{"id":48067,"date":"2017-03-16T09:00:13","date_gmt":"2017-03-16T01:00:13","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=48067"},"modified":"2017-03-07T11:22:06","modified_gmt":"2017-03-07T03:22:06","slug":"ratankba%e5%85%a5%e4%be%b5%e6%94%bb%e6%93%8a%e7%9b%ae%e6%a8%99%e7%b6%93%e5%b8%b8%e7%80%8f%e8%a6%bd%e7%9a%84%e5%90%88%e6%b3%95%e7%b6%b2%e7%ab%99%e9%87%9d%e5%b0%8d%e4%bc%81%e6%a5%ad%e7%99%bc%e5%8b%95","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=48067","title":{"rendered":"RATANKBA\u5165\u4fb5\u653b\u64ca\u76ee\u6a19\u7d93\u5e38\u700f\u89bd\u7684\u5408\u6cd5\u7db2\u7ad9,\u91dd\u5c0d\u4f01\u696d\u767c\u52d5\u5927\u898f\u6a21\u6c34\u5751\u653b\u64ca,\u53f0\u7063\u4e5f\u53d7\u5f71\u97ff"},"content":{"rendered":"

\u5728\u4e8c\u6708\u521d\uff0c\u6709\u591a\u5bb6\u91d1\u878d\u6a5f\u69cb\u901a\u5831\u51fa\u73fe\u60e1\u610f\u8edf\u9ad4\u611f\u67d3\uff0c\u800c\u4e14\u986f\u7136\u4f86\u6e90\u662f\u5408\u6cd5\u7db2\u7ad9\u3002\u9019\u4e9b\u653b\u64ca\u4ee5\u5165\u4fb5\u53d7\u4fe1\u4efb\u7684\u7db2\u7ad9\u4f86\u611f\u67d3\u5404\u7522\u696d\u5167\u88ab\u9396\u5b9a\u4f01\u696d\u7684\u7cfb\u7d71, \u662f\u5927\u898f\u6a21\u653b\u64ca\u6d3b\u52d5\u7684\u4e00\u90e8\u5206\u3002\u9019\u7a2e\u7b56\u7565\u901a\u5e38\u88ab\u7a31\u70ba\u300c\u6c34\u5751\uff08watering hole\uff09<\/a>\u300d\u653b\u64ca\u3002<\/p>\n

\u6700\u8fd1\u5c0d\u6ce2\u862d\u9280\u884c\u9032\u884c\u7684\u9023\u4e32\u60e1\u610f\u8edf\u9ad4\u653b\u64ca<\/a>\uff0c\u64da\u5831<\/a>\u6703\u5728\u7d42\u7aef\u6a5f\u8ddf\u4f3a\u670d\u5668\u4e0a\u51fa\u73fe\u672a\u77e5\u7684\u60e1\u610f\u8edf\u9ad4\uff0c\u9084\u6709\u53ef\u7591\u3001\u52a0\u5bc6\u7684\u7a0b\u5f0f\/\u53ef\u57f7\u884c\u6a94\uff0c\u66f4\u52a0\u5f15\u4eba\u6ce8\u610f\u7684\u662f\u4e0d\u5c0b\u5e38\u7684\u7db2\u8def\u6d3b\u52d5\u3002\u4e2d\u6bd2\u7cfb\u7d71\u6703\u9023\u5230\u4e0d\u5c0b\u5e38\u7684\u4f4d\u7f6e\uff0c\u53ef\u80fd\u662f\u8981\u6697\u6e21\u9673\u6ec4\u5c07\u5165\u4fb5\u55ae\u4f4d\u7684\u6a5f\u5bc6\u8cc7\u6599\u9001\u81f3\u8a72\u8655\u3002<\/p>\n

