting the files and leaving ransom notes, the sample has none of the additional functionality that other threat actors tend to use in their Trojans: no C&C communication, no termination of running processes, no anti-analysis tricks, etc.

Fragment of the file encryption procedure pseudocode; variable and function names are saved in the debug information and must match the original source code

Curiously, the ELF binary contains some debug information, including names of functions, global variables and source code files used by the malware developers.

Original names of source files embedded in the trojan’s body

Execution log of the trojan in Kaspersky Linux Sandbox

Similarities with Windows builds of RansomEXX

Despite the fact that previously discovered PE builds of RansomEXX use WinAPI (functions specific to Windows OS), the organization of the Trojan’s code and the method of using specific functions from the mbedtls library hint that both ELF and PE may be derived from the same source code.

In the screenshot below, we see a comparison of the procedures that encrypt the AES key. On the left is the ELF sample aa1ddf0c8312349be614ff43e80a262f; on the right is the PE sample fcd21c6fca3b9378961aa1865bee7ecb used in the TxDOT attack.

Although the two samples were built by different compilers, with different optimization options and for different platforms, the similarity is quite obvious.

We also observe resemblances in the procedure that encrypts the file content, and in the overall layout of the code.

What’s more, the text of the ransom note is also practically the same, with the name of the victim in the title and equivalent phrasing.

Parallels with a recent attack in Brazil

As reported by the media, one of the country’s government institutions has just been attacked by a targeted ransomware Trojan.

Based on the ransom note, which is almost identical to the one in the sample we described, and the news article mentioned above, there is a high probability that the target is the victim of another variant of RansomEXX.

Ransom note from the sample aa1ddf0c8312349be614ff43e80a262f

Ransom note from the Bleeping Computer post about the most recent attack in Brazil

Our products protect against this threat and detect it as Trojan-Ransom.Linux.Ransomexx.

Kaspersky Threat Attribution Engine identifies Ransomexx malware family

Indicators of compromise

Recent Linux version: aa1ddf0c8312349be614ff43e80a262f

Earlier Windows version: fcd21c6fca3b9378961aa1865bee7ecb

Originally published by Fedor Sinitsyn and Vladimir Kuskov: RansomEXX Trojan attacks Linux systems

Copyright notice: posted by admin on 6 July 2024 at 11:21 AM.
Reposts must credit: RansomEXX Trojan attacks Linux systems | CTF导航