{"id":58182,"date":"2018-12-14T09:00:00","date_gmt":"2018-12-14T01:00:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=58182"},"modified":"2018-12-22T14:37:46","modified_gmt":"2018-12-22T06:37:46","slug":"autoit-%e8%a0%95%e8%9f%b2%e9%80%8f%e9%81%8e%e5%8f%af%e7%a7%bb%e9%99%a4%e7%a3%81%e7%a2%9f%e6%95%a3%e6%92%ad%e7%84%a1%e6%aa%94%e6%a1%88%e5%be%8c%e9%96%80%e7%a8%8b%e5%bc%8fbladabindi-njrat","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=58182","title":{"rendered":"\u3010\u8cc7\u5b89 \u3011AutoIt \u8815\u87f2\u900f\u904e\u53ef\u79fb\u9664\u78c1\u789f,\u6563\u64ad\u7121\u6a94\u6848\u5f8c\u9580\u7a0b\u5f0fBLADABINDI\/njRAT"},"content":{"rendered":"

BLADABINDI\uff08\u4e5f\u88ab\u7a31\u70banjRAT\/Njw0rm<\/a>\uff09\u662f\u4e00\u7a2e\u9060\u7aef\u5b58\u53d6\u5de5\u5177\uff08RAT\uff09\uff0c\u5177\u5099\u4e86\u9375\u76e4\u5074\u9304\u3001\u57f7\u884c\u5206\u6563\u5f0f\u963b\u65b7\u670d\u52d9\u653b\u64ca” (DDoS)<\/a><\/u>\u653b\u64ca\u7b49\u773e\u591a\u5f8c\u9580\u529f\u80fd\uff0c\u4e00\u518d\u5730\u88ab\u91cd\u8907\u904b\u7528<\/a>\u5728\u5404\u7a2e\u7db2\u8def\u9593\u8adc<\/a>\u6d3b\u52d5<\/a>\u4e2d\u3002\u4e8b\u5be6\u4e0a\uff0cBLADABINDI\u7684\u53ef\u5ba2\u88fd\u6027<\/a>\u53ca\u53ef\u5f9e\u7db2\u8def\u5730\u4e0b\u4e16\u754c\u53d6\u5f97<\/a>\u8b93\u5b83\u6210\u70ba\u4e00\u7a2e\u5e38\u898b<\/a>\u7684\u60e1\u610f\u5a01\u8105\u3002\u8da8\u52e2\u79d1\u6280\u524d\u5e7e\u65e5\u5c31\u767c\u73fe\u4e86\u4e00\u96bb\u8815\u87f2\u75c5\u6bd2Worm.Win32.BLADABINDI.AA\uff0c\u5b83\u6703\u900f\u904e\u884c\u52d5\u789f\u4f86\u6563\u64ad\u4e26\u5b89\u88dd\u7121\u6a94\u6848\u7248\u672c\u7684BLADABINDI\u5f8c\u9580\u7a0b\u5f0f\u3002<\/p>\n

\u96d6\u7136\u4ecd\u7121\u6cd5\u78ba\u5207\u77e5\u9053\u60e1\u610f\u6a94\u6848\u5982\u4f55\u9032\u5165\u53d7\u611f\u67d3\u7cfb\u7d71\uff0c\u4f46\u5176\u6563\u64ad\u884c\u70ba\u986f\u793a\u51fa\u5b83\u6703\u900f\u904e\u884c\u52d5\u789f\u4f86\u9032\u5165\u7cfb\u7d71\u3002AutoIt<\/a>\u9664\u4e86\u662f\u4e00\u7a2e\u9748\u6d3b\u4e14\u6613\u65bc\u4f7f\u7528\u7684\u8173\u672c\u8a9e\u8a00\u5916\uff0cBLADABINDI\u5982\u4f55\u53bb\u6feb\u7528\u5b83\u4e5f\u5f88\u4ee4\u4eba\u95dc\u5fc3\u3002\u5b83\u5229\u7528AutoIt<\/a>\uff08FileInstall\u547d\u4ee4\uff09\u4f86\u5c07\u5f8c\u9580\u7a0b\u5f0f\u548c\u4e3b\u8173\u672c\u7de8\u8b6f\u6210\u55ae\u4e00\u7684\u57f7\u884c\u6a94\uff0c\u8b93\u5f8c\u9580\u7a0b\u5f0f\u96e3\u4ee5\u88ab\u5075\u6e2c\u5230\u3002<\/p>\n

