{"id":62259,"date":"2019-10-16T09:00:39","date_gmt":"2019-10-16T01:00:39","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=62259"},"modified":"2019-10-14T17:15:43","modified_gmt":"2019-10-14T09:15:43","slug":"%e7%84%a1%e6%aa%94%e6%a1%88%e6%ae%ad%e5%b1%8d%e7%97%85%e6%af%92novter%e9%80%8f%e9%81%8ekovcoreg%e6%83%a1%e6%84%8f%e5%bb%a3%e5%91%8a%e6%b4%bb%e5%8b%95%e6%95%a3%e6%92%ad","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=62259","title":{"rendered":"\u7121\u6a94\u6848\u6bad\u5c4d\u75c5\u6bd2Novter\u900f\u904eKovCoreG\u60e1\u610f\u5ee3\u544a\u6d3b\u52d5\u6563\u64ad"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"alignleft\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/08\/Malware-200x125.jpg\" alt=\"\u7121\u6a94\u6848\u6bad\u5c4d\u75c5\u6bd2Novter\u900f\u904eKovCoreG\u60e1\u610f\u5ee3\u544a\u6d3b\u52d5\u6563\u64ad\"\/><\/figure><\/div>\n\n\n\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u767c\u73fe\u4e86\u4e00\u7a2e\u65b0\u7684\u6a21\u7d44\u5316\u7121\u6a94\u6848\u6bad\u5c4d\u7db2\u8def\u75c5\u6bd2\uff08\u547d\u540d\u70ba Novter\uff0c\u4e5f\u88ab\u7a31\u70ba<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2019\/09\/26\/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware\/\">Nodersok<\/a>\u6216 <a href=\"https:\/\/blog.talosintelligence.com\/2019\/09\/divergent-analysis.html\">Divergent<\/a>\uff09\uff0c\u81ea\u4e09\u6708\u8d77\u5c31\u4e00\u76f4\u900f\u904e<a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/threat-actor-profile-kovcoreg-kovter-saga\">KovCoreG<\/a>\u60e1\u610f\u6d3b\u52d5\u6563\u64ad\u3002\u81ea\u5f9e\u6b64\u5a01\u8105\u51fa\u73fe\u767c\u5c55\u4ee5\u4f86\uff0c\u6211\u5011\u5c31\u4e00\u76f4\u7a4d\u6975\u5730\u52a0\u4ee5\u76e3\u63a7\uff0c\u4e5f\u89c0\u5bdf\u5230\u5b83\u7d93\u5e38\u5730\u9032\u884c\u66f4\u65b0\u3002\u5f9e2011\u5e74\u5c31\u958b\u59cb\u6d3b\u8e8d\u7684KovCoreG\u662f\u4ee5\u4f7f\u7528<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/kovter-an-evolving-malware-gone-fileless\">Kovter<\/a>\u6bad\u5c4d\u7db2\u8def\u75c5\u6bd2\u805e\u540d\u7684\u9577\u671f\u60e1\u610f\u6d3b\u52d5\uff0c\u4e3b\u8981\u662f\u5229\u7528\u60e1\u610f\u5ee3\u544a\u548c<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/definition\/exploit-kit\">\u6f0f\u6d1e\u653b\u64ca\u5957\u4ef6<\/a>\u6563\u64ad\u3002Kovter\u81ea2015\u5e74\u958b\u59cb\u5c31\u4e00\u76f4\u53c3\u8207\u9ede\u64ca\u8a50\u6b3a\u7684\u64cd\u4f5c\uff0c\u64da\u5831\u7528\u6b3a\u8a50\u6027\u5ee3\u544a\u8b93\u4f01\u696d\u640d\u5931\u8d85\u904e<a