×ðÁú¿­Ê±

֤ȯ¼ò³Æ£º×ðÁú¿­Ê± ֤ȯ´úÂ룺002212
È«Ììºò7x24Сʱ·þÎñ£º 400-777-0777

Ô¶¿ØľÂí¡°BADNEWS¡±Éý¼¶ÔÙÏÖ£¬×ðÁú¿­Ê±Çå¾²·ÀÓù¼Æ»®ËÙËÙ°²ÅÅ£¡

¾«×¼ÍµÏ®BADNEWSľÂí£¬×ðÁú¿­Ê±ÏÂÒ»´ú·À»ðǽ¡¢EDR¡¢½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³¡¢ÈëÇÖ¼ì²âϵͳ¡¢ÈëÇÖ·ÀÓùϵͳ¡¢²¡¶¾¹ýÂËÍø¹Ø¾ù¿É¼ì²â²¢·ÀÓù£¬¿ìÀ´Éý¼¶°É~

Ô¶¿ØľÂí¡°BADNEWS¡±Éý¼¶ÔÙÏÖ£¬×ðÁú¿­Ê±Çå¾²·ÀÓù¼Æ»®ËÙËÙ°²ÅÅ£¡

Ðû²¼Ê±¼ä£º2023-05-15
ä¯ÀÀ´ÎÊý£º4645
·ÖÏí£º

¿ËÈÕ£¬×ðÁú¿­Ê±Ììè¯ÊµÑéÊÒÔÚÒ»Ñùƽ³£Çå¾²ÔËÓªÖз¢Ã÷ÍâÑóºÚ¿Í×éÖ¯Patchwork½«BADNEWSÔ¶¿ØľÂíαװ³ÉPDFµÄlnkÎļþ¾ÙÐÐÔ˶¯¡£±¾´Î·¢Ã÷µÄBADNEWSÔ¶¿ØľÂí£¬²î±ðÓÚ֮ǰ°æ±¾Ê¹ÓÃHTTPЭÒéÉÏ´«Ö÷»úÐÅÏ¢ºÍÎüÊÕÔ¶¿ØÖ¸Á¶øÊǽÓÄÉHTTPSͨѶ£¬¸üΪÒþ²Ø¡£

Patchwork£¬Ó¡¶È×ÅÃûºÚ¿Í×éÖ¯£¬ÓÖ³ÆHangOver¡¢VICEROY TIGER¡¢The Dropping Elephant¡¢Ä¦Ú­²Ý£¨APT-C-09£©£¬¸Ã×éÖ¯Ö÷ÒªÕë¶ÔÑÇÖÞ¹ú¼Ò£¨µØÇø£©µÄÕþ¸®»ú¹¹¡¢¿ÆÑнÌÓýµÈÁìÓò¾ÙÐÐÍøÂçÌع¤Ô˶¯£¬ÒÔÇÔÈ¡Ãô¸ÐÐÅϢΪÖ÷¡£

ÏÖÔÚ×ðÁú¿­Ê±Ììè¯ÊµÑéÊÒÒÑÆÊÎöÌáÈ¡³öBADNEWSľÂíÌØÕ÷£¬ÂÄÀúÖ¤£¬×ðÁú¿­Ê±ÏÂÒ»´ú·À»ðǽ¡¢EDR¡¢½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³¡¢ÈëÇÖ¼ì²âϵͳ¡¢ÈëÇÖ·ÀÓùϵͳ¡¢²¡¶¾¹ýÂËÍø¹Ø¾ù¿É׼ȷ¼ì²â¸ÃľÂíµÄÈö²¥¼°Ô˶¯ÐÐΪ£¬ÌṩÖÜÈ«µÄ±£»¤²½·¥£¬ÓÐÓÃ×èֹΣº¦½øÒ»²½ÉìÕÅ¡£

ÑùÌìÖ°Îö

1¡¢¸ÃÑù±¾ºó׺ÃûΪ.pdf.lnk£¬ÏÖʵΪlnkÎļþ£¬Ë«»÷ÔËÐкó»áÖ´ÐÐÎļþÖеÄPowerShellÏÂÁî¡£lnkÎļþ»á´Óshhh2564.b-cdn.net/abc.pdfÏÂÔØÓÕ¶üÎļþ²¢·­¿ª£¬½Ó×Å´Óshhh2564.b-cdn.net/cÏÂÔØÎļþµ½C:\ProgramData\Microsoft\DeviceSync\p£¬½«pÎļþ¸´ÖÆΪͬ·¾¶ÏµÄOneDrive.exe£¬²¢É¾³ýpÎļþ£¬×îºó½¨ÉèÍýÏëʹÃüÿ¸ô1·ÖÖÓÖ´ÐÐOneDrive.exe¡£