<\/p>\n

\u57161<\/em>\uff1a\u622a\u5716\u986f\u793a\u51fa\u5e38\u898b\u7684AutoIt<\/em>\u7de8\u8b6f\u8173\u672c\u6a19\u793a\uff08\u7528\u7d05\u8272\u6846\u5708\u51fa\uff09<\/em><\/p>\n

<\/p>\n

\u6280\u8853\u5206\u6790<\/em><\/strong><\/p>\n

\u6211\u5011\u7528AutoIt\u8173\u672c\u53cd\u7de8\u8b6f\u5668\u4f86\u5f9e\u57f7\u884c\u6a94\u53d6\u51faAutoIt\u8173\u672c\uff0c\u767c\u73fe\u8173\u672c\u7684\u4e3b\u51fd\u5f0f\u6703\u5148\u522a\u9664\u7cfb\u7d71%TEMP%\u8cc7\u6599\u593e\u5167\u7684Tr.exe<\/em>\u6a94\u6848\uff0c\u597d\u5b89\u88dd\u81ea\u5df1\u7248\u672c\u7684Tr.exe<\/em>\u3002\u7d42\u6b62\u76f8\u540c\u540d\u7a31\u7684\u7a0b\u5e8f\u5f8c\u5c31\u6703\u57f7\u884c\u690d\u5165\u7684\u6a94\u6848\u3002\u5b83\u9084\u6703\u5c07\u81ea\u5df1\u8907\u88fd\u5230\u540c\u4e00\u500b\u8cc7\u6599\u593e\u5167\u3002\u70ba\u4e86\u9054\u5230\u6301\u7e8c\u6027\uff0c\u5b83\u6703\u5c07\u6a94\u6848\u6377\u5f91\u52a0\u5165%STARTUP%\u8cc7\u6599\u593e\u3002<\/p>\n

 <\/p>\n

\u70ba\u4e86\u9032\u884c\u6563\u64ad\uff0c\u5b83\u6703\u5c07\u81ea\u5df1\u8907\u88fd\u5230\u53d7\u611f\u67d3\u7cfb\u7d71\u6240\u6709\u7684\u53ef\u79fb\u9664\u78c1\u789f\u3002\u5b83\u9084\u6703\u52a0\u5165\u4e00\u500b\u6377\u5f91\u6a94\u6848\uff08.LNK\uff09\uff0c\u4e26\u5c07\u53ef\u79fb\u9664\u78c1\u789f\u539f\u672c\u7684\u6a94\u6848\u90fd\u5f9e\u6839\u76ee\u9304\u79fb\u52d5\u5230\u540d\u70basss\u7684\u8cc7\u6599\u593e\u5167\u3002<\/p>\n

<\/p>\n

\u57162<\/em>\uff1a\u53cd\u7de8\u8b6f\u8173\u672c\u57f7\u884c\u6a94<\/em><\/p>\n

<\/p>\n

\u57163<\/em>\uff1a\u5982\u4f55\u7528AutoIt<\/em>\u7684FileInstall<\/em>\u547d\u4ee4\u5c07AutoIt<\/em>\u8173\u672c\u8207\u6a94\u6848\u7d81\u5728\u4e00\u8d77\uff0c\u7136\u5f8c\u5728\u8173\u672c\u57f7\u884c\u6642\u8f09\u5165\u6a94\u6848<\/em><\/p>\n

<\/p>\n

<\/p>\n

\u57164<\/em>\uff1a\u986f\u793a\u5982\u4f55\u52a0\u5165\u6377\u5f91\uff08\u4e0a\uff09\u53ca\u5b83\u5982\u4f55\u900f\u904e\u53ef\u79fb\u9664\u78c1\u789f\u6563\u64ad\uff08\u4e0b\uff09<\/em><\/p>\n