href=\"https:\/\/www.justice.gov\/usao-edny\/pr\/two-international-cybercriminal-rings-dismantled-and-eight-defendants-indicted-causing\">2,900\u842c\u7f8e\u5143<\/a>\u3002\u5728\u57f7\u6cd5\u548c\u7db2\u8def\u5b89\u5168\u5c08\u5bb6\uff08\u5305\u62ec\u8da8\u52e2\u79d1\u6280\uff09\u7684\u5171\u540c\u52aa\u529b\u4e0b\uff0c\u6bad\u5c4d\u7db2\u8def\u57282018\u5e74\u5e95\u88ab<a href=\"https:\/\/www.whiteops.com\/3ve\">\u95dc\u9589<\/a>\u3002<\/p>\n\n\n\n<p>\u6bad\u5c4d\u7db2\u8def\u95dc\u9589\u4e26\u6c92\u6709\u963b\u6b62\u7db2\u8def\u72af\u7f6a\u5206\u5b50\u3002\u5118\u7ba1\u6bad\u5c4d\u7db2\u8def\u5df2\u6b7b\uff0c\u4f46\u6211\u5011\u6ce8\u610f\u5230KovCoreG\u4e26\u672a\u505c\u6b62\u6d3b\u52d5\uff0c\u800c\u662f\u958b\u767c\u4e86\u53e6\u4e00\u500b\u6bad\u5c4d\u7db2\u8def\u3002\u901a\u904e\u8207ProofPoint\u5a01\u8105\u7814\u7a76\u4eba\u54e1<a href=\"https:\/\/twitter.com\/kafeine\">Kafeine<\/a>\u7684\u5408\u4f5c\uff0c\u6211\u5011\u767c\u73fe\u4e86\u7531KovCoreG\u64cd\u4f5c\u8005\u6563\u5e03\u7684\u65b0\u578b\u7121\u6a94\u6848\u6bad\u5c4d\u7db2\u8def \u75c5\u6bd2Novter\u3002<\/p>\n\n\n\n<!--more-->\n\n\n\n<p>\u60e1\u610f\u5ee3\u544a\u653b\u64ca\u6700\u521d\u4e3b\u8981\u91dd\u5c0d\u7f8e\u570b\u4f7f\u7528\u8005\uff0c\u4f46\u5f9e\u4eca\u5e74\u590f\u5929\u958b\u59cb\u5df2\u7d93\u5ef6\u4f38\u89f8\u89d2\u5230\u591a\u500b\u6b50\u6d32\u570b\u5bb6\u3002\u6211\u5011\u7684\u76e3\u6e2c\u8cc7\u6599\u9084\u986f\u793a\u60e1\u610f\u5ee3\u544a\u653b\u64ca\u662f\u901a\u904e\u90e8\u5206\u7684\u7f8e\u570b\u524d\u767e\u5927\u7db2\u7ad9\u6563\u64ad\uff0c\u9019\u4e9b\u7db2\u7ad9\u5728\u4e4b\u524d\u4e5f\u66fe\u88abKovter<a href=\"https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/kovter-group-malvertising-campaign-exposes-millions-potential-malware-and-fraud\">\u6feb\u7528\u904e<\/a>\u3002\u6211\u5011\u5728<em><a href=\"https:\/\/documents.trendmicro.com\/assets\/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf\">\u6280\u8853\u5831\u544a<\/a><\/em>\u5167\u8a73\u7d30\u4ecb\u7d39\u4e86\u5c0dNovter\u7684\u5206\u6790\uff0c\u5c24\u5176\u662f\u5176\u6700\u503c\u5f97\u6ce8\u610f\u7684\u6a21\u7d44\u5316\u80fd\u529b\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/10\/novter-1.jpg\" alt=\" KovCoreG\u3001Novter\u548cNodster\u7684\u611f\u67d3\u93c8\"\/><\/figure>\n\n\n\n<p>\u57161. KovCoreG\u3001Novter\u548cNodster\u7684\u611f\u67d3\u93c8<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>KovCoreG<\/strong><strong>\u7684\u653b\u64ca\u93c8<\/strong><\/h4>\n\n\n\n<p>KovCoreG\u662f\u5229\u7528\u793e\u4ea4\u5de5\u7a0b\u653b\u64ca\u7684\u60e1\u610f\u5ee3\u544a\u6d3b\u52d5\uff0c\u8a98\u9a19\u4f7f\u7528\u8005\u53bb\u4e0b\u8f09\u8edf\u9ad4\u4f86\u66f4\u65b0\u904e\u671f\u7684Adobe