{"id":55296,"date":"2018-04-25T09:00:43","date_gmt":"2018-04-25T01:00:43","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=55296"},"modified":"2018-04-24T16:40:05","modified_gmt":"2018-04-24T08:40:05","slug":"%e7%84%a1%e9%9c%80%e5%b7%a8%e9%9b%86%ef%bc%9a%e6%b7%b1%e5%85%a5%e8%a7%a3%e6%9e%90%e5%88%a9%e7%94%a8rtf%e7%9a%84%e8%a8%ad%e8%a8%88%e5%8f%8aoffice%e7%9a%84%e6%bc%8f%e6%b4%9e%e6%95%a3%e6%92%ad%e7%9a%84fo","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=55296","title":{"rendered":"\u7121\u9700\u5de8\u96c6\uff1a\u6df1\u5165\u89e3\u6790\u5229\u7528RTF\u7684\u8a2d\u8a08\u53caOffice\u7684\u6f0f\u6d1e\u6563\u64ad\u7684Formbook RAT"},"content":{"rendered":"<p>\u5b89\u5168\u7814\u7a76\u4eba\u54e1<a href=\"https:\/\/www.darkreading.com\/vulnerabilities---threats\/rtf-design-office-flaw-exploited-in-multi-stage-document-attack\/d\/d-id\/1331482\">\u767c\u73fe<\/a>\u4e86\u4e00\u8d77\u591a\u968e\u6bb5\u7684\u653b\u64ca\u93c8\uff0c\u5229\u7528RTF\u6a94\u6848\u7684\u8a2d\u8a08\u53ca\u5fae\u8edfOffice\u6f0f\u6d1e\uff08CVE-2017-8570\uff09\u4f86\u6563\u64adFormbook\u9060\u7aef\u5b58\u53d6\u6728\u99ac\uff08RAT\uff09\u3002\u4ee5\u4e0b\u662f\u4f01\u696d\u8981\u4e3b\u52d5\u56de\u61c9\u6b64\u5a01\u8105\u6240\u9700\u8981\u4e86\u89e3\u7684\u8cc7\u8a0a\uff1a<\/p>\n<p><strong>[<\/strong><strong>\u76f8\u95dc\u6587\u7ae0\uff1a<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/evolving-trickbot-adds-detection-evasion-and-screen-locking-features\">Trickbot\u8cc7\u6599\u7aca\u53d6\u7a0b\u5f0f\u52a0\u5165\u8eb2\u907f\u5075\u6e2c\u548c\u9396\u4f4f\u87a2\u5e55\u7684\u529f\u80fd<\/a>]<\/strong><\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/12\/trend-micro-sandbox-1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-53727\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/12\/trend-micro-sandbox-1.jpg\" alt=\"\" width=\"490\" height=\"335\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/12\/trend-micro-sandbox-1.jpg 490w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/12\/trend-micro-sandbox-1-300x205.jpg 300w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2017\/12\/trend-micro-sandbox-1-30x21.jpg 30w\" sizes=\"(max-width: 490px) 100vw, 