Çå¾²¶¯Ì¬

¿ËÈÕ
£¬BevictorΰµÂÚÐÌýʵÑéÊÒ¼à²âµ½ÔÚÒ°µÄMoney MessageÀÕË÷²¡¶¾
£¬¸Ã×éÖ¯ÊÇÒ»ÖÖÀÕË÷Èí¼þ¼´·þÎñ(RaaS)ģʽ·¸·¨ÍÅ»ï
£¬¹¥»÷È«Çò¸÷ÐÐÒµ×ÅÃûÆóÒµ
£¬Í¨¹ýÇÔÈ¡²¢¼ÓÃÜÓû§Êý¾Ý¡¢Ë÷Òª¾Þ¶îÊê½ð»ñÈ¡ÖØ´óÊÕÒæ¡£

¾Ý¸Ã×éÖ¯µØÏÂÍøÂ粩¿Í³Æ
£¬ÏÖÔÚÉÐÓп¿½ü2°ÙÍòÌõ´ý¹ûÕæµÄÊܺ¦Õ߼ͼ
£¬ÏÖÔÚÊܺ¦Õß°üÀ¨ÃÀ¹ú×î´óµÄÒ©·¿Ò©Î﹫˾PharMerica¡¢Î¢Ðǹú¼Ê£¨MSI£©ÅÌËã»úÓ²¼þÌṩÉÌ¡¢ÉÌÒµ¹¤ÒµºÍÒâÍâΣÏÕ°ü¹Ü·þÎñÉÌGolden BearµÈ¡£

ÂÄÀúÖ¤
£¬BevictorΰµÂÏÂÒ»´ú·À»ðǽ¡¢EDR¡¢×Ô˳ӦÇå¾²·ÀÓùϵͳ¡¢½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³¡¢²¡¶¾¹ýÂËÍø¹Ø¿É׼ȷ¼ì²â²¢²éɱ¸ÃÀÕË÷²¡¶¾
£¬ÌṩÖÜÈ«µÄÇå¾²±£»¤
£¬ÓÐÓÃ×èÖ¹¸ÃÊÂÎñÉìÕÅ¡£

²¡¶¾ÆÊÎö

Money MessageÀÕË÷²¡¶¾Ê¹ÓÃC++ÓïÑÔ±àд
£¬ÏÖÔÚ×îÔçÔÚÒ°Ñù±¾·ºÆðÔÚ3ÔÂ19ÈÕ¡£

Money MessageÀÕË÷²¡¶¾µÄÔËÐнçÃæÈçÏÂͼËùʾ¡£Ê×ÏÈö¾Ù²¢¿¢ÊÂÖ¸¶¨µÄÀú³ÌÓë·þÎñ
£¬²¢ËÑË÷Êܺ¦Ö÷»úÉϵÄÍâµØ´ÅÅÌÀàÐÍ¡£

ŲÓÃϵͳ³ÌÐòssadmin.exe Ö´ÐÐdelete shadows /all /quietÏÂÁîɾ³ý¾íÓ°¸±±¾
£¬±ÜÃâ¼ÓÃÜÎļþºó±»ÍâµØ·þÎñÊý¾Ý»Ö¸´±¸·Ý¡£

Ö®ºó½¨Éè¶à¸öÏß³ÌÖ´ÐмÓÃÜ
£¬Õ¼ÓÃCPU½Ï¸ßÐÔÄÜ¡£ÓÉÓÚ½ÓÄɵÄË㷨ǿ¶È½Ï¸ß
£¬¼ÓÃÜÎļþµÄËÙÂʽÏÁ¿Âý
£¬ÈôÊÇÔÚ¼ÓÃÜÀú³ÌÖз¢Ã÷²¢¿¢ÊÂÀÕË÷¿ÉÒÔÍì»ØÒ»¶¨Ëðʧ¡£

ÈçÏÂÊÇÀÕË÷²¡¶¾ÔËÐÐÀú³ÌÖÐÄÚ´æÖлá½âÃܵÄÉèÖÃÎļþ
£¬°üÀ¨Á˼ÓÃÜÀú³ÌµÄºÚÃûµ¥Àú³ÌÓë·þÎñÃû³Æ
£¬°×Ãûµ¥ÎļþĿ¼
£¬ÍøÂçÃÜÔ¿µÈÖ÷ÒªÐÅÏ¢¡£

±ðµÄÀÕË÷²¡¶¾ÔÚÈí¼þÖÐÄÚǶÁ˼ÓÃܵİ×Ãûµ¥ÎļþÁбí
£¬°üÀ¨desktop.ini¡¢ntuser.dat¡¢thumbs.db¡¢iconcache.db¡¢ntuser.ini¡¢ntldr¡¢bootfont.bin¡¢ntuser.dat.log¡¢bootsect.bak¡¢boot.ini¡¢autorun.inf¡£