\u8da8\u52e2\u79d1\u6280\u767c\u73fe\u5099\u53d7\u95dc\u6ce8\u7684\u60e1\u610f\u8edf\u9ad4RATANKBA,\u4e0d\u50c5\u8ddf\u5c0d\u6ce2\u862d\u9280\u884c\u7684\u60e1\u610f\u8edf\u9ad4\u653b\u64ca\u6709\u95dc\uff0c\u800c\u4e14\u9084\u6d89\u53ca\u58a8\u897f\u54e5\u3001\u70cf\u62c9\u572d\u3001\u82f1\u570b\u548c\u667a\u5229\u91d1\u878d\u6a5f\u69cb\u6240\u767c\u751f\u7684\u985e\u4f3c\u4e8b\u4ef6<\/a>\u3002\u5b83\u5982\u4f55\u611f\u67d3\u53d7\u5bb3\u8005\uff1f\u6709\u6c92\u6709\u5176\u4ed6\u60e1\u610f\u8edf\u9ad4\u53c3\u8207\u5176\u4e2d\uff1f\u9019\u653b\u64ca\u6d3b\u52d5\u662f\u5426\u771f\u7684\u8ddf\u4fc4\u7f85\u65af\u7db2\u8def\u72af\u7f6a\u96c6\u5718\u6709\u95dc\uff1f\u4e0d\u904e\u6839\u64da\u6211\u5011\u5728\u60e1\u610f\u8edf\u9ad4\u5167\u6240\u770b\u5230\u7684\u4fc4\u6587\uff0c\u6211\u5011\u8a8d\u70ba\u9019\u53ea\u662f\u7528\u4f86\u6df7\u6dc6\u653b\u64ca\u8005\u771f\u9762\u76ee\u7684\u507d\u88dd\u624b\u6cd5\u3002<\/p>\n

\u53f0\u7063\u4e5f\u53d7\u5230\u5f71\u97ff<\/strong><\/p>\n

\u9280\u884c\u4e26\u4e0d\u662f\u552f\u4e00\u7684\u76ee\u6a19\uff1b\u4e5f\u6709\u96fb\u4fe1\u3001\u7ba1\u7406\u8aee\u8a62\u3001\u8cc7\u8a0a\u6280\u8853\u3001\u4fdd\u96aa\u3001\u822a\u592a\u3001\u6559\u80b2\u7b49\u4f01\u696d\u53d7\u5bb3\u3002\u6b64\u5916\uff0c\u653b\u64ca\u6d3b\u52d5\u4e26\u975e\u50c5\u5c40\u9650\u65bc\u5317\u7f8e\u548c\u6b50\u6d32\uff0c\u4e00\u4e9b\u4e9e\u592a\u5730\u5340\uff0c\u7279\u5225\u662f\u53f0\u7063\u3001\u9999\u6e2f\u548c\u4e2d\u570b\u4e5f\u53d7\u5230\u5f71\u97ff\u3002<\/strong><\/p>\n

\u5728\u6b64\u63d0\u4f9b\u9032\u4e00\u6b65\u7684\u5206\u6790\u548c\u898b\u89e3\uff0c\u53ef\u4ee5\u88dc\u5145\u5176\u4ed6\u95dc\u65bc\u6b64\u4e00\u5a01\u8105\u7684\u7814\u7a76\u3002<\/p>\n

<\/p>\n

 <\/p>\n

\u57161<\/em>\u3001\u95dc\u65bcRATANKBA<\/em>\u7684\u53ef\u80fd\u611f\u67d3\u6d41\u7a0b<\/em><\/p>\n

<\/p>\n

\u611f\u67d3\u6d41\u7a0b<\/em><\/strong><\/p>\n

\u9019\u500b\u653b\u64ca\u6d3b\u52d5\u5c31\u5982\u540c\u6211\u5011\u5728\u53d7\u5bb3\u7684\u6ce2\u862d\u9280\u884c\u6240\u770b\u5230\uff0c\u6709\u8a31\u591a\u653b\u64ca\u93c8\u3002\u6240\u4f7f\u7528\u7684\u5de5\u5177\u548c\u6280\u8853\u90fd\u5e38\u88ab\u7528\u5728\u91dd\u5c0d\u6027\u653b\u64ca\/\u9396\u5b9a\u76ee\u6a19\u653b\u64ca(Targeted attack )<\/a>\uff0c\u56e0\u70ba\u5176\u6a6b\u5411\u79fb\u52d5\u548c\u5075\u5bdf\u7b49\u5143\u7d20\u3002\u653b\u64ca\u8005\u5229\u7528\u4e86\u300c\u6c34\u5751\uff08watering hole\uff09<\/a>\u300d\u653b\u64ca\uff0c\u5165\u4fb5\u653b\u64ca\u76ee\u6a19\u6240\u7d93\u5e38\u700f\u89bd\u7684\u5408\u6cd5\u4e14\u53d7\u4fe1\u4efb\u7684\u7db2\u7ad9\u3002\u9019\u4e9b\u7db2\u7ad9\u88ab\u6ce8\u5165\u60e1\u610fJavaScript\u7a0b\u5f0f\u78bc\uff0c\u6703\u8fa8\u8b58\u700f\u89bd\u5668\u5143\u4ef6\u4e26\u5f9e\u4ed6\u5011\u7684\u60e1\u610f\u8edf\u9ad4\u548c\u6f0f\u6d1e\u653b\u64ca\u5957\u4ef6\u7cfb\u7d71\u8f09\u5165\u6f0f\u6d1e\u653b\u64ca\u78bc\uff0c\u5176\u4e2d\u6709\u4e9b\u4e5f\u53ef\u80fd\u662f\u88ab\u99ed\u7684\u7db2\u7ad9\u3002<\/p>\n