 <\/p>\n

\u88ab\u690d\u5165\u7684Tr.exe<\/em>\u5176\u5be6\u662f\u53e6\u4e00\u500bAutoIt\u8173\u672c\u57f7\u884c\u6a94\uff08Trojan.Win32.BLADABINDI.AA\uff09\u3002\u53cd\u7de8\u8b6f\u5f8c\u767c\u73fe\u5b83\u5305\u542b\u4e00\u500b\u7528base64\u7de8\u78bc\u904e\u7684\u57f7\u884c\u6a94\uff0c\u6703\u5beb\u5165\u767b\u9304\u8868HKEY_CURRENT_USER\\Software\u5167\u7684\u767b\u9304\u503c\u9805Valuex<\/em>\u3002<\/p>\n

 <\/p>\n

\u5b83\u9084\u6703\u5efa\u7acb\u53e6\u4e00\u500b\u503c\u9805\u4f86\u9054\u5230\u6301\u7e8c\u6027\u3002\u4f7f\u7528\u7684\u662f\u81ea\u52d5\u57f7\u884c\u767b\u9304\u8868HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u5167\u7684AdobeMX<\/em>\uff0c\u5b83\u6703\u57f7\u884cPowerShell\u4f86\u900f\u904e\u53cd\u5c04\u8f09\u5165\uff08\u5f9e\u8a18\u61b6\u9ad4\u8f09\u5165\u57f7\u884c\u6a94\u800c\u4e0d\u662f\u5f9e\u7cfb\u7d71\u78c1\u789f\uff09\u7de8\u78bc\u904e\u7684\u57f7\u884c\u6a94\u3002<\/p>\n

 <\/p>\n

\u7531\u65bc\u57f7\u884c\u6a94\u76f4\u63a5\u5f9e\u767b\u9304\u8868\u8f09\u5165\u5230PowerShell\u7684\u8a18\u61b6\u9ad4\uff0c\u56e0\u6b64\u6211\u5011\u80fd\u5920\u8f49\u5132\u60e1\u610f\u57f7\u884c\u6a94\u6240\u5728\u7684\u7279\u5b9a\u5730\u5740\u3002\u6211\u5011\u767c\u73fe\u5b83\u662f\u7528.NET\u6240\u7de8\u8b6f\uff0c\u4f7f\u7528\u5546\u696d\u7b49\u7d1a\u7684\u7a0b\u5f0f\u78bc\u4fdd\u8b77\u8edf\u9ad4\u4f86\u9032\u884c\u6df7\u6dc6\u8655\u7406\u3002<\/p>\n

<\/p>\n

\u57165<\/em>\uff1a\u622a\u5716\u986f\u793aPowerShell<\/em>\u8f09\u5165\u7de8\u78bc\u904e\u7684\u57f7\u884c\u6a94<\/em><\/p>\n

 <\/p>\n

BLADABINDI\/njRAT<\/em><\/strong>\u6709\u6548\u8f09\u8377\uff08payload<\/em><\/strong>\uff09<\/em><\/strong><\/p>\n

 <\/p>\n

BLADABINDI\u5f8c\u9580\u7a0b\u5f0f\u8b8a\u7a2e\u5229\u7528water-boom[.]duckdns[.]org\u7aef\u53e31177\u4f5c\u70ba\u547d\u4ee4\u548c\u63a7\u5236\uff08C&C\uff09\u4f3a\u670d\u5668\u3002\u8ddfBLADABINDI\u4e4b\u524d<\/a>\u7684\u5e7e\u500b\u7248\u672c\u4e00\u6a23\uff0c\u9019\u500b\u7121\u6a94\u6848<\/a>\u7248\u672c\u7684C&C\u76f8\u95dc\u7db2\u5740\u4f7f\u7528\u52d5\u614bDNS\u3002\u9019\u8b93\u653b\u64ca\u8005\u80fd\u5920\u96b1\u85cf\u4f3a\u670d\u5668\u7684\u5be6\u969bIP\u5730\u5740\u6216\u6839\u64da\u9700\u8981\u4f86\u52a0\u4ee5\u66f4\u6539\/\u66f4\u65b0\u3002<\/p>\n