ºÍͨÀýÀÕË÷²¡¶¾²î±ðµÄÊÇ
£¬Money MessageÔÚ¼ÓÃÜÎļþºó²¢²»»á¸ü¸ÄÎļþºó׺
£¬ÕâÖ±½Óµ¼ÖÂһЩ¿ÉÖ´ÐÐÎļþÔÚ±»¼ÓÃܺó»á·ºÆðÃûÌñ¨´í
£¬Îı¾ÀàÎļþ¿ÉÒÔÖ±½Ó·­¿ªµ«Êý¾Ý±»¼ÓÃÜ·ºÆðÂÒÂë¡£

ÔÚCÅÌÊͷŵÄmoney_message.logʵÔòÊÇÀÕË÷ÐÅ
£¬¼û¸æÊܺ¦Õß½ÉÄÉÊê½ðµÄ̸ÅеØÖ·
£¬²¢ÖÒÑÔÊܺ¦ÕßÈôÊÇÔÚ»®×¼Ê±¼äÄÚÄò»µ½Êê½ð
£¬½«»áÐû²¼Êܺ¦ÕßµÄ˽ÃÜÊý¾Ý¡£

Money MessageÀÕË÷²¡¶¾½ÓÄÉECDHºÍChaCha20Ëã·¨¼ÓÃÜÓû§Êý¾Ý
£¬¸Ã¼ÓÃÜ·½·¨ËÙÂÊËäÂý
£¬µ«¼ÓÃÜÇ¿¶È½Ï¸ß
£¬ÏÖÔÚ»¹ÎÞ·¨Æƽâ¡£

¸½Â¼£º

Money MessageÀÕË÷¼ÓÃÜÉèÖÃÎļþ£º

https://github.com/StupidBird-Code/Malware_Analysize-Tools/blob/main/money_message_ransom_config.json

Ñù±¾IOCÁÐ±í£º

·À»¤½¨Òé

ʵʱÐÞ¸´ÏµÍ³¼°Ó¦ÓÃÎó²î
£¬½µµÍ±»Money MessageÀÕË÷²¡¶¾Í¨¹ýÎó²îÈëÇÖµÄΣº¦¡£

ÔöÇ¿»á¼û¿ØÖÆ
£¬¹Ø±Õ²»ÐëÒªµÄ¶Ë¿Ú
£¬½ûÓò»ÐëÒªµÄÅþÁ¬
£¬½µµÍ×ʲúΣº¦Ì»Â¶Ãæ¡£

¸ü¸Äϵͳ¼°Ó¦ÓÃʹÓõÄĬÈÏÃÜÂë
£¬ÉèÖøßÇ¿¶ÈÃÜÂëÈÏÖ¤
£¬²¢°´ÆÚ¸üÐÂÃÜÂë
£¬±ÜÃâÈõ¿ÚÁî¹¥»÷¡£

°´ÆÚ¾ÙÐÐÊý¾Ý±¸·Ý
£¬²¢½«ÕâЩ±¸·ÝÊý¾ÝÉúÑÄÔÚÀëÏßÇéÐλòµ¥¶ÀµÄÍøÂçÖС£

×°ÖÃBevictorΰµÂÇå¾²²úÆ·ÔöÇ¿·À»¤
£¬BevictorΰµÂÏÂÒ»´ú·À»ðǽ¡¢EDR¡¢×Ô˳Ӧ¡¢½©Ä¾Èä¡¢²¡¶¾¹ýÂËÍø¹Ø
£¬¿ÉÓÐÓ÷ÀÓù¸ÃÀÕË÷²¡¶¾¡£

BevictorΰµÂ²úÆ··ÀÓùÉèÖÃ

Ò»¡¢BevictorΰµÂÏÂÒ»´ú·À»ðǽϵͳ·ÀÓùÉèÖÃ

1¡¢Í¨¹ý»á¼û¿ØÖÆÕ½ÂÔÔöÇ¿½ûÓò»ÐëÒªµÄ¶Ë¿Ú¡¢·þÎñ
£¬ËõС×ʲú̻¶Ãæ
£¬½µµÍѬȾΣº¦£»

2¡¢¿ªÆôÈõ¿ÚÁî·À»¤¡¢±©Á¦Æƽâ·À»¤¹¦Ð§
£¬¿ÉÓÐÓýµµÍ¿ÚÁîÆƽâΣº¦;

3¡¢Éý¼¶µ½×îв¡¶¾ÌØÕ÷¿â
£¬ÉèÖò¡¶¾·À»¤Õ½ÂÔ
£¬¿ÉÓÐÓüì²â²¢×è¶ÏÀÕË÷²¡¶¾Èö²¥¡£

4¡¢¿ªÆôÁª¶¯¹¦Ð§
£¬»ñÈ¡BevictorΰµÂEDR¡¢BevictorΰµÂ²¡¶¾¹ýÂËÍø¹Ø¡¢BevictorΰµÂ½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³µÈ²úÆ·¼ì²âЧ¹û
£¬ÊµÊ±×èµ²Èö²¥/ѬȾԴ
£¬¿ØÖÆÍøÂçÈö²¥¹æÄ££»