490px\" \/><\/a><\/p>\n<p><strong>Formbook<\/strong><strong>\u5177\u5099\u9375\u76e4\u5074\u9304\u548c\u87a2\u5e55\u64f7\u53d6\u529f\u80fd<\/strong><\/p>\n<p>Formbook\u5177\u5099\u9375\u76e4\u5074\u9304\u548c\u87a2\u5e55\u64f7\u53d6\u529f\u80fd\u3002\u5b83\u9084\u53ef\u4ee5\u4e0b\u8f09\u5176\u4ed6\u60e1\u610f\u8edf\u9ad4\u6216\u5143\u4ef6\u4f86\u7aca\u53d6\u548c\u5916\u6d29\u8cc7\u6599\u3002\u7814\u7a76\u4eba\u54e1\u6307\u51fa\uff0c\u9019\u7248\u672c\u7684Formbook\u4e5f\u542b\u6709\u9280\u884c\u6728\u99ac\u4e2d\u5e38\u898b\u7684\u60e1\u610f\u5143\u4ef6\u3002<\/p>\n<p>\u57282017\u5e7412\u6708\uff0c\u8da8\u52e2\u79d1\u6280\u767c\u73fe\u6578\u500b\u7db2\u8def\u72af\u7f6a\u96c6\u5718\u6563\u64adFormbook\u53ca\u5927\u91cf\u7684\u5176\u4ed6\u8cc7\u6599\u7aca\u53d6\u60e1\u610f\u8edf\u9ad4\u3002\u4ed6\u5011\u7684\u653b\u64ca\u6d3b\u52d5\u4e2d\u4e5f\u5229\u7528\u4e86RTF\u6a94\u6848\uff0c\u653b\u64ca\u7684\u662f\u53e6\u4e00\u500b\u6f0f\u6d1e\uff08CVE-2017-11882\uff09\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><strong>[<\/strong><strong>\u5ef6\u4f38\u95b1\u8b80\uff1a<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/threat-landscape\/challenging-problem-of-smb-security-might-need-third-party-intervention\">\u4e2d\u5c0f\u578b\u4f01\u696d\u7684\u8cc7\u5b89\u6311\u6230\u53ef\u80fd\u9700\u8981\u7b2c\u4e09\u65b9\u5354\u52a9<\/a>]<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>\u653b\u64ca\u93c8<\/strong><\/p>\n<p>\u611f\u67d3\u65b9\u5f0f\u662f\u96d9\u7ba1\u9f4a\u4e0b\u3002\u7b2c\u4e00\u968e\u6bb5\u5229\u7528\u593e\u5e36\u5fae\u8edfWord\u6587\u4ef6\uff08.docx\uff09\u7684\u5783\u573e\u90f5\u4ef6\uff0c\u6587\u4ef6\u6a94\u5167\u7684frameset\uff08\u5305\u542b\u8f09\u5165\u6587\u4ef6\u6240\u9700\u6846\u67b6\u7684HTML\u6a19\u7c64\uff09\u5167\u5d4c\u4e86\u60e1\u610f\u7db2\u5740\u3002\u4e00\u65e6\u53d7\u5bb3\u8005\u6253\u958b\u6a94\u6848\uff0c\u5c31\u6703\u4e0b\u8f09\u653b\u64ca\u8005\u6240\u6307\u5b9a\u7684\u7269\u4ef6\u4e26\u5448\u73fe\u5728\u6587\u4ef6\u5167\u3002\u7d93\u904e\u7814\u7a76\u4eba\u54e1\u9006\u5411\u5de5\u7a0b\u4e00\u500bFormbook\u6a23\u672c\u986f\u793a\uff0c\u7db2\u5740\u6703\u9023\u5230\u53e6\u4e00\u500b\u5e36\u6709\u6f0f\u6d1e\u653b\u64caRTF\u6a94\u6848\u7684\u547d\u4ee4\u8207\u63a7\u5236\uff08C&amp;C\uff09\u4f3a\u670d\u5668\u3002\u9019\u7a2e\u653b\u64ca\u4e0d\u9700\u8981\u5de8\u96c6\u548cshellcode\u3002<!--more--><\/p>\n<p>\u611f\u67d3\u93c8\u7684\u7b2c\u4e8c\u968e\u6bb5\u5229\u7528RTF\u7684\u8a2d\u8a08\u4e26\u4e14\u653b\u64ca\u4e86\u6f0f\u6d1eCVE-2017-8570\uff0c\u9032\u800c\u8b93Formbook\u611f\u67d3\u7cfb\u7d71\u3002\u7576RTF\u6587\u4ef6\u5167\u5d4c\u7269\u4ef6\u6642\uff0c\u7269\u4ef6\u6703\u88ab\u81ea\u52d5\u653e\u5165Temp\uff08%TEMP%\uff09\u7cfb\u7d71\u8cc7\u6599\u593e\u3002Cobalt\u99ed\u5ba2\u96c6\u5718\u4e5f\u66fe\