{"id":63781,"date":"2020-03-25T10:00:00","date_gmt":"2020-03-25T02:00:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=63781"},"modified":"2020-03-24T19:45:13","modified_gmt":"2020-03-24T11:45:13","slug":"nefilim-%e5%8b%92%e7%b4%a2%e7%97%85%e6%af%92%e5%a8%81%e8%84%85%e6%9b%9d%e5%85%89%e4%bc%81%e6%a5%ad%e8%b3%87%e6%96%99-%e8%b6%a8%e5%8b%a2%e7%a7%91%e6%8a%80%e5%bb%ba%e8%ad%b0%e5%9b%9b%e6%ad%a5%e9%a9%9f","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=63781","title":{"rendered":"Nefilim \u52d2\u7d22\u75c5\u6bd2\u5a01\u8105\u66dd\u5149\u4f01\u696d\u8cc7\u6599, \u8da8\u52e2\u79d1\u6280\u5efa\u8b70\u56db\u6b65\u9a5f\u9632\u6b62 RDP \u906d\u5229\u7528"},"content":{"rendered":"\n

<\/p>\n\n\n\n

\u6700\u8fd1\u7814\u7a76\u4eba\u54e1\u767c\u73fe\u4e86\u4e00\u500b\u65b0\u7684\u52d2\u7d22\u75c5\u6bd2Ransomware<\/a> (\u52d2\u7d22\u8edf\u9ad4\/\u7d81\u67b6\u75c5\u6bd2)\uff0c\u540d\u70ba\u300cNefilim\u300d\u3002\u8a72\u75c5\u6bd2\u6703\u5a01\u8105\u53d7\u5bb3\u8005\u82e5\u4e0d\u652f\u4ed8\u8d16\u91d1\u5c31\u8981\u5c07\u53d7\u5bb3\u8005\u7684\u8cc7\u6599\u516c\u958b\u3002\u6839\u64da SentinelLabs \u7684 Vitali Krimez<\/a> \u548c ID Ransomware \u7684 Michael Gillespie<\/a> \u5728 Bleeping Computer<\/a> \u4e0a\u8868\u793a\uff0c\u6b64\u75c5\u6bd2\u6700\u6709\u53ef\u80fd\u662f\u7d93\u7531\u66b4\u9732\u5728\u5916\u7684\u9060\u7aef\u684c\u9762 (RDP) \u9023\u63a5\u57e0\u6563\u64ad\u3002 <\/p><\/blockquote>\n\n\n\n

 <\/h1>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n

Nefilim \u7684\u7a0b\u5f0f\u78bc\u8207 Nemty\n2.5 \u52d2\u7d22\u75c5\u6bd2\u6709\u8a31\u591a\u76f8\u4f3c\u4e4b\u8655\uff0c\u5169\u8005\u7684\u4e3b\u8981\u5dee\u7570\u5728\u65bc Nefilim \u5df2\u4e0d\u518d\u4f7f\u7528\u52d2\u7d22\u75c5\u6bd2\u670d\u52d9 (Ransomware-as-a-Service\uff0c\u7c21\u7a31\nRaaS)<\/a>\uff0c\u6b64\u5916\u4e5f\u6539\u7528\u96fb\u5b50\u90f5\u4ef6\u901a\u8a0a\u4f86\u6536\u53d7\u8d16\u91d1\uff0c\u4e0d\u518d\u900f\u904e Tor \u652f\u4ed8\u7db2\u7ad9\u3002\u76ee\u524d\u4e26\u7121\u8cc7\u6599\u986f\u793a Nemty \u548c Netfilim \u662f\u540c\u4e00\u96c6\u5718\u6240\u70ba\u3002\u9019\u500b\u65b0\u7684\u52d2\u7d22\u75c5\u6bd2\u5f88\u53ef\u80fd\u50cf\u5176\u4ed6\u4e00\u4e9b\u52d2\u7d22\u75c5\u6bd2\n(\u5982 Nemty<\/a>\u3001Crysis<\/a>\u3001SAMSAM<\/a>) \u4e00\u6a23\u662f\u7d93\u7531 RDP \u901a\u8a0a\u5354\u5b9a\u6563\u5e03\u3002<\/p>\n\n\n\n\n\n\n\n

<\/div>\n\n\n\n

\u5ef6\u4f38\u95b1\u8b80:<\/p>\n\n\n\n

Nemty\u52d2\u7d22\u75c5\u6bd2\u53ef\u80fd\u900f\u904e\u66b4\u9732\u7684\u9060\u7aef\u684c\u9762\u9023\u7dda\u6563\u64ad<\/a><\/p>\n\n\n\n

