{"id":53726,"date":"2017-12-10T17:06:33","date_gmt":"2017-12-10T09:06:33","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=53726"},"modified":"2017-12-18T17:20:44","modified_gmt":"2017-12-18T09:20:44","slug":"17%e5%b9%b4%e7%9a%84%e5%be%ae%e8%bb%9foffice%e6%bc%8f%e6%b4%9e%ef%bc%88cve-2017-11882%ef%bc%89%e4%bb%8d%e7%b9%bc%e7%ba%8c%e6%90%9e%e7%a0%b4%e5%a3%9e","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=53726","title":{"rendered":"17\u5e74\u7684\u5fae\u8edfOffice\u6f0f\u6d1e\uff08CVE-2017-11882\uff09,\u4ecd\u7e7c\u7e8c\u641e\u7834\u58de"},"content":{"rendered":"

\"\"<\/a><\/p>\n

\u8da8\u52e2\u79d1\u6280\u767c\u73fe\u4e00\u500b\u60e1\u610fRTF\u6a94\u6848\u6703\u5229\u7528\u6f0f\u6d1eCVE-2017-11882\u4f86\u6563\u64ad\u9593\u8adc\u8edf\u9ad4Loki\uff08TSPY_LOKI\uff09\u3002\u5b83\u900f\u904eHTML\u61c9\u7528\u7a0b\u5f0f\uff08HTA\uff09\u4f86\u547c\u53ebPowerShell\u690d\u5165\u60e1\u610f\u8edf\u9ad4\uff0c\u518d\u4f86\u53d6\u5f97\u8cc7\u6599\u7aca\u53d6\u8edf\u9ad4\u3002<\/p>\n

CVE-2017-11882<\/strong>\u662f\u4ec0\u9ebc\uff1f<\/strong><\/p>\n

CVE-2017-11882<\/a>\u662f\u5fae\u8edfOffice\uff08\u5305\u62ecOffice 360\u200b\u200b\uff09\u5167\u5b58\u572817\u5e74\u7684\u8a18\u61b6\u9ad4\u640d\u6bc0\u554f\u984c\u3002\u4e00\u65e6\u653b\u64ca\u6210\u529f\uff0c\u5728\u958b\u555f\u60e1\u610f\u6587\u4ef6\u5f8c\u53ef\u4ee5\u8b93\u653b\u64ca\u8005\u5728\u6709\u6f0f\u6d1e\u7684\u96fb\u8166\u4e0a\u57f7\u884c\u9060\u7aef\u7a0b\u5f0f\u78bc\uff08\u7121\u9700\u7d93\u904e\u4f7f\u7528\u8005\u4e92\u52d5\uff09\u3002\u9019\u500b\u6f0f\u6d1e\u5b58\u5728\u65bc\u65b9\u7a0b\u5f0f\u7de8\u8f2f\u5668\uff08EQNEDT32.EXE\uff09\uff0c\u9019\u662f\u5fae\u8edfOffice\u7528\u4f86\u5728\u6587\u4ef6\u4e2d\u63d2\u5165\u6216\u7de8\u8f2fOLE\u7269\u4ef6\u7684\u5de5\u5177\u3002\u6982\u5ff5\u8b49\u660e\u6f0f\u6d1e\u653b\u64ca\u78bc\u5df2\u7d93\u88ab\u516c\u5e03\uff0c\u800c\u5fae\u8edf\u5df2\u7d93\u572811\u6708\u4efd\u7684\u661f\u671f\u4e8c\u66f4\u65b0\u65e5<\/a>\u4fee\u88dc\u4e86\u9019\u500b\u6f0f\u6d1e\u3002<\/p>\n

Loki\u75c5\u6bd2\u5bb6\u65cf\u53ef\u4ee5\u7aca\u53d6FTP\u5ba2\u6236\u7aef\u7684\u5e33\u865f\u8cc7\u6599\uff0c\u4ee5\u53ca\u5132\u5b58\u5728\u5404\u7a2e\u7db2\u8def\u700f\u89bd\u5668\u548c\u6578\u4f4d\u8ca8\u5e63<\/a>\u9322\u5305\u7684\u6191\u8b49\u3002Loki\u9084\u53ef\u4ee5\u5f9e\u201cSticky\u201d\u76f8\u95dc\uff08\u5373Sticky Notes\uff09\u548c\u7dda\u4e0a\u64b2\u514b\u904a\u6232\u61c9\u7528\u7a0b\u5f0f\u6536\u96c6\u8cc7\u6599\u3002<\/p>\n

