{"id":50711,"date":"2017-07-11T09:00:33","date_gmt":"2017-07-11T01:00:33","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=50711"},"modified":"2017-07-03T15:38:55","modified_gmt":"2017-07-03T07:38:55","slug":"%e8%b3%87%e6%96%99%e5%81%b7%e7%ab%8a%e8%bb%9f%e9%ab%94%e6%94%bb%e6%93%8a%e4%bb%a5%e8%89%b2%e5%88%97%e9%86%ab%e9%99%a2","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=50711","title":{"rendered":"\u8cc7\u6599\u5077\u7aca\u8edf\u9ad4\u653b\u64ca\u4ee5\u8272\u5217\u91ab\u9662"},"content":{"rendered":"

\u6377\u5f91\uff08LNK\uff09\u6a94\u8d8a\u4f86\u8d8a\u88ab\u7db2\u8def\u72af\u7f6a\u5206\u5b50\u6240\u611b\u7528<\/a>\u3002\u8da8\u52e2\u79d1\u6280<\/a>\u5df2\u7d93\u770b\u5230\u8a31\u591a\u5a01\u8105\u5229\u7528\u60e1\u610fLNK\u6a94\u6848\uff1a\u5f9e\u77e5\u540d\u7684\u52d2\u7d22\u75c5\u6bd2\u5bb6\u65cf<\/a>\u3001\u5e38\u7528\u65bc\u91dd\u5c0d\u6027\u653b\u64ca<\/a>\u7684\u5f8c\u9580\u7a0b\u5f0f<\/a>\uff0c\u4ee5\u53ca\u9280\u884c\u6728\u99ac<\/a>\uff0c\u4e00\u76f4\u5230\u5783\u573e\u90f5\u4ef6<\/a>\uff0c\u751a\u81f3\u662f\u91dd\u5c0dLNK\u672c\u8eab\u6f0f\u6d1e\u7684\u653b\u64ca\u78bc<\/a>\u3002\u9019\u4e9b\u60e1\u610f\u5a01\u8105\u901a\u5e38\u6703\u5229\u7528\u5408\u6cd5\u5de5\u5177\u8b93\u60c5\u6cc1\u8b8a\u5f97\u66f4\u56b4\u91cd\uff0c\u5982\u6feb\u7528PowerShell<\/a>\u6216\u662f\u8173\u672c\u81ea\u52d5\u5316\u5de5\u5177AutoIt<\/a>\u3002\u6240\u4ee5\u7576\u6211\u5011\u5728\u4ee5\u8272\u5217\u91ab\u9662\u5075\u6e2c\u5230\u6709\u8cc7\u6599\u7aca\u53d6\u7a0b\u5f0f\u5229\u7528LNK\u6a94\u4e5f\u5c31\u7d72\u6beb\u4e0d\u5947\u602a\u4e86\u3002<\/p>\n

\u91ab\u7642\u6a5f\u69cb\u88ab\u8a8d\u70ba\u662f\u7db2\u8def\u72af\u7f6a\u5206\u5b50\u7684\u6416\u9322\u6a39<\/a>\uff0c\u56e0\u70ba\u5177\u5099\u4e86\u5229\u6f64\u8c50\u539a\u7684\u4f86\u6e90 \u2013 \u64c1\u6709\u53ef\u4ee5\u5728\u5730\u4e0b\u5e02\u5834\u8ca8\u5e63\u5316\u7684\u500b\u4eba\u8eab\u4efd\u8cc7\u6599<\/a>\u3002\u7d93\u904e\u521d\u6b65\u8abf\u67e5\u986f\u793a\uff0c\u4efb\u4f55\u700f\u89bd\u5668\u76f8\u95dc\u8cc7\u8a0a\uff08\u5982\u767b\u9304\u6191\u8b49\uff09\u90fd\u53ef\u4ee5\u88ab\u5077\u8d70\uff0c\u9019\u5c0d\u53ef\u4ee5\u7528\u700f\u89bd\u5668\u64cd\u4f5c\u7684\u7ba1\u7406\u7cfb\u7d71\u548c\u61c9\u7528\u7a0b\u5f0f\u4f86\u8aaa\u76f8\u7576\u91cd\u8981\u3002<\/p>\n