Flash\u61c9\u7528\u7a0b\u5f0f\u3002\u4f46\u4e8b\u5be6\u4e0a\u662f\u4e0b\u8f09\u60e1\u610f\u7684HTA\u6a94\u6848 \u2013 <em>Player{timestamp}.hta<\/em>\u3002\u7576\u53d7\u5bb3\u8005\u57f7\u884c\u4e86HTA\u6a94\u6848\uff0c\u5b83\u6703\u5f9e\u9060\u7aef\u4f3a\u670d\u5668\uff08\u9023\u7dda\u7d93\u904eRC4\u52a0\u5bc6\uff09\u8f09\u5165\u5176\u4ed6\u8173\u672c\uff0c\u4e26\u4e14\u57f7\u884cPowerShell\u8173\u672c\uff08\u4f3c\u4e4e\u662f\u5f9e\u958b\u653e\u539f\u59cb\u78bc\u5c08\u6848<a href=\"https:\/\/github.com\/EmpireProject\/Empire\/blob\/master\/data\/module_source\/management\/Invoke-PSInject.ps1\">Invoke-PSInject<\/a>\u53d6\u5f97\u7684\u9748\u611f\uff09\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/09\/novter-2.png\" alt=\"KovCoreG\u60e1\u610f\u5ee3\u544a\u622a\u5716\uff08\u7531ProofPoint\u63d0\u4f9b\uff09\"\/><\/figure>\n\n\n\n<p>\u57162. KovCoreG\u60e1\u610f\u5ee3\u544a\u622a\u5716\uff08\u7531ProofPoint\u63d0\u4f9b\uff09<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/09\/novter-3.png\" alt=\"KovCoreG\u60e1\u610f\u5ee3\u544a\u6d41\u91cf\u622a\u5716\"\/><\/figure>\n\n\n\n<p>\u57163. KovCoreG\u60e1\u610f\u5ee3\u544a\u6d41\u91cf\u622a\u5716\uff08\u7531ProofPoint\u63d0\u4f9b\uff09<\/p>\n\n\n\n<p>PowerShell\u8173\u672c\u6703\u505c\u7528Windows\nDefender\u548cWindows Update\u7684\u7a0b\u5e8f\u3002\u5b83\u6703\u57f7\u884c\u4e00\u500bShellcode\u4f86\u900f\u904e<a href=\"https:\/\/www.endurant.io\/cmstp\/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon\/\">CMSTPLUA\n<\/a>COM\u63a5\u53e3\uff08\u8207\u9023\u7dda\u7ba1\u7406\u6709\u95dc\uff09\u7e5e\u904e\u4f7f\u7528\u8005\u5e33\u6236\u63a7\u5236\uff08UAC\uff09\u3002PowerShell\u8173\u672c\u4e5f\u5167\u5d4c\u4e86Novter\uff0c\u5b83\u6703\u900f\u904ePowerShell\u53cd\u5c04<a