{"id":58066,"date":"2018-11-29T09:00:42","date_gmt":"2018-11-29T01:00:42","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=58066"},"modified":"2020-07-07T11:59:02","modified_gmt":"2020-07-07T03:59:02","slug":"2018%e8%b3%87%e5%ae%89%e5%9b%9e%e9%a1%a7%e5%81%8f%e6%84%9b%e5%81%87%e5%86%92%e5%ae%85%e9%85%8d%e5%85%ac%e5%8f%b8app%e8%b6%85%e9%81%8e-30-%e8%90%ac%e7%94%a8%e6%88%b6%e5%8f%97%e5%ae%b3%e7%9a%84-androi","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=58066","title":{"rendered":"\u504f\u611b\u5047\u5192\u5b85\u914d\u516c\u53f8,\u8d85\u904e 30 \u842c\u7528\u6236\u53d7\u5bb3\u7684 Android \u60e1\u610f\u7a0b\u5f0f\u5bb6\u65cf:XLoader \u548c FakeSpy \u00a0"},"content":{"rendered":"

\u6df1\u5165\u63a2\u8a0e XLoader \u8207 FakeSpy \u4e4b\u9593\u7684\u95dc\u806f\u4ee5\u53ca\u5169\u8005\u8207\u4e2d\u570b\u300c\u5ef6\u908a\u5e6b\u300d\u72af\u7f6a\u96c6\u5718\u4e4b\u9593\u7684\u95dc\u4fc2<\/h2>\n

\"\"<\/a><\/p>\n

XLoader \u548c FakeSpy \u662f\u6700\u8fd1\u5d1b\u8d77\u7684\u5169\u500b\u6700\u91cd\u8981\u7684\u884c\u52d5\u60e1\u610f\u7a0b\u5f0f\u5bb6\u65cf\u3002\u6211\u5011\u5728 2018 \u5e74 4 \u6708\u5373\u63a2\u8a0e\u904e XLoader<\/a>\uff0c\u8a72\u60e1\u610f\u7a0b\u5f0f\u6703\u5229\u7528 DNS \u5feb\u53d6\u6c59\u67d3\u8207 DNS \u5047\u5192\u7b49\u6280\u5de7\u4f86\u8b93\u8b93\u53d7\u5bb3\u8005\u611f\u67d3\u60e1\u610f Android \u61c9\u7528\u7a0b\u5f0f\uff0c\u9032\u800c\u7aca\u53d6\u500b\u4eba\u8eab\u5206\u8b58\u5225\u8cc7\u8a0a (PII) \u548c\u91d1\u878d\u76f8\u95dc\u8cc7\u6599\uff0c\u4e26\u4e14\u5b89\u88dd\u984d\u5916\u7684\u61c9\u7528\u7a0b\u5f0f\u3002\u540c\u6642\uff0c\u6211\u5011\u4e5f\u5728 6 \u6708\u767c\u8868\u904e\u91dd\u5c0d FakeSpy \u7684\u7814\u7a76\u767c\u73fe<\/a>\uff0c\u6b64\u60e1\u610f\u7a0b\u5f0f\u6703\u7d93\u7531\u7db2\u8def\u91e3\u9b5a\u7c21\u8a0a (SMiShing<\/a>) \u4f86\u611f\u67d3 Android(\u5b89\u5353) \u88dd\u7f6e\uff0c\u540c\u6a23\u4e5f\u6703\u7aca\u53d6\u4f7f\u7528\u8005\u8cc7\u8a0a\u3002<\/p>\n

\u622a\u81f3 10 \u6708\u70ba\u6b62\uff0c\u5168\u7403\u52a0\u8d77\u4f86\u7e3d\u5171\u7d04\u6709 384,748 \u540d XLoader \u548c FakeSpy \u53d7\u5bb3\u8005\uff0c\u4e3b\u8981\u5206\u5e03\u5728\u5357\u97d3\u548c\u65e5\u672c\u3002<\/p>\n

\"Figure<\/p>\n

\u5716 1\uff1a\u4eca\u5e74 XLoader \u548c FakeSpy \u6bcf\u6708\u611f\u67d3\u6578\u91cf\u3002<\/em><\/p>\n

