{"id":65690,"date":"2020-09-16T09:00:00","date_gmt":"2020-09-16T01:00:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=65690"},"modified":"2020-10-21T14:14:18","modified_gmt":"2020-10-21T06:14:18","slug":"%e3%80%8a%e6%9c%80%e6%96%b0%e5%8b%92%e7%b4%a2%e7%97%85%e6%af%92%e3%80%8bdarkside-%e5%85%88%e8%a9%95%e4%bc%b0%e7%9b%ae%e6%a8%99%e4%bc%81%e6%a5%ad%e8%b2%a1%e5%8a%9b%ef%bc%8c%e5%86%8d%e6%b1%ba%e5%ae%9a","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=65690","title":{"rendered":"\u300a\u6700\u65b0\u52d2\u7d22\u75c5\u6bd2\u300bDarkside \u5148\u8a55\u4f30\u76ee\u6a19\u4f01\u696d\u8ca1\u529b\uff0c\u518d\u6c7a\u5b9a\u8d16\u91d1\u6578\u76ee\/ Crysis \u91cb\u51fa\u9023\u83dc\u9ce5\u99ed\u5ba2\u4e5f\u80fd\u4e0a\u624b\u7684\u5de5\u5177\u5957\u4ef6"},"content":{"rendered":"\n

<\/h3>\n\n\n\n

\u904e\u53bb\u5e7e\u9031\uff0c\u8da8\u52e2\u79d1\u6280<\/a>\u767c\u73fe\u52d2\u7d22\u75c5\u6bd2\u51fa\u73fe\u6700\u65b0\u767c\u5c55\u3002\u9996\u5148\u662f\u4e00\u500b\u65b0\u7684\u52d2\u7d22\u75c5\u6bd2\u5bb6\u65cf (\u9ed1\u6697\u9762-Darkside) \u4e4b\u5916\uff0cCrysis\/Dharma \u52d2\u7d22\u75c5\u6bd2\u96c6\u5718\u4e5f\u91cb\u51fa\u4e86\u4e00\u500b\u99ed\u5ba2\u5de5\u5177\u5957\u4ef6\u3002
\u53e6\u5916,\u5728\u8a0a\u606f\u5a01\u8105\u90e8\u5206\uff0c\u6211\u5011\u767c\u73fe\u4e86\u4e00\u6ce2\u5c08\u9580\u6563\u5e03 Negasteal\/Agent Tesla \u60e1\u610f\u7a0b\u5f0f\u7684\u91dd\u5c0d\u6027\u96fb\u5b50\u90f5\u4ef6\u653b\u64ca\u3002<\/p>\n\n\n\n

\"Darkside<\/figure>\n\n\n\n
<\/div>\n\n\n\n

Darkside \u52d2\u7d22\u75c5\u6bd2<\/strong>:\u5148\u8a55\u4f30\u653b\u64ca\u76ee\u6a19\u8ca1\u529b\uff0c\u518d\u6c7a\u5b9a\u8981\u52d2\u7d22\u591a\u5c11\u9322<\/h3>\n\n\n\n


\u4e00\u500b\u540d\u53eb\u300cDarkside(\u9ed1\u6697\u9762)\u300d\u7684\u65b0\u52d2\u7d22\u75c5\u6bd2<\/a>\u5bb6\u65cf (\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba\uff1aRansom.Win32.DARKSIDE.YXAH-THA<\/a>)\u00a0 \u6700\u8fd1\u6d6e\u4e0a\u6aaf\u9762<\/a>\u3002\u6b64\u52d2\u7d22\u75c5\u6bd2\u6703\u8981\u8105\u53d7\u5bb3\u8005\u82e5\u4e0d\u652f\u4ed8\u8d16\u91d1\uff0c\u5c07\u516c\u5e03\u53d7\u5bb3\u8005\u7684\u8cc7\u6599\uff0c\u6b64\u624b\u6cd5\u8207\u4e4b\u524d\u7684 Maze<\/a> \u548c Nefilim<\/a> \u52d2\u7d22\u75c5\u6bd2\u985e\u4f3c\u3002\u88ab\u52a0\u5bc6\u7684\u6a94\u6848\uff0c\u5176\u526f\u6a94\u540d\u6703\u88ab\u52a0\u4e0a\u53d7\u5bb3\u8005\u96fb\u8166\u7684\u7db2\u8def\u5361 (MAC) \u4f4d\u5740\u3002<\/p>\n\n\n\n