href=\"https:\/\/powersploit.readthedocs.io\/en\/latest\/CodeExecution\/Invoke-ReflectivePEInjection\/\">\u6ce8\u5165<\/a>\u6280\u8853\u505a\u5230<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/security-technology\/security-101-defending-against-fileless-malware#memoryexploits\">\u7121\u6a94\u6848<\/a>\u57f7\u884c\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Novter<\/strong><strong>\u60e1\u610f\u8edf\u9ad4\u5206\u6790<\/strong><\/h4>\n\n\n\n<p>Novter\u662f\u57f7\u884c\u6a94\u5f62\u5f0f\u7684\u5f8c\u9580\u7a0b\u5f0f\u3002\u4e00\u65e6\u57f7\u884c\u5c31\u6703\u99ac\u4e0a\u57f7\u884c\u4e0b\u5217\u7684\u9632\u9664\u932f\u548c\u9632\u5206\u6790\u6aa2\u67e5\uff1a<\/p>\n\n\n\n<ul><li>\u5c07\u7a0b\u5e8f\u548c\u6a21\u7d44\u540d\u7a31\u7d93\u904eCRC32\u6f14\u7b97\u6cd5\u904b\u7b97\u5f8c\u8207\u5167\u5efa\u7684CRC32\u5217\u8868\u9032\u884c\u6bd4\u5c0d\u4ee5\u641c\u5c0b\u662f\u5426\u5217\u5728\u9ed1\u540d\u55ae\u5167<\/li><li>\u6aa2\u67e5\u5167\u6838\u6578\u91cf\u662f\u5426\u904e\u5c11<\/li><li>\u6aa2\u67e5\u7a0b\u5e8f\u662f\u5426\u6b63\u5728\u9032\u884c\u9664\u932f<\/li><li>\u6aa2\u67e5\u4f11\u7720\u529f\u80fd\u662f\u5426\u88ab\u6539\u52d5\u904e<\/li><\/ul>\n\n\n\n<p>\u5982\u679c\u767c\u73fe\u4efb\u4f55\u4ee5\u4e0a\u72c0\u6cc1\u51fa\u73fe\uff0c\u5247\u6703\u56de\u5831\u7d66C&amp;C\u4f3a\u670d\u5668\u3002\u8acb\u6ce8\u610f\uff0c\u4e0d\u540c\u76ee\u7684\u6703\u4f7f\u7528\u4e0d\u540c\u7d44\u7684C&amp;C\u4f3a\u670d\u5668\u3002\u50cf\u662f\u6709\u4e00\u7d44\u4f3a\u670d\u5668\u53ea\u7528\u4f86\u56de\u5831\u9632\u5206\u6790\u8cc7\u8a0a\u3002\u4ed4\u7d30\u6aa2\u67e5\u4e26\u56de\u5831\u53d7\u5f71\u97ff\u96fb\u8166\u7684\u74b0\u5883\u5f8c\uff0c\u60e1\u610f\u8edf\u9ad4\u6703\u9032\u5165\u4f11\u7720\u72c0\u614b\u5f88\u9577\u4e00\u6bb5\u6642\u9593\u3002<\/p>\n\n\n\n<p>Novter\u652f\u63f4\u7684\u5f8c\u9580\u547d\u4ee4\u70ba\uff1a<\/p>\n\n\n\n<ul><li>killall \u2013 \u7d42\u6b62\u7a0b\u5e8f\u4e26\u522a\u9664\u6a94\u6848\uff08\u5c0d\u6240\u6709\u6a21\u7d44\uff09<\/li><li>kill \u2013 \u7d42\u6b62\u7a0b\u5e8f\u4e26\u522a\u9664\u6a94\u6848\uff08\u91dd\u5c0d\u7279\u5b9a\u6a21\u7d44\uff09<\/li><li>stop \u2013 \u7d42\u6b62\u7a0b\u5e8f\u4f46\u4e0d\u522a\u9664\u6a94\u6848\uff08\u91dd\u5c0d\u7279\u5b9a\u6a21\u7d44\uff09<\/li><li>resume \u2013 \u555f\u52d5\u7a0b\u5e8f\uff08\u91dd\u5c0d\u7279\u5b9a\u6a21\u7d44\uff09<\/li><li>modules \u2013 \u4e0b\u8f09\u4e26\u57f7\u884c\u984d\u5916\u6a21\u7d44<\/li><li>update \u2013 \u4e0b\u8f09\u65b0\u7248\u672c\u4e26\u5b89\u88dd\u66f4\u65b0<\/li><li>update_interval \u2013 \u8a2d\u5b9a\u66f4\u65b0\u9593\u9694\u6642\u9593<\/li><\/ul>\n\n\n\n<p>Novter\u6703\u8ddf\u547d\u4ee4\u548c\u63a7\u5236\uff08C&amp;C\uff09\u4f3a\u670d\u5668\u9023\u7dda\u4e26\u4e0b\u8f09\u591a\u500bJavaScript\u6a21\u7d44\u7528\u65bc\u4e0d\u540c\u76ee\u7684\u3002\u6211\u5011\u78ba\u8a8d\u4e86\u4e09\u500bNovter\u6a21\u7d44\uff0c\u5305\u62ec\u4e86\uff1a<\/p>\n\n\n\n<ul><li>\u5728\u53d7\u5bb3\u8005\u96fb\u8166\u4e0a\u986f\u793a\u6280\u8853\u652f\u63f4\u8a50\u9a19\u7db2\u9801\u7684\u6a21\u7d44<\/li><li>\u5229\u7528<a href=\"https:\/\/reqrypt.org\/windivert.html\">WinDivert<\/a>\u7684\u6a21\u7d44\uff0cWinDivert\u662f\u500bWindows\u5c01\u5305\u8655\u7406\u5de5\u5177\uff0c\u7528\u4f86\u64f7\u53d6\u3001\u4fee\u6539\u6216\u4e1f\u68c4Windows\u7db2\u8def\u5806\u758a\u6536\u767c\u7684\u7db2\u8def\u5c01\u5305\uff0c\u597d\u5c01\u9396\u7279\u5b9a\u7a0b\u5e8f\uff08\u5982\u9632\u6bd2\u8edf\u9ad4\uff09\u7684\u7db2\u8def\u901a\u8a0a<\/li><li>\u7528<a href=\"https:\/\/nodejs.org\/en\/\">NodeJS<\/a>\u548c<a href=\"https:\/\/socket.io\/\">io<\/a>\u7de8\u5beb\u4ee3\u7406\u7db2\u8def\u6d41\u91cf\u7684\u6a21\u7d44\uff08\u7a31\u70ba\u201c\nNodster\u201d\uff09\u3002\u6211\u5011\u8a8d\u7232\u6b64\u6a21\u7d44\u662f\u7528\u4f86\u5efa\u69cb\u9ede\u64ca\u8a50\u6b3a\u64cd\u4f5c\u6240\u9700\u7684\u4ee3\u7406\u670d\u52d9\u3002<\/li><\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Novter<\/strong><strong>\u6a21\u7d44\u201c Nodster<\/strong><strong>\u201d\u7684\u6280\u8853\u5206\u6790<\/strong><\/h4>\n\n\n\n<p>\u5728\u5206\u6790Novter\u7684\u904e\u7a0b\u4e2d\uff0c\u6211\u5011\u767c\u73fe\u4e86\u6b64\u60e1\u610f\u8edf\u9ad4\u6240\u4e0b\u8f09\u7684\u4e09\u500b\u503c\u5f97\u6ce8\u610f\u7684\u6a21\u7d44\u3002\u5176\u4e2d\u4e00\u500b\u6211\u5011\u7a31\u70baNodster\uff0c\u662f\u500b\u7db2\u8def\u4ee3\u7406\u6a21\u7d44\u3002\u6b64\u6a21\u7d44\u6703\u5c07NodeJS\u5b89\u88dd\u5728\u53d7\u5bb3\u8005\u96fb\u8166\u4e0a\uff0c\u4e26\u5728\u80cc\u666f\u57f7\u884cNodeJS\u8173\u672capp.js\u3002\u6b64\u8173\u672c\u6703\u9023\u5230\u5167\u5d4c\u7684C&amp;C\u4f3a\u670d\u5668\u5730\u5740\uff0c\u4e26\u63a5\u6536\u7b2c\u4e8c\u500bC&amp;C\u4f3a\u670d\u5668\u7684\u5730\u5740\u3002<\/p>\n\n\n\n<p>\u63a5\u8457\u5b83\u6703\u7528socket.io\u5354\u5b9a\u5efa\u7acb\u5c0d\u7b2c\u4e8c\u500bC&amp;C\u4f3a\u670d\u5668\u7684\u53cd\u5411\u9023\u63a5\u3002\u7b2c\u4e8c\u500bC&amp;C\u4f3a\u670d\u5668\u6703\u8fd4\u56de\u547d\u4ee4\u4f86\u6307\u793a\u6a21\u7d44\u5efa\u7acbTCP\u9023\u7dda\uff0c\u767c\u9001TCP\u5c01\u5305\u4e26\u5c07\u4f3a\u670d\u5668\u56de\u61c9\u8fd4\u56de\u7d66\u5b83\u5011\u3002\u9019\u8b93\u611f\u67d3Novter\u7684\u7cfb\u7d71\u6210\u70ba\u4