{"id":10948,"date":"2015-01-21T10:58:55","date_gmt":"2015-01-21T02:58:55","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=10948"},"modified":"2015-01-21T10:59:47","modified_gmt":"2015-01-21T02:59:47","slug":"plugx%e6%83%a1%e6%84%8f%e8%bb%9f%e9%ab%94%e5%87%ba%e7%8f%be%e5%9c%a8%e5%ae%98%e6%96%b9%e7%89%88%e6%9c%ac%e7%9a%84%e8%8b%b1%e9%9b%84%e8%81%af%e7%9b%9f%e5%92%8c%e6%b5%81%e4%ba%a1%e9%bb%af%e9%81%93","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=10948","title":{"rendered":"PlugX Malware Found in Official Releases of League of Legends and Path of Exile"},"content":{"rendered":"<p>At Taiwan's information security conference, the <a href=\"https:\/\/hitcon.org\/2014\/\">Hacks in Taiwan Conference (HITCON)<\/a>, <a href=\"https:\/\/blog.hitcon.org\/2015\/01\/2015-hitcon-freetalk.html\">an attack targeting several online games was presented<\/a>. The official releases of two popular online games were found to be compromised and to download malware onto the system. HITCON and Trend Micro worked together to provide a <a href=\"https:\/\/www.trendmicro.tw\/tw\/security\/plugxgame\/index.html\">removal tool<\/a> to potential victims of this attack wave. Trend Micro then worked with the affected game vendors to resolve the incident.<\/p>\n<p><a href=\"https:\/\/t.rend.tw\/?i=MzQ0MQ==\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-10851\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/01\/Plugx.gif\" alt=\"Plugx\" width=\"1200\" height=\"627\" \/><\/a><\/p>\n<p><strong><em>Compromised official releases<\/em><\/strong><\/p>\n<p>The games used in this attack wave are the online games League of Legends (LoL) and Path of Exile. Variants of the remote access trojan (RAT) PlugX appeared in the official releases of these games, apparently targeting users in specific Asian countries.<\/p>\n<p>The infection chain is triggered by downloading the legitimate installer or updating the game. The compromised game launcher drops three files:<\/p>\n<ul>\n<li>the legitimate game launcher<\/li>\n<li>a \"cleaner\" that overwrites the compromised version with the legitimate launcher<\/li>\n<li>a dropper that installs the PlugX files<\/li>\n<\/ul>\n<p>The cleaner can be seen as a way of covering the traces of the malicious activity. In the end, the victim is left with only two malicious files, <em>NtUserEx.dll<\/em> and <em>NtUserEx.dat<\/em> (both detected as BKDR_PLUGX.ZTBL-EC).<\/p>\n<p>PlugX allows remote attackers to perform malicious and data-theft actions without the user's permission or authorization. PlugX variants often <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-wave-of-plugx-targets-legitimate-apps\/\">target legitimate applications<\/a>, so abusing these games is not a new technique. One notable difference is that this PlugX variant creates its own autostart service rather than relying on the service of the legitimate application.<\/p>\n<p>A closer inspection reveals the string \"Cooper\" inside the malware. In another <a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT campaign<\/a>, the name \"Lee Cooper\" was used to register command-and-control (C&amp;C) servers, which suggests that the same group may be behind both campaigns.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2015\/01\/Figure01_Cooper.jpg\" alt=\"\" width=\"500\" height=\"415\" \/><\/p>\n<p><em>Figure 1. The \"Cooper\" string can be found in the malware<\/em><\/p>\n<p>Checking its certificate, we also noticed that the hash of the suspicious file is valid, meaning a \"signing tool\" was used to match the hash of the compromised file. On the other hand, the legitimate game launcher carries an invalid digital signature.<\/p>\n<p><strong><em>Tracing the source<\/em><\/strong><\/p>\n<p>These compromised official releases can be traced to Garena, an online game distributor in Asia. Garena has partnerships with game companies such as Riot Games, S2 Games and Electronic Arts, giving it exclusive distribution rights for certain games.<\/p>\n<p>In an <a href=\"https:\/\/lol.garena.tw\/news\/news_info.php?nid=2530\">official statement<\/a>, Garena said that \"the computers and patch servers were infected with a trojan. As a result, all League of Legends and Path of Exile game programs were infected.\"<\/p>\n<p><strong><em>Taiwan and Singapore most affected<\/em><\/strong><\/p>\n<p>Based on our analysis, it appears that only the Taiwanese versions of League of Legends and Path of Exile were affected. Feedback data from the <a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">Trend Micro<\/a> <a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=1244&amp;name=20090817\">Smart Protection Network<\/a> also supports this finding. However, we also saw victims from other Asian countries (such as Thailand, Malaysia and Hong Kong).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2015\/01\/Figure02_piechart02.jpg\" alt=\"\" width=\"626\" height=\"369\" \/><\/p>\n<p><em>Figure 3. Affected countries<\/em><\/p>\n<p><!--more--><\/p>\n<p>Analysis of the C&amp;C activity shows that all of these countries accessed the C&amp;C server. The malware activity stopped shortly after Garena published its official announcement.<\/p>\n<p><strong><em>Protecting gamers<\/em><\/strong><\/p>\n<p>The installers on the Garena website and other related links have now been confirmed clean as of December 29, 2014. Trend Micro has released a <a href=\"https:\/\/t.rend.tw\/?i=MzQ0MQ==\">removal tool<\/a> for the related infection for players to use. Garena also recommended the following steps to protect player accounts:<\/p>\n<ul>\n<li>Update the game<\/li>\n<li>Scan the computer with a security solution<\/li>\n<li>Change the account password<\/li>\n<li>Use the two-step verification provided by Garena<\/li>\n<\/ul>\n<p>Trend Micro detects and blocks all related threats.<\/p>\n<p>Hashes of the related files:<\/p>\n<ul>\n<li>f920e6b34fb25f54c5f9b9b3a85dca6575708631 (FO3Launcher.exe)<\/li>\n<li>bd33a49347ef6b175fb9bdbf2b295763e79016d6 (NtUserEx.dll)<\/li>\n<li>f3eabaf2d7c21994cd2d79ad8a6c0acf610bbf78 (NtUserEx.dat)<\/li>\n<\/ul>\n<p><strong><em>Additional analysis by Jimmy Hung, Marco Dela Vega, MingYen Hsieh, Nancy Chuang, Razor Huang, Tim Yeh and Vico Fang<\/em><\/strong><\/p>\n<p>Original source: <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/plugx-malware-found-in-official-releases-of-league-of-legends-path-of-exile\/\">PlugX Malware Found in Official Releases of League of Legends, Path of Exile<\/a>, by <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/author\/bensons\/\">Benson Sy (Threat Analyst)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>At Taiwan's information security conference, the Hacks in Taiwan Conference (HITCON), an attack targeting several online games was presented. The official releases of two popular online games [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[10,456],"tags":[1884,1915,1916,1917,692,2310,780],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/10948"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10948"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/10948\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}