\u611f\u67d3\u904e\u7a0b\u6709\u591a\u500b\u968e\u6bb5\uff0c\u6d89\u53ca\u4e86\u591a\u7a2e\u60e1\u610f\u8edf\u9ad4\uff0c\u6700\u7d42\u7684\u60e1\u610f\u8edf\u9ad4\u53ea\u6703\u6d3e\u9001\u7d66\u4ed6\u5011\u611f\u8208\u8da3\u7684\u76ee\u6a19\u3002\u4f7f\u7528\u4e86\u4e0d\u540c\u7684\u547d\u4ee4\u548c\u63a7\u5236\uff08C&C\uff09\u4f3a\u670d\u5668\u3002\u6709\u4e9b\u662f\u88ab\u99ed\u7db2\u7ad9\u4f5c\u70ba\u4ee3\u7406\u7a0b\u5f0f\u4f86\u9023\u5230\u653b\u64ca\u8005\u7684\u57fa\u790e\u8a2d\u65bd\u3002<\/p>\n

\u5728\u4e00\u500b\u6211\u5011\u89c0\u5bdf\u5230\u7684\u4f8b\u5b50\u4e2d\uff0c\u539f\u5148\u53d7\u5bb3\u8005\u611f\u67d3\u7684\u60e1\u610f\u8edf\u9ad4RATANKBA\uff08TROJ_RATANKBA.A<\/a>\uff09\u6703\u9023\u5230\u4e00\u500b\u88ab\u99ed\u7684\u5408\u6cd5\u7db2\u7ad9\uff08eye-watch[.]in:443<\/em>\uff0c\u4e00\u500b\u884c\u52d5\u61c9\u7528\u7a0b\u5f0f\u92b7\u552e\u7db2\u7ad9\uff09\uff0c\u4e0b\u8f09\u4e00\u500b\u99ed\u5ba2\u5de5\u5177\uff08nbt_scan.exe\uff09\u3002\u8a72\u7db2\u57df\u4e5f\u8b8a\u6210\u4f5c\u70baC&C\u901a\u8a0a\u4e4b\u7528\u7684\u653b\u64ca\u6d3b\u52d5\u5e73\u53f0\u3002<\/p>\n

\u60e1\u610f\u5206\u5b50\u5229\u7528RATANKBA<\/strong>\u4f86\u9032\u884c\u52d8\u67e5\u6d3b\u52d5<\/strong>\uff0c\u5b83\u6703\u6aa2\u8996\u5bbf\u4e3b\u57f7\u884c\u4e2d\u7684\u4efb\u52d9\u3001\u7db2\u57df\u3001\u5171\u4eab\u8cc7\u6599\u593e\u3001\u4f7f\u7528\u8005\u8cc7\u8a0a\uff0c\u5bbf\u4e3b\u662f\u5426\u6709\u9810\u8a2d\u7684\u7db2\u8def\u9023\u7dda\u7b49\u7b49\u3002<\/p>\n

<\/p>\n

\u57162<\/em>\u3001RATANKBA<\/em>\u6aa2\u8996\u7cfb\u7d71\u7684\u5404\u500b\u65b9\u9762<\/em><\/p>\n

 <\/p>\n

\u503c\u5f97\u6ce8\u610f\u7684\u662fRATANKBA\u9084\u6703\u5c0b\u627e\u611f\u8208\u8da3\u7684\u7279\u5b9aIP\u5730\u5740\u7bc4\u570d\uff1a<\/p>\n

<\/p>\n

\u57163<\/em>\u3001RATANKBA<\/em>\u5c0b\u627e\u7279\u5b9aIP<\/em>\u7bc4\u570d<\/em><\/p>\n