\u6211\u5011\u4e00\u958b\u59cb\u5728\u767c\u8868 XLoader \u548c FakeSpy \u7684\u76f8\u95dc\u5831\u544a\u6642\uff0c\u4e26\u672a\u767c\u73fe\u5169\u8005\u4e4b\u9593\u6709\u4efb\u4f55\u95dc\u9023\u3002\u7136\u800c\uff0c\u96a8\u8457\u6211\u5011\u7684\u6700\u65b0\u7814\u7a76\u51fa\u73fe\uff0c\u9019\u5169\u9805\u653b\u64ca\u80cc\u5f8c\u5f88\u53ef\u80fd\u662f\u540c\u4e00\u72af\u7f6a\u96c6\u5718\u3001\u6216\u662f\u5169\u500b\u95dc\u4fc2\u5bc6\u5207\u7684\u72af\u7f6a\u96c6\u5718\u6240\u70ba\u3002<\/p>\n

 <\/p>\n

XLoader \u548c FakeSpy \u5047\u5192\u65e5\u672c\u67d0\u77e5\u540d\u5b85\u914d\u516c\u53f8\u7684\u61c9\u7528\u7a0b\u5f0f<\/strong><\/h3>\n

XLoader \u548c FakeSpy \u5169\u8005\u4e4b\u9593\u6709\u6240\u95dc\u806f\u7684\u7b2c\u4e00\u500b\u7dda\u7d22\u5c31\u662f\uff0cXLoader \u66fe\u5728\u4eca\u5e74 6 \u6708\u5047\u5192\u65e5\u672c\u67d0\u5927\u578b\u5b85\u914d\u516c\u53f8\u7684\u61c9\u7528\u7a0b\u5f0f\u3002\u6709\u8da3\u7684\u662f\uff0c\u5e7e\u4e4e\u6240\u6709\u7684 FakeSpy \u8b8a\u7a2e\u540c\u6a23\u90fd\u662f\u5047\u5192\u9019\u5bb6\u5b85\u914d\u516c\u53f8\u7684\u61c9\u7528\u7a0b\u5f0f\u4f86\u7aca\u53d6\u4f7f\u7528\u8005\u8cc7\u8a0a\u3002<\/p>\n

\u5728\u6df1\u5165\u8ffd\u67e5 XLoader \u548c FakeSpy \u7684\u6d3b\u52d5\u4e4b\u5f8c\uff0c\u6211\u5011\u767c\u73fe\u5b83\u5011\u90fd\u662f\u5229\u7528\u540c\u4e00\u500b\u7ba1\u9053\u4f86\u6563\u5e03\u60e1\u610f\u7a0b\u5f0f\u3002\u8da8\u52e2\u79d1\u6280<\/a><\/u>\u5728 7 \u6708\u6642\u66fe\u5229\u7528 VirusTotal \u7db2\u7ad9\u4f86\u641c\u5c0b\u67d0\u500b XLoader \u7684\u6a23\u672c (\u96dc\u6e4a\u78bc\uff1abf0ad39d8a19b9bc385fb629e3227dec4012e1f5a316e8a30c932202624e8e0e)\uff0c\u4e26\u767c\u73fe\u8a72\u6a23\u672c\u662f\u5f9e\u67d0\u500b\u5047\u5192\u524d\u8ff0\u5b85\u914d\u516c\u53f8\u7684\u7db2\u57df\u6240\u4e0b\u8f09\u800c\u4f86\u3002\u4e00\u500b\u6708\u4e4b\u5f8c\uff0c\u7576\u6211\u5011\u5728\u5206\u6790\u67d0\u500b FakeSpy \u7684\u6a23\u672c\u6642 (\u96dc\u6e4a\u78bc\uff1aba5b85a4dd70b96f4a43bda5eb66e546facc4e3523f78a91fc01c768c6de5c24)\uff0c\u6211\u5011\u767c\u73fe\u6b64\u6a23\u672c\u4e5f\u662f\u5f9e\u540c\u4e00\u500b\u60e1\u610f\u7db2\u57df\u6240\u4e0b\u8f09\u3002<\/p>\n

\"Figure<\/p>\n

\u5716 2\uff1aVirusTotal \u7684\u8a73\u7d30\u8cc7\u6599\u986f\u793a XLoader \u6a23\u672c\u4f86\u5728\u524d\u8ff0\u7db2\u57df\u3002<\/em><\/p>\n

\"Figure<\/p>\n

\u5716 3\uff1aFakeSpy \u6a23\u672c\u4e5f\u662f\u5f9e\u540c\u4e00\u500b\u7db2\u57df\u6240\u4e0b\u8f09\u3002<\/em><\/p>\n

