{"id":67064,"date":"2021-02-19T09:00:00","date_gmt":"2021-02-19T01:00:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=67064"},"modified":"2021-04-09T14:05:14","modified_gmt":"2021-04-09T06:05:14","slug":"%e6%aa%a2%e8%a6%96%e9%ab%98%e8%aa%bf%e7%9a%84-sodinokibi-%e5%8b%92%e7%b4%a2%e7%97%85%e6%af%92%e6%94%bb%e6%93%8a","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=67064","title":{"rendered":"\u6aa2\u8996\u9ad8\u8abf\u7684 Sodinokibi (REvil)\u52d2\u7d22\u75c5\u6bd2\u653b\u64ca"},"content":{"rendered":"\n

<\/p>\n\n\n\n

\u5728\u53bb\u5e74\u6709\u597d\u5e7e\u6b21\u9ad8\u8abf\u7684\u653b\u64ca\u4e8b\u4ef6\u80cc\u5f8c\u90fd\u6709Sodinokibi(REvil)\u7684\u5f71\u5b50\u3002\u6211\u5011\u5728\u672c\u6587\u88e1\u5c07\u6703\u5229\u7528\u9047\u904e\u7684\u4e00\u4e9b\u6848\u4f8b\u4f86\u63cf\u8ff0\u5176\u653b\u64ca\u904e\u7a0b\u3002
(2021\/3\u66f4\u65b0:\u53f0\u7063\u5728\u4eca\u5e74\u4e5f\u767c\u751f\u76f8\u95dc\u653b\u64ca:\u5b8f\u7881\u50b3\u51fa\u7591\u4f3c\u906d\u5230\u52d2\u7d22\u8edf\u9ad4REvil\u653b\u64ca\uff0c\u99ed\u5ba2\u7d22\u8a0e5\u5343\u842c\u7f8e\u5143\u8d16\u91d1<\/a>)<\/p>\n\n\n\n

Sodinokibi(REvil)\u52d2\u7d22\u75c5\u6bd2 Ransomware<\/a> (\u52d2\u7d22\u8edf\u9ad4\/\u7d81\u67b6\u75c5\u6bd2)\u6700\u65e9\u662f\u57282019\u5e744\u6708\u88ab\u5075\u6e2c\u5230\uff0c\u4e26\u4e14\u548c\u5df2\u7d93\u5ba3\u5e03\u6536\u624b\u7684GandCrab\u6709\u95dc\u806f\u3002\u5f9e\u90a3\u4e4b\u5f8c\uff0cSodinokibi (REvil)\u9032\u884c\u4e86\u6578\u6b21\u5099\u53d7\u77da\u76ee\u7684\u653b\u64ca<\/a>\uff0c\u4e00\u76f4\u6301\u7e8c\u52302020\u5e74\uff0c\u8b93\u5b83\u6210\u70ba\u503c\u5f97\u6ce8\u610f\u7684\u52d2\u7d22\u75c5\u6bd2<\/a>\u5bb6\u65cf\u4e4b\u4e00\u3002\u6211\u5011\u5728\u9019\u88e1\u6703\u4ecb\u7d39Sodinokibi(REvil)\u4e00\u822c\u7684\u653b\u64ca\u904e\u7a0b\u3002<\/p>\n\n\n\n

\u5ef6\u4f38\u95b1\u8b80: REvil \u7b49\u52d2\u7d22\u75c5\u6bd2\u96c6\u5718\u8207\u7cfb\u7d71\u99ed\u5165\u96c6\u5718\u7d50\u76df,\u5c08\u653b\u5927\u578b\u4f01\u696d<\/a><\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n
<\/div>\n\n\n\n

\u6280\u8853\u5206\u6790<\/strong><\/h3>\n\n\n\n

Sodinokibi(REvil)\u7684\u4f7f\u7528\u8005\u901a\u5e38\u6703\u50f1\u7528\u5404\u7a2e\u4e0b\u6e38\u7d44\u7e54\u4f86\u9032\u884c\u521d\u59cb\u9032\u5165\u3002\u901a\u5e38\u6703\u4f7f\u7528\u719f\u6089\u7684\u624b\u6cd5\uff0c\u5982\u5e36\u6709\u9b5a\u53c9\u5f0f\u91e3\u9b5a\uff08spear phishing\uff09<\/a>\u9023\u7d50\u6216\u9644\u4ef6\u6a94\u7684\u5783\u573e\u90f5\u4ef6\uff0c\u4f7f\u7528\u6709\u6548\u5e33\u865f\u9032\u884cRDP\u9023\u7dda\uff0c\u5165\u4fb5\u7db2\u7ad9\u4ee5\u53ca\u6f0f\u6d1e\u653b\u64ca\u3002\u4e5f\u5e38\u6703\u4f7f\u7528\u5176\u4ed6\u5177\u6709\u91dd\u5c0d\u6027\u653b\u64ca\u6027\u8cea\u7684\u6280\u8853\u3002<\/p>\n\n\n\n\n\n\n\n