2¡¢OneDrive.exe¾ÍÊÇBADNEWSÔ¶¿ØľÂí£¬Ê¹ÓÃC++ÓïÑÔ±àд£¬±àÒëÓÚ4ÔÂ6ÈÕ¡£

3¡¢¸ÃÔ¶¿ØÔËÐкóÊ×ÏÈÒþ²ØÔËÐд°¿Ú¡£

4¡¢½¨É軥³âÌåÃûΪ¡°qzex¡±£¬°ü¹ÜľÂí×ÔÉíµ¥ÊµÀýÔËÐС£

5¡¢Ê¹ÓÃSetWindowsHookExW×¢²á¼üÅ̹³×Ó£¬½«²¶»ñµ½µÄ¼üÅ̼ͼÒÔÎı¾µÄ·½·¨ÉúÑÄÔÚ%temp%Ŀ¼ÏµÄkednfbdnfby.datÎļþÖС£

6¡¢»ñÈ¡Êܺ¦Ö÷»úµÄʱÇøÃû³Æ£¬¼ì²éÊÇ·ñΪÖйú±ê׼ʱÇø¡£

7¡¢Èô¼ì²âЧ¹ûΪÖйú±ê׼ʱÇø½«ÍøÂçϵͳÐÅÏ¢ÉÏ´«ÖÁ·þÎñÆ÷¡£

¢Ù »ñÈ¡²Ù×÷ϵͳ°æ±¾ÐÅÏ¢¡£

¢ÚʹÓÃÕý³£µÄWeb·þÎñ£¨myexternalip.com£¬ api.ipify.org£¬ifconfig.me£©»ñÈ¡Ö÷»úIPÍâÍøµØµã¡£

¢Û½«ÉÏÒ»²½»ñÈ¡µ½µÄÍâÍøIPµØµãÔÚ£¨api.iplocation.net£¬ipapi.coµÈ£©Web·þÎñÖÐÅÌÎÊËùÊô¹ú¼ÒµÄÃû³Æ¡£

¢Ü½«»ñÈ¡µÄÐÅÏ¢base64±àÂëºó¾ÙÐÐAES-128µÄCBCģʽ¼ÓÃÜ£¬×îºó½«¼ÓÃܺóµÄÊý¾ÝÔÙ¾ÙÐÐbase64±àÂë¡£AES-128¼ÓÃÜʹÓõÄÃÜԿΪ¡°qgdrbn8kloiuytr3¡±£¬IVΪ¡°feitrt74673ngbfj¡±¡£

¢ÝÏêϸÍøÂçµÄÊܺ¦Ö÷»ú»ù±¾ÐÅÏ¢ÈçÏÂ±í£º

8¡¢½Ó×Å»ñÈ¡CreateThreadº¯ÊýµØµã£¬½¨Éè3¸öÏß³ÌÓë·þÎñÆ÷ͨѶ£¬ÉÏ´«Ö÷»úÐÅÏ¢ÎüÊÕÔ¶¿ØÖ¸Áî¡£

¢Ù»ñÈ¡CreateThreadº¯ÊýµØµã£¬½¨Éè3¸öÏ̡߳£

¢ÚC2µØµãΪ£ºcharliezard.shop:443£¬uriΪ/tagpdjjarzajgt/cooewlzafloumm.php£¬Í¨Ñ¶ÄÚÈÝ»áʹÓÃAES-128¼ÓÃÜÊý¾Ý¡£

¢ÛÏß³Ìsub_409900ÈÏÕ潫ÍøÂçµ½µÄÐÅϢʹÓÃPOST·½·¨·¢Ë͸øC2£¬ÄÚÈÝΪÍøÂçµÄϵͳÐÅÏ¢¼ÓÃÜÊý¾Ý¡£

¢ÜÏß³Ìsub_4090A0Ö÷ÒªÎüÊÕ·þÎñÆ÷Ï·¢µÄ¿ØÖÆÖ¸ÁִÐÐÏìÓ¦µÄ²Ù×÷¡£

¢ÝÏß³Ìsub_409440½¨ÉècmdÀú³ÌÖ´ÐÐwhoamiÏÂÁî¡¢ipconfig /allÏÂÁî¡¢ipconfig /displaydnsÏÂÁî¡¢systeminfoÏÂÁî¡¢tasklistÏÂÁî¡£ÍøÂçÄ¿½ñÓû§Ãû¡¢ÍêÕûÍøÂçÉèÖÃÐÅÏ¢¡¢DNS»º´æÐÅÏ¢¡¢ÍêÕûϵͳÐÅÏ¢¡¢ÕýÔÚÖ´ÐеÄÀú³ÌÐÅÏ¢ºó£¬Ê¹ÓÃAES-128¼ÓÃÜÊý¾Ý£¬Ìí¼Óµ½endfh²ÎÊý·¢Ë͵½C2¡£