 <\/p>\n

\u5f9eC&C\u4f3a\u670d\u5668\u4e0b\u8f09\u7684\u6a94\u6848\u4ee5Trojan.exe<\/em>\u5132\u5b58\u5728%TEMP%\u8cc7\u6599\u593e\u4e2d\u3002\u5b83\u4f7f\u7528\u5b57\u4e325cd8f17f4086744065eb0992a09e05a2\u4f5c\u70ba\u53d7\u611f\u67d3\u96fb\u8166\u4e0a\u7684mutex\u8ddf\u767b\u9304HIVE\u3002\u767b\u9304\u503ctcpClient_0<\/em>\u662f\u7528\u4f86\u8a2d\u5b9a\u63a5\u6536\u53d7\u611f\u67d3\u96fb\u8166\u7aca\u4f86\u8cc7\u6599\u7684HTTP\u4f3a\u670d\u5668\u3002\u4f46\u7531\u65bc\u8a72\u503c\u8a2d\u70banull\uff0c\u56e0\u6b64\u6240\u6709\u88ab\u7aca\u8cc7\u6599\u90fd\u6703\u9001\u5230\u540c\u4e00\u500bC&C\u4f3a\u670d\u5668\u3002<\/p>\n

 <\/p>\n

\u7576\u5f8c\u9580\u7a0b\u5f0f\u57f7\u884c\u6642\uff0c\u5b83\u6703\u5efa\u7acb\u4e00\u500b\u9632\u706b\u7246\u653f\u7b56\uff0c\u5c07PowerShell\u7a0b\u5e8f\u52a0\u9032\u7cfb\u7d71\u5141\u8a31\u7684\u7a0b\u5e8f\u5217\u8868\u3002BLADABINDI\u7684\u5f8c\u9580\u7a0b\u5f0f\u529f\u80fd\u5982\u57167\u6240\u793a\uff0c\u5305\u542b\u4e86\u9375\u76e4\u5074\u9304\uff0c\u53d6\u56de\u548c\u57f7\u884c\u6a94\u6848\uff0c\u4ee5\u53ca\u5f9e\u7db2\u9801\u700f\u89bd\u5668\u7aca\u53d6\u5e33\u5bc6\u3002<\/p>\n

 <\/p>\n

\"\"<\/p>\n

\"\"<\/a><\/p>\n

\u57166<\/em>\uff1a\u986f\u793aBLADABINDI<\/em>\u8b8a\u7a2e\u8a2d\u5b9a\u7684\u7a0b\u5f0f\u78bc\uff08\u4e0a\uff09\uff1b\u5efa\u7acb\u9632\u706b\u7246\u653f\u7b56\u5c07PowerShell<\/em>\u52a0\u5165\u5141\u8a31\u57f7\u884c\u7684\u7a0b\u5e8f\u5217\u8868\uff08\u4e0b\uff09<\/em><\/p>\n

\"\"<\/a><\/p>\n

\u57167<\/em>\uff1aBLADABINDI<\/em>\u8b8a\u7a2e\u7684\u5f8c\u9580\u529f\u80fd<\/em><\/p>\n

 <\/p>\n

\u6700\u4f73\u5be6\u4f5c\u548c\u8da8\u52e2\u79d1\u6280\u89e3\u6c7a\u65b9\u6848<\/em><\/strong><\/p>\n

