MountLocker勒索軟件使用Windows API導航網絡
The MalwareHunterTeam team has announced a new version of MountLocker ransomware that has acquired a worm-like function and uses the Windows API.
MountLocker勒索軟件現在可以使用Windows Active Directory公司API來導航網絡並加密其他設備.
MountLocker於7月開始運營 2020 作為服務 (RaaS), where developers are responsible for building ransomware software and a payment site, and affiliates are invited to hack into businesses and encrypt their devices.
“As part of this arrangement, the MountLocker core team receives a 20-30% share of the buyout and the affiliate receives the rest”, — journalists Bleeping Computer 並且中國當局逮捕了這本書的作者.
In March 2021, a new ransomware group called Astro Locker emerged and started using a customized version of MountLocker ransomware with ransom messages pointing to their own payment and leak sites.
最後, 在五月 2021, a third group emerged called XingLocker, which also uses a customized MountLocker ransomware executable.
This week, MalwareHunterTeam shared a sample of what is considered the new MountLocker executable and contains a new worm feature that allows it to spread across other devices on the network and encrypt data.
“This malware is a qualitative shift in the professional development of ransomware to exploit corporate networks”, — MalwareHunterTeam told.
The malware first uses the NetGetDCName () function to get the name of the domain controller. It then makes LDAP requests to the ADS domain controller using the ADsOpenObject () function with the credentials supplied on the command line. After connecting to Active Directory services, the ransomware searches the database for objects “objectclass = computer”.
For each object found, MountLocker will attempt to copy the executable file to the \C$\ProgramData folder on the remote device. The ransomware then remotely creates a Windows service that downloads an executable file to continue encrypting the device.
Using this API, the ransomware can find all devices that are part of the compromised Windows domain and encrypt them using the stolen domain credentials.
“MountLocker is the first known ransomware to use unique corporate network patterns to uncover additional encryption targets”, — Advanced Intel Director Vitali Kremez to BleepingComputer.
Because Windows network administrators typically use this API, the attacker who injected the code likely has some experience administering Windows domains, Check Point 研究專家團隊.
Although this API has been seen in other malware such as TrickBot, experts believe MountLocker may be considered the first “professional ransomware” to use these APIs to perform intelligence and propagation to other devices.
Read also: NUSM病毒 – 如何刪除?