u7d93\u5229\u7528\u904eRTF\u9019\u7a2e\u884c\u70ba\u4f86\u6563\u64ad\u8cc7\u6599\u7aca\u53d6\u7a0b\u5f0f\u3002\u63a5\u8457\u5b83\u6703\u653b\u64ca\u9060\u7aef\u7a0b\u5f0f\u78bc\u57f7\u884c\u6f0f\u6d1eCVE-2017-8570\uff08\u5728\u53bb\u5e7411\u6708\u88ab\u4fee\u88dc\uff09\u4f86\u57f7\u884c\u60e1\u610f\u8edf\u9ad4\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><strong>[<\/strong><strong>\u5ef6\u4f38\u95b1\u8b80\uff1a<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/historical-overview-of-proactive-incident-response-strategies-and-what-they-mean-to-enterprises\">\u4e3b\u52d5\u4e8b\u4ef6\u56de\u61c9\u7b56\u7565\u7684\u6b77\u53f2\u6982\u8ff0\u53ca\u5176\u5c0d\u4f01\u696d\u4ee3\u8868\u4ec0\u9ebc<\/a>]<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><strong>\u5b83\u5e36\u4f86\u4ec0\u9ebc\u5f71\u97ff\u53ca\u8a72\u5982\u4f55\u6d88\u5f2d\u6b64\u5a01\u8105\uff1f<\/strong><\/p>\n<p>\u96d6\u7136\u9019\u4e9b\u6280\u8853\u4e26\u4e0d\u65b0\u9bae\uff0c\u4f46\u5229\u7528\u6b63\u5e38\u7a0b\u5f0f\u884c\u70ba\u53ca\u653b\u64ca\u6f0f\u6d1e\u8b93\u9019\u5a01\u8105\u975e\u5e38\u6709\u6548\u679c\u3002\u591a\u968e\u6bb5\u611f\u67d3\u93c8\u4e5f\u503c\u5f97\u6ce8\u610f\uff0c\u986f\u793a\u51fa\u99ed\u5ba2\u505a\u8db3\u4e86\u6e96\u5099\u5de5\u4f5c\u3002\u9019\u4e9b\u4f5c\u6cd5\u4e5f\u8b93\u5176\u80fd\u5920\u8eb2\u907f\u67d0\u4e9b\u5b89\u5168\u63a7\u5236\u63aa\u65bd\uff08\u5982\u50b3\u7d71<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/security-technology\/how-can-advanced-sandboxing-techniques-thwart-elusive-malware\">\u6c99\u7bb1\u6280\u8853<\/a>\uff09\uff0c\u53ef\u4ee5\u5728\u4e0d\u5f15\u8d77\u8b66\u5831\u4e0b\u57f7\u884c\u6d3b\u52d5\u3002<\/p>\n<p>\u9084\u6709\u4e9b\u5176\u4ed6\u7684\u7db2\u8def\u72af\u7f6a\u96c6\u5718\u6216\u7db2\u8def\u9593\u8adc\u7d44\u7e54<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/vulnerabilities-and-exploits\/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild\">\u63a1\u7528<\/a>\u76f8\u540c\u6280\u8853\uff08\u4f7f\u7528\u60e1\u610f\u683c\u5f0fRTF\uff09\u4f86\u6563\u64ad\u81ea\u5df1\u7684\u8cc7\u6599\u7aca\u53d6\u7a0b\u5f0f\uff08\u50cf\u662fLoki\u548cPony\/FAREIT\uff09\u3002\u4e86\u89e3\u9019\u6280\u8853\u6709\u52a9\u65bc\u7cfb\u7d71\u7ba1\u7406\u54e1\u548c\u8cc7\u8a0a\u5b89\u5168\u5c08\u5bb6\u5728\u5c0b\u627e\u5a01\u8105\u6642\u53ef\u4ee5\u64f4\u5927\u7bc4\u570d\u3002Formbook\u7684\u9032\u5165\u9ede\u662f\u4ec0\u9ebc\uff1f\u53ef\u4ee5\u63a1\u53d6\u4ec0\u9ebc\u63aa\u65bd\u4f86\u4fee\u88dc\u5b89\u5168\u9593\u9