\u53e6\u6709\u591a\u500b XLoader \u548c FakeSpy \u6a23\u672c\u4e5f\u51fa\u73fe\u540c\u6a23\u7684\u7d50\u679c\u3002\u622a\u81f3\u672c\u6587\u64b0\u7a3f\u70ba\u6b62\uff0c\u6211\u5011\u5df2\u767c\u73fe 126 \u500b XLoader \u548c FakeSpy \u5171\u540c\u7528\u4f86\u6563\u5e03\u60e1\u610f\u7a0b\u5f0f\u7684\u7db2\u57df (\u5b8c\u6574\u7684\u5165\u4fb5\u6307\u6a19 IoC \u6e05\u55ae\u8acb\u53c3\u95b1\u8a72\u4efd\u7814\u7a76\u5831\u544a)\u3002<\/p>\n

\u6b64\u5916\uff0c\u6211\u5011\u5f9e XLoader \u548c FakeSpy \u96b1\u85cf\u5e55\u5f8c\u64cd\u7e31 (C&C) \u901a\u8a0a\u4f4d\u5740\u7684\u624b\u6cd5\u4e0a\u4e5f\u767c\u73fe\u4e00\u4e9b\u76f8\u4f3c\u4e4b\u8655\u3002\u5169\u8005\u7684\u67d0\u4e9b\u8b8a\u7a2e\u7686\u6703\u5229\u7528\u793e\u7fa4\u5a92\u9ad4\u7684\u500b\u4eba\u8cc7\u6599\u6a94\u6848\u4f86\u96b1\u85cf\u771f\u6b63\u7684 C&C \u4f4d\u5740\u3002<\/p>\n

\"Figure<\/p>\n

\u5716 4\uff1aXLoader \u5c07\u771f\u6b63\u7684 C&C \u4f4d\u5740\u6697\u85cf\u5728\u67d0\u500b\u793e\u7fa4\u5a92\u9ad4\u4f7f\u7528\u8005\u500b\u4eba\u6a94\u6848\u7576\u4e2d\u3002\u8a3b\uff1a\u6211\u5011\u5df2\u4e3b\u52d5\u548c\u672c\u7814\u7a76\u4e2d\u76f8\u95dc\u60e1\u610f\u7db2\u57df\u6240\u5c6c\u7684\u5ee0\u5546\u806f\u7d61\uff0c\u4f7f\u5f97\u9019\u4e9b\u500b\u4eba\u6a94\u6848\u548c\u5e33\u865f\u7686\u5df2\u906d\u9396\u3002<\/em><\/p>\n

\"Figure<\/p>\n

\u5716 5\uff1aIP \u4f4d\u5740\u662f\u8a18\u9304\u5728\u793e\u7fa4\u5a92\u9ad4\u500b\u4eba\u6a94\u6848\u7576\u4e2d\uff0c\u4e26\u4ee5\u300c^^\u300d\u70ba\u958b\u982d\u3001\u300c$$\u300d\u70ba\u7d50\u5c3e\u3002\u7576\u61c9\u7528\u7a0b\u5f0f\u555f\u52d5\u6642\uff0c\u5c31\u6703\u5b58\u53d6\u8a72\u7db2\u9801\u4e26\u89e3\u6790\u5176\u5167\u5bb9\u4f86\u53d6\u5f97\u771f\u6b63\u7684 C&C \u4f4d\u5740\u3002<\/em><\/p>\n

 <\/strong><\/p>\n

\u8207\u4e2d\u570b\u7db2\u8def\u72af\u7f6a\u96c6\u5718\u300c\u5ef6\u908a\u5e6b\u300d(Yanbian Gang) \u7684\u95dc\u806f<\/strong><\/h3>\n

\u5728\u5206\u6790\u904e XLoader \u548c FakeSpy \u7a0b\u5f0f\u78bc\u7d50\u69cb\u548c\u884c\u70ba\u4e4b\u5f8c\uff0c\u6211\u5011\u63a8\u6e2c\u5f8c\u8005\u7684\u6a23\u672c\u8207\u4e2d\u570b\u7db2\u8def\u72af\u7f6a\u96c6\u5718\u300c\u5ef6\u908a\u5e6b<\/a>\u300d(Yanbian Gang) \u6709\u6240\u95dc\u806f\uff0c\u8a72\u96c6\u5718\u5c08\u9580\u7aca\u53d6\u5357\u97d3\u9280\u884c\u5ba2\u6236\u5e33\u4e0a\u7684\u5b58\u6b3e\u3002<\/p>\n