5¡¢¿ªÆô×ʲú·À»¤¹¦Ð§
£¬ÆôÓÃ×ʲúÐÐΪ»ùÏß¹¦Ð§
£¬Í¨¹ý¼ì²â×ʲúÒì³£ÐÐΪ
£¬¿Éʵʱ·¢Ã÷Òþ²Ø¹¥»÷ÐÐΪ²¢ÆôÓÃÕ½ÂÔ¾ÙÐÐ×è¶Ï¡£

¶þ¡¢BevictorΰµÂEDRϵͳ·ÀÓùÉèÖÃ

1¡¢Í¨¹ý΢¸ôÀëÕ½ÂÔÔöÇ¿»á¼û¿ØÖÆ
£¬½µµÍºáÏòѬȾΣº¦£»

2¡¢¿ªÆôÎļþʵʱ¼à¿Ø¹¦Ð§
£¬¿ÉÓÐÓÃÔ¤·ÀºÍ²éɱ¸ÃÀÕË÷²¡¶¾;

3¡¢¿ªÆôϵͳ¼Ó¹Ì¹¦Ð§
£¬¿ÉÓÐÓÃ×èµ²¸ÃÀÕË÷²¡¶¾¶ÔϵͳҪº¦Î»ÖþÙÐÐÆÆËðºÍ¸Ä¶¯¡£

Èý¡¢BevictorΰµÂ×Ô˳ӦÇå¾²·ÀÓùϵͳ·ÀÓùÉèÖÃ

1¡¢Í¨¹ý΢¸ôÀëÕ½ÂÔÔöÇ¿»á¼û¿ØÖÆ
£¬½µµÍºáÏòѬȾΣº¦£»

2¡¢Í¨¹ýΣº¦·¢Ã÷¹¦Ð§É¨ÃèϵͳÊÇ·ñ±£´æÏà¹ØÎó²îºÍÈõ¿ÚÁî
£¬½µµÍΣº¦¡¢ïÔÌ­×ʲú̻¶£»

3¡¢¿ªÆô²¡¶¾ÊµÊ±¼à²â¹¦Ð§
£¬¿ÉÓÐÓÃÔ¤·ÀºÍ²éɱ¸ÃÀÕË÷²¡¶¾¡£

ËÄ¡¢BevictorΰµÂ½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³ÉèÖÃ

1¡¢Éý¼¶×îÐÂÍþвÇ鱨¿â
£¬¿ªÆôÍþвÇ鱨¶ñÒâÎļþ¼ì²âºÍ²¶»ñ¹¦Ð§
£¬ÊµÊ±¼ì²âºÍ²¶»ñÍøÂçÖеÄÀÕË÷²¡¶¾£»

2¡¢¿ªÆôÍþвÇ鱨ÈÕÖ¾¼Í¼ºÍ±¨¾¯¹¦Ð§£»

3¡¢¿ÉÉèÖÃÅÔ·×è¶Ï»òÕßBevictorΰµÂ·À»ðǽÁª¶¯
£¬×èµ²ÀÕË÷²¡¶¾ÍøÂçÈö²¥¡£

Îå¡¢BevictorΰµÂ²¡¶¾¹ýÂËÍø¹Ø·ÀÓùÉèÖÃ

1¡¢Éý¼¶µ½×îв¡¶¾ÌØÕ÷¿â£»

2¡¢¿ªÆôHTTP¡¢POP3¡¢SMTP¡¢FTP¡¢IMAPµÈЭÒéµÄ²¡¶¾É¨Ãè¼ì²â£»

3¡¢ÉèÖò¡¶¾¼ì²â´¦Öóͷ£Õ½ÂÔ;

4¡¢¿ªÆôÈÕÖ¾¼Í¼ºÍ±¨¾¯¹¦Ð§¡£

BevictorΰµÂ²úÆ·»ñÈ¡·½·¨

BevictorΰµÂÏÂÒ»´ú·À»ðǽ¡¢¹ýÂËÍø¹Ø¡¢½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³µÈ²úÆ·ÌØÕ÷¿âÏÂÔصØÖ·: ftp://ftp.topsec.com.cn

BevictorΰµÂ×Ô˳ӦÇå¾²·ÀÓùϵͳ¡¢BevictorΰµÂEDRÆóÒµ°æÊÔÓ㺿Éͨ¹ýBevictorΰµÂ¸÷µØ·Ö¹«Ë¾»ñÈ¡¡£ÅÌÎÊÍøÖ·£º

http://www.topsec.com.cn/contact/

BevictorΰµÂEDRµ¥»ú°æÏÂÔصØÖ·£ºhttp://edr.topsec.com.cn