699\uff1f\u54ea\u4e9b\u6b63\u5e38\u7a0b\u5f0f\u6216\u5de5\u5177\u906d\u5230\u6feb\u7528\uff0c\u9700\u8981\u5728\u96fb\u8166\u4e0a\u7981\u6b62\u4f7f\u7528\u6216\u52a0\u4ee5\u9650\u5236\uff1f\u60e1\u610f\u6d3b\u52d5\u662f\u5426\u96b1\u85cf\u5728\u6b63\u5e38\u7db2\u8def\u6d41\u91cf\u80cc\u5f8c\uff1f\u7684\u78ba\uff0c\u60e1\u610f\u8edf\u9ad4\u53ef\u4ee5\u5f88\u5bb9\u6613\u5730\u90e8\u7f72\u4e26\u4e14\u7e5e\u904e\u50b3\u7d71\u5b89\u5168\u63aa\u65bd\uff0c\u8aaa\u660e\u9700\u8981\u63a1\u53d6\u4e3b\u52d5\u5f0f\u4e8b\u4ef6\u56de\u61c9\u7b56\u7565\u3002\u9019\u53ef\u4ee5\u70ba\u4f01\u696d\u63d0\u4f9b\u53ef\u64da\u4ee5\u884c\u52d5\u7684\u60c5\u5831\uff0c\u6709\u52a9\u65bc\u5c0d\u5a01\u8105\u9032\u884c\u4e3b\u52d5\u5075\u6e2c\uff0c\u5206\u6790\u548c\u56de\u61c9\u3002<\/p>\n<p>&nbsp;<\/p>\n<p><strong>\u8da8\u52e2\u79d1\u6280\u89e3\u6c7a\u65b9\u6848<\/strong><\/p>\n<p><a href=\"https:\/\/t.rend.tw\/?i=Mzc4MQ\">\u8da8\u52e2\u79d1\u6280Deep Security<\/a>\u3001<u>Vulnerability Protection <\/u><u>\u6f0f\u6d1e\u9632\u8b77<\/u>\u548cTippingPoint\u63d0\u4f9b<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/capabilities\/intrusion-prevention.html?cm_re=10_19_17-_-2d_Capabilities-_-IntrusionPrevention\">\u865b\u64ec\u4fee\u88dc<\/a>\u529f\u80fd\uff0c\u53ef\u4ee5\u4fdd\u8b77\u7aef\u9ede\u5c0d\u6297\u5229\u7528\u672a\u4fee\u88dc\u6f0f\u6d1e\u7684\u5a01\u8105\u3002<\/p>\n<p>\u8da8\u52e2\u79d1\u6280\u7684<a href=\"https:\/\/www.trendmicro.com\/us\/small-business\/hosted-email-security\/\">Hosted Email Security<\/a>\u662f\u4e00\u7a2e\u7121\u9700\u7dad\u8b77\u7684\u96f2\u7aef\u89e3\u6c7a\u65b9\u6848\uff0c\u53ef\u6301\u7e8c\u5730\u66f4\u65b0\u9632\u8b77\uff0c\u5728\u5783\u573e\u90f5\u4ef6\u3001\u60e1\u610f\u8edf\u9ad4\u3001\u9b5a\u53c9\u5f0f\u91e3\u9b5a\u90f5\u4ef6\u3001\u52d2\u7d22\u75c5\u6bd2\u548c\u9032\u968e\u91dd\u5c0d\u6027\u653b\u64ca\u9032\u5165\u4f01\u696d\u7db2\u8def\u524d\u5148\u52a0\u4ee5\u5c01\u9396\u3002<a href=\"https:\/\/www.trendmicro.com\/us\/enterprise\/security-risk-management\/deep-discovery\/index.html\">\u8da8\u52e2\u79d1\u6280 Deep Discovery&#x2122; Email Inspector<\/a>\u548c<a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/network-security\/interscan-web-security\/\">InterScan&#x2122; Web Security<\/a>\u00a0\u53ef\u4ee5\u9632\u6b62\u60e1\u610f\u8edf\u9ad4\u63a5\u8fd1\u6700\u7d42\u4f7f\u7528\u8005\u3002\u5728\u7aef\u9ede\u5c64\u7d1a\uff0c<a href=\"https:\/\/www.trendmicro.tw\/tw\/business\/complete-software-protection\/index.html\">\u8da8\u52e2\u79d1\u6280 