\u9664\u4e86 FakeSpy \u548c\u5ef6\u908a\u5e6b\u7684\u61c9\u7528\u7a0b\u5f0f\u90fd\u662f\u653b\u64ca\u65e5\u672c\u8207\u5357\u97d3\u7db2\u8def\u9280\u884c\u7684\u5ba2\u6236\u4e4b\u5916\uff0c\u6211\u5011\u4e5f\u767c\u73fe\u5169\u8005\u4f7f\u7528\u7684\u60e1\u610f\u7a0b\u5f0f\u7576\u4e2d\u542b\u6709\u985e\u4f3c\u7684\u7a0b\u5f0f\u78bc\uff1a<\/p>\n

\"Figure<\/p>\n

\u5716 6\uff1a\u5ef6\u908a\u5e6b\u61c9\u7528\u7a0b\u5f0f\u7576\u4e2d\u7684\u7a0b\u5f0f\u78bc\u3002<\/em><\/p>\n

\"Figure<\/p>\n

\u5716 7\uff1aFakeSpy \u61c9\u7528\u7a0b\u5f0f\u7576\u4e2d\u7684\u7a0b\u5f0f\u78bc\u3002<\/em><\/p>\n

\"Figure<\/p>\n

\u5716 8\uff1a\u5ef6\u908a\u5e6b (\u4e0a) \u548c FakeSpy (\u4e0b) \u7684\u61c9\u7528\u7a0b\u5f0f\u6a23\u672c\u7576\u4e2d\u90fd\u6709\u985e\u4f3c\u7684\u57fa\u672c\u8cc7\u6599\u8a18\u8f09\u8457\u53d7\u611f\u67d3\u88dd\u7f6e\u7684\u8cc7\u8a0a\u548c C&C \u4f3a\u670d\u5668\u8def\u5f91\u3002<\/em><\/p>\n

\u6839\u64da WHOIS \u67e5\u8a62\u7684\u7d50\u679c\u986f\u793a\uff0c\u8a3b\u518a FakeSpy \u548c XLoader \u60e1\u610f\u7db2\u57df\u7d66\u5047\u5192\u65e5\u672c\u5b85\u914d\u516c\u53f8\u7684\u61c9\u7528\u7a0b\u5f0f\u4f7f\u7528\u7684\u8a3b\u518a\u4eba\u7686\u4f86\u81ea\u4e2d\u570b\u3002\u8a3b\u518a\u4eba\u7684\u96fb\u8a71\u865f\u78bc\u4e5f\u90fd\u4f4d\u65bc\u4e2d\u570b\u5409\u6797\u7701\uff0c\u800c\u9019\u6b63\u662f\u5ef6\u908a\u5e6b\u6210\u54e1\u6240\u5728\u7684\u5730\u9ede\u3002<\/p>\n

\u6839\u64da\u6211\u5011\u7814\u7a76\u6240\u8490\u96c6\u5230\u7684\u6240\u6709\u8cc7\u8a0a\u4f86\u5224\u65b7\uff0c\u6211\u5011\u63a8\u6e2c\u5ef6\u908a\u5e6b\u53ef\u80fd\u8207 FakeSpy \u548c XLoader \u6709\u6240\u95dc\u806f\u3002\u7576\u7136\uff0c\u4e5f\u6709\u53ef\u80fd\u662f\u5169\u500b\u4e0d\u540c\u7684\u72af\u7f6a\u96c6\u5718\u525b\u597d\u4f7f\u7528\u76f8\u540c\u7684\u5e55\u5f8c\u670d\u52d9\u6216\u57fa\u790e\u67b6\u69cb\u3002\u4f46\u4e0d\u7ba1\u600e\u6a23\uff0c\u5c31 XLoader \u548c FakeSpy \u76ee\u524d\u6c3e\u6feb\u7684\u60c5\u6cc1\u4f86\u770b\uff0c\u4f7f\u7528\u8005\u6700\u597d\u9084\u662f\u990a\u6210\u826f\u597d\u7684\u884c\u52d5\u88dd\u7f6e\u4f7f\u7528\u7fd2\u6163<\/a>\u3002<\/p>\n

