{"id":67265,"date":"2021-03-18T09:00:00","date_gmt":"2021-03-18T01:00:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=67265"},"modified":"2021-03-15T16:49:27","modified_gmt":"2021-03-15T08:49:27","slug":"%e8%a7%a3%e6%9e%90%e9%9b%99%e9%87%8d%e6%94%bb%e6%93%8a%e5%8b%92%e7%b4%a2%e7%97%85%e6%af%92-nefilim","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=67265","title":{"rendered":"\u89e3\u6790\u96d9\u91cd\u653b\u64ca\u52d2\u7d22\u75c5\u6bd2 Nefilim"},"content":{"rendered":"\n

<\/p>\n\n\n\n

\u60e1\u540d\u662d\u5f70\u7684 Nefilim<\/a>\u4ee5\u5176\u96d9\u91cd\u52d2\u7d22\u624b\u6bb5\u57282020\u5e74\u5c55\u958b\u9ad8\u8abf\u653b\u64ca\u3002\u672c\u6587\u88e1\u5c07\u6982\u8ff0\u5176\u6240\u7528\u7684\u6280\u8853\u548c\u5de5\u5177\u3002
<\/p><\/blockquote>\n\n\n\n

Nefilim\u662f\u6700\u70ba\u4eba\u6240\u77e5\u7684\u52d2\u7d22\u75c5\u6bd2Ransomware<\/a> (\u52d2\u7d22\u8edf\u9ad4\/\u7d81\u67b6\u75c5\u6bd2)\u4e4b\u4e00\uff0c\u6703\u5728\u6d3b\u52d5\u6642\u904b\u7528\u96d9\u91cd\u52d2\u7d22\u624b\u6bb5\u3002Nefilim\u6700\u521d\u65bc2020\u5e74\u4e09\u6708<\/a>\u51fa\u73fe \uff0c\u63da\u8a00\u516c\u958b\u53d7\u5bb3\u8005\u88ab\u7aca\u7684\u8cc7\u6599\u4f86\u8feb\u4f7f\u4ed6\u5011\u652f\u4ed8\u8d16\u91d1\u3002\u9664\u4e86\u4f7f\u7528\u9019\u7a2e\u7b56\u7565\u5916\uff0cNefilim\u53e6\u4e00\u500b\u77e5\u540d\u7279\u8272\u662f\u8207Nemty\u7684\u76f8\u4f3c\u3002\u4e8b\u5be6\u4e0a\uff0c\u5b83\u88ab\u8a8d\u70ba\u662f\u65e9\u671f\u52d2\u7d22\u75c5\u6bd2\u7684\u6f14\u9032\u7248\u672c\u3002<\/p>\n\n\n\n

\u6211\u5011\u5c0d\u6b64\u6d3b\u8e8d\u7684\u52d2\u7d22\u75c5\u6bd2\u9032\u884c\u4e86\u7c21\u8981\u5206\u6790\uff0c\u4e26\u4e14\u4ecb\u7d39\u5982\u4f55\u4fdd\u8b77\u7cfb\u7d71\u62b5\u79a6\u653b\u64ca\u3002<\/p>\n\n\n\n

\u5ef6\u4f38\u95b1\u8b80:Nefilim \u52d2\u7d22\u75c5\u6bd2\u5a01\u8105\u66dd\u5149\u4f01\u696d\u8cc7\u6599, \u8da8\u52e2\u79d1\u6280\u5efa\u8b70\u56db\u6b65\u9a5f\u9632\u6b62 RDP \u906d\u5229\u7528<\/a><\/p>\n\n\n\n