Smart Protection Suites<\/a>\u63d0\u4f9b\u591a\u7a2e\u529f\u80fd\uff0c\u53ef\u5c07\u5a01\u8105\u7684\u5f71\u97ff\u964d\u81f3\u6700\u4f4e\u3002<\/p>\n<p>\u9019\u4e9b\u89e3\u6c7a\u65b9\u6848\u90fd\u7531\u8da8\u52e2\u79d1\u6280\u7684XGen&#x2122; \u9632\u8b77\u6280\u8853\u9a45\u52d5\uff0c\u5b83\u63d0\u4f9b\u8de8\u4e16\u4ee3\u6df7\u5408\u7684\u5a01\u8105\u9632\u79a6\u6280\u8853\u4f86\u8655\u7406<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/deep-security-data-center.html\">\u8cc7\u6599\u4e2d\u5fc3<\/a>\u3001<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/hybrid-cloud\/deep-security-for-cloud.html\">\u96f2\u7aef\u74b0\u5883<\/a>\u3001<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/network.html\">\u7db2\u8def<\/a>\u548c<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/user-protection.html\">\u7aef\u9ede<\/a>\u6240\u53ef\u80fd\u9762\u81e8\u7684\u5404\u7a2e\u5a01\u8105\u3002\u5b83\u5177\u5099\u9ad8\u4fdd\u771f\u6a5f\u5668\u5b78\u7fd2\u529f\u80fd\u4f86\u4fdd\u8b77<a href=\"https:\/\/www.trendmicro.com\/us\/business\/complete-user-protection\/index.html\">\u9598\u9053<\/a>\u548c<a href=\"https:\/\/www.trendmicro.com\/us\/enterprise\/product-security\/vulnerability-protection\/\">\u7aef\u9ede<\/a>\u8cc7\u6599\u53ca\u61c9\u7528\u7a0b\u5f0f\uff0c\u4e26\u4fdd\u8b77\u5be6\u9ad4\u3001\u865b\u64ec\u548c\u96f2\u7aef\u7684\u5de5\u4f5c\u6a5f\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>@\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/no-macros-required-design-in-rtf-and-vulnerability-in-office-exploited-to-deliver-formbook-rat\">No Macros Required: Design in RTF and Vulnerability in Office Exploited to Deliver Formbook RAT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u5b89\u5168\u7814\u7a76\u4eba\u54e1\u767c\u73fe\u4e86\u4e00\u8d77\u591a\u968e\u6bb5\u7684\u653b\u64ca\u93c8\uff0c\u5229\u7528RTF\u6a94\u6848\u7684\u8a2d\u8a08\u53ca\u5fae\u8edfOffice\u6f0f\u6d1e\uff08CVE-2017-8570\uff09 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[1268,3654,156,2744],"tags":[3833,1406,1846,2292,83,1283],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/55296"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=55296"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/55296\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=55296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=55296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=55296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}