<\/p>\n

\u8da8\u52e2\u79d1\u6280<\/a>\u770b\u5230\u5b83\u8a66\u5716\u9032\u5165\u7cfb\u7d71\u548c\u5340\u57df\u7db2\u8def\u5167\u7684\u5206\u4eab\u8cc7\u6599\u593e\u3002\u53e6\u4e00\u500b\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u5b83\u7d50\u5408\u4e86\u8815\u87f2\u7684\u6563\u64ad\u80fd\u529b\u4ee5\u53ca\u96b1\u8eab\u80fd\u529b\u3002<\/p>\n

\u8da8\u52e2\u79d1\u6280<\/a>\u5206\u6790\u4ecd\u5728\u9032\u884c\u4e2d\uff0c\u7576\u6211\u5011\u627e\u5230\u95dc\u65bc\u6b64\u5a01\u8105\u7684\u8a73\u7d30\u8cc7\u8a0a\u5c07\u6703\u6301\u7e8c\u66f4\u65b0\u672c\u7bc7\u6587\u7ae0\u3002\u4e0b\u9762\u662f\u76ee\u524d\u6240\u77e5\u7684\u8cc7\u8a0a\uff1a<\/p>\n

\u900f\u904e\u8815\u87f2\u6563\u64ad\u3002<\/em><\/strong>\u60e1\u610f\u8edf\u9ad4\u7684\u521d\u6b65\u5206\u6790\u986f\u793a\u6703\u900f\u904e\u8815\u87f2\u6563\u64ad\u3002\u5b83\u5c07\u81ea\u5df1\uff08\u5305\u62ec\u6377\u5f91\u6a94\u3001\u975e\u60e1\u610f\u53ef\u57f7\u884c\u6a94AutoIt\uff0c\u4ee5\u53ca\u60e1\u610fAutoIt\u8173\u672c\uff09\u8907\u88fd\u5230\u4e2d\u6bd2\u7cfb\u7d71\u7684\u6839\u76ee\u9304 \u2013 C:\\WinddowsUpdated\\<file copy>\u3002<\/p>\n

\u507d\u88dd\u6210Windows<\/em><\/strong>\u66f4\u65b0\u3002<\/em><\/strong>\u8a72\u6377\u5f91\u6a94\u507d\u88dd\u6210\u700f\u89bd\u5668\u548cWindows\u66f4\u65b0\u7a0b\u5f0f\uff0c\u7db2\u98013D\u88fd\u4f5c\u5de5\u5177\uff0c\u4e26\u93c8\u7d50\u5230\u7cfb\u7d71\u7684\u4e0b\u8f09\u548c\u904a\u6232\u8cc7\u6599\u593e\u3002<\/p>\n

\u7d93\u7531AutoIt<\/em><\/strong>\u7684\u57f7\u884c\u3002<\/em><\/strong>AutoIt\u662f\u5408\u6cd5\u7684\u8173\u672c\u8a9e\u8a00\u8edf\u9ad4\/\u53ef\u57f7\u884c\u6a94\uff0c\u7528\u4f86\u70baWindows\u5167\u8a31\u591a\u7a0b\u5f0f\u9032\u884c\u81ea\u52d5\u5316\u52d5\u4f5c\uff08\u5373\u5de8\u96c6\uff09\u3002\u7136\u800c\u5b83\u5e38\u6703\u88ab\u6feb\u7528\u4f86\u5305\u88dd\u5404\u7a2e\u9060\u7aef\u5b58\u53d6\u6728\u99ac\uff08RAT\uff09\u3002\u5728\u9019\u7a2e\u60c5\u6cc1\u4e0b\uff0c\u5408\u6cd5\u7684AutoIt\u53ef\u57f7\u884c\u6a94\u6210\u70ba\u57f7\u884c\u60e1\u610f\u547d\u4ee4\u7684\u8f14\u52a9\u5de5\u5177\u3002\u4e8b\u5be6\u4e0a\uff0c\u6211\u5011\u57282014\u5e74\u5c31\u5df2\u7d93\u5728IPPEDO\u8815\u87f2\uff08WORM_IPPEDO.B<\/a>\uff09\u898b\u904e\u985e\u4f3c\u7684\u60e1\u610f\u7528\u6cd5\u3002<\/p>\n

