Hello, according to the Symantec report, the findings and hashes are as follows:

Preliminary Technical Details:

There are reports that the threat is initially introduced through a compromised website/watering hole attack using JavaScript. The JavaScript creates a pop-up to install a malicious Flash Player update. When the user clicks on the "Install" button, install_flash_player.exe is downloaded from hxxp://1dnscontrol[.]com and executed. This file is the main threat; it scans for open shares within the environment and then launches the Hacktool to harvest credentials in order to execute infpub.dat from rundll.exe. It then uses DiskCryptor (legitimate software) as a means to encrypt the hard drive and dispci.exe to create the lock screen.

Coverage:

On-Disk detection is now available for the main components of the threat.

install_flash_player.exe - Ransom.BadRabbit - Dropper component
MD5: fbbdc39af1139aebba4da004475e8839
SHA2: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
Total Cloud Protection (SEP14): Trojan Horse - Available now
Detected as: Ransom.BadRabbit - RR Seq: 188194 - Ext: 20171024.016

infpub.dat - Ransom.BadRabbit - Main Threat/Encryptor component
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA2: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
Total Cloud Protection (SEP14): Trojan Horse - Available now
Detected as: Ransom.BadRabbit - RR Seq: 188198 - Ext: 20171024.020

dispci.exe - Ransom.BadRabbit - ScreenLocker component
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA2: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93
Total Cloud Protection (SEP14): Trojan Horse - Available now
Detected as: Ransom.BadRabbit - RR Seq: 188198 - Ext: 20171024.020

TMP file - Ransom.BadRabbit - Hacktool component
MD5: 347ac3b6b791054de3e5720a7144a977
SHA2: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
Detected as: Ransom.BadRabbit - RR Seq: 188200 - Ext: 20171024.022

TMP file - Ransom.BadRabbit - Hacktool component
MD5: 37945C44A897AA42A66ADCAB68F560E0
SHA2: 2F8C54F9FA8E47596A3BEFF0031F85360E56840C77F71C6A573ACE6F46412035
Detected as: Ransom.BadRabbit - RR Seq: 188200 - Ext: 20171024.022

page-main.js - From compromised website - Under research
Detected as: ??? pending

DiskCryptor - Legitimate disk encryption software (not detected)
MD5: edb72f4a46c39452d1a5414f7d26454a
SHA2: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6

Actions:
- Block hxxp://1dnscontrol[.]com at the gateway
- Blacklist known threat hashes (see above)
- Consider blacklisting the DiskCryptor hash (see above)

Mehmet Can TAŞ

---- On Tue, 24 Oct 2017 21:26:57 +0300 Hamza Şamlıoğlu <teako...@teakolik.com> wrote ----

Hello friends,

According to information shared on the internet, the BadRabbit ransomware, which infects systems through a fake Adobe Flash update and by using the EternalBlue exploit, has started to take effect in Turkey, Russia, Ukraine and Bulgaria! It is also reported that BadRabbit uses Mimikatz after infecting a system.

Blog post: https://www.bgasecurity.com/2017/10/badrabbit-ransomware-yayilmaya-basladi/

We advise you to be careful against this attack.

Best regards.

Hamza Şamlıoğlu
http://teakolik.blog
PGP/GPG

-------------------------------------------------
Webinar - Next Generation DDoS Attacks and Defense Methods
https://www.bgasecurity.com/yeni-nesil-ddos-saldirilari-ve-savunma-yontemleri/
-------------------------------------------------
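As an added example (not code from this thread or from Symantec), the following defender-side sweep implements the "blacklist known threat hashes" action from the notice above: it hashes every file under a directory and matches the result against the listed SHA-256 values, treating the abused DiskCryptor binary as "review" rather than "block". The function names, the verdict labels and the sample files are this example's own assumptions.

```python
"""Sweep a directory tree against the BadRabbit SHA-256 hashes from the Symantec notice.
Added example, not part of the original thread or Symantec's tooling: the hashes are
copied from the notice; function names, verdicts and sample files are constructed."""
import hashlib
import os
import tempfile

# SHA-256 values from the notice (lowercase) -> (component, verdict). DiskCryptor is
# legitimate software the threat abuses, so it gets "review" rather than "block".
BADRABBIT_SHA256 = {
    "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da": ("install_flash_player.exe dropper", "block"),
    "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648": ("infpub.dat encryptor", "block"),
    "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93": ("dispci.exe screen locker", "block"),
    "301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c": ("TMP hacktool", "block"),
    "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035": ("TMP hacktool", "block"),
    "0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6": ("DiskCryptor (legitimate, abused)", "review"),
}

def sha256_of_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked: large binaries stay out of memory
            h.update(block)
    return h.hexdigest()

def classify_hash(sha256_hex):
    """(component, verdict) for a listed hash, else None; case-insensitive since notices mix hex case."""
    return BADRABBIT_SHA256.get(sha256_hex.strip().lower())

def sweep(root):
    """Walk a tree and return {path: (component, verdict)} for every hash hit."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                verdict = classify_hash(sha256_of_file(path))
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole sweep
            if verdict:
                hits[path] = verdict
    return hits

def demo():
    """Constructed tree: a file merely named like the dropper must not match (content, not name)."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("readme.txt", b"hello"), ("install_flash_player.exe", b"not the real dropper")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return sweep(d)
```

Blocking on the URL at the gateway (the notice's first action) is a separate control; this sweep only covers files already on disk.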