<\/div>\n\n\n\n\n\n\n\n
<\/div>\n\n\n\n

\u6280\u8853\u7d30\u7bc0<\/strong><\/h3>\n\n\n\n
<\/div>\n\n\n\n

\u521d\u59cb\u9032\u5165<\/strong><\/em><\/p>\n\n\n\n

\u70ba\u4e86\u505a\u5230\u521d\u59cb\u9032\u5165\uff0cNefilim\u80cc\u5f8c\u7684\u64cd\u7e31\u8005\u6703\u5229\u7528\u591a\u500b\u4e0b\u6e38\u7d44\u7e54\u4f86\u6563\u64ad\u5176\u60e1\u610f\u8edf\u9ad4\u3002\u9019\u4e9b\u4e0b\u6e38\u7d44\u7e54\u6703\u904b\u7528\u5404\u7a2e\u624b\u6bb5\u3002\u6839\u64da\u4ee5\u5f80\u7684\u653b\u64ca\uff0cNefilim\u4e3b\u8981\u662f\u900f\u904e\u66b4\u9732\u7684RDP\u9032\u5165\u7cfb\u7d71\u3002\u4e00\u4e9b\u4e0b\u6e38\u7d44\u7e54\u9084\u6703\u5229\u7528\u5df2\u77e5\u6f0f\u6d1e\u4f86\u505a\u5230\u521d\u59cb\u9032\u5165\u3002\u9019\u4e00\u9ede\u5f97\u5230\u5404\u5bb6\u5831\u544a\u7684\u652f\u6301\uff0c\u6211\u5011\u767c\u73fe\u5b83\u6703\u5229\u7528Citrix\u6f0f\u6d1e\uff08CVE-2019-19781<\/a>\uff09\uff0c\u4e00\u7a2e\u4e0d\u5b89\u5168\u800c\u53ef\u88ab\u66b4\u529b\u653b\u64ca\u7684RDP\u4f86\u9032\u5165\u7cfb\u7d71\u3002<\/p>\n\n\n\n

\u9084\u80fd\u5920\u770b\u5230Nefilim\u5229\u7528\u5404\u7a2e\u5de5\u5177\uff08\u5305\u62ecMimikatz\u3001LaZagne\u548cNirSoft\u7684NetPass\uff09\u4f86\u6536\u96c6\u5e33\u5bc6\u3002\u88ab\u7aca\u5e33\u5bc6\u6703\u88ab\u7528\u4f86\u9032\u5165\u4f3a\u670d\u5668\u7b49\u5177\u6709\u9ad8\u50f9\u503c\u7684\u6a5f\u5668\u3002<\/p>\n\n\n\n

\u4e00\u65e6\u9032\u5165\u4e86\u53d7\u5bb3\u7cfb\u7d71\uff0c\u52d2\u7d22\u75c5\u6bd2\u4fbf\u6703\u958b\u59cb\u690d\u5165\u4e26\u57f7\u884c\u5982\u53cd\u9632\u6bd2\u3001\u8cc7\u6599\u6ef2\u51fa\u5de5\u5177\u7b49\u7d44\u4ef6\uff0c\u6700\u5f8c\u662fNefilim\u672c\u8eab\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u5728\u7db2\u8def\u4e0a\u6a6b\u5411\u79fb\u52d5<\/strong><\/em><\/p>\n\n\n\n


\u653b\u64ca\u8005\u6703\u5229\u7528\u597d\u5e7e\u7a2e\u5408\u6cd5\u5de5\u5177\u4f86\u9032\u884c\u6a6b\u5411\u79fb\u52d5\u3002\u4f8b\u5982\uff0c\u5b83\u6703\u5229\u7528PsExec\u6216Windows Management Instrumentation\uff08WMI\uff09\u4f86\u9032\u884c\u6a6b\u5411\u79fb\u52d5\u3001\u690d\u5165\u548c\u57f7\u884c\u5305\u62ec\u52d2\u7d22\u75c5\u6bd2\u672c\u8eab\u7b49\u7d44\u4ef6\u3002\u6839\u64da\u89c0\u5bdf\uff0cNefilim\u6703\u7528\u6279\u6b21\u6a94\u7d42\u6b62\u67d0\u4e9b\u7a0b\u5e8f\u548c\u670d\u52d9\u3002\u5b83\u751a\u81f3\u6703\u7528PC Hunter\u3001Process Hacker\u548cRevo Uninstaller\u7b49\u7b2c\u4e09\u65b9\u5de5\u5177\u4f86\u7d42\u6b62\u9632\u6bd2\u76f8\u95dc\u7684\u7a0b\u5e8f\u3001\u670d\u52d9\u548c\u61c9\u7528\u7a0b\u5f0f\u3002\u5b83\u9084\u6703\u5229\u7528AdFind\u3001BloodHound\u6216SMBTool\u4f86\u627e\u51faActive Directory\u6216\u9023\u5230\u7db2\u57df\u7684\u96fb\u8166\u3002
<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u8cc7\u6599\u6ef2\u51fa<\/strong><\/em><\/p>\n\n\n\n

