![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2018\/04\/cyberrime-200x200.jpg\")
<\/figure><\/div>\n\n\n\n\u8da8\u52e2\u79d1\u6280<\/a>\u767c\u73fe\u4e00\u500b\u5c08\u9580\u653b\u64ca\u7db2\u7ad9\u4f3a\u670d\u5668\u3001\u7db2\u8def\u78c1\u789f\u53ca\u53ef\u5378\u9664\u5f0f\u78c1\u789f\u7684\u6700\u65b0\u60e1\u610f\u7a0b\u5f0f\u5bb6\u65cf\uff0c\u5b83\u5229\u7528\u4e86\u591a\u7a2e\u7db2\u7ad9\u4f3a\u670d\u5668\u6f0f\u6d1e\u653b\u64ca\u624b\u6cd5\u4ee5\u53ca\u6240\u8b02\u7684\u300c\u5b57\u5178\u653b\u64ca\u300d(dictionary attack)\u3002\u9019\u500b\u60e1\u610f\u7a0b\u5f0f\u53eb\u4f5c\u300cBlackSquid\u300d(\u4ee5\u5176\u6240\u5efa\u7acb\u7684\u7cfb\u7d71\u767b\u9304\u8207\u4e3b\u8981\u6a94\u6848\u4f86\u547d\u540d)\uff0c\u662f\u4e00\u500b\u76f8\u7576\u5371\u96aa\u7684\u60e1\u610f\u7a0b\u5f0f\uff0c\u539f\u56e0\u6709\u5e7e\u9ede\u3002\u9996\u5148\uff0c\u5b83\u5728\u9762\u5c0d\u6240\u8655\u74b0\u5883\u6642\uff0c\u6703\u904b\u7528\u53cd\u5236\u865b\u64ec\u74b0\u5883\u3001\u53cd\u5236\u9664\u932f\u3001\u53cd\u5236\u6c99\u76d2\u6a21\u64ec\u5206\u6790\u7684\u6280\u5de7\u4f86\u5224\u65b7\u81ea\u5df1\u662f\u5426\u8981\u7e7c\u7e8c\u57f7\u884c\u5b89\u88dd\u7a0b\u5e8f\u3002\u6b64\u5916\uff0c\u5b83\u4e5f\u5177\u5099\u985e\u4f3c\u8815\u87f2\u7684\u884c\u70ba\uff0c\u80fd\u81ea\u6211\u8907\u88fd\u4e26\u56db\u8655\u64f4\u6563\u3002\u540c\u6642\uff0c\u5b83\u66f4\u5229\u7528\u4e86\u7576\u4eca\u6700\u77e5\u540d\u7684\u4e00\u4e9b\u6f0f\u6d1e\u653b\u64ca\u624b\u6cd5\uff0c\u5982\nEternalBlue<\/a>\u3001DoublePulsar<\/a>\uff0c\u4ee5\u53ca\nCVE-2014-6287<\/a>\u3001CVE-2017-12615<\/a>\u3001CVE-2017-8464<\/a>\n\u7b49\u4e09\u9805\u6f0f\u6d1e\u7684\u653b\u64ca\u624b\u6cd5\uff0c\u4e26\u4e14\u6703\u653b\u64ca\u4e09\u7a2e\u4e0d\u540c\u7248\u672c ThinkPHP \u7684\u6f0f\u6d1e\u3002<\/p>\n\n\n\n \u9664\u6b64\u4e4b\u5916\uff0c\u7db2\u8def\u72af\u7f6a\u96c6\u5718\u4f3c\u4e4e\u4e5f\u5728\u6e2c\u8a66\u8a72\u60e1\u610f\u7a0b\u5f0f\u7576\u4e2d\u7684\u4e00\u4e9b\u6280\u5de7\u662f\u5426\u53ef\u884c\uff0c\u4ee5\u4f5c\u70ba\u5f8c\u7e8c\u767c\u5c55\u7684\u53c3\u8003\u4f9d\u64da\u3002\u76ee\u524d\u6211\u5011\u6240\u8490\u96c6\u5230\u7684\u6a23\u672c\uff0c\u6700\u7d42\u6703\u5b89\u88dd\u4e00\u500b XMRig \u9580\u7f85\u5e63\n(Monero) \u6316\u7926\u7a0b\u5f0f\u3002\u4e0d\u904e\uff0cBlackSquid \u672a\u4f86\u9084\u53ef\u80fd\u518d\u7d50\u5408\u5176\u4ed6\u60e1\u610f\u7a0b\u5f0f\u3002<\/p>\n\n\n\n \u6839\u64da\u6211\u5011\u7684\u76e3\u6e2c\u8cc7\u6599\u6307\u51fa\uff0c\u4e94\u6708\u4efd\u7684\u6700\u5f8c\u4e00\u9031\uff0cBlackSquid \u653b\u64ca\u6578\u91cf\u51fa\u73fe\u6700\u591a\u7684\u5730\u5340\u662f\u6cf0\u570b\u548c\u7f8e\u570b\u3002<\/p>\n\n\n\n BlackSquid \u53ef\u7d93\u7531\u4e09\u7a2e\u7ba1\u9053\u4f86\u611f\u67d3\u7cfb\u7d71\uff1a\u7d93\u7531\u9020\u8a2a\u5df2\u611f\u67d3\u7684\u7db2\u7ad9\u4f3a\u670d\u5668\u800c\u8b93\u4f7f\u7528\u8005\u96fb\u8166\u906d\u5230\u611f\u67d3\u3001\u7d93\u7531\u6f0f\u6d1e\u653b\u64ca\u4f86\u611f\u67d3\u7db2\u7ad9\u4f3a\u670d\u5668\u3001\u7d93\u7531\u53ef\u5378\u9664\u5f0f\u78c1\u789f\u6216\u7db2\u8def\u78c1\u789f\u4f86\u611f\u67d3\u3002\u7576\u4ee5\u4e0b\u81f3\u5c11\u4e00\u500b\u689d\u4ef6\u6210\u7acb\u6642\uff0c\u5b83\u6703\u7acb\u5373\u4e2d\u65b7\u611f\u67d3\u7684\u884c\u70ba\u4ee5\u907f\u514d\u88ab\u5075\u6e2c\u6216\u6514\u622a\uff1a<\/p>\n\n\n\n \u9664\u6b64\u4e4b\u5916\uff0c\u60e1\u610f\u7a0b\u5f0f\u4e5f\u6703\u6aa2\u67e5\u7a0b\u5f0f\u4e2d\u65b7\u9ede\u7684\u66ab\u5b58\u5668\u4f86\u770b\u770b\u662f\u5426\u70ba\u786c\u9ad4\u4e2d\u65b7\u9ede\uff0c\u7279\u5225\u662f\u67d0\u4e9b\u65d7\u6a19\u3002\u60e1\u610f\u7a0b\u5f0f\u6703\u5728\u67d0\u500b\u5beb\u6b7b\u7684\u65d7\u6a19\u70ba 0 \u6642\u8df3\u904e\u611f\u67d3\u7684\u884c\u70ba\uff0c\u8a72\u65d7\u6a19\u70ba 1 \u6642\u9032\u884c\u611f\u67d3\u52d5\u4f5c\u3002\u622a\u81f3\u672c\u6587\u64b0\u7a3f\u6642\uff0c\u8a72\u65d7\u6a19\u9084\u662f\n0\uff0c\u610f\u5473\u8457\u9019\u90e8\u5206\u7684\u60e1\u610f\u7a0b\u5f0f\u78bc\u5f88\u53ef\u80fd\u9084\u5728\u958b\u767c\u968e\u6bb5\u3002<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 1\uff1a\u786c\u9ad4\u4e2d\u65b7\u9ede\u65d7\u6a19\u5beb\u6b7b\u70ba 0\u3002<\/em><\/p>\n\n\n\n \u53ea\u8981\u60e1\u610f\u7a0b\u5f0f\u6240\u5728\u7684\u7cfb\u7d71\u8207\u524d\u8ff0\u4e09\u9805\u689d\u4ef6\u90fd\u4e0d\u7b26\uff0c\u60e1\u610f\u7a0b\u5f0f\u5c31\u6703\u7e7c\u7e8c\u9032\u884c\u611f\u67d3\u7684\u52d5\u4f5c\u3002\u5982\u540c\u8fd1\u671f\u4e00\u4e9b\u6848\u4f8b\u6240\u7528\u7684\u865b\u64ec\u52a0\u5bc6\u8ca8\u5e63\u6316\u7926\u60e1\u610f\u7a0b\u5f0f\u4e00\u6a23\uff0cBlackSquid \u540c\u6a23\u4e5f\u4f7f\u7528\nEternalBlue-DoublePulsar \u6f0f\u6d1e\u653b\u64ca\u624b\u6cd5 (MS17-010 SMB RCE \u6f0f\u6d1e\u653b\u64ca) \u5728\u5167\u90e8\u7db2\u8def\u64f4\u6563\u3002<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 2\uff1aEternalBlue-DoublePulsar \u6f0f\u6d1e\u653b\u64ca\u6307\u4ee4\u756b\u9762\u3002<\/em><\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 3\uff1a\u91dd\u5c0d\u9023\u63a5\u57e0 445 \u548c 139 \u7684 Server\nMessage Block (SMB) \u6f0f\u6d1e\u653b\u64ca\u3002<\/em><\/p>\n\n\n\n \u5b83\u6703\u5c07\u81ea\u5df1\u8907\u88fd\u4e00\u4efd\u5230\u7db2\u8def\u78c1\u789f\u8207\u53ef\u5378\u9664\u5f0f\u78c1\u789f\uff0c\u4e26\u5229\u7528 CVE-2017-8464 \u91cd\u5927\u6f0f\u6d1e\u4f86\u57f7\u884c\u5176\u7a0b\u5f0f\u3002\u9019\u662f\u4e00\u500b\u9060\u7aef\u7a0b\u5f0f\u78bc\u57f7\u884c (RCE) \u6f0f\u6d1e\uff0c\u53ef\u8b93\u60e1\u610f\u7a0b\u5f0f\u53d6\u5f97\u672c\u6a5f\u7cfb\u7d71\u4f7f\u7528\u8005\u6b0a\u9650\u3002<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 4\uff1a\u60e1\u610f\u7a0b\u5f0f\u5229\u7528 CVE-2017-8464 \u6f0f\u6d1e\u4f86\u57f7\u884c\u3002<\/em><\/p>\n\n\n\n \u9664\u4e86\u7d93\u7531\u7db2\u8def\u64f4\u6563\u4e4b\u5916\uff0cBlackSquid \u4e5f\u6703\u653b\u64ca\u7db2\u7ad9\u61c9\u7528\u7a0b\u5f0f\u7684\u6f0f\u6d1e\u4f86\u611f\u67d3\u7db2\u7ad9\u4f3a\u670d\u5668\u3002\u5b83\u6703\u5229\u7528 GetTickCount API \u51fd\u5f0f\u4f86\u96a8\u6a5f\u7522\u751f\u4e00\u500b\u8981\u653b\u64ca\u7684\nIP \u4f4d\u5740\uff0c\u7136\u5f8c\u8a66\u8a66\u770b\u8a72\u4f4d\u5740\u662f\u5426\u6709\u6548\u3002\u5982\u679c\u6709\u6548\uff0c\u5c31\u6703\u8a66\u5716\u9023\u4e0a\u8a72\u4f4d\u5740\u4e26\u767c\u52d5\u6f0f\u6d1e\u653b\u64ca\u6216\u5b57\u5178\u653b\u64ca\u3002<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 5\uff1a\u96a8\u6a5f\u7522\u751f IP \u4f4d\u5740\u4f86\u653b\u64ca\u3002<\/em><\/p>\n\n\n\n \u9664\u6b64\u4e4b\u5916\uff0c\u60e1\u610f\u7a0b\u5f0f\u9084\u6703\u653b\u64ca ThinkPHP \u4e09\u500b\u4e0d\u540c\u7248\u672c\u7684\u6f0f\u6d1e\uff0c\u85c9\u7531\u300cmshta.exe\u300d\u4f86\u4e0b\u8f09\u4e26\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u7684\u4e3b\u8981\u5143\u4ef6\u3002\u4e0d\u904e\uff0c\u6211\u5011\u4e5f\u767c\u73fe\u5176\u4e2d\u4e00\u500b\u6f0f\u6d1e\u653b\u64ca\u7a0b\u5f0f\u78bc\u7576\u4e2d\u6709\u932f\u8aa4\uff0c\u539f\u672c\u61c9\u8a72\u662f\u5b57\u6bcd\u300cl\u300d\u7684\u5730\u65b9\uff0c\u537b\u8aa4\u690d\u70ba\u6578\u5b57\u300c1\u300d\uff0c\u56e0\u6b64\u8a72\u6bb5\u7a0b\u5f0f\u78bc\u61c9\u8a72\u662f\u6c92\u6709\u4f5c\u7528\u3002<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 6\uff1aBlackSquid \u7684 ThinkPHP \u6f0f\u6d1e\u653b\u64ca\u7a0b\u5f0f\u78bc\u3002<\/em><\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 7\uff1a\u99ed\u5ba2\u7684\u67d0\u6bb5 ThinkPHP \u6f0f\u6d1e\u653b\u64ca\u7a0b\u5f0f\u78bc\u7576\u4e2d\u51fa\u73fe\u4e86\u4e00\u500b\u932f\u8aa4\uff0c\u4f7f\u5f97\u9019\u6bb5\u7a0b\u5f0f\u78bc\u56e0\u800c\u7121\u6548\u3002<\/em><\/p>\n\n\n\n \u4e0d\u50c5\u5982\u6b64\uff0c\u60e1\u610f\u7a0b\u5f0f\u9084\u6703\u767c\u9001 HTTP \u8acb\u6c42\u5230\u524d\u8ff0\u7684 IP \u4f4d\u5740\u4f86\u653b\u64ca CVE-2014-6287 \u6f0f\u6d1e\uff0c\u8a66\u5716\u4f7f\u7528\u4ee5\u7a7a\u5b57\u7b26\u300c%00\u300d\u70ba\u524d\u5c0e\u7684\u53c3\u6578\u5217\u4f86\u57f7\u884c\u300cmshta.exe\u300d(Microsoft\nHTML Application \u4e3b\u7a0b\u5f0f)\u3002 \u4e00\u65e6\u653b\u64ca\u6210\u529f\uff0c\u5c31\u80fd\u8b93\u99ed\u5ba2\u5f9e\u9060\u7aef\u57f7\u884c\u4efb\u610f\u7a0b\u5f0f\u3002<\/p>\n\n\n\n <\/a>\u5716 8\uff1a\u70ba\u4e86\u653b\u64ca CVE-2014-6287 \u6f0f\u6d1e\u800c\u7cbe\u5fc3\u8a2d\u8a08\u7684\nHTTP \u8acb\u6c42\u3002<\/em><\/p>\n\n\n\n BlackSquid \u9084\u6703\u4f7f\u7528\u4e00\u6bb5\u7a0b\u5f0f\u78bc (snippet) \u4f86\u767c\u51fa HTTP \u8acb\u6c42\uff0c\u653b\u64ca Apache Tomcat \u7684 CVE-2017-12615\n\u6f0f\u6d1e\u3002\u6b64\u4e00\u653b\u64ca\u624b\u6cd5\u4e00\u65e6\u6210\u529f\uff0c\u5c31\u80fd\u5229\u7528\u7db2\u7ad9\u4f3a\u670d\u5668\u4f86\u57f7\u884c\u4efb\u610f\u7a0b\u5f0f\u78bc\uff0c\u53ea\u9700\u900f\u904e