\u5982\u9700\u66f4\u591a\u6709\u95dc XLoader \u548c FakeSpy \u60e1\u610f\u7a0b\u5f0f\u884c\u70ba\u3001\u653b\u64ca\u76ee\u6a19\u3001\u5e55\u5f8c\u57fa\u790e\u67b6\u69cb\u3001\u653b\u64ca\u7ba1\u9053\u4ee5\u53ca\u8fd1\u5e74\u4f86\u5982\u4f55\u6f14\u8b8a\u7684\u76f8\u95dc\u8cc7\u8a0a\uff0c\u8acb\u53c3\u95b1\u6211\u5011\u7684\u7814\u7a76\u5831\u544a\u300cXLoader \u548c FakeSpy \u6f14\u8b8a\u904e\u7a0b\uff1a\u5169\u500b\u95dc\u4fc2\u5bc6\u5207\u7684 Android \u60e1\u610f\u7a0b\u5f0f\u5bb6\u65cf<\/a>\u300d(The Evolution of XLoader and FakeSpy: Two Interconnected Android Malware Families)\u3002<\/em><\/p>\n

 <\/p>\n

 <\/p>\n

\u539f\u6587\u51fa\u8655\uff1aA Look into the Connection Between XLoader and FakeSpy, and Their Possible Ties With the Yanbian Gang<\/a> \u4f5c\u8005<\/strong>\uff1aLorin Wu <\/strong>\u548c<\/strong> Ecular Xu <\/strong><\/p>\n

 <\/strong><\/p>\n

\u300a\u5ef6\u4f38\u95b1\u8b80 \u300b<\/strong><\/p>\n

Android\u7c21\u8a0a\u91e3\u9b5a\u75c5\u6bd2: FakeSpy\u7aca\u53d6\u7c21\u8a0a\u3001\u5e33\u865f\u8cc7\u6599\u3001\u806f\u7d61\u4eba\u548c\u901a\u8a71\u8a18\u9304,\u9084\u6703\u6563\u64ad\u9280\u884c\u6728\u99ac<\/a><\/p>\n

\u624b\u6a5f\u9234\u8072\u8b8a\u6210\u975c\u97f3?Android \u9593\u8adc\u7a0b\u5f0f\u4f5c\u602a! XLoader \u5077\u6253\u96fb\u8a71 \u3001\u770b\u7c21\u8a0a \u3001\u6697\u4e2d\u9304\u97f3,\u9084\u6703\u7aca\u53d6\u9280\u884c\u5e33\u5bc6<\/a><\/p>\n

Google Play\u51fa\u73fe\u5047\u9280\u884c\u61c9\u7528\u7a0b\u5f0f,\u9032\u884c\u7c21\u8a0a\u91e3\u9b5a\uff08SMiShing\uff09\u8a50\u9a19<\/a><\/p>\n

\u4e2d\u570b\u300c\u5ef6\u908a\u5e6b\u300d\u4ee5\u884c\u52d5\u88dd\u7f6e\u60e1\u610f\u7a0b\u5f0f\u5077\u8d70\u5357\u97d3\u7db2\u9280\u7528\u6236\u6578\u767e\u842c\u7f8e\u5143<\/a>
\n\u4f60\u7684\u624b\u6a5f\u5b9a\u4f4d\u670d\u52d9\u4e00\u76f4\u958b\u8457\u55ce?10 \u500b\u4fdd\u8b77\u884c\u52d5\u8a2d\u5099\u7684\u65b9\u6cd5<\/a><\/p>\n

 <\/p>\n

 <\/strong> <\/strong><\/p>\n

PC-cillin \u96f2\u7aef\u7248\u6574\u5408 AI \u4eba\u5de5\u667a\u6167\u7684\u591a\u5c64\u5f0f\u9632\u8b77\uff0c\u7cbe\u6e96\u9810\u6e2c\u5373\u6642\u62b5\u79a6\u672a\u77e5\u5a01\u8105 >>\u5373\u523b\u514d\u8cbb\u4e0b\u8f09\u8a66\u7528<\/a><\/p>\n

<\/a><\/p>\n

\u300a \u60f3\u4e86\u89e3\u66f4\u591a\u95dc\u65bc\u7db2\u8def\u5b89\u5168\u7684\u79d8\u8a23\u548c\u5efa\u8b70\uff0c\u53ea\u8981\u5230\u8da8\u52e2\u79d1\u6280\u7c89\u7d72\u7db2\u9801<\/a> \u6216\u4e0b\u9762\u7684\u6309\u9215\u6309\u8b9a \u300b<\/p>\n