{"id":12094,"date":"2015-04-28T09:00:35","date_gmt":"2015-04-28T01:00:35","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=12094"},"modified":"2015-04-30T17:01:55","modified_gmt":"2015-04-30T09:01:55","slug":"apt-%e6%94%bb%e6%93%8a%e6%9c%89%e4%bd%95%e8%ae%8a%e5%8c%96","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=12094","title":{"rendered":"APT \u653b\u64ca\u6709\u4f55\u8b8a\u5316?\u653f\u5e9c\u6a5f\u95dc\u4f9d\u7136\u662fAPT \u653b\u64ca\u6700\u611b,\u53f0\u7063\u5217\u5165\u71b1\u9580\u76ee\u6a19"},"content":{"rendered":"<p>2014 \u5e74\u662f<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">\u300c\u9032\u968e\u6301\u7e8c\u6027\u6ef2\u900f\u653b\u64ca\u300d\uff08Advanced Persistent Threat\uff0c\u4ee5\u4e0b\u7c21\u7a31APT\u653b\u64ca\uff09<\/a>\u624b\u6cd5\u66f4\u52a0\u7cbe\u9032\u7684\u4e00\u5e74\u3002\u96a8\u8457\u8d8a\u4f86\u8d8a\u591a\u4f01\u696d\u5347\u7d1a\u5230\u65b0\u7248\u7684 Windows \u4f5c\u696d\u7cfb\u7d71\uff0c\u6211\u5011\u767c\u73fe\u6709\u4e9b\u653b\u64ca\u884c\u52d5\u4e5f\u958b\u59cb\u63a1\u7528\u66f4\u591a\u7684 64 \u4f4d\u5143\u60e1\u610f\u7a0b\u5f0f\u3002\u9019\u985e 64 \u4f4d\u5143\u60e1\u610f\u7a0b\u5f0f\u7684\u7bc4\u4f8b\u5305\u62ec\uff1a<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/web-attack\/139\/havex-targets-industrial-control-systems\">HAVEX<\/a> (\u4e00\u7a2e RAT \u9060\u7aef\u5b58\u53d6\u6728\u99ac\u7a0b\u5f0f\uff0c\u7528\u65bc\u5c08\u9580\u91dd\u5c0d\u5de5\u696d\u63a7\u5236\u7cfb\u7d71\u7684\u653b\u64ca) \u4ee5\u53ca <a href=\"https:\/\/blog.trendmicro.com.tw\/?p=10654\">WIPALL<\/a> (Sony Pictures \u906d\u99ed\u4e8b\u4ef6\u7684\u4e3b\u89d2)\u3002<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/APT04221.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12250\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/APT04221.png\" alt=\"APT \u653b\u64ca\u6709\u4f55\u8b8a\u5316?\u653f\u5e9c\u6a5f\u95dc\u4f9d\u7136\u662fAPT \u653b\u64ca\u6700\u611b,\u53f0\u7063\u5217\u5165\u71b1\u9580\u76ee\u6a19\" width=\"574\" height=\"300\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/APT04221.png 1200w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/APT04221-300x157.png 300w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/APT04221-1024x535.png 1024w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/APT04221-800x418.png 800w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/APT04221-600x314.png 600w\" sizes=\"(max-width: 574px) 100vw, 574px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2013\/09\/apt.jpg\"><br \/>\n<\/a><\/p>\n<p>\u96a8\u8457\u6b79\u5f92\u8f49\u9032\u65b0\u7684 Windows \u7248\u672c\uff0c\u4ed6\u5011\u4e5f\u958b\u59cb\u5728\u653b\u64ca\u7576\u4e2d\u5229\u7528\u4e00\u4e9b\u6b63\u5e38\u7684\u5de5\u5177\u548c\u529f\u80fd\u3002Windows PowerShell\u00ae \u5c31\u662f\u4e00\u500b\u4f8b\u5b50\uff0c\u9019\u662f Windows 7 \u958b\u59cb\u63d0\u4f9b\u7684\u4e00\u500b\u529f\u80fd\uff0c\u53ef\u8b93\u7cfb\u7d71\u7ba1\u7406\u54e1\u4e0d\u9700\u900f\u904e\u5716\u5f62\u4f7f\u7528\u8005\u4ecb\u9762 (GUI) \u5c31\u80fd\u64cd\u4f5c\u7cfb\u7d71\u7684\u4e00\u4e9b\u529f\u80fd\u3002\u6b79\u5f92\u4f7f\u7528 PowerShell \u6307\u4ee4\u4f86\u4e0b\u8f09\u60e1\u610f\u6a94\u6848\uff0c\u4e26\u4e14\u8d8a\u904e\u6a94\u6848\u57f7\u884c\u7ba1\u5236\u539f\u5247\u4f86\u57f7\u884c\u4e0b\u8f09\u7684\u60e1\u610f\u6a94\u6848\u3002<\/p>\n<p>\u6b64\u5916\uff0c\u9084\u6709\u4e00\u500b\u6587\u4ef6\u6f0f\u6d1e\u653b\u64ca\u7bc4\u672c TROJ_MDROP.TRX <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/template-document-exploit-found-in-several-targeted-attacks\/\">\u4e5f\u51fa\u73fe\u5728\u591a\u8d77APT\u653b\u64ca\u7576\u4e2d<\/a>\u3002\u6b64\u6f0f\u6d1e\u653b\u64ca\u7bc4\u672c\u5f88\u53ef\u80fd\u5df2\u5728\u5730\u4e0b\u5e02\u5834\u4e0a\u8ca9\u552e\u53ca\u6563\u5e03\uff0c\u56e0\u70ba\u5b83\u66fe\u51fa\u73fe\u5728\u591a\u9805\u653b\u64ca\u884c\u52d5\u7576\u4e2d\u3002\u6b79\u5f92\u53ea\u9700\u4fee\u6539\u9019\u500b\u6f0f\u6d1e\u653b\u64ca\u7bc4\u672c\u4f86\u914d\u5408\u5176\u76ee\u7684\u5373\u53ef\u3002<\/p>\n<p>\u6839\u64da<a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u7684\u8cc7\u6599\uff0c.RTF \u548c .DOC \u6a94\u6848\u662f\u6700\u5e38\u88ab\u4f7f\u7528\u7684\u96fb\u5b50\u90f5\u4ef6\u9644\u4ef6\u6a94\u6848\uff0c\u9019\u5f88\u53ef\u80fd\u662f\u56e0\u70ba Microsoft Word\u00ae \u5728\u4efb\u4f55\u4f01\u696d\u53ca\u6a5f\u69cb\u90fd\u6703\u7528\u5230\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2015\/04\/2014-attack-trends-1.png\" alt=\"\" width=\"550\" height=\"333\" \/><br \/>\n<em>\u5716 1\uff1a2014 \u5e74\u9396\u5b9aAPT \u653b\u64ca\u6700\u5e38\u7528\u7684\u96fb\u5b50\u90f5\u4ef6\u9644\u4ef6\u6a94\u6848\u985e\u578b<\/em><\/p>\n<p><strong><em>\u653b\u64ca\u6240\u4f7f\u7528\u7684\u65b0\u820a\u6f0f\u6d1e<\/em><\/strong><\/p>\n<p>2014 \u5e74\u7684\u9396\u5b9a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT \u653b\u64ca<\/a>\u4f7f\u7528\u4e86\u591a\u500b\u96f6\u6642\u5dee\u6f0f\u6d1e\u3002\u4f8b\u5982\uff0c\u5169\u500b\u91dd\u5c0d <a href=\"https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2014-1761\">CVE-2014-1761<\/a>\u00a0\u6f0f\u6d1e\u7684 <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/targeted-attack-against-taiwanese-agencies-used-recent-microsoft-word-zero-day\/\">Taidoor \u76f8\u95dc\u96f6\u6642\u5dee\u6f0f\u6d1e\u653b\u64ca<\/a>\uff0c\u8972\u64ca\u4e86\u53f0\u7063\u7684\u4e00\u4e9b\u653f\u5e9c\u6a5f\u95dc\u548c\u67d0\u500b\u6559\u80b2\u6a5f\u69cb\uff0c\u5176\u4fee\u88dc\u7a7a\u7a97\u671f\u7dad\u6301\u4e86 15 \u5929\u3002\u653b\u64ca\u65b0\u7684\u6f0f\u6d1e\u6bd4\u653b\u64ca\u820a\u7684\u6f0f\u6d1e\u6548\u679c\u66f4\u597d\uff0c\u56e0\u70ba\u5ee0\u5546\u5c1a\u672a\u91cb\u51fa\u4fee\u88dc\u7a0b\u5f0f\u3002\u96f6\u6642\u5dee\u6f0f\u6d1e\u7d93\u5e38\u8b93\u5ee0\u5546\u53ca\u4e00\u822c\u53d7\u5bb3\u8005\u624b\u5fd9\u8173\u4e82\u3002<\/p>\n<p>\u7136\u800c\uff0c\u6b79\u5f92\u4e26\u672a\u56e0\u70ba\u4f7f\u7528\u65b0\u7684\u6f0f\u6d1e\u5c31\u653e\u68c4\u5229\u7528\u820a\u7684\u6f0f\u6d1e\u3002\u4e8b\u5be6\u4e0a\uff0c\u653b\u64ca\u820a\u7684\u6f0f\u6d1e\u53ef\u4ee5\u6536\u5230\u56fa\u5b9a\u7684\u6210\u6548\uff0c\u800c\u4e14\u6b79\u5f92\u53ea\u9700\u5229\u7528\u4e00\u4e9b\u53ef\u8f15\u6613\u8cb7\u5230\u4e14\u7d93\u904e\u9577\u671f\u9a57\u8b49\u7684\u6f0f\u6d1e\u653b\u64ca\u5de5\u5177\u5373\u53ef\u3002<\/p>\n<p>\u5118\u7ba1\u00a0<a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms12-027.aspx\">MS12-027<\/a>\u8cc7\u8a0a\u5b89\u5168\u516c\u544a\u5df2\u4fee\u6b63\u4e86\u00a0<a href=\"https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2012-0158\">CVE-2012-0158<\/a>\u00a0\u6f0f\u6d1e\uff0c\u4f46\u6b64\u6f0f\u6d1e\u4ecd\u662f\u99ed\u5ba2\u7684\u6700\u611b\u3002\u4e0d\u4f46\u5982\u6b64\uff0c\u5b83\u9084\u662f 2014 \u4e0a\u534a\u5e74\u9396\u5b9aAPT \u653b\u64ca\u6700\u5e38\u5229\u7528\u7684\u6f0f\u6d1e\u3002\u6700\u6709\u540d\u7684\u4f8b\u5b50\u5c31\u662f <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/plead-targeted-attacks-against-taiwanese-government-agencies-2\/\">PLEAD<\/a>\u00a0 \u548c\u00a0 <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/operation-pawn-storm-the-red-in-sednit\/\">Pawn Storm<\/a>\uff0c\u9019\u5169\u9805\u653b\u64ca\u884c\u52d5\u90fd\u662f\u5229\u7528\u9019\u500b\u6f0f\u6d1e\u4f86\u6ef2\u900f\u76ee\u6a19\u7db2\u8def\u3002<\/p>\n<p><strong><em>\u5168\u7403\u554f\u984c<\/em><\/strong><\/p>\n<p>\u653f\u5e9c\u6a5f\u95dc\u4f9d\u7136\u662f 2014 \u5e74\u9396\u5b9a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT \u653b\u64ca<\/a> \u6700\u611b\u7684\u5c0d\u8c61\u3002\u4e0d\u904e\u5728\u4e0b\u534a\u5e74\uff0c\u8edf\u786c\u9ad4\u516c\u53f8\u3001\u6d88\u8cbb\u6027\u96fb\u5b50\u7522\u54c1\u88fd\u9020\u5546\u4ee5\u53ca\u91ab\u7642\u7167\u8b77\u6a5f\u69cb\u906d\u5230\u9396\u5b9a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT \u653b\u64ca<\/a> \u7684\u6b21\u6578\u4e5f\u7a81\u7136\u7ac4\u5347\u3002<\/p>\n<p>\u6b64\u5916\uff0c\u6211\u5011\u4e5f\u7d71\u8a08\u4e86\u8207\u5e55\u5f8c\u64cd\u7e31\u4f3a\u670d\u5668\u901a\u8a0a\u7684\u53d7\u5bb3\u76ee\u6a19\u5728\u5168\u7403\u7684\u5206\u5e03\u72c0\u6cc1\u3002\u5982\u4ee5\u4e0b\u5730\u5716\u4e2d\u7684\u71b1\u5340\u986f\u793a\uff0c\u7f8e\u570b\u3001\u4fc4\u7f85\u65af\u548c\u4e2d\u570b\u4e0d\u518d\u662f\u6b79\u5f92\u552f\u4e00\u7684\u6700\u611b\uff0c\u5176\u4ed6\u71b1\u9580\u7684\u76ee\u6a19\u9084\u6709\u53f0\u7063\u3001\u5357\u97d3\u3001\u6cd5\u570b\u8207\u5fb7\u570b\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2015\/04\/2014-attack-trends-2a.png\" alt=\"\" width=\"550\" height=\"410\" \/><br \/>\n<em>\u5716 2\uff1a2014 \u5e74\u8207\u9396\u5b9aAPT \u653b\u64ca\u5e55\u5f8c\u64cd\u7e31\u4f3a\u670d\u5668\u901a\u8a0a\u6700\u591a\u7684\u570b\u5bb6 (\u9ede\u4e00\u4e0b\u5f71\u50cf\u53ef\u653e\u5927\u6aa2\u8996)<\/em><\/p>\n<p><strong><em>\u8ddf\u4e0a\u5a01\u8105\u7684\u8173\u6b65<\/em><\/strong><\/p>\n<p>\u6709\u9451\u65bc\u9396\u5b9a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT \u653b\u64ca<\/a> \u6578\u91cf\u4e0d\u65b7\u589e\u52a0\u3001\u767c\u52d5\u653b\u64ca\u7684\u56f0\u96e3\u5ea6\u4e0d\u65b7\u4e0b\u964d\u3001\u9632\u79a6\u7684\u56f0\u96e3\u5ea6\u4e0d\u65b7\u4e0a\u5347\uff0c\u7db2\u8def\u5b89\u5168\u4eba\u54e1\u6700\u91cd\u8981\u7684\u662f\u5f9e\u9810\u9632\u5230\u5075\u6e2c\u7684\u5fc3\u614b\u8f49\u8b8a\u3002\u4e5f\u5c31\u662f\u8aaa\uff0c\u4f01\u696d\u5fc5\u9808\u63a5\u53d7<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT \u653b\u64ca<\/a> \u52e2\u5fc5\u653b\u9677\u5176\u7db2\u8def\u7684\u4e8b\u5be6\uff0c\u56e0\u6b64\uff0c\u4efb\u4f55\u9ed1\u540d\u55ae\u7684\u6a5f\u5236\u90fd\u5c07\u7121\u6cd5\u904f\u6b62\u6709\u5fc3\u7684\u99ed\u5ba2\u3002<\/p>\n<p>\u5efa\u7acb\u5a01\u8105\u60c5\u5831\u662f\u5c0d\u6297\u9396\u5b9aAPT \u653b\u64ca\u7684\u91cd\u8981\u95dc\u9375\u3002\u900f\u904e\u5916\u754c\u7684\u5404\u7a2e\u5831\u544a\u4ee5\u53ca\u5167\u90e8\u7684\u6b77\u53f2\u8a18\u9304\u548c\u5373\u6642\u76e3\u63a7\u8cc7\u6599\u4f86\u4e86\u89e3\u6b79\u5f92\u6240\u7528\u7684\u5de5\u5177\u3001\u6280\u5006\u53ca\u624b\u6cd5\uff0c\u80fd\u6709\u52a9\u65bc\u5efa\u7acb\u5f37\u5927\u7684\u5165\u4fb5\u6307\u6a19 (Indicators of Compromise\uff0c\u7c21\u7a31 