e86\u653b\u64ca\u8005\u7684\u4ee3\u7406\u4f3a\u670d\u5668\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/09\/novter-4.jpg\" alt=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/09\/novter-4.jpg\"\/><\/figure>\n\n\n\n<p>\u57164. Nodster\u4ee3\u7406\u8207C&amp;C\u4f3a\u670d\u5668\u9593\u7684\u901a\u8a0a\u6d41\u7a0b<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u95dc\u806f Nodster\u7684\u7db2\u8def\u6d41\u91cf<\/strong><\/h4>\n\n\n\n<p>\u5728\u7814\u7a76\u904e\u7a0b\u4e2d\uff0c\u6211\u5011\u89c0\u5bdf\u5230\u8a31\u591a\u901a\u904eNodster\u6a21\u7d44\u4ee3\u7406\u7684\u52a0\u5bc6\u6d41\u91cf\uff0c\u6211\u5011\u8a2d\u6cd5\u9032\u884c\u89e3\u5bc6\u5f8c\u767c\u73fe\u7528\u65bc\u7db2\u8def\u5ee3\u544a\u7684\u8173\u672c\u3002\u9019\u8868\u793aC&amp;C\u4f3a\u670d\u5668\u6307\u793a\u53d7\u611f\u67d3\u96fb\u8166\u9023\u5230\u5e36\u6709\u986f\u793a\u5ee3\u544a\u76f8\u95dcJavaScript\u7684\u7db2\u7ad9\u3002<\/p>\n\n\n\n<p>\u6211\u5011\u9084\u6ce8\u610f\u5230\u5ee3\u544a\u6d41\u91cf\u4f3c\u4e4e\u662f\u5f9eAndroid\u88dd\u7f6e\u767c\u9001\uff0c\u56e0\u70ba\u7d93\u7531\u4ee3\u7406\u50b3\u8f38\u7684HTTP(S)\u8acb\u6c42\u5e36\u6709\u4f86\u81eaAndroid\u88dd\u7f6e\u7684HTTP User-Agent\u6a19\u982d\u3002\u9019\u4e9b\u8acb\u6c42\u6703\u9644\u52a0\u5e36\u6709\u8a31\u591aAndroid\u61c9\u7528\u7a0b\u5f0f\u540d\u7a31\u7684\u201c X-Requested-With\u201d\u6a19\u982d\u3002\u6211\u5011\u6700\u521d\u8a8d\u70ba\u7db2\u8def\u6d41\u91cf\u53ef\u80fd\u662f\u7531\u9019\u4e9b\u61c9\u7528\u7a0b\u5f0f\u6240\u7522\u751f\uff0c\u6240\u4ee5\u5728Google Play\u4e0a\u6aa2\u67e5\u4e86\u9019\u4e9b\u61c9\u7528\u7a0b\u5f0f\u3002\u4f46\u6211\u5011\u4e26\u6c92\u6709\u767c\u73fe\u4efb\u4f55\u6703\u7522\u751f\u9019\u4e9b\u7db2\u8def\u6d41\u91cf\u7684\u53ef\u7591\u7a0b\u5f0f\u78bc\u3002\u6211\u5011\u4e5f\u6c92\u6709\u767c\u73fe\u9019\u4e9bAndroid\u61c9\u7528\u7a0b\u5f0f\u9593\u6709\u4efb\u4f55\u5171\u4eab\u7684\u76f8\u4f3c\u7a0b\u5f0f\u78bc\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/09\/novter-5.png\" alt=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2019\/09\/novter-5.png\"\/><\/figure>\n\n\n\n<p>\u57165. \u507d\u88dd\u6210\u4f86\u81eaAndroid\u88dd\u7f6e\u7684HTTPS\u8acb\u6c42\u6a19\u982d<\/p>\n\n\n\n<p>\u7d93\u904e\u6b64\u767c\u73fe\uff0c\u6211\u5011\u63a8\u65b7\u5ee3\u544a\u6d41\u91cf\u4e26\u975e\u4f86\u81ea\u884c\u52d5\u88dd\u7f6e\u800c\u662f\u7531\u653b\u64ca\u8005\u7522\u751f\u3002\u653b\u64ca\u8005\u5c07\u7db2\u8def\u6d41\u91cf\u507d\u88dd\u6210\u662f\u4f86\u81eaAndroid\u88dd\u7f6e\u548c\u884c\u52d5\u61c9\u7528\u7a0b\u5f0f\uff0c\u4e26\u4e14\u901a\u904eNovter\/Nodster\u6bad\u5c4d\u7db2\u8def\u4ee3\u7406\u3002\u7562\u7adfKovCoreG\u7684\u904b\u4f5c\u8ddf\u9ede\u64ca\u8a50\u6b3a\u6709\u95dc\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>\u62b5\u79a6 