 \u5df2\u5f9e\u4e2d\u6bd2\u96fb\u8166\u79fb\u9664,\u9084\u80fd\u518d\u5ea6\u611f\u67d3\u7cfb\u7d71 ! Crysis \u900f\u904e\u66b4\u529b\u7834\u89e3\u9060\u7aef\u684c\u9762\u5354\u5b9a\uff08RDP\uff09\u6563\u64ad<\/a><\/p>\n\n\n\n

\u522a\u9664\u5099\u4efd,\u903c\u8feb\u5c31\u7bc4!! \u65b0\u52d2\u7d22\u75c5\u6bd2 SAMSAM ,\u653b\u64ca\u4f3a\u670d\u5668\u6f0f\u6d1e,\u9396\u5b9a\u91ab\u9662<\/a><\/p>\n\n\n\n


\nNetfilim \u63a1\u7528\nAES-128 \u52a0\u5bc6\u6f14\u7b97\u6cd5\u4f86\u5c07\u53d7\u5bb3\u8005\u7684\u6a94\u6848\u52a0\u5bc6\u3002\u7136\u5f8c\u518d\u4f7f\u7528\u52d2\u7d22\u75c5\u6bd2\u57f7\u884c\u6a94\u5167\u5d4c\u7684 RSA-2048 \u516c\u958b\u91d1\u9470\u4f86\u5c07 AES \u52a0\u5bc6\u91d1\u9470\u52a0\u5bc6\u3002\u63a5\u8457\u518d\u5c07\u52a0\u5bc6\u5f8c\u7684 AES\n\u91d1\u9470\u9644\u5728\u6bcf\u500b\u88ab\u52a0\u5bc6\u7684\u6a94\u6848\u672b\u7aef\u3002\u6b64\u5916\uff0c\u52d2\u7d22\u75c5\u6bd2\u9084\u6703\u5728\u88ab\u52a0\u5bc6\u7684\u6a94\u6848\u5167\u63d2\u5165\u300cNEFILIM\u300d\u9019\u4e32\u5b57\u4f86\u4f5c\u70ba\u6a19\u8a18\uff0c\u4e5f\u6703\u4fee\u6539\u526f\u6a94\u540d\uff0c\u5c07\u300c.NEFILIM\u300d\u52a0\u5230\u526f\u6a94\u540d\u672b\u7aef\n(\u4f8b\u5982\uff0c\u5982\u679c\u539f\u672c\u7684\u6a94\u540d\u662f\u300c1.doc\u300d\uff0c\u88ab\u52a0\u5bc6\u5f8c\u7684\u6a94\u6848\u6703\u8b8a\u6210\u300c1.doc.NEFILIM\u300d)\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n


\n\u53d7\u5bb3\u8005\u82e5\u60f3\u6551\u56de\u88ab\u52a0\u5bc6\u7684\u6a94\u6848\uff0c\u5c31\u5fc5\u9808\u5411\u52d2\u7d22\u75c5\u6bd2\u958b\u767c\u8005\u53d6\u5f97\nRSA \u79c1\u5bc6\u91d1\u9470\uff0c\u81f3\u65bc\u8d16\u91d1\u7684\u7d30\u7bc0\u76ee\u524d\u5c1a\u672a\u516c\u5e03\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n


\n\u8207\u52d2\u7d22\u75c5\u6bd2\u8cfd\u8dd1<\/strong><\/h3>\n\n\n\n

<\/p>\n\n\n\n


\u52d2\u7d22\u75c5\u6bd2\u6b63\u6301\u7e8c\u64f4\u5927\u7248\u5716\uff0c\u72af\u7f6a\u96c6\u5718\u96a8\u6642\u90fd\u5728\u958b\u767c\u65b0\u7684\u52d2\u7d22\u75c5\u6bd2\u5bb6\u65cf\u548c\u8b8a\u7a2e\u3002\u6839\u64da\u8da8\u52e2\u79d1\u6280 2019 \u5e74\u5ea6\u8cc7\u5b89\u7e3d\u8a55<\/a>\u5831\u544a\u6307\u51fa\uff0c\u91ab\u7642\u3001\u653f\u5e9c\u8207\u6559\u80b2\u7522\u696d\u662f\u53bb\u5e74\u8a31\u591a\u52d2\u7d22\u75c5\u6bd2\u7684\u653b\u64ca\u76ee\u6a19\u3002\u4e0d\u5e78\u7684\u662f\uff0c\u5f88\u591a\u6a5f\u69cb\u90fd\u8feb\u65bc\u58d3\u529b\u800c\u652f\u4ed8\u4e86\u8d16\u91d1\u4ee5\u907f\u514d\u71df\u904b\u7671\u7613\u6216\u640d\u5931\u91cd\u8981\u8cc7\u6599\u3002