[\u76f8\u95dc\u8cc7\u6599\uff1aCobalt\u99ed\u5ba2\u96c6\u5718\u518d\u6b21\u5c07\u76ee\u6a19\u653e\u5728\u4fc4\u8a9e\u4f01\u696d<\/a>]<\/p>\n

 <\/p>\n

\u653b\u64ca\u8005\u5982\u4f55\u5229\u7528CVE-2017-11882<\/strong>\uff1f<\/strong><\/p>\n

\u8da8\u52e2\u79d1\u6280\u6700\u521d\u548c\u9032\u884c\u4e2d\u7684\u5206\u6790\u9084\u767c\u73fe\u5783\u573e\u90f5\u4ef6\u96c6\u5718\u4e5f\u5728\u7a4d\u6975\u7684\u5229\u7528CVE-2017-11882\u6f0f\u6d1e\uff0c\u597d\u8b93\u7cfb\u7d71\u611f\u67d3\u8cc7\u6599\u7aca\u53d6\u8edf\u9ad4Pony\/FAREIT<\/a>\u548cFormBook\u3002\u653b\u64ca\u93c8\u5305\u62ec\u6703\u5f9e\u9060\u7aefSMB\u4f3a\u670d\u5668\u7684\u958b\u653e\u8cc7\u6599\u593e\u53d6\u5f97\u60e1\u610f\u8edf\u9ad4\u7684\u6307\u4ee4\u3002<\/p>\n

Cobalt\u99ed\u5ba2\u96c6\u5718\u4e5f\u572811\u6708\u4e0b\u65ec\u7684\u4e00\u6ce2\u653b\u64ca\u6d3b\u52d5<\/a>\u4e2d\u5229\u7528\u4e86\u9019\u500b\u5b89\u5168\u6f0f\u6d1e\uff0c\u5bc4\u51fa\u985e\u4f3c\u7d50\u69cb\u7684RTF\u6a94\u6848\u3002\u5b83\u6700\u5f8c\u6703\u5e36\u4f86\u4e00\u500bDLL\u6a94\u6848\u3002\u5728\u4ed6\u5011\u4e4b\u524d\u7684\u9b5a\u53c9\u5f0f\u91e3\u9b5a\u653b\u64ca<\/a>\u4e2d\uff0c\u9019DLL\u662f\u6ef2\u900f\u6e2c\u8a66\u5de5\u5177Cobalt Strike\u7684\u4e00\u500b\u7d44\u4ef6\uff0c\u88ab\u4ed6\u5011\u60e1\u610f\u7528\u4f86\u52ab\u6301\u53d7\u611f\u67d3\u7cfb\u7d71\u3002<\/p>\n

\u8da8\u52e2\u79d1\u6280\u9084\u770b\u5230\u5176\u4ed6\u60e1\u610f\u4efd\u5b50\u5229\u7528CVE-2017-11882\u4f86\u8b93\u7cfb\u7d71\u611f\u67d3\u9375\u76e4\u5074\u9304\u7a0b\u5f0f\u548c\u5e36\u6709\u8ddfBad Rabbit<\/a>\u76f8\u4f3c\u52d2\u8d16\u901a\u77e5\u7684\u9396\u5b9a\u87a2\u5e55\u3002\u5783\u573e\u90f5\u4ef6\u572811\u670821\u65e5\u51fa\u73fe\u5728\u6fb3\u6d32\u548c\u65e5\u672c\uff0c\u5206\u5225\u6703\u5e36\u4f86ZLoader\uff08ZBOT<\/a>\u7684\u4e0b\u8f09\u5668\u6728\u99ac\uff09\u548cUrsnif<\/a>\u3002<\/p>\n

<\/p>\n

\u6fb3\u6d32\uff08\u5de6\uff09\u548c\u65e5\u672c\uff08\u53f3\uff09\u6240\u51fa\u73fe\u7684\u5783\u573e\u90f5\u4ef6\u622a\u5716<\/em><\/p>\n

\u00a0<\/strong><\/p>\n

\u4f7f\u7528\u8005\u548c\u4f01\u696d\u53ef\u4ee5\u505a\u4e9b\u4ec0\u9ebc\uff1f<\/strong><\/p>\n

 <\/p>\n

\u4ee5\u4e0b\u662f\u53ef\u4ee5\u7528\u4f86\u5c0d\u4ed8CVE-2017-11882\u6f0f\u6d1e\u653b\u64ca\u5a01\u8105\u7684\u4e00\u4e9b\u5c0d\u7b56\uff1a<\/p>\n