\u52d2\u7d22\u75c5\u6bd2\u6700\u8fd1\u4e00\u500b\u503c\u5f97\u6ce8\u610f\u7684\u5730\u65b9\u662f\u8cc7\u6599\u6ef2\u51fa\u80fd\u529b\u3002\u50cf\u662fNefilim\u88ab\u89c0\u5bdf\u5230\u6703\u5c07\u8cc7\u6599\u5f9e\u4f3a\u670d\u5668\u6216\u5171\u4eab\u8cc7\u6599\u593e\u8907\u88fd\u5230\u672c\u5730\u8cc7\u6599\u593e\uff0c\u4e26\u4e14\u75287-Zip\u58d3\u7e2e\u5b58\u6a94\u3002\u63a5\u8457\u5b83\u6703\u7528MEGAsync\u53d6\u51fa\u6b64\u8cc7\u6599\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u4fdd\u8b77\u7cfb\u7d71\u62b5\u79a6\u52d2\u7d22\u75c5\u6bd2<\/strong><\/h3>\n\n\n\n


\u985e\u4f3cNefilim\u7684\u653b\u64ca\u6d3b\u52d5\u6703\u5728\u521d\u59cb\u9032\u5165\u548c\u9032\u884c\u6a6b\u5411\u79fb\u52d5\u4e4b\u9593\u82b1\u8cbb\u8a31\u591a\u6642\u9593\u3002\u4e0d\u904e\u4e00\u65e6\u958b\u59cb\u9032\u884c\u6a6b\u5411\u79fb\u52d5\uff0c\u99ed\u5ba2\u5c31\u6703\u8fc5\u901f\u5730\u5de5\u4f5c\u3002\u4ed6\u5011\u6703\u512a\u5148\u8003\u616e\u5728\u4e3b\u6a5f\u9593\u9032\u884c\u79fb\u52d5\u548c\u6ef2\u51fa\u8cc7\u6599\u3002\u6240\u4ee5\u7d44\u7e54\u53ef\u4ee5\u601d\u8003\u8a72\u5982\u4f55\u9650\u5236\u99ed\u5ba2\u5728\u6a6b\u5411\u79fb\u52d5\u968e\u6bb5\u80fd\u5920\u5229\u7528\u7684\u96fb\u8166\u6578\u91cf\u3002\u9019\u727d\u6d89\u5230\u5982\u76e1\u53ef\u80fd\u4f7f\u7528\u96d9\u56e0\u5b50\u8eab\u4efd\u8a8d\u8b49\uff082FA\uff09\u3001\u5be6\u65bd\u61c9\u7528\u7a0b\u5f0f\u5b89\u5168\u5217\u8868\u4ee5\u53ca\u5be6\u65bd\u6700\u5c0f\u6b0a\u9650\u539f\u5247\u7b49\u8cc7\u5b89\u4f5c\u6cd5\u3002<\/p>\n\n\n\n

\u8ac7\u5230\u4fdd\u8b77\u7cfb\u7d71\u62b5\u79a6Nefilim\u60e1\u610f\u5a01\u8105\uff0c\u6700\u4f73\u5be6\u4f5c\u4ecd\u7136\u9069\u7528\u3002\u6700\u597d\u7684\u8fa6\u6cd5\u662f\u63a1\u7528\u9632\u6b62\u985e\u4f3c\u653b\u64ca\u9032\u884c\u6a6b\u5411\u79fb\u52d5\u7684\u9632\u79a6\u63aa\u65bd\u3002\u7d44\u7e54\u61c9\u8003\u616e\u4f7f\u7528\u8a98\u990c\u6a94\u6848\u76e3\u63a7\u3001\u52a0\u5bc6\u52d5\u4f5c\u76e3\u63a7\u548c\u7a0b\u5e8f\u7d42\u6b62\u3002\u5176\u4ed6\u8981\u5be9\u8996\u7684\u6700\u4f73\u5be6\u4f5c\u5305\u62ec\uff1a<\/p>\n\n\n\n