Welcome back, my greenhorn cyberwarriors!
For those of you who are new to Mr. Robot, Elliot Alderson is an asocial IT security engineer who teams up with a group of hackers (f/society) determined to use their hacking skills to make a better world. They were able to seriously damage the data of the world's largest holder of consumer and student debt, Evil Corp. Elliot, played brilliantly by Rami Malek, suffers from delusions involving his late father, played by Christian Slater. As season two begins, Elliot is trying to "recover" and get a grip on his delusions while staying with his mother, while the world financial system is reeling from a global financial crisis brought on by the f/society hack of Evil Corp.
In this series of articles, rather than recount the story details of this excellent TV series, I'll attempt to show how each of the realistic hacks in this show is done. We had two major hacks in this first episode: the ransomware against Evil Corp and the SmartHome hack of Evil Corp's General Counsel.
Ransomware
In this first episode of Season 2, f/society was able to infect Evil Corp's data with ransomware (if you look closely, it's CryptoWall). Ransomware is a type of malware that has become very popular in recent years. After infecting the victim's computer, it encrypts their data, making it unusable. The victim can only recover their data after paying a ransom to get the key to decrypt it. Typically, the ransoms are relatively small, usually in the $300-500 range, but there have been cases where hospitals and other large institutions have paid $20,000 or more. In the case of the Colonial Pipeline attack in 2021, the ransom was $5 million, about the same as f/society's here.
Let's take a look at an example of some actual ransomware that was captured in the wild to better understand how it works. All ransomware tends to function similarly. To understand how the f/society ransomware works, let's look at Chimera, a variant of the ransomware genre of malware found in Germany.
Using Chimera as an Example
Most ransomware has been used against consumers, but Chimera, like the f/society ransomware, has been used to attack businesses in Germany. Since most ransomware works similarly, let's use it as a model for how f/society encrypted the data and ransomed Evil Corp for $5.9m!
In this analysis, I'll summarize how Chimera works, leaving out some steps for the sake of brevity. If you would like a copy of Chimera to conduct your own thorough analysis, I've posted it in my Pastebin account here.
Step 1: Delivering the Malware
Like most of the ransomware that has appeared in recent years, Chimera was delivered by email, likely with a social engineering component to get someone to click on a link or a file (in this episode, Darlene uses the Social Engineering Toolkit in Kali to load the ransomware onto a flash drive). Chimera was written in .NET.
In this first stage, Chimera initially delivers an executable stub to the victim, whose only job is to call, decrypt, and decode the second stage payload.
Step 2: The AES Algorithm
The second stage is the encrypted and encoded payload that contains a method that is clearly an AES encryption algorithm. Very likely, f/society would have it run in multiple threads to speed up the process. Considering the fact that Evil Corp has petabytes of data, encrypting all of it would take some time.
Step 3: Mapping to Memory
In the next stage, Chimera manually maps its processes to memory. This is very likely done to bypass the ASLR and DEP protections that are built into Windows and other operating systems. These protections randomize where a process will be in memory, making it harder to implement a buffer overflow, since the malware cannot predict the location of the pointer. By manually mapping the process to memory, the malware makes it more likely that it will function as expected.
Step 4: Find a 32-Bit Process to Host
Next, Chimera goes through every Windows process looking for a 32-bit process that can host its payload, and then opens it.
Step 5: Finding the Local IP
Next, this ransomware goes out and finds the public IP of the machine it has infected by using www.whatismyipaddress.com. It then stores that value in a variable.
Step 6: Call Back to Command & Control Servers
Once Chimera has the IP of the infected host, it calls out to its command and control (C&C) servers. In this case, those servers are at 95.165.168.168 and 158.222.211.81.
Chimera uses Bitmessage to communicate via a P2P protocol on ports 8444 and 8080. Bitmessage is a secure, encrypted P2P messaging system that enables a single person to send messages to one or many recipients. You can see in the screenshot below that Chimera calls the Bitmessage client PyBitmessage.
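As an added, defender-side example (my code, not from the article or from Chimera itself), here is a small Python detector that flags the two C&C addresses and the Bitmessage peer port from this step in firewall log lines. The log line format and the sample lines are constructed assumptions, not a real product's format.

```python
import re

# C2 addresses named in the Chimera write-up above
CHIMERA_C2 = {"95.165.168.168", "158.222.211.81"}

# Constructed sample firewall log lines (not real traffic). The line format
# is an assumption: "<ts> <action> src=<ip>:<port> dst=<ip>:<port> proto=<p>"
SAMPLE_LOG = """\
2016-07-13T10:01:02Z ALLOW src=10.0.5.17:51234 dst=93.184.216.34:443 proto=tcp
2016-07-13T10:01:09Z ALLOW src=10.0.5.17:51240 dst=95.165.168.168:8444 proto=tcp
2016-07-13T10:02:15Z ALLOW src=10.0.5.22:51301 dst=203.0.113.9:8080 proto=tcp
2016-07-13T10:02:40Z DENY  src=10.0.5.17:51250 dst=158.222.211.81:8080 proto=tcp
2016-07-13T10:03:01Z ALLOW src=10.0.5.30:51400 dst=198.51.100.7:8444 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify(line):
    """Return (severity, reason) for one log line, or None if it is benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    if dst in CHIMERA_C2:
        # Any contact with the listed C2 hosts, allowed or denied, is a hit
        return ("high", f"{m['src']} contacted known Chimera C2 {dst}:{dport}")
    if dport == 8444:
        # Bitmessage's peer port is rare on corporate egress; 8080 alone is
        # too common (proxies, dev servers) to alert on by itself
        return ("medium", f"{m['src']} used Bitmessage port 8444 to {dst}")
    return None


def scan(log_text):
    """Run classify() over every line; return [(timestamp, severity, reason)]."""
    alerts = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            alerts.append((line.split()[0], *hit))
    return alerts


if __name__ == "__main__":
    for ts, sev, why in scan(SAMPLE_LOG):
        print(f"{ts} [{sev}] {why}")
```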
Step 7: Browse & Find Hard Drives, Then Files
Next, the malware must find the hard drives where the data is stored. It needs to browse each of the logical drives and then store those locations in a variable for later use in the encryption process.
Step 8: Get Random Key
Now that this ransomware has successfully taken over a 32-bit process, mapped itself to memory to avoid ASLR, and enumerated the hard drives, it needs to call back to its command and control server to get a random key with which to encrypt the files.
Once the random key has been obtained from the command and control server, Chimera calls the function from Step #2 above, the AES encryption algorithm, and begins to encrypt critical files.
Before it begins the encryption, it looks for the following file types:
.jpg, .jpeg, .xml, .xsl, .wps, .cmf, .vbs, .accdb, .ini, .cdr, .svg, .conf, .config, .wb2, .msg, .azw, .azw1, .azw3, .azw4, .lit, .apnx, .mobi, .p12, .p7b, .p7c, .pfx, .pem, .cer, .key, .der, .mdb, .htm, .html, .class, .java, .asp, .aspx, .cgi, .php, .jsp, .bak, .dat, .pst, .eml, .xps, .sqllite, .sql, .jar, .wpd, .crt, .csv, .prf, .cnf, .indd, .numbers, .pages, .x3f, .srw, .pef, .raf, .rf, .nrw, .nef, .mrw, .mef, .kdc, .dcr, .crw, .eip, .fff, .iiq, .k25, .crwl, .bay, .sr2, .ari, .srf, .arw, .cr2, .raw, .rwl, .rw2, .r3d, .3fr, .eps, .pdd, .dng, .dxf, .dwg, .psd, .png, .jpe, .bmp, .gif, .tiff, .gfx, .jge, .tga, .jfif, .emf, .3dm, .3ds, .max, .obj, .a2c, .dds, .pspimage, .yuv, .3g2, .3gp, .asf, .asx, .mpg, .mpeg, .avi, .mov, .flv, .wma, .wmv, .ogg, .swf, .ptx, .ape, .aif, .av, .ram, .m3u, .movie, .mp1, .mp2, .mp3, .mp4, .mp4v, .mpa, .mpe, .mpv2, .rpf, .vlc, .m4a, .aac, .aa3, .amr, .mkv, .dvd, .mts, .vob, .3ga, .m4v, .srt, .aepx, .camproj, .dash, .zip, .rar, .gzip, .mdk, .mdf, .iso, .bin, .cue, .dbf, .erf, .dmg, .toast, .vcd, .ccd, .disc, .nrg, .nri, .cdi
These file types are likely critical to the business operation. They are graphics files, spreadsheet files, database files, backup files, email files, Java files, audio files, movie files, and encryption keys. Without them, the business is crippled.
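As an added example (my code, not from the article or from the malware), here is a Python script that inventories files of the targeted types listed above and flags those whose contents already look like AES ciphertext. It uses byte entropy plus a magic-byte check so intact JPEG/PNG/ZIP files are not mistaken for encrypted ones; the directory contents are constructed and the extension set is a subset of the list above.

```python
import math
import os
import tempfile
from collections import Counter

# Subset of the extensions Chimera targets (from the list above)
TARGETED = {".jpg", ".xml", ".accdb", ".pem", ".key", ".mdb", ".sql", ".csv",
            ".bak", ".pst", ".psd", ".zip", ".png", ".dbf", ".iso"}
# High-entropy-when-intact formats keep their magic bytes; ciphertext does not
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".zip": b"PK"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for AES output, far lower for text or office docs."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_tree(root, threshold=7.5, sample=65536):
    """Return (targeted_count, suspicious_paths); suspicious = targeted files
    whose leading bytes look like ciphertext and lack their format's magic."""
    targeted, suspicious = 0, []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in TARGETED:
                continue
            targeted += 1
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(sample)
            if ext in MAGIC and head.startswith(MAGIC[ext]):
                continue  # still a real JPEG/PNG/ZIP, not ciphertext
            if len(head) >= 1024 and shannon_entropy(head) >= threshold:
                suspicious.append(path)
    return targeted, suspicious

def build_sample_tree():
    """Constructed demo data (not real Chimera output): a plaintext CSV, an
    intact PNG header plus random bytes, and random bytes posing as a photo."""
    root = tempfile.mkdtemp(prefix="chimera-demo-")
    with open(os.path.join(root, "ledger.csv"), "w") as fh:
        fh.write("id,amount\n" + "".join(f"{i},{i * 3}\n" for i in range(500)))
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + os.urandom(4096))
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(os.urandom(4096))
    return root
```

Compressed formats without a MAGIC entry (.iso, .psd and the like) will also score high when intact, so add their signatures or tune the threshold per format before running this across a file share.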
Step 9: Ransom Request
Finally, Chimera makes a ransom request to the business owner. Note that the browser and its related files are exempt from the encryption, so that the browser can be used to request the ransom and receive the payment.
I hope this helps you understand how f/society was able to ransom Evil Corp for $5.9 million. I'll attempt to demonstrate each hack from season 2, so keep coming back to Hackers-Arise, my greenhorn hackers!
For more on ransomware, check out:
1. Build Your Own Ransomware
2. The History and Evolution of Ransomware