<\/p>\n\n\n\n


Nefilim \u548c\u8a31\u591a\u52d2\u7d22\u75c5\u6bd2\u90fd\u662f\u5229\u7528\u66b4\u9732\u5728\u5916\u7684 RDP \u9023\u63a5\u57e0\u4f86\u611f\u67d3\u96fb\u8166\u3002\u70ba\u6b64\uff0c\u4f01\u696d\u53ef\u63a1\u53d6\u4ee5\u4e0b\u56db\u6b65\u9a5f\u4f86\u9632\u6b62 RDP \u906d\u99ed\u5ba2\u5229\u7528\uff1a<\/p>\n\n\n\n

  1. \u95dc\u9589\u6c92\u7528\u5230\u7684 RDP \u9023\u63a5\u57e0\u3002\u5982\u679c\u4e0d\u53ef\u80fd\u95dc\u9589\uff0c\u90a3\u5c31\u9650\u5236\u9019\u4e9b\u9023\u63a5\u57e0\u7684\u9060\u7aef\u9023\u5165\u4f4d\u5740\u3002<\/li>
  2. \u900f\u904e\u8a2d\u5b9a\u4f86\u78ba\u4fdd\u552f\u6709\u7372\u5f97\u6388\u6b0a\u7684\u4f7f\u7528\u8005\u53ef\u53d6\u5f97 RDP \u7db2\u8def\u7cfb\u7d71\u7ba1\u7406\u54e1\u6b0a\u9650\u3002<\/li>
  3. \u76e3\u63a7\u7db2\u8def\u6d3b\u52d5\u4f86\u767c\u6398\u99ed\u5ba2\u653b\u64ca\u8de1\u8c61\u3002<\/li>
  4. \u8a2d\u5b9a\u767b\u5165\u5931\u6557\u6b21\u6578\u9650\u5236\uff0c\u9632\u6b62\u4e0d\u8096\u4e4b\u5f92\u4e0d\u65b7\u5617\u8a66\u767b\u5165\u3002<\/li><\/ol>\n\n\n\n
    <\/div>\n\n\n\n

    [\u5ef6\u4f38\u95b1\u8b80\uff1aInfoSec Guide:Remote Desktop Protocol (RDP)<\/a>]<\/p>\n\n\n\n

    <\/div>\n\n\n\n


    \u9664\u6b64\u4e4b\u5916\uff0c\u4f01\u696d\u4e5f\u61c9\u5efa\u7acb\u56b4\u683c\u7684\u898f\u7bc4\u548c\u898f\u5b9a\u4f86\u8655\u7406\u4e0d\u78ba\u5b9a\u4f86\u6e90\u7684\u96fb\u5b50\u90f5\u4ef6\uff0c\u54e1\u5de5\u61c9\u907f\u514d\u958b\u555f\u9019\u985e\u96fb\u5b50\u90f5\u4ef6\u6216\u96a8\u9644\u7684\u6a94\u6848\u3002\u70ba\u9810\u9632\u8cc7\u6599\u6bc0\u640d\uff0c\u54e1\u5de5\u4e5f\u61c9\u5b9a\u671f\u5099\u4efd\u8cc7\u6599\u3002\u6700\u5f8c\uff0c\u9084\u8981\u8b93\u8edf\u9ad4\u548c\u61c9\u7528\u7a0b\u5f0f\u96a8\u6642\u4fdd\u6301\u66f4\u65b0\uff0c\u4ee5\u78ba\u4fdd\u7cfb\u7d71\u6c92\u6709\u4efb\u4f55\u53ef\u5229\u7528\u7684\u65b0\u820a\u6f0f\u6d1e\u3002

    <\/p>\n\n\n\n

    \u4f01\u696d\u9084\u53ef\u9032\u4e00\u6b65\u7d50\u5408\u884c\u70ba\u5206\u6790\u8207\u9ad8\u6e96\u5ea6\u6a5f\u5668\u5b78\u7fd2<\/a>\u4f86\u5f37\u5316\u52d2\u7d22\u75c5\u6bd2\u9632\u8b77\uff0c\u5168\u9762\u4fdd\u8b77\u96fb\u5b50\u90f5\u4ef6\u3001\u7aef\u9ede\u3001\u4f3a\u670d\u5668\u53ca\u7db2\u8def\u3002<\/p>\n\n\n\n


    \n\u82e5\u4f01\u696d\u6b63\u906d\u5230\u52d2\u7d22\u75c5\u6bd2\u653b\u64ca\uff0c\u53ef\u5617\u8a66\u770b\u770b\u8da8\u52e2\u79d1\u6280\u514d\u8cbb\u7684\nRansomware File Decryptor \u6a94\u6848\u89e3\u5bc6\u5de5\u5177 (    Windows<\/a> \u548c macOS<\/a> \u7248\u672c\u7686\u6709)\u3002<\/p>\n\n\n\n

    <\/div>\n\n\n\n


    \n\u5165\u4fb5\u6307\u6a19\u8cc7\u6599<\/strong><\/h3>\n\n\n\n
    <\/div>\n\n\n\n