 <\/p>\n

\u8815\u87f2\u75c5\u6bd2\u5728\u53d7\u611f\u67d3\u7cfb\u7d71\u4e0a\u7684\u6709\u6548\u8f09\u8377\uff08payload\uff09\u3001\u6563\u64ad\u80fd\u529b\u4ee5\u53ca\u80fd\u5920\u7121\u6a94\u6848<\/a>\u5730\u6563\u5e03\u5f8c\u9580\u7a0b\u5f0f\u7684\u6280\u8853<\/a>\u8b93\u5176\u6210\u70ba\u4e00\u7a2e\u56b4\u91cd\u7684\u5a01\u8105\u3002\u4f7f\u7528\u8005\u548c\u4f01\u696d\uff08\u5c24\u5176\u662f\u4ecd\u5728\u5de5\u4f5c\u5834\u6240\u4f7f\u7528\u53ef\u79fb\u9664\u5a92\u9ad4\u7684\u55ae\u4f4d\uff09\u8981\u5efa\u7acb\u826f\u597d\u7684\u8cc7\u5b89\u7fd2\u6163\u3002\u9650\u5236\u4e26\u9632\u8b77\u53ef\u79fb\u9664\u5a92\u9ad4\u6216USB\u529f\u80fd\u6216PowerShell\u7b49\u5de5\u5177\u7684\u4f7f\u7528\uff08\u7279\u5225\u662f\u5728\u653e\u6709\u654f\u611f\u8cc7\u6599\u7684\u7cfb\u7d71\u4e0a\uff09\uff0c\u4e26\u4e3b\u52d5\u76e3\u8996\u9598\u9053\u3001\u7aef\u9ede\u3001\u7db2\u8def\u548c\u4f3a\u670d\u5668\u4f86\u6aa2\u8996\u7570\u5e38\u884c\u70ba\u548c\u53ef\u7591\u6307\u6a19\uff08\u5982C&C\u901a\u8a0a\u548c\u8cc7\u6599\u7aca\u53d6\uff09\u3002<\/p>\n

 <\/p>\n

\u4f7f\u7528\u8005\u548c\u4f01\u696d\u9084\u53ef\u4ee5\u4f7f\u7528\u8da8\u52e2\u79d1\u6280\u7684\u7aef\u9ede\u89e3\u6c7a\u65b9\u6848\uff08\u5982PC-cillin 2019 \u96f2\u7aef\u7248<\/a>\uff0c\u8da8\u52e2\u79d1\u6280OfficeScan<\/a>\u548c Worry-Free Business Security\u00a0<\/a>\uff09\uff0c\u5b83\u5011\u90fd\u5305\u542b\u4e86\u884c\u70ba\u76e3\u63a7\u6280\u8853\u4f86\u5075\u6e2c\u7121\u6a94\u6848\u60e1\u610f\u8edf\u9ad4\u653b\u64ca\u3002\u53ef\u4ee5\u5e6b\u52a9\u7d44\u7e54\u627e\u51fa\u60e1\u610f\u884c\u70ba\uff0c\u5728\u60e1\u610f\u8edf\u9ad4\u57f7\u884c\u6216\u52d5\u4f5c\u524d\u5148\u52a0\u4ee5\u5c01\u9396\u3002OfficeScan\u9084\u5305\u542b\u4e86\u8a2d\u5099\u63a7\u5236<\/a>\u529f\u80fd\uff0c\u53ef\u4ee5\u9632\u6b62USB\u548c\u5149\u789f\u88ab\u5b58\u53d6\uff0c\u9632\u6b62\u985e\u4f3c\u672c\u6587\u4e2d\u6240\u8a0e\u8ad6\u7684\u653b\u64ca\u3002\u5177\u5099\u8da8\u52e2\u79d1\u6280XGen™ \u9632\u8b77<\/a>\u7aef\u9ede\u5b89\u5168\u9632\u8b77\u6280\u8853\u7684\u8da8\u52e2\u79d1\u6280\u8da8\u52e2\u79d1\u6280OfficeScan<\/a>\u7d50\u5408\u4e86\u9ad8\u4fdd\u771f\u6a5f\u5668\u5b78\u7fd2\u8207\u5176\u4ed6\u5075\u6e2c\u6280\u8853\u548c\u5168\u7403\u5a01\u8105\u60c5\u5831\uff0c\u53ef\u5168\u9762\u6027\u5730\u9632\u7bc4\u9032\u968e\u60e1\u610f\u8edf\u9ad4\u3002<\/p>\n

 <\/p>\n

\u5165\u4fb5\u6307\u6a19\uff08IoC<\/em><\/strong>\uff09\uff1a<\/em><\/strong><\/p>\n

 <\/p>\n

\u76f8\u95dc\u96dc\u6e4a\u503c\uff08SHA-256\uff09\uff1a<\/p>\n