Ñù±¾IOCÁбí

·À»¤½¨Òé

Ó¦ÓÃÈí¼þÏÂÔØÇëͨ¹ý¹Ù·½ÍøÕ¾»ñÈ¡£¬×èֹͨ¹ýµÚÈý·½ÍøÕ¾ÏÂÔØ£¬ÏÂÔØÎļþ·­¿ªÇ°£¬ÌáǰʹÓÃɱ¶¾Èí¼þ²éɱ¡£

ʵʱ¹Ø±Õ¿Í»§¶ËÉϲ»ÐëÒªµÄÎļþ¹²ÏíȨÏÞÒÔ¼°¶Ë¿Ú¡£

ÉèÖøßÇ¿¶ÈÃÜÂëÈÏÖ¤£¬½¨Òé¿ÚÁ¶ÈΪ16λ¼°ÒÔÉÏ£¬°üÀ¨¾Þϸд×Öĸ¡¢Êý×ֺͷûºÅÔÚÄÚµÄ×éºÏ¡£×èÖ¹¶à¸öÕË»§Ê¹ÓÃÏàͬ¿ÚÁîÒÔ¼°Èõ¿ÚÁ²¢°´ÆÚÌæ»»¡£

°´ÆÚ¶ÔϵͳÕö¿ª»ùÏß¼ì²é£¬×éÖ¯Éø͸²âÊÔ¼°Çå¾²¼Ó¹Ì£¬²¢ÊµÊ±¸üвÙ×÷ϵͳ¡¢¿ªÔ´Èí¼þ¡¢µÚÈý·½Ó¦ÓóÌÐò²¹¶¡µÈ¡£

¹ºÖÃ×ðÁú¿­Ê±ÏÂÒ»´ú·À»ðǽ¡¢EDR¡¢½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³¡¢ÈëÇÖ¼ì²âϵͳ¡¢ÈëÇÖ·ÀÓùϵͳ¡¢²¡¶¾¹ýÂËÍø¹ØϵͳµÄ¿Í»§£¬¿ÉÒÔͨ¹ýÉý¼¶½©Ê¬Ö÷»ú¹æÔò¿â¡¢ÍþвÇ鱨¿â¡¢²¡¶¾ÌØÕ÷¿â¾ÙÐÐÓÐÓüà²â·À»¤¡£

×ðÁú¿­Ê±²úÆ··ÀÓùÉèÖÃ

1¡¢×ðÁú¿­Ê±ÏÂÒ»´ú·À»ðǽϵͳ·ÀÓùÉèÖÃ

1£©Éý¼¶µ½×îв¡¶¾ÌØÕ÷¿â£¬ÉèÖò¡¶¾·À»¤Õ½ÂÔ£¬¿ªÆôÈÕÖ¾¼Í¼ºÍ±¨¾¯¹¦Ð§£»

2£©Í¨¹ý»á¼û¿ØÖÆÕ½ÂÔ½ûÓò»ÐëÒªµÄ¶Ë¿Ú¡¢·þÎñ£¬ËõС×ʲú̻¶Ã棬½µµÍѬȾΣº¦£»

3£©¿ªÆôÈõ¿ÚÁî·À»¤¡¢±©Á¦Æƽâ·À»¤¹¦Ð§£¬¿ÉÓÐÓýµµÍ¿ÚÁîÆƽâΣº¦£»

4£©¿ªÆôÁª¶¯¹¦Ð§£¬»ñÈ¡×ðÁú¿­Ê±EDRϵͳ¡¢²¡¶¾¹ýÂËÍø¹Ø¡¢½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³µÈ²úÆ·¼ì²âЧ¹û£¬ÊµÊ±×èµ²Èö²¥/ѬȾԴ£¬¿ØÖÆÍøÂçÈö²¥¹æÄ££»

5£©¿ªÆô×ʲú·À»¤¹¦Ð§£¬ÆôÓÃ×ʲúÐÐΪ»ùÏß¹¦Ð§£¬Í¨¹ý¼ì²â×ʲúÒì³£ÐÐΪ£¬¿Éʵʱ·¢Ã÷Òþ²Ø¹¥»÷ÐÐΪ²¢ÆôÓÃÕ½ÂÔ¾ÙÐÐ×è¶Ï¡£

2¡¢×ðÁú¿­Ê±EDRϵͳ·ÀÓùÉèÖÃ

1£©¿ªÆô²¡¶¾ÊµÊ±¼à¿Ø¹¦Ð§£¬ÓÐÓÃÔ¤·ÀºÍ²éɱ¸Ã²¡¶¾£»

2£©Í¨¹ý΢¸ôÀëÕ½ÂÔÔöÇ¿»á¼û¿ØÖÆ£¬½µµÍºáÏòѬȾΣº¦£»