IoC) \u8cc7\u6599\u5eab\uff0c\u9019\u5c07\u6210\u70ba\u4f01\u696d\u63a1\u53d6\u884c\u52d5\u7684\u57fa\u790e\u3002\u4f46\u4f01\u696d\u4e0d\u61c9\u50c5\u6b62\u65bc\u4e86\u89e3\u9019\u985e\u653b\u64ca\uff0c\u9084\u61c9\u5efa\u7acb\u53ca\u8a13\u7df4\u4e00\u4e9b\u4e8b\u4ef6\u61c9\u8b8a\u5718\u968a\uff0c\u4e26\u4e14\u6559\u80b2\u54e1\u5de5\u3001\u5408\u4f5c\u5925\u4f34\u4ee5\u53ca\u4e0a\u4e0b\u6e38\u5ee0\u5546\u8a8d\u8b58\u793e\u4ea4\u5de5\u7a0b\u6280\u5de7\u8207\u8cc7\u8a0a\u5b89\u5168\u7684\u6982\u5ff5\uff0c\u4ee5\u964d\u4f4e\u9396\u5b9a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT \u653b\u64ca<\/a> \u7684\u76f8\u95dc\u98a8\u96aa\u3002<\/p>\n<p><em>\u5982\u9700\u8a73\u7d30\u7684\u8aaa\u660e\uff0c\u8acb\u53c3\u95b1\u6211\u5011\u7684<\/em><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/rpt-targeted-attack-trends-annual-2014-report-v2-APT-fix.pdf\"><strong><em>\u9396\u5b9aAPT \u653b\u64ca\u8da8\u52e2\uff1a2014 \u5e74\u5ea6\u5831\u544a<\/em><\/strong><\/a>\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2015\/04\/rpt-targeted-attack-trends-annual-2014-report-v2-APT-fix.pdf\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/www.trendmicro.com\/vinfo\/resources\/images\/tex\/research-reports\/2014-targeted-attack-campaign-report_ai.jpg\" alt=\"\" width=\"210\" height=\"270\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>\u539f\u6587\u51fa\u8655\uff1a <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/how-targeted-attacks-changed-in-2014\/\">https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/how-targeted-attacks-changed-in-2014\/<\/a><br \/>\n<iframe loading=\"lazy\" style=\"border: none; overflow: hidden; width: 350px; height: 62px;\" src=\"https:\/\/www.facebook.com\/plugins\/likebox.php?id=255176705131&amp;width=350&amp;connections=0&amp;stream=false&amp;header=false&amp;height=62\" width=\"300\" height=\"150\" frameborder=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>2014 \u5e74\u662f\u300c\u9032\u968e\u6301\u7e8c\u6027\u6ef2\u900f\u653b\u64ca\u300d\uff08Advanced Persistent Threat\uff0c\u4ee5\u4e0b\u7c21\u7a31APT\u653b\u64ca [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[10,906,195],"tags":[45,357,1817,2280,1008],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/12094"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12094"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/12094\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12094"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12094"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12094"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}