
A Locky Ransomware Wave Is Hitting, Steer Clear


Overview

Since February, the 360 Threat Intelligence Center has been tracking a large wave of ransomware. Organisations in China have been hit one after another, with their externally facing company mailboxes receiving large numbers of emails carrying malicious attachments.

[Figure: screenshot of the email body]

If an employee carelessly opens the malicious attachment, the malware connects out to a server to download its components, encrypts the important files on the system and demands payment from the user to decrypt them.

Sample Behaviour Analysis

The email attachment is an archive containing nothing but two JS scripts.

The JS is obfuscated. Analysis shows that when the victim double-clicks it, the script creates an MSXML2.XMLHTTP object to download an executable from http://vaseline-amar-ujala.in/euwiyr4hdc and then launches the Locky main process through the run method of a WScript.Shell object.
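The two traits described above (an archive holding nothing but script files, and a script that combines an XMLHTTP object with WScript.Shell) are what a mail gateway or analyst can check before anyone double-clicks. The following Python script is an added example, not code from the original post or from 360: it builds constructed sample archives in memory, then triages them on those two signals. The indicator regexes, the extension list and the sample JS fragments are this example's own assumptions.

```python
import io
import os
import re
import zipfile

# Extensions that Windows Script Host / mshta execute on double-click (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Objects named in the write-up plus the ActiveXObject constructor needed to create them.
# The regexes are constructed for this example; obfuscated scripts will evade them.
INDICATORS = {
    "xmlhttp": re.compile(r"MSXML2\.XMLHTTP|Microsoft\.XMLHTTP", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "run_method": re.compile(r"\.Run\s*\(", re.I),
    "activex": re.compile(r"ActiveXObject\s*\(", re.I),
}


def build_zip(files):
    """Create an in-memory zip from {name: content} (used to construct samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def triage_attachment(zip_bytes):
    """Return a verdict dict for a zip attachment.

    Signal 1: every member is a script (true for the Locky lure regardless of obfuscation).
    Signal 2: a member contains both an XMLHTTP object and WScript.Shell (downloader pattern).
    """
    reasons, per_member = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        exts = {os.path.splitext(n)[1].lower() for n in names}
        script_only = bool(names) and exts <= SCRIPT_EXTS
        if script_only:
            reasons.append("archive contains only script files: " + ", ".join(names))
        for n in names:
            if os.path.splitext(n)[1].lower() not in SCRIPT_EXTS:
                continue
            text = zf.read(n).decode("latin-1")  # never fails; we only regex-scan
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            per_member[n] = hits
            if {"xmlhttp", "wscript_shell"} <= set(hits):
                reasons.append(f"{n}: downloader pattern (XMLHTTP + WScript.Shell)")
    return {
        "members": names,
        "script_only": script_only,
        "indicators": per_member,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples (not real malware): one lure-style archive, one benign archive.
PHISH_ZIP = build_zip({
    # fragment with the plain object names from the write-up
    "invoice_83921.js": "/* fragment */ new ActiveXObject('MSXML2.XMLHTTP');"
                        " new ActiveXObject('WScript.Shell'); x.Run(y);",
    # fragment mimicking an obfuscated script: no plain indicators at all
    "invoice_83922.js": "var _0x1=['\\x41','\\x42'];function a(b){return _0x1[b];}",
})
BENIGN_ZIP = build_zip({
    "report.pdf": "%PDF-1.4 constructed placeholder",
    "notes.txt": "plain text, nothing executable",
})

if __name__ == "__main__":
    for label, data in (("phish", PHISH_ZIP), ("benign", BENIGN_ZIP)):
        print(label, triage_attachment(data))
```

The second sample script carries no recognisable strings, which is exactly the obfuscation the post mentions; it is still caught because the archive-shape check does not depend on the script's content. String matching is the weaker of the two signals and should be treated as confirmation, not as the gate.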

The downloaded exe is heavily obfuscated.

Once the process starts it writes the machine ID to HKEY_CURRENT_USER\Software\Locky\id and the public key used for encryption to HKEY_CURRENT_USER\Software\Locky\pubkey.

The trojan then walks the directory tree looking for files in formats such as .xls, .ppt, .doc, .wb2, .jpg and .wav, encrypts them with RSA into files named <id><hash>.locky, and writes a recovery instruction document into every directory where documents were found.

When encryption completes it sets HKEY_CURRENT_USER\Software\Locky\completed to 1 and reports to the server with encrypted data.

A partial list of the communication addresses:

http://78.40.108.39/main.php

http://51.255.107.8/main.php

http://51.255.107.10/main.php

http://51.254.181.122/main.php

http://195.64.154.114/main.php

http://188.127.231.116/main.php

http://149.202.109.205/main.php

Finally it sets the desktop wallpaper to the recovery instruction image, pops up the recovery instruction document and waits for the victim to pay the ransom.
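The host-side artefacts described in this section (the three HKCU\Software\Locky values and the renamed <id><hash>.locky files) are what an incident responder checks to confirm a machine was hit and to measure how far encryption got. The script below is an added example, not code from the original post or from 360: it scans a directory tree for .locky files and, on Windows only, reads the three registry values named above. The assumption that the id and hash are hex digits, the demo directory layout and the file names are this example's own constructions.

```python
import os
import re
import sys
import tempfile

# Assumption for this example: "<id><hash>.locky" means a run of hex digits before the extension.
LOCKY_NAME = re.compile(r"^[0-9a-f]{16,}\.locky$", re.I)


def scan_tree(root):
    """Walk `root` and report encrypted files, the directories they sit in, and how many
    names match the assumed id+hash shape (a sanity check that these really are Locky output)."""
    encrypted, dirs = [], set()
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".locky"):
                encrypted.append(os.path.join(dirpath, f))
                dirs.add(os.path.relpath(dirpath, root))
    return {
        "encrypted_files": sorted(encrypted),
        "affected_dirs": sorted(dirs),
        "name_pattern_matches": sum(
            1 for p in encrypted if LOCKY_NAME.match(os.path.basename(p))
        ),
    }


def locky_registry_markers():
    """Windows only: read the HKCU\\Software\\Locky values named in the write-up.

    Returns None when not on Windows, {} when the key is absent, otherwise a dict with
    the 'id', 'pubkey' and 'completed' values (None for any value that is missing).
    """
    if sys.platform != "win32":
        return None
    import winreg
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Locky")
    except FileNotFoundError:
        return {}
    with key:
        out = {}
        for name in ("id", "pubkey", "completed"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                out[name] = None
        return out


def make_demo_tree():
    """Constructed sample: a temp directory that looks like a share after Locky ran."""
    root = tempfile.mkdtemp(prefix="locky_demo_")
    layout = {
        "finance/3E8A1C09B7D2F4A6C1D2E3F4A5B6C7D8.locky": b"",
        "finance/D4C3B2A1F0E9D8C70011223344556677.locky": b"",
        "photos/holiday.locky": b"",          # .locky extension but not the id+hash shape
        "photos/readme.txt": b"unaffected text file",
        "tools/setup.exe": b"MZ placeholder",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(scan_tree(make_demo_tree()))
    print("registry:", locky_registry_markers())
```

A `completed` value of 1 means the full pass has already finished and the server has been notified, so the useful response at that point is containment and restore from backup rather than trying to interrupt the encryption; a present `id` with no `completed` value is the case where pulling the machine off the network still saves files.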

Infection Status and Recommendations

According to 360 Threat Intelligence Center data, more than ten thousand users have been confirmed infected since March, and services offering to pay the ransom and decrypt on the victim's behalf have even appeared on Taobao. Users are advised not to open emails from unknown sources; 360安全卫士 (360 Safeguard) is already detecting and removing this ransomware on an ongoing basis.

IOC

The downloader servers the attackers use to host the malicious code are mostly compromised legitimate sites. A partial list follows; block them on perimeter devices.

http://1.casino-engine.ru/engine/core/76tr5rguinml.exe

http://1.casino-engine.ru/modules/images/87yhb54cdfy.exe

http://111.208.4.230:82/1Q2W3E4R5T6Y7U8I9O0P1Z2X3C4V5B/saigonnew.com.vn/system/logs/76tr5rguinml.exe

http://120.52.72.52/biosoftbelgium.com/c3pr90ntcsf0/system/logs/76tr5rguinml.exe

http://120.52.72.57/thuanhshop.com/c3pr90ntcsf0/system/logs/4trf3g45.exe

http://178.33.176.229/ber.exe

http://2.casino-engine.ru/img/multigaminator/4trf3g45.exe

http://50.28.211.199/hdd0/89o8i76u5y4

http://51457642.de.strato-hosting.eu/980k7j6h5

http://academiasuperior.net/wp-includes/rest-api/5h45hg4b

http://accessinvestment.net/4/0vexw3s5

http://aexpress.co/system/logs/086tg7

http://aimsande.com/87yg756f5.exe

http://aksci.net/system/logs/98yhb764d.exe

http://alexkote.ru/wp-content/plugins/87tg7v645c.exe

http://alumaxgroup.in/87yg756f5.exe

http://anro.kiev.ua/vqmod/vqcache/4trf3g45.exe

http://aqarhits.com/system/logs/87tg7v645c.exe

http://ari-ev.com/system/logs/765uy453gt5

http://aroham.com/87yg756f5.exe

http://art-studia-sharm.com.ua/libraries/simplepie/765g473bf34

http://art-wiz.ru/wp-includes/SimplePie/7ygvtyvb7niim.exe

http://astralia.ro/08o76g445g

http://azshop24.com.vn/system/logs/87tg7v645c.exe

http://baiya.org/image/templates/7ygvtyvb7niim.exe

http://behrozan.ir/system/logs/7t6f65g.exe

http://beltshoesnmore.com/system/logs/87yhb54cdfy.exe

http://besttec-cg.com/89ok8jhg

http://bindulin.by/system/logs/7ygvtyvb7niim.exe

http://biomir.ajanslive.com/system/logs/78tgh76.exe

http://biosoftbelgium.com/system/logs/76tr5rguinml.exe

http://browardcountystore.com/system/cache/223

http://buyfuntees.com/system/logs/7t6f65g.exe

http://c001456.aaa.ididp.com/system/logs/87yg756f5.exe

http://casewerkz.demowebsite.net/system/logs/87yhb54cdfy.exe

http://cazasports.com/system/logs/uy78hn654e.exe

http://ccac3323.com.sapo.pt/0y7bf3r

http://cherryuk.co.uk/system/logs/uy78hn654e.exe

http://chinhuanoithat.com/system/logs/uy78hn654e.exe

http://clubxtoys.com/system/logs/lkj87h.exe

http://cocowashi.com/system/logs/76tr5rguinml.exe

http://creditwallet.net/87yg756f5.exe

http://croqqer.org/wp-content/uploads/5h45hg4b

http://cuagonhaviet.com.vn/system/logs/lkj87h.exe

http://cyberbuh.pp.ua/97kh65gh5

http://demo.essarinfotech.net/87yg756f5.exe

http://demo.rublemag.ru/system/logs/87yhb54cdfy.exe

http://demo2.master-pro.biz/modules/payments/76tr5rguinml.exe

http://demo2.master-pro.biz/plugins/markitup/4trf3g45.exe

http://dgcustomgraphics.com/system/logs/98yhb764d.exe

http://dolcevita-ykt.ru/system/logs/uy78hn654e.exe

http://dommediciny.ru/system/logs/76h5gf43wg54

http://donutes.33499.info/system/logs/87yhb54cdfy.exe

http://dropshipaanbod.nl/system/logs/uy78hn654e.exe

http://dsignshop.com.au/system/logs/87tg7v645c.exe

http://effone.com/js/playstation4.exe

http://eiadmeodeda.securalive.ca/8fjvimkel1/c987ah8j9ei1.php

http://e-journal.respati.ac.id/8y74hfb

http://electime.com/wp-content/themes/765g473bf34

http://elogistic.ir/wp-admin/network/87hg8n54

http://emotos.ru/admin/model/87yhb54cdfy.exe

http://escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe

http://estudiomatera.com.ar/763fdvf

http://fashion-girl.od.ua/catalog/controller/87hg8n54

http://fb7707vd.bget.ru/admin/language/4trf3g45.exe

http://fibrefamily.ru/system/logs/87tg7v645c.exe

http://fkaouane.free.fr/67uh54gb4

http://flaxxup.com/87yg756f5.exe

http://for-sale.pk/system/logs/87yhb54cdfy.exe

http://fortyseven.com.ar/system/logs/7t6f65g.exe

http://g200.qdesign.vn/system/logs/87yhb54cdfy.exe

http://galit-law.co.il/32tguynjk

http://gargsons.com/87yg756f5.exe

http://giveitallhereqq.com/69.exe

http://giveitallhereqq.com/80.exe

http://giveitalltheresqq.com/69.exe

http://giveitalltheresqq.com/80.exe

http://gladilki.bohush.ru/system/library/a.exe

http://glslindia.com/87yg756f5.exe

http://gwentpressurewashers.com/system/logs/7ygvtyvb7niim.exe

http://heenaz.in/system/logs/98yhb764d.exe

http://hellomississmithqq.com/69.exe

http://hellomississmithqq.com/80.exe

http://het-havenhuis.nl/099oj6hg

http://hipnotixx.com/27h8n

http://hitronic.org/system/logs/76tr5rguinml.exe

http://hkhc-shop.lms.hk/system/logs/87yg7g

http://howisittomorrowff.com/69.exe

http://hppl.net/87yg756f5.exe

http://ihsanind.com/system/logs/87jhg44g5

http://imgointoeatnowcc.com/69.exe

http://imgointoeatnowcc.com/80.exe

http://imperiovintage.com.br/system/logs/76tr5rguinml.exe

http://indianexporthouse.eu/system/logs/uy78hn654e.exe

http://iperfume.co.il/system/logs/4trf3g45.exe

http://ipovareshka.ru/system/logs/76tr5rguinml.exe

http://italco.com.ua/system/logs/98yhb764d.exe

http://iwear.md/system/logs/7t6f65g.exe

http://izzy-cars.nl/9uj8n76b5.exe

http://jewellery.jagodesh.com/system/logs/iu8y7g6b

http://jldoptics.com/system/logs/87tg7v645c.exe

http://joecockerhereqq.com/69.exe

http://joecockerhereqq.com/80.exe

http://jorgecodas.com/76t2gr345

http://kiddyshop.kiev.ua/image/data/87tg7v645c.exe

http://kidtuning.ro/7r5fyf6

http://kievelectric.kiev.ua/art/media/87tg7v645c.exe

http://klariss.cz/87yg756f5.exe

http://kokoko.himegimi.jp/54g4

http://komplektik.com/system/logs/76tr5rguinml.exe

http://lahmar.choukri.perso.neuf.fr/78hg4wg

http://lampusorotmurah.com/system/logs/78tgh76.exe

http://lapdatcamerachatluongcao.com/system/logs/uy78hn654e.exe

http://leaderjewelleryco.com/admin/controller/87yhb54cdfy.exe

http://lhs-mhs.org/9uj8n76b5.exe

http://lightsroom.ru/system/logs/87tg7v645c.exe

http://liquor1.slvtechnologies.com/system/logs/7ygvtyvb7niim.exe

http://livewireradio.net/wp-admin/js/765g473bf34

http://magic-beauty.com.ua/system/logs/98yhb764d.exe

http://mail-dedmoroz.com.ua/adminka/templ/7ygvtyvb7niim.exe

http://mansolution.in.th/system/logs/7ygvtyvb7niim.exe

http://massage-himmel.de/978yhen2

http://maxbeauty.dp.ua/administrator/manifests/765g473bf34

http://maybridalsash.com/system/cache/111

http://mercadohiper.com.br/system/logs/uy78hn654e.exe

http://ministerepuissancejesus.com/o097jhg4g5

http://mobile-house.be/system/logs/98yhb764d.exe

http://myonlinedeals.pk/system/logs/43d5f67n8

http://myphampro.com/system/logs/87yhb54cdfy.exe

http://nagrobkipelplin.conceptreklamy.pl/modules/mod_wrapper/4trf3g45.exe

http://ncrweb.in/system/logs/7t6f65g.exe

http://newleaf.org.in/87yg756f5.exe

http://nguoitieudungthongthai.com/system/logs/987i6u5y4t

http://nhinh.com/system/logs/uy78hn654e.exe

http://nobilitas.cz/0954t4h45

http://nro.gov.sd/23r35y44y5

http://nypizza.ru/system/logs/7ygvtyvb7niim.exe

http://ohammam.fr/system/logs/23f3rf33.exe

http://ohbelleza.linkium.mx/system/logs/87yhb54cdfy.exe

http://ohellograndpaqq.com/69.exe

http://ohellograndpaqq.com/80.exe

http://ohelloguyff.com/70.exe

http://ohelloguyqq.com/70.exe

http://ohelloguyzzqq.com/85.exe

http://onsancompany.com/system/logs/uy78hn654e.exe

http://ozono.org.es/k7j6h5gf

http://pacificgiftcards.com/3/67t54cetvy

http://parturiencies3f9.besaba.com/76t2gr345

http://perfumy_alice.republika.pl/08h867g5

http://peterdickem.com/87745g

http://phatfx.net/98h8n23r23

http://phongsachviettech.com/system/logs/98yg7b

http://planetarchery.com.au/system/logs/q32r45g54

http://printisimo.ru/image/cache/7ygvtyvb7niim.exe

http://ptunited.net/system/logs/87tg7v645c.exe

http://pugmahons.com/~pugmahons/56er5f6g7b

http://realvacantcolony.tradersnetwork.co/97adguwod/08h13rfi982y.php

http://regentsanctionbisexual.isupplementscanada.com/97adguwod/08h13rfi982y.php

http://rem.az/system/logs/lkj87h.exe

http://risetravel.net/wp-includes/theme-compat/765g473bf34

http://rmdszms.ro/2/87yv5cds

http://saabvolvo.com.ua/system/logs/7ygvtyvb7niim.exe

http://saachi.co/system/logs/43ghy8n

http://sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe

http://saigonnew.com.vn/system/logs/76tr5rguinml.exe

http://sales-teleselling.eu.org/wp-includes/fonts/5h45hg4b

http://scorpyofilms.com/67j5h5h4

http://scs-smesi.ru/published/PD/87tg7v645c.exe

http://shapes.com.pk/system/logs/87tg7v645c.exe

http://shoescorner.gr/system/logs/76tr5rguinml.exe

http://shofukai.web.fc2.com/23rt54y56

http://shop.celiodent.com/system/cache/111

http://shopphpmvc.e-groups.vn/system/logs/lkj87h.exe

http://shopthoitrangphukien.com/system/logs/7ygvtyvb7niim.exe

http://sigmahardware.com.my/system/logs/7ygvtyvb7niim.exe

http://silvermarket.gr/system/logs/78tgh76.exe

http://sitemar.ro/5/92buyv5

http://sm1.by/vqmod/xml/76tr5rguinml.exe

http://smeja.de/i876jh556h

http://smokediscount.de/786u5h

http://snosto.com/wp-admin/includes/i75rg456

http://softcrk.com/system/logs/4trf3g45.exe

http://softworksbd.com/73tgbf334

http://solucionesdubai.com.ve/system/logs/uy78hn654e.exe

http://sribinayakelectricals.com/system/logs/78tgh76.exe

http://srv35613.ht-test.ru/storage/plugins/76tr5rguinml.exe

http://stalu.sk/43dfg7hy

http://stepsaweb.com/system/logs/uy78hn654e.exe

http://stopmeagency.free.fr/9uj8n76b5.exe

http://storageinbath.co.uk/78jh5h

http://store.suhaskhamkar.in/system/logs/78tgh76.exe

http://sub4.gustoitalia.ru/system/logs/87tg7v645c.exe

http://superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe

http://supply-division.dk/system/logs/76tr5rguinml.exe

http://surfcash.7u.cz/0o9k7jh55

http://surgitek.co.uk/system/logs/98yt

http://surprise.co.in/system/logs/87tg7v645c.exe

http://svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe

http://szkoleniasluzb.pl/67j5hg

http://tcpos.com.vn/system/logs/56y4g45gh45h

http://tekstil-world.ru/vqmod/install/7ygvtyvb7niim.exe

http://test.sharmx.com.ua/sdideep/87hg8n54

http://texfibre.eu/system/logs/87tg7v645c.exe

http://thaihost.biz/bestylethai.com/43t3gh4

http://theskcreativearts.com/45tg

http://thewhitemug.co.uk/system/logs/4trf3g45.exe

http://thietbianninhngocphuoc.com/system/logs/98yhb764d.exe

http://thietbicokhi.com.vn/system/logs/7ygvtyvb7niim.exe

http://thisisitsqq.com/69.exe

http://thisisitsqq.com/80.exe

http://thuanhshop.com/system/logs/4trf3g45.exe

http://tianshilive.ru/vqmod/xml/87yhb54cdfy.exe

http://tomkinshop.net/system/logs/87yhb54cdfy.exe

http://torgtehnik.ru/system/cache/…/1.exe

http://tracks4africa.li/43f

http://tradesolutions.me.uk/8i76

http://tramps-ike.gr/8i67uy4g

http://tratancuongthainguyen.com/v4v5g45hg.exe

http://trieugiatrang.net/image/cache/87yhb54cdfy.exe

http://trimchic.co.uk/system/logs/lkj87h.exe

http://tuning.com.mx/v4v5g45hg.exe

http://u1847.netangels.ru/system/smsgate/7ygvtyvb7niim.exe

http://ubermensch.altervista.org/system/logs/87yhb54cdfy.exe

http://vaanifashion.com/system/logs/uy78hn654e.exe

http://vacationinbath.co.uk/v4v5g45hg.exe

http://vacationinbath.com/v4v5g45hg.exe

http://valerieannefashions.co.uk/v4v5g45hg.exe

http://vartashakti.com/v4v5g45hg.exe

http://vfwuc.eu.org/wp-content/uploads/5h45hg4b

http://vgp3.vitebsk.by/6/98yh8bb

http://vikasartsjodhpur.com/v4v5g45hg.exe

http://vip-creme.de/v4v5g45hg.exe

http://vip-shape.de/v4v5g45hg.exe

http://vital4age.de/v4v5g45hg.exe

http://vital4age.eu/v4v5g45hg.exe

http://washitallawayff.com/69.exe

http://washitallawayff.com/80.exe

http://webmail.p55.be/v4v5g45hg.exe

http://wechselkur.de/v4v5g45hg.exe

http://whatskv.com/v4v5g45hg.exe

http://winjoytechnologies.com/v4v5g45hg.exe

http://wireless-sync.com/system/cache/111

http://workplace-communication.eu.org/wp-includes/pomo/5h45hg4b

http://www.aebnworld.com/98o7kj56h

http://www.aggiesaquariums.com.au/wp-includes/y78hiuok

http://www.almraah.com/wp-content/uploads/y78hiuok

http://www.avdanrenault.com/system/logs/4trf3g45.exe

http://www.dentiera-rotta.it/files/Fedex/fedex.exe

http://www.ekowen.sk/09y8j

http://www.findtube.gr/templates/atomic/js/111.exe

http://www.fotoleonia.it/files/sample.exe

http://www.freeadultcontent.us/98o7kj56h

http://www.freepussyshow.com/9oi654gh3

http://www.gruposdemediosrrr.com/9oi654gh3

http://www.gw-fs.co.uk/873y4g7bf3

http://www.houseman.cz/files/10003c.exe

http://www.istruiscus.it/7643grb

http://www.kidshealingcrohnsandcolitis.com/8y7hybigv

http://www.kidshealingcrohnsandcolitis.org/8y7hybigv

http://www.koinerestaurant.com/parallax/piatti/promt.exe

http://www.livegirlshow.com/8i5ju4g34

http://www.liveshowgirl.com/8i5ju4g34

http://www.momstav.com/087hg67

http://www.myxxxlinks.com/4ggh45yh45

http://www.myxxxlinks.com:20480/4ggh45yh45

http://www.nenitasthumbs.com/4ggh45yh45

http://www.nevjegydesign.hu/0k6j6n4h4

http://www.nevjegyportal.hu/0k6j6n4h4

http://www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe

http://www.promumedical.com/system/logs/87tg7v645c.exe

http://www.silko.ir/k8j5h

http://www.souqaqonline.com/system/logs/87tg7v645c.exe

http://www.tech-filter.ru/system/logs/78tgh76.exe

http://www.toolsavenue.com/system/cache/87yhb54cdfy.exe

http://www.trasachthainguyen.com/0l9k7j6

http://www.tuttiesauriti.org/wp-content/plugins/hello123/89h8btyfde445.exe

http://www.vtipnetriko.cz/9oi86j5hg4

http://xn--80ahetikodul.xn--p1ai/system/logs/4trf3g45.exe

http://xn--b1afonddk2l.xn--p1ai/system/logs/7t6f65g.exe

http://yander.by/system/logs/uy78hn654e.exe

http://zarabotoknasayte.zz.mu/7/sh87hg5v4
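Both the communication-address list in the behaviour section and the downloader list above are meant to be turned into perimeter blocks and matched against proxy logs. The script below is an added example, not code from the original post or from 360: it normalises a small subset of the page's URLs into a host blocklist (stripping ports, collapsing the one duplicated entry, keeping IDN hosts as their xn-- form) and then runs constructed proxy log lines against it. The log format, the client addresses and the Squid ACL output are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Subset of URLs taken from the write-up's two lists (the post carries the full lists).
# One entry is repeated on purpose to show de-duplication.
IOC_URLS = [
    "http://78.40.108.39/main.php",
    "http://51.255.107.8/main.php",
    "http://vaseline-amar-ujala.in/euwiyr4hdc",
    "http://1.casino-engine.ru/engine/core/76tr5rguinml.exe",
    "http://111.208.4.230:82/1Q2W3E4R5T6Y7U8I9O0P1Z2X3C4V5B/saigonnew.com.vn/system/logs/76tr5rguinml.exe",
    "http://xn--80ahetikodul.xn--p1ai/system/logs/4trf3g45.exe",
    "http://imgointoeatnowcc.com/80.exe",
    "http://imgointoeatnowcc.com/80.exe",
]

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
LOG_LINES = """\
2016-03-09T08:41:12Z 10.20.1.15 GET http://vaseline-amar-ujala.in/euwiyr4hdc 200
2016-03-09T08:41:20Z 10.20.1.15 POST http://78.40.108.39/main.php 200
2016-03-09T08:42:03Z 10.20.1.22 GET http://www.example.com/index.html 200
2016-03-09T08:43:55Z 10.20.1.31 GET http://1.casino-engine.ru/engine/core/76tr5rguinml.exe 404
2016-03-09T08:44:10Z 10.20.1.31 GET http://1.casino-engine.ru/other/path.exe 200
2016-03-09T08:45:00Z 10.20.1.40 POST http://51.255.107.10/main.php 200
""".splitlines()


def build_blocklist(urls):
    """Return (hosts, host_paths): lower-cased hostnames with the port dropped, and
    'host/path' strings for exact-URL matching. Blocking by host is the safer default
    because the payload path on a compromised site changes between campaigns."""
    hosts, host_paths = set(), set()
    for u in urls:
        parts = urlsplit(u.strip())
        if not parts.hostname:
            continue
        host = parts.hostname.lower()
        hosts.add(host)
        host_paths.add(host + parts.path)
    return hosts, host_paths


def match_proxy_log(lines, hosts, host_paths):
    """Return one record per log line whose destination host is on the blocklist.
    exact_url tells whether the full host+path was also listed."""
    matches = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash on partial logs
        ts, client, _method, url = fields[:4]
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in hosts:
            matches.append({
                "time": ts,
                "client": client,
                "url": url,
                "exact_url": (host + parts.path) in host_paths,
            })
    return matches


def squid_acl(hosts, name="locky_ioc"):
    """Render the host set as a Squid dstdomain ACL plus a deny rule (assumed syntax)."""
    lines = [f"acl {name} dstdomain {h}" for h in sorted(hosts)]
    lines.append(f"http_access deny {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    hosts, host_paths = build_blocklist(IOC_URLS)
    for m in match_proxy_log(LOG_LINES, hosts, host_paths):
        print(m)
    print(squid_acl(hosts))
```

The last log line (51.255.107.10) goes unmatched because that address is outside the subset embedded here, which is the practical point: the blocklist is only as good as its completeness, so load the page's full lists rather than a sample, and treat any internal client that appears in the matches as a host to isolate and triage, not just a connection to block.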

This article was originally published by 360安全播报 (360 Security Bulletin). Reposts must credit the source and this address: http://bobao.360.cn/learning/detail/2804.html