Novter\u60e1\u610f\u6d3b\u52d5<\/strong><\/h4>\n\n\n\n<p>\u5ee3\u544a\u662f\u7121\u5bb3\u7684\u7dda\u4e0a\u884c\u70ba\uff0c\u4f46KovCoreG\u60e1\u610f\u6d3b\u52d5\u5c55\u793a\u51fa\u5ee3\u544a\u4e5f\u53ef\u80fd\u5e36\u6709\u4fb5\u5165\u6027\uff0c\u66f4\u4e0d\u7528\u8aaaNovter\u6703\u8b93\u4f7f\u7528\u8005\u7684\u7cfb\u7d71\u66b4\u9732\u65bc\u5176\u4ed6\u5a01\u8105\u3002\u9451\u65bcKovCoreG\u8ddf\u9ede\u64ca\u8a50\u6b3a\u6709\u95dc\uff0c\u5b83\u53ef\u80fd\u6703\u5c0d\u4f01\u696d\u9020\u6210\u56b4\u91cd\u7684\u5f71\u97ff\u3002\u50cf\u662f2018\u5e74\u767c\u751f\u7684\u4e00\u6b21<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/mobile-safety\/mobile-ad-fraud-schemes-how-they-work-and-how-to-defend-against-them\">\u884c\u52d5\u5ee3\u544a\u8a50\u6b3a<\/a>\u4e8b\u4ef6\u8b93Google\u53ca\u5176\u5408\u4f5c\u5925\u4f34\u640d\u5931\u4e86\u7d04<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/research-and-analysis\/threat-reports\/roundup\/2018-mobile-threat-landscape\">1,000\u842c\u7f8e\u5143<\/a>\u3002<\/p>\n\n\n\n<p>Novter\u9084\u904b\u7528\u4e86\u7121\u6a94\u6848\u611f\u67d3\u4f5c\u6cd5\u4e26\u4e14\u6df7\u6dc6\u5176C&amp;C\u9023\u7dda\u53ca\u8a50\u6b3a\u76f8\u95dc\u6d41\u91cf\uff0c\u9019\u4e9b\u90fd\u986f\u793a\u51fa\u8a50\u6b3a\u8005\u7684\u6280\u8853\u76f8\u7576\u6210\u719f\u3002\u4f7f\u7528\u8005\u61c9\u8a72\u8981\u63a1\u7528\u6700\u4f73\u5be6\u4f5c\uff0c\u5c24\u5176\u662f\u5728\u61c9\u5c0d\u5982<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/malvertising-when-online-ads-attack\">\u60e1\u610f\u5ee3\u544a<\/a>\u4e4b\u985e\u7684\u793e\u4ea4\u5de5\u7a0b\u5a01\u8105\u6642\u3002<\/p>\n\n\n\n<p>\u8da8\u52e2\u79d1\u6280\u7aef\u9ede\u89e3\u6c7a\u65b9\u6848\uff08\u5982\u5177\u5099<a href=\"https:\/\/success.trendmicro.com\/solution\/1122593-configuring-behavior-monitoring-settings-in-apex-one\">\u884c\u70ba\u76e3\u63a7<\/a>\u80fd\u529b\u7684<a href=\"https:\/\/www.trendmicro.tw\/tw\/business\/complete-software-protection\/index.html\">Smart Protection\nNetwork&#x2122;<\/a>\u548c <a