HTTP PUT \u8acb\u6c42\u5c07\u4e00\u500b JavaServer Pages (JSP) \u6a94\u6848\u4e0a\u50b3\u5373\u53ef\u3002<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 9\uff1a\u7528\u4f86\u767c\u51fa HTTP \u8acb\u6c42\u7684 Snippet \u8207 URI\u3002<\/em><\/p>\n\n\n\n <\/a>\u5716 10\uff1aSnippet \u7684 HTTP\u8a0a\u606f\u5167\u5bb9\u3002<\/em><\/p>\n\n\n\n \u6b64\u5916\uff0cBlackSquid \u4e5f\u53ef\u4ee5\u4e0a\u50b3\u4e00\u500b JSP \u81f3\u76ee\u6a19\u7db2\u7ad9\u4f3a\u670d\u5668\uff0c\u900f\u904e\u9019\u500b JSP \u4f86\u57f7\u884c\u300cmshta.exe\u300d\uff0c\u9032\u800c\u4e0b\u8f09\u4e26\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u7684\u4e3b\u8981\u5143\u4ef6\u3002\n<\/p>\n\n\n\n <\/a><\/p>\n\n\n\n \u5716 11\uff1a\u5229\u7528\u4e00\u500b JSP \u4f86\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u7684\u4e3b\u8981\u5143\u4ef6\u3002<\/em><\/p>\n\n\n\n BlackSquid \u9084\u53ef\u611f\u67d3\u4ee5\u4e0b\u7db2\u7ad9\u4f3a\u670d\u5668\u8def\u5f91\u5e95\u4e0b\u7684 HTML \u6a94\u6848\uff0c\u5728\u6a94\u6848\u5167\u63d2\u5165\u4e00\u500b\u60e1\u610f\u7684 iframe\u3002<\/p>\n\n\n\n\u8eb2\u907f\u6280\u5de7\u3001\u884c\u70ba\u6a21\u5f0f\u8207\u6f0f\u6d1e\u653b\u64ca<\/strong><\/h3>\n\n\n\n
![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-1_blacksquid-multiexploit-xmrig_hardware-breakpoint-flags.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/06\/blacksquid-2-200x200.png\")
<\/figure><\/div>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-3_blacksquid-multiexploit-xmrig_SMB-exploit-445-139-1.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-4_blacksquid-multiexploit-xmrig_network-drives-drop-cve20178464.png\")
<\/figure><\/div>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-5_blacksquid-multiexploit-xmrig_gettickcount-api-seed.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-6_thinkphp-exploits123.jpg\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-7_blacksquid-multiexploit-xmrig_thinkphp-exploit-wrong-code.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-8_blacksquid-multiexploit-xmrig_http-cve20146287.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-9_blacksquid-multiexploit-xmrig_apache-tomcat-vuln.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-10_blacksquid-multiexploit-xmrig_apache-tomcat-http-messagebody.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-11_blacksquid-multiexploit-xmrig_javaserver-page-main-comp.png\")
<\/figure>\n\n\n\n
![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-12_blacksquid-multiexploit-xmrig_iframe-file-infect.png\")
<\/figure>\n\n\n\n![\"\"\/](\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/05\/Figure-13_blacksquid-multiexploit-xmrig_xmrig-download-copy.jpg\")
<\/figure>\n\n\n\n