{"id":54469,"date":"2018-02-13T21:19:42","date_gmt":"2018-02-13T13:19:42","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=54469"},"modified":"2018-02-13T21:19:42","modified_gmt":"2018-02-13T13:19:42","slug":"%e9%a7%ad%e5%ae%a2%e5%88%a9%e7%94%a8-windows-installer-msiexec-exe-%e7%a8%8b%e5%bc%8f%e5%9c%a8%e7%b3%bb%e7%b5%b1%e6%a4%8d%e5%85%a5-lokibot-%e8%b3%87%e8%a8%8a%e7%ab%8a%e5%8f%96%e7%a8%8b%e5%bc%8f","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=54469","title":{"rendered":"\u99ed\u5ba2\u5229\u7528 Windows Installer (msiexec.exe) \u7a0b\u5f0f\u5728\u7cfb\u7d71\u690d\u5165 LokiBot \u8cc7\u8a0a\u7aca\u53d6\u7a0b\u5f0f"},"content":{"rendered":"

\u6642\u9593\u62c9\u56de 2017 \u5e74 9 \u6708\uff0c\u7576\u6642 Microsoft \u4fee\u6b63\u4e86 CVE-2017-11882<\/a> \u9019\u500b\u53ef\u8b93\u99ed\u5ba2\u5f9e\u9060\u7aef\u57f7\u884c\u7a0b\u5f0f\u7684 Microsoft Office \u6f0f\u6d1e\u3002\u4f46\u9019\u4ecd\u7121\u6cd5\u963b\u6b62 Cobalt<\/a> \u7db2\u8def\u72af\u7f6a\u96c6\u5718\u7e7c\u7e8c\u5229\u7528\u6b64\u6f0f\u6d1e\u4f86\u6563\u5e03\u5404\u7a2e\u60e1\u610f\u7a0b\u5f0f<\/a>\uff0c\u4f8b\u5982FAREIT<\/a>\u3001Ursnif<\/a> \u4ee5\u53ca\u67d0\u500b\u7834\u89e3\u7248 Loki \u8cc7\u8a0a\u7aca\u53d6\u7a0b\u5f0f<\/a> (\u9019\u662f\u4e00\u500b\u4ee5\u7aca\u53d6\u5bc6\u78bc\u548c\u52a0\u5bc6\u865b\u64ec\u8ca8\u5e63\u9322\u5305\u70ba\u8ce3\u9ede\u7684\u9375\u76e4\u5074\u9304\u7a0b\u5f0f)\u3002<\/p>\n

\u6700\u8fd1\uff0c\u8da8\u52e2\u79d1\u6280<\/b><\/a>\u767c\u73fe\u99ed\u5ba2\u53c8\u518d\u6b21\u5229\u7528 CVE-2017-11882 \u6f0f\u6d1e\u767c\u52d5\u653b\u64ca\uff0c\u9019\u6b21\u63a1\u7528\u7684\u662f\u4e00\u7a2e\u7f55\u898b\u7684\u65b9\u6cd5\uff0c\u900f\u904e Microsoft Windows \u4f5c\u696d\u7cfb\u7d71\u4e2d\u7684 Windows Installer \u670d\u52d9<\/a>\u3002\u6b64\u624b\u6cd5\u6709\u5225\u65bc\u4e4b\u524d\u4f7f\u7528 Windows \u7684 mshta.exe \u7a0b\u5f0f\u4f86\u57f7\u884c Powershell \u8173\u672c\u4ee5\u4e0b\u8f09\u4e26\u57f7\u884c\u60e1\u610f\u6a94\u6848\u7684\u4f5c\u6cd5\uff0c\u800c\u662f\u900f\u904e Windows Installer \u670d\u52d9\u7576\u4e2d\u7684\u300cmsiexec.exe\u300d\u7a0b\u5f0f\u4f86\u57f7\u884c\u60e1\u610f\u6a94\u6848\u3002<\/p>\n

\u5b8c\u6574\u611f\u67d3\u904e\u7a0b<\/strong><\/p>\n

\"Figure<\/p>\n

\u5716 1\uff1a\u5b8c\u6574\u611f\u67d3\u904e\u7a0b\u3002<\/em><\/p>\n

\u6211\u5011\u6240\u5206\u6790\u5230\u7684\u6a23\u672c\u4f3c\u4e4e\u67d0\u4e00\u6ce2\u5783\u573e\u90f5\u4ef6\u6240\u4f7f\u7528\u7684\u9644\u4ef6\u6a94\u6848\uff0c\u9019\u4e9b\u5783\u573e\u90f5\u4ef6\u6703\u8981\u6c42\u6536\u4ef6\u4eba\u78ba\u8a8d\u5bc4\u4ef6\u4eba\u6240\u6536\u5230\u7684\u4e00\u7b46\u6b3e\u9805\u3002\u96fb\u5b50\u90f5\u4ef6\u5167\u5bb9\u542b\u6709\u97d3\u6587\u64b0\u5beb\u7684\u6587\u5b57\uff0c\u5927\u610f\u662f\u300c\u60a8\u597d\uff0c\u8acb\u6aa2\u67e5\u4e00\u4e0b\u60a8\u7684\u96fb\u8166\u662f\u5426\u4e2d\u6bd2\u6216\u611f\u67d3\u60e1\u610f\u7a0b\u5f0f\u300d\uff0c\u4f3c\u4e4e\u5728\u63d0\u9192\u6536\u4ef6\u4eba\u5c0f\u5fc3\u5225\u4e2d\u6bd2\u3002<\/p>\n

\u6b64\u5916\uff0c\u96fb\u5b50\u90f5\u4ef6\u4e5f\u9644\u4e86\u4e00\u500b\u540d\u70ba\u300cPayment copy.Doc\u300d\u7684\u6587\u4ef6\u6a94\u6848\uff0c\u8a72\u6a94\u6848\u770b\u4f3c\u4e00\u4efd\u4ed8\u6b3e\u78ba\u8a8d\u55ae\uff0c\u4f46\u5176\u5be6\u662f\u500b\u6728\u99ac\u7a0b\u5f0f (\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba\uff1aTROJ_CVE201711882.SM)\uff0c\u5b83\u6703\u653b\u64ca CVE-2017-11882 \u6f0f\u6d1e\u3002<\/p>\n

\"Figure<\/p>\n

\u5716 2\uff1a\u96a8\u9644\u60e1\u610f\u6587\u4ef6\u6703\u653b\u64ca CVE-2017-11882 \u6f0f\u6d1e\u7684\u5783\u573e\u90f5\u4ef6\u3002<\/em><\/p>\n

\"<\/p>\n

\u5716 3\uff1a\u6587\u4ef6\u958b\u555f\u5f8c\u7684\u6a23\u5b50\u3002<\/em><\/p>\n

\u60e1\u610f\u9644\u4ef6\u6703\u5229\u7528\u524d\u8ff0\u6f0f\u6d1e\u900f\u904e Windows Installer \u670d\u52d9\u4f86\u4e0b\u8f09\u4e26\u5b89\u88dd\u4e00\u500b\u540d\u70ba\u300czus.msi\u00a0\u300d\u7684 Windows \u5b89\u88dd\u5957\u4ef6\uff0c\u5176\u5b8c\u6574\u6307\u4ee4\u5217\u5982\u4e0b\uff1a<\/p>\n