\u6536\u96c6\u7cfb\u7d71\u8cc7\u8a0a\u3002<\/em><\/strong>\u60e1\u610f\u8edf\u9ad4\u6703\u57f7\u884c\u6b64\u547d\u4ee4\u4f86\u53d6\u5f97\u7cfb\u7d71\u8cc7\u8a0a\uff1aC:\\WINDOWS\\system32\\cmd.exe \/c SystemInfo<\/em>\u3002<\/p>\n

\u5728\u4e2d\u6bd2\u7cfb\u7d71\u4e0a\u7522\u751fLNK\u6a94\u3002\u8a72LNK\u6a94\u88ab\u5d4c\u5165\u4ee5\u4e0b\u60e1\u610f\u547d\u4ee4\uff1a<\/p>\n

cmd.exe \/c start ..\\WinddowsUpdateCheck\\WinddowsUpdater.exe \u201c..\\WinddowsUpdateCheck\\WinddowsUpdater.zip\u201d & exit<\/em><\/p>\n

\u6b64\u5a01\u8105\u4f3c\u4e4e\u662f\u7d93\u904e\u76f8\u7576\u7a0b\u5ea6\u6df7\u6dc6\u5316\u7684\u8cc7\u6599\u7aca\u53d6\u7a0b\u5f0f\u3002<\/em><\/strong>\u6211\u5011\u76ee\u524d\u6b63\u5728\u5206\u6790\u7684\u6a23\u672c\u7d93\u904e\u9ad8\u5ea6\u6df7\u6dc6\u5316\uff0c\u6709\u6548\u8f09\u8377\u7d93\u904e\u6578\u5c64\u7684\u52a0\u5bc6\u3002\u6211\u5011\u6240\u770b\u5230\u6a23\u672c\u5305\u542b\u56db\u500b\u60e1\u610fLNK\u6a94\u3002\u9019\u4e9bLNK\u6587\u4ef6\u6703\u767c\u51fa\u547d\u4ee4\u4f86\u8b93AutoIT\u57f7\u884c.TNT\u548c.EXE\u6a94\u6848\u3002\u6839\u64da\u6211\u5011\u5230\u76ee\u524d\u70ba\u6b62\u6240\u89c0\u5bdf\u5230\u7684\u884c\u70ba\uff0c\u5b83\u4f3c\u4e4e\u662f\u5728\u7aca\u53d6\u700f\u89bd\u5668\u76f8\u95dc\u8cc7\u8a0a\u548c\u9032\u884c\u9375\u76e4\u5074\u9304\u3002\u56e0\u70ba\u91ab\u7642\u6a5f\u69cb\u5167\u8cc7\u8a0a\u7684\u654f\u611f\u6027\uff0c\u9019\u76f8\u7576\u6709\u53ef\u80fd\u3002<\/p>\n