\u6839\u64da\u52d2\u7d22\u75c5\u6bd2\u7684 Tor \u7db2\u9801\uff0c\u5176\u5e55\u5f8c\u72af\u7f6a\u96c6\u5718\u5176\u5be6\u6703\u8a55\u4f30\u76ee\u6a19\u4f01\u696d\u7684\u8ca1\u529b\uff0c\u7136\u5f8c\u518d\u6c7a\u5b9a\u8981\u52d2\u8d16\u7684\u91d1\u984d\u3002\u9664\u6b64\u4e4b\u5916\uff0c\u99ed\u5ba2\u4f3c\u4e4e\u4e0d\u6703\u653b\u64ca\u91ab\u7642\u3001\u6559\u80b2\u3001\u975e\u71df\u5229\u53ca\u653f\u5e9c\u7b49\u6a5f\u69cb\u3002

<\/p>\n\n\n\n

\"\"\/
\u5716 1\uff1aDarkside \u52d2\u7d22\u8a0a\u606f\u5167\u5bb9\u3002<\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

Crysis \u52d2\u7d22\u75c5\u6bd2\u91cb\u51fa<\/strong>\u5c31\u9023\u83dc\u9ce5\u99ed\u5ba2\u4e5f\u80fd\u8f15\u9b06\u6ef2\u900f\u7db2\u8def\u7684\u99ed\u5ba2\u5de5\u5177\u5957\u4ef6<\/strong><\/h3>\n\n\n\n


Crysis\/Dharma \u52d2\u7d22\u75c5\u6bd2 (\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba  Ransom.Win32.CRYSIS.TIBGGS<\/a>) \u6700\u8fd1\u91cb\u51fa\u4e86\u4e00\u500b\u540d\u70ba\u300cToolbox\u300d\u7684\u99ed\u5ba2\u5de5\u5177\u5957\u4ef6\u3002 Toolbox \u7576\u4e2d\u5305\u542b\u4e86\u5c08\u9580\u7528\u4f86\u641c\u522e\u5bc6\u78bc\u7684 Mimikatz\u3001\u5c08\u9580\u7528\u4f86\u7aca\u53d6\u9060\u7aef\u684c\u9762\u5354\u5b9a (RDP) \u5bc6\u78bc\u7684 NirSoft Remote Desktop PassView\u3001\u5c08\u9580\u7528\u4f86\u7aca\u53d6\u96dc\u6e4a\u78bc\u7684 Hash Suite Tools Free\uff0c\u4ee5\u53ca\u5176\u4ed6\u7528\u4f86\u641c\u5c0b\u653b\u64ca\u76ee\u6a19\u96fb\u8166\u4e26\u690d\u5165\u52d2\u7d22\u75c5\u6bd2\u7684\u5de5\u5177\u3002\u6709\u4e86\u9019\u500b\u5957\u4ef6\uff0c\u5c31\u9023\u83dc\u9ce5\u99ed\u5ba2\u4e5f\u80fd\u8f15\u9b06\u6ef2\u900f\u7db2\u8def\u3002<\/p>\n\n\n\n

\u7531\u65bc Crysis \u63a1\u7528\u7684\u662f\u52d2\u7d22\u75c5\u6bd2\u670d\u52d9<\/a>  (RaaS) \u7684\u7d93\u71df\u6a21\u5f0f\uff0c\u56e0\u6b64\u9019\u5957\u5de5\u5177\u6709\u52a9\u65bc\u8b93\u5b83\u6563\u64ad\u5f97\u66f4\u5ee3\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u5ef6\u4f38\u95b1\u8b80:\u201d \u53ea\u8981 39 \u7f8e\u5143\u4fbf\u63d0\u4f9b\u300c\u7d42\u8eab\u6388\u6b0a\u300d\u201d \u2014\u6df1\u5c64\u7db2\u8def\u4e0a\u7684\u52d2\u7d22\u75c5\u6bd2\u670d\u52d9(RaaS),\u5c0d\u4f01\u696d\u7684\u610f\u7fa9\u70ba\u4f55?<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n