<\/div>\n\n\n\n

\u521d\u59cb\u9032\u5165<\/em><\/strong><\/h3>\n\n\n\n


\u6211\u5011\u770b\u5230\u4f7f\u7528\u4e86\u4e00\u4e9b\u521d\u59cb\u9032\u5165\u6280\u8853\u3002\u5c31\u8ddf\u60e1\u610f\u653b\u64ca\u6d3b\u52d5\u4e00\u6a23\uff0c\u6211\u5011\u770b\u5230\u6703\u5229\u7528CVE-2019-2725<\/a>\u6f0f\u6d1e\uff0c\u540c\u6642\u5728\u4e00\u6848\u4f8b\u4e2d\u770b\u5230\u5229\u7528\u6620\u5c04\u8f09\u5165\u6280\u8853\u5c07Sodinokibi\u8f09\u5165PowerShell\u8a18\u61b6\u9ad4\uff0c\u800c\u975e\u76f4\u63a5\u57f7\u884c\u6a94\u6848\u3002\u6211\u5011\u9084\u770b\u904e\u6703\u5c0e\u81f4\u7528\u5de8\u96c6\u4e0b\u8f09\u4e26\u57f7\u884c\u60e1\u610f\u8edf\u9ad4\u7684\u60e1\u610f\u5783\u573e\u90f5\u4ef6\u3002<\/p>\n\n\n\n

\u60e1\u610f\u8edf\u9ad4\u4e5f\u6703\u5229\u7528CVE-2018-13379<\/a>\u548cCVE-2019-11510<\/a>\u9084\u6709\u88ab\u7aca\u7684\u6709\u6548\u5e33\u865f\u3002\u8b93\u99ed\u5ba2\u53ef\u4ee5\u690d\u5165\u4e26\u57f7\u884c\u5176\u4ed6\u7d44\u4ef6\uff0c\u4f8b\u5982\u53cd\u9632\u6bd2\u529f\u80fd\u3001\u8cc7\u6599\u6ef2\u51fa\u5de5\u5177\u4ee5\u53ca\u6700\u7d42\u7684Sodinokibi\u672c\u8eab\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u6a6b\u5411\u79fb\u52d5\u548c\u8eb2\u907f\u6230\u8853<\/em><\/strong><\/h3>\n\n\n\n


\u8ddf\u4eca\u5929\u8a31\u591a\u52d2\u7d22\u75c5\u6bd2\u5bb6\u65cf\u4e00\u6a23\uff0cSodinokibi(REvil) \u6703\u5c07\u91dd\u5c0d\u6027\u6280\u8853\u7528\u5728\u653b\u64ca\u6d3b\u52d5\u4e2d\u3002\u6bd4\u65b9\u8aaa\uff0c\u6211\u5011\u53ef\u4ee5\u770b\u5230\u5b83\u4f7f\u7528RDP\u548cPsExec\u9032\u884c\u6a6b\u5411\u79fb\u52d5\uff08\u9019\u662f\u7a2e\u91dd\u5c0d\u6027\u653b\u64ca\u7684\u8de1\u8c61\uff09\uff0c\u4f86\u690d\u5165\u548c\u57f7\u884c\u5176\u4ed6\u7d44\u4ef6\u548c\u52d2\u7d22\u75c5\u6bd2\u672c\u8eab\u3002<\/p>\n\n\n\n

\u6211\u5011\u9084\u89c0\u5bdf\u5230\u5b83\u6703\u7528PC Hunter\u548cProcess Hacker\u4f86\u7d42\u6b62\u670d\u52d9\u6216\u7a0b\u5e8f\uff0c\u5c24\u5176\u662f\u9632\u6bd2\u8edf\u9ad4\u76f8\u95dc\u7684\u670d\u52d9\u548c\u7a0b\u5e8f\u3002<\/p>\n\n\n\n

\u4e00\u65e6\u7cfb\u7d71\u53d7\u5230\u611f\u67d3\uff0cSodinokibi(REvil)\u5c31\u6703\u5c0d\u547d\u4ee4\u548c\u63a7\u5236\uff08C&C\uff09\u4f3a\u670d\u5668\u767c\u9001\u5831\u544a\u548c\u7cfb\u7d71\u8cc7\u8a0a\u3002\u5b83\u6703\u7528\u56fa\u5b9a\u683c\u5f0f\u4f86\u7522\u751f\u96a8\u6a5f\u7db2\u5740\uff0c\u4e26\u52a0\u9032\u8a2d\u5b9a\u6a94\u5167\u7684\u7db2\u57df\u5217\u8868\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u8cc7\u5b89\u5efa\u8b70<\/strong><\/h3>\n\n\n\n


\u773e\u6240\u5468\u77e5 Sodinokibi (REvil)\u5c07\u76ee\u6a19\u653e\u5728\u77e5\u540d\u5be6\u9ad4\uff0c\u4e26\u4e14\u6703\u4f7f\u7528\u660e\u986f\u7684\u8eb2\u907f\u5075\u6e2c\u624b\u6cd5\u3002\u56e0\u6b64\uff0c\u4f01\u696d\u61c9\u8a72\u5c0f\u5fc3\u6ce8\u610f\u5176\u4f7f\u7528\u7684\u6280\u8853\u3002\u800c\u73fe\u5728\uff0c\u9019\u88e1\u6709\u4e00\u4e9b\u9632\u6b62\u9019\u985e\u52d2\u7d22\u75c5\u6bd2\u653b\u64ca\u7684\u6700\u4f73\u4f5c\u6cd5\uff1a<\/p>\n\n\n\n