 <\/p>\n

\u8da8\u52e2\u79d1\u6280<\/a>\u5c0d\u99ed\u5ba2\u5de5\u5177\uff08HKTL_NBTSCAN.GA<\/a>\u548cHKTL_NBTSCAN.GB<\/a>\uff09\u7684\u5206\u6790\u986f\u793a\u5b83\u662f\u6703\u6383\u63cf\u7db2\u8def\u4f86\u53d6\u5f97NetBIOS\u8cc7\u8a0a\uff08\u5982IP\u5730\u5740\u3001NetBIOS\u96fb\u8166\u540d\u7a31\u3001\u5df2\u767b\u5165\u4f7f\u7528\u8005\u548cMAC\u5730\u5740\uff09\u7684\u547d\u4ee4\u5217\u5de5\u5177\uff0c\u52a0\u4e0a\u4e00\u4e9b\u4f86\u81eaRATAKNBA\u521d\u59cb\u5b89\u88dd\u6642\u7684\u8cc7\u8a0a\u3002\u60e1\u610f\u5206\u5b50\u73fe\u5728\u53ef\u4ee5\u7d50\u5408\u9019\u4e9b\u8cc7\u8a0a\u52a0\u4e0a\u4e00\u4efd\u4f7f\u7528\u8005\u540d\u7a31\u548c\u5bc6\u78bc\u5217\u8868\u548cIP\u5730\u5740\u7bc4\u570d\u4f86\u7528\u4ed6\u5011\u7684\u65b9\u5f0f\u66b4\u529b\u7834\u89e3\u6574\u500b\u7db2\u8def\uff08\u900f\u904eNetBIOS\uff09\u3002<\/p>\n

<\/p>\n

\u57164<\/em>\u3001\u99ed\u5ba2\u5de5\u5177\u7684\u547d\u4ee4\u884c\u8aaa\u660e<\/em><\/p>\n

 <\/p>\n

\u4e00\u65e6\u9023\u7dda\u6210\u529f\uff0c\u9019\u500b\u99ed\u5ba2\u5de5\u5177\u6703\u8a66\u5716\u5c07\u653b\u64ca\u8005\u96fb\u8166\u4e0a\u7684calc.exe\u8907\u88fd\u5230\u76ee\u6a19\u96fb\u8166\u7684\u7db2\u8def\u5206\u4eab\uff08C$\uff09\u4f86\u6e2c\u8a66\u662f\u5426\u53ef\u4ee5\u900f\u904e\u7db2\u8def\u5206\u4eab\u50b3\u9001\u6a94\u6848\uff0c\u63a5\u8457\u53ef\u80fd\u662f\u6e2c\u8a66\u6240\u4f7f\u7528\u6191\u8b49\u662f\u5426\u5177\u6709\u7ba1\u7406\u54e1\u6b0a\u9650\u3002\u5b83\u63a5\u8457\u6703\u8a18\u9304\u4e2d\u6bd2\u96fb\u8166\u7684IP\u5730\u5740\u3001\u4f7f\u7528\u8005\u3001\u7db2\u57df\u3001\u4e3b\u6a5f\u540d\u7a31\u3001\u4f5c\u696d\u7cfb\u7d71\u548cService Pack\u4ee5\u53ca\u66b4\u529b\u653b\u64ca\u6240\u4f7f\u7528\u6210\u529f\u7684\u4f7f\u7528\u8005\u540d\u7a31\u548c\u5bc6\u78bc\u3002\u65e5\u8a8c\u63a5\u8457\u6703\u88ab\u8a18\u9304\u5728\u8a72\u6a94\u6848\u6700\u521d\u57f7\u884c\u7684\u76ee\u9304\u3002<\/p>\n

\u6709\u4e86RATANKBA\u4f86\u7684\u8cc7\u8a0a\u52a0\u4e0aHKTL_NBTSCAN\u6210\u529f\/\u5931\u6557\u7684\u7d50\u679c\uff0c\u60e1\u610f\u5206\u5b50\u73fe\u5728\u53ef\u4ee5\u4efb\u610f\u5730\u5c07\u6700\u7d42\u60e1\u610f\u8edf\u9ad4\u90e8\u7f72\u5230\u611f\u8208\u8da3\u7684\u7cfb\u7d71\u4e0a\u3002\u9280\u884c\u6728\u99ac\uff08TSPY_BANKER.NTE<\/a>\uff09\u662fRATANKBA\u7684\u6700\u7d42\u60e1\u610f\u8edf\u9ad4\u4e4b\u4e00\u3002<\/p>\n

\u653b\u64ca\u8005\u6240\u4f7f\u7528\u7684\u4e00\u4e9b\u88ab\u99ed\u7db2\u7ad9\u6703\u63d0\u4f9b\u60e1\u610f\u8edf\u9ad4\u548c\u53ef\u7591\/\u60e1\u610f\u6a94\u6848\uff0c\u5305\u62ec\uff1a<\/p>\n

 <\/p>\n