href=\"https:\/\/www.trendmicro.com\/zh_tw\/small-business\/all-products-for-smb.html\">Worry-Free Business Security&nbsp;<\/a>\uff09\u53ef\u4ee5\u5075\u6e2c\u60e1\u610f\u6a94\u6848\u3001\u8173\u672c\u548c\u90f5\u4ef6\u4e26\u5c01\u9396\u6240\u6709\u76f8\u95dc\u60e1\u610f\u7db2\u5740\u4f86\u4fdd\u8b77\u4f7f\u7528\u8005\u548c\u4f01\u696d\u62b5\u79a6Emotet\u4e4b\u985e\u7684\u5a01\u8105\u3002<a href=\"https:\/\/www.trendmicro.com\/zh_tw\/business\/products\/user-protection\/sps\/endpoint.html\">\u8da8\u52e2\u79d1\u6280Apex One<\/a>\u63a1\u7528\u591a\u7a2e\u5a01\u8105\u6aa2\u6e2c\u529f\u80fd\u4f86\u9032\u884c\u4fdd\u8b77\uff0c\u4f8b\u5982\u884c\u70ba\u5206\u6790\u80fd\u5920\u62b5\u79a6\u60e1\u610f\u8173\u672c\u3001\u6ce8\u5165\u3001\u52d2\u7d22\u75c5\u6bd2\u3001\u8a18\u61b6\u9ad4\u548c\u700f\u89bd\u5668\u653b\u64ca\u3002<\/p>\n\n\n\n<p>\u6b64\u7bc7<em><a href=\"https:\/\/documents.trendmicro.com\/assets\/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf\">\u6280\u8853\u5831\u544a<\/a><\/em>\u5305\u542b\u4e86\u6211\u5011\u5b8c\u6574\u7684Novter\u7814\u7a76\u8cc7\u8a0a\uff0c\u540c\u6642\u5728<em><a href=\"https:\/\/documents.trendmicro.com\/assets\/Appendix-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf\">\u9644\u9304<\/a><\/em>\u4e2d\u5217\u51fa\u4e86\u5165\u4fb5\u6307\u6a19\uff08IoC\uff09\u3002<\/p>\n\n\n\n<p>@\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign\/\">New\nFileless Botnet Novter Distributed by KovCoreG Malvertising Campaign<\/a> \u4f5c\u8005\uff1aJaromir Horejsi\u548cJoseph C. Chen\uff08<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/author\/trend-micro\/\">\u8da8\u52e2\u79d1\u6280<\/a>\u5a01\u8105\u7814\u7a76\u4eba\u54e1\uff09<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8da8\u52e2\u79d1\u6280\u767c\u73fe\u4e86\u4e00\u7a2e\u65b0\u7684\u6a21\u7d44\u5316\u7121\u6a94\u6848\u6bad\u5c4d\u7db2\u8def\u75c5\u6bd2\uff08\u547d\u540d\u70ba Novter\uff0c\u4e5f\u88ab\u7a31\u70baNodersok\u6216 Diverg [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[2387,11,3441],"tags":[2140,23,3297],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/62259"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=62259"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/62259\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=62259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=62259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=62259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}