\u5a01\u8105\u5f62\u52e2\u6b63\u5728\u4e0d\u65b7\u5730\u6210\u719f\u548c\u591a\u6a23\u5316<\/a>\uff0c\u9632\u8b77\u7d44\u7e54\u5b89\u5168\u7684IT\/\u7cfb\u7d71\u7ba1\u7406\u54e1\u548c\u8cc7\u5b89\u5c08\u696d\u4eba\u54e1\u4e5f\u8a72\u5982\u6b64\u3002\u63a1\u53d6\u4ee5\u4e0b\u5b89\u5168\u5c0d\u7b56\uff1a\u5b89\u88dd\u4fee\u88dc\u7a0b\u5f0f\u4e26\u4fdd\u6301\u7cfb\u7d71\u66f4\u65b0\u3001\u57f7\u884c\u6700\u5c0f\u6b0a\u9650\u539f\u5247\u3001\u9632\u8b77\u9598\u9053\u4f86\u6e1b\u5c11\u53d7\u653b\u64ca\u9762\uff0c\u900f\u904e\u591a\u5c64\u6b21\u5b89\u5168\u9632\u8b77\u6a5f\u5236\u4f86\u9032\u884c\u7e31\u6df1\u9632\u79a6 \u2013 \u5305\u62ec\u7aef\u9ede<\/a>\u3001\u7db2\u8def<\/a>\u548c\u4f3a\u670d\u5668<\/a>\u3002<\/p>\n

\u5165\u4fb5\u6307\u6a19\uff08IoCs<\/strong>\uff09\uff1a<\/strong><\/p>\n

01e03241c42b12381e5c3ceb11e53f6c5c6bf0fa \u2013 WORM_RETADUP.A<\/a><\/p>\n

1186e8d32677f6ac86a35704c9435ccd9ffa8484 \u2013 WORM_RETADUP.A<\/p>\n

479dcd0767653e59f2653b8d3fcddb662a728df4 \u2013 LNK_RETADUP.A<\/a><\/p>\n

580ff21d0c9d8aeda2b7192b4caaccee8aba6be4 \u2013 LNK_RETADUP.A<\/p>\n

5f32f648610202c3e994509ca0fb714370d6761d \u2013 LNK_RETADUP.A<\/p>\n

63ac13c121e523faa7a4b871b9c2f63bea05bbff \u2013 LNK_RETADUP.A<\/p>\n

68d90647cf57428aca972d438974ad6f98e0e2b2 \u2013 LNK_RETADUP.A<\/p>\n

ce1b01eccf1b71d50e0f5dd6392bf1a4e6963a99 \u2013 LNK_RETADUP.A<\/p>\n

\u9032\u4e00\u6b65\u5206\u6790\u986f\u793a\uff0c\u60e1\u610f\u8edf\u9ad4\u6703\u8b93\u57f7\u884c\u6a94\u548c\u507d\u88dd\u6210\u53e6\u4e00\u6a94\u6848\u985e\u578b\u7684\u540c\u6a94\u540d\u6a94\u6848\u4e00\u8d77\u51fa\u73fe\u3002\u4f8b\u5982\uff0c\u6a94\u6848WinddowsUpdater.exe\u6703\u8207WinddowsUpdater.zip\u4e00\u8d77\u3002\u96d6\u7136.EXE\u6a94\u662f\u5408\u6cd5AutoIt\u6a94\u6848\uff0c.ZIP\u6a94\u5247\u662f\u5305\u542b\u5be6\u969b\u6709\u6548\u8ca0\u8f09\u7684\u52a0\u5bc6\u8cc7\u6599\u6a94\u3002\u9019\u5c31\u662f\u70ba\u4ec0\u9ebc\u4e0a\u8ff0LNK\u6a94\u5167\u547d\u4ee4\u53ea\u7528\u4e00\u500b\u53c3\u6578\u4f86\u8dd1\u57f7\u884c\u6a94\uff0c\u5b83\u8ddf\u6709\u6548\u8f09\u8377\u6a94\u6848\u7684\u540d\u7a31\u76f8\u540c\u3002<\/p>\n

 <\/p>\n

\u6aa2\u8996\u5b83\u7684\u7a0b\u5f0f\u78bc\uff0c\u8a72\u60e1\u610f\u8edf\u9ad4\u5305\u542b\u4ee5\u4e0b\u5b57\u4e32\uff0c\u9019\u986f\u793a\u5b83\u53ef\u80fd\u8a66\u8457\u6536\u96c6\u4e2d\u6bd2\u7cfb\u7d71\u7684\u8cc7\u8a0a\uff1a<\/p>\n