Negasteal\/Agent Tesla \u7d93\u7531\u96fb\u5b50\u90f5\u4ef6\u6563\u767c\uff0c\u9396\u5b9a\u9280\u884c\u5ba2\u6236<\/strong><\/h3>\n\n\n\n


\u6211\u5011\u6700\u8fd1\u767c\u73fe\u4e86\u4e00\u6ce2\u96fb\u5b50\u90f5\u4ef6\u653b\u64ca\u5c08\u9580\u7d93\u7531\u60e1\u610f\u9644\u4ef6\u6563\u5e03 Negasteal\/Agent Tesla \u60e1\u610f\u7a0b\u5f0f (\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba TrojanSpy.MSIL.NEGASTEAL.DYSGXT<\/a>)\uff0c\u6b64\u6ce2\u653b\u64ca\u7684\u5c0d\u8c61\u662f\u6cf0\u570b\u4e00\u5bb6\u570b\u6709\u9280\u884c Krung Thai Bank (\u6cf0\u4eac\u9280\u884c) \u7684\u5ba2\u6236\u3002\u96fb\u5b50\u90f5\u4ef6\u5167\u5bb9\u662f\u6709\u95dc\u300c\u5c0d\u5916\u532f\u6b3e\u4ea4\u6613\u300d\u7684\u6536\u64da\uff0c\u532f\u6b3e\u91d1\u984d\u5c07\u8fd1 9,000 \u7f8e\u5143\uff0c\u90f5\u4ef6\u5167\u5bb9\u6703\u8acb\u4f7f\u7528\u8005\u4e0b\u8f09\u4e26\u53c3\u95b1\u9644\u4ef6\u6a94\u6848\u3002\u9644\u4ef6\u6a94\u6848\u662f\u4e00\u4efd\u6703\u653b\u64ca Microsoft Office  CVE-2017-11882<\/a> \u6f0f\u6d1e\u7684\u6587\u4ef6 (\u9019\u662f\u4e00\u500b\u5df2\u7d93\u6709 17 \u5e74\u6b77\u53f2<\/a>\u7684 Microsoft Office \u8a18\u61b6\u9ad4\u5167\u5bb9\u640d\u6bc0\u6f0f\u6d1e)\uff0c\u4e00\u65e6\u653b\u64ca\u6210\u529f\uff0c\u5c31\u53ef\u4ee5\u4e0b\u8f09\u60e1\u610f\u6a94\u6848\u5230\u53d7\u5bb3\u96fb\u8166\u4e0a\u57f7\u884c\u3002<\/p>\n\n\n\n

\u9996\u6b21\u767c\u73fe\u65bc 2014 \u5e74<\/a>\u7684 Negasteal \u4e00\u76f4\u4ee5\u4f86\u90fd\u6703\u7d93\u7531\u7db2\u7ad9\u63a7\u5236\u53f0\u3001FTP \u6216 SMTP \u50b3\u9001\u7aca\u53d6\u7684\u8cc7\u6599\u3002\u6700\u8fd1\uff0c\u6211\u5011\u767c\u73fe\u5b83\u6703\u7d93\u7531\u53ef\u5378\u9664\u5f0f\u88dd\u7f6e\u6d41\u50b3<\/a>\uff0c\u56e0\u70ba\u5b83\u6703\u7aca\u53d6 Becky!Internet Mail \u7684\u767b\u5165\u6191\u8b49\u3002<\/p>\n\n\n\n

\"\"\/
\u5716 2\uff1a\u542b\u6709 Negasteal \u60e1\u610f\u9644\u4ef6\u7684\u96fb\u5b50\u90f5\u4ef6\u6a23\u672c\u3002<\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n
<\/code><\/pre>\n\n\n\n
\u5165\u4fb5\u6307\u6a19\u8cc7\u6599<\/strong><\/h3>\n\n\n\n
Darkside \u52d2\u7d22\u75c5\u6bd2<\/strong><\/p>\n\n\n\n