3£©½¨ÉèÖÜÆÚɨÃèʹÃü£¬×¼Ê±¶ÔÖ÷»ú¾ÙÐÐÖÜÈ«ÕûÀí£¬Ïû³ýÇå¾²Òþ»¼¡£

3¡¢×ðÁú¿­Ê±½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³¡¢ÈëÇÖ¼ì²âϵͳÉèÖÃ

1£©Éý¼¶×îн©Ê¬Ö÷»ú¹æÔò¿â£¬ÉèÖý©Ê¬Ö÷»úÕ½ÂÔ£¬ÊµÊ±¼ì²âľÂíµÄÒ쳣ͨѶ£»

2£©Éý¼¶×îÐÂÍþвÇ鱨¿â£¬¿ªÆôÍþвÇ鱨¶ñÒâÎļþ¼ì²âºÍ²¶»ñ¹¦Ð§£¬ÊµÊ±¼ì²âºÍ²¶»ñÍøÂçÖÐÈö²¥µÄľÂí£»

3£©¿ªÆô½©Ê¬Ö÷»ú¡¢ÍþвÇ鱨ÈÕÖ¾¼Í¼ºÍ¸æ¾¯¹¦Ð§£»

4£©¿ÉÉèÖÃÅÔ·×è¶Ï»òÕß×ðÁú¿­Ê±·À»ðǽÁª¶¯£¬×赲ľÂíµÄÒ쳣ͨѶºÍÍøÂçÈö²¥¡£

4¡¢×ðÁú¿­Ê±ÈëÇÖ·ÀÓùϵͳÉèÖÃ

1£©Éý¼¶×îн©Ê¬Ö÷»ú¹æÔò¿â£¬ÉèÖý©Ê¬Ö÷»úÕ½ÂÔ£¬ÊµÊ±¼ì²â¡¢×赲ľÂíµÄÒ쳣ͨѶ£»

2£©Éý¼¶×îÐÂÍþвÇ鱨¿â£¬¿ªÆôÍþвÇ鱨¶ñÒâÎļþ×è¶ÏºÍ²¶»ñ¹¦Ð§£¬ÊµÊ±¼ì²â¡¢×èµ²¼°²¶»ñÍøÂçÖÐÈö²¥µÄľÂí£»

3£©¿ªÆô½©Ê¬Ö÷»ú¡¢ÍþвÇ鱨ÈÕÖ¾¼Í¼ºÍ¸æ¾¯¹¦Ð§¡£

5¡¢×ðÁú¿­Ê±²¡¶¾¹ýÂËÍø¹Ø·ÀÓùÉèÖÃ

1£©Éý¼¶µ½×îв¡¶¾ÌØÕ÷¿â£»

2£©µ¼ÈëHTTPSÖ¤Ê飻

3£©¿ªÆôHTTP¡¢POP3¡¢SMTP¡¢FTP¡¢IMAPµÈЭÒéµÄ²¡¶¾É¨Ãè¼ì²â£»

4£©ÉèÖò¡¶¾¼ì²â´¦Öóͷ£Õ½ÂÔ£»

5£©¿ªÆôÈÕÖ¾¼Í¼ºÍ±¨¾¯¹¦Ð§¡£

×ðÁú¿­Ê±²úÆ·»ñÈ¡·½·¨

×ðÁú¿­Ê±ÏÂÒ»´ú·À»ðǽ¡¢²¡¶¾¹ýÂËÍø¹Ø¡¢½©Ê¬ÍøÂçľÂíºÍÈä³æ¼à²âÓë´¦Öóͷ£ÏµÍ³¡¢ÈëÇÖ¼ì²âϵͳ¡¢ÈëÇÖ·ÀÓùϵͳµÈ²úÆ·ÌØÕ÷¿âÏÂÔصصã: ftp://ftp.topsec.com.cn

×ðÁú¿­Ê±EDRÆóÒµ°æÊÔÓãº×ðÁú¿­Ê±Ììϸ÷·ÖÖ§»ú¹¹»ñÈ¡£¨ÅÌÎÊÍøÖ·£º

http://www.topsec.com.cn/contact/£©

×ðÁú¿­Ê±EDRµ¥»ú°æÏÂÔصص㣺http://edr.topsec.com.cn

Òªº¦´Ê±êÇ©£º
×ðÁú¿­Ê± Çå¾²·ÀÓù¼Æ»® Ô¶¿ØľÂí¡°BADNEWS¡±
¿Í»§·þÎñÈÈÏß

400-777-0777
7*24Сʱ·þÎñ

ÁªÏµÓÊÏä

servicing@topsec.com.cn

ɨÂë¹Ø×¢
ÍøÕ¾µØͼ