{"id":6999,"date":"2013-12-16T10:10:52","date_gmt":"2013-12-16T02:10:52","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=6999"},"modified":"2013-12-12T12:00:56","modified_gmt":"2013-12-12T04:00:56","slug":"%e9%87%9d%e5%b0%8d%e6%97%a5%e6%9c%ac%e5%92%8c%e4%b8%ad%e5%9c%8b%e5%8f%af%e5%ae%a2%e8%a3%bd%e5%8c%96%e6%94%bb%e6%93%8a%e7%9a%84-evilgrab-%e7%94%a2%e7%94%9f%e5%99%a8","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=6999","title":{"rendered":"\u91dd\u5c0d\u65e5\u672c\u548c\u4e2d\u570b,\u53ef\u5ba2\u88fd\u5316\u653b\u64ca\u7684 EvilGrab \u7522\u751f\u5668"},"content":{"rendered":"<p style=\"text-align: left;\"><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u6700\u8fd1\u767c\u8868\u5c0d\u4e00\u8d77\u65b0\u653b\u64ca\u6d3b\u52d5\u7684\u8abf\u67e5\u7d50\u679c\uff0c\u9019\u8d77\u653b\u64ca\u6d3b\u52d5\u7a31\u70ba<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/evilgrab-malware-family-used-in-targeted-attacks-in-asia\/\">EvilGrab<\/a>\uff0c\u4e00\u822c\u91dd\u5c0d\u65e5\u672c\u548c\u4e2d\u570b\u7684\u53d7\u5bb3\u8005\u3002\u9019\u8d77\u653b\u64ca\u6d3b\u52d5\u4ecd\u5728\u653b\u64ca\u4f7f\u7528\u8005\uff0c\u6211\u5011\u73fe\u5728\u5df2\u7d93\u53d6\u5f97\u7528\u4f86\u88fd\u9020\u6b64\u6b21\u653b\u64ca\u6d3b\u52d5\u6240\u7528\u60e1\u610f\u7a0b\u5f0f\u7684\u7522\u751f\u5668\u3002<\/p>\n<p style=\"text-align: left;\"><a href=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2012\/10\/hacker-with-hat.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter  wp-image-2906\" alt=\"hacker with hat\" src=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2012\/10\/hacker-with-hat.jpg\" width=\"360\" height=\"523\" srcset=\"https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2012\/10\/hacker-with-hat.jpg 600w, https:\/\/blog.trendmicro.com.tw\/wp-content\/uploads\/2012\/10\/hacker-with-hat-206x300.jpg 206w\" sizes=\"(max-width: 360px) 100vw, 360px\" \/><\/a><\/p>\n<p><strong><i>\u5728\u73fe\u5728\u73fe\u5be6\u4e16\u754c\u7684EvilGrab\u7522\u751f\u5668<\/i><\/strong><\/p>\n<p>\u5e36\u6211\u5011\u627e\u5230EvilGrab\u7522\u751f\u5668\u7684\u662f\u500b\u507d\u88dd\u6210Word\u6587\u4ef6\u6a94\u7684\u60e1\u610f\u6a94\u6848 \u2013 <i>\u6700\u65b0\u7248\u672c\u7684\u8bf7\u613f\u4e66-\u8ba9\u6211\u4eec\u4e00\u540c\u4e3a\u4e66\u8bb0\u5450\u558a\uff08\u8bf7\u4fee\u6539\u6307\u6b63).doc.exe<\/i>\u3002\u6a94\u540d\u662f\u7528\u7c21\u9ad4\u4e2d\u6587\uff08\u5b83\u7684MD5\u503c\u662fb48c06ff59987c8a6c7bda3e1150bea1\uff0c<a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u5c07\u5176\u5075\u6e2c\u70ba<a href=\"https:\/\/about-threats.trendmicro.com\/us\/malware\/BKDR_EVILOGE.SM\">BKDR_EVILOGE.SM<\/a>\uff09\u3002\u5b83\u6703\u9023\u5230\u547d\u4ee4\u548c\u63a7\u5236\u4f3a\u670d\u5668\uff08203.186.75.184\u548c182.54.177.4\uff09\uff0c\u5206\u5225\u4f4d\u5728\u9999\u6e2f\u548c\u65e5\u672c\u3002\u5b83\u9084\u6703\u5c07\u81ea\u5df1\u8907\u88fd\u5230\u555f\u52d5\u8cc7\u6599\u593e\uff0c\u4e26\u4e14\u5c0dWindows\u8a3b\u518a\u8868\u505a\u7de8\u8f2f\u3002\u9019\u4e9b\u90fd\u662f\u9019\u985e\u578b\u60e1\u610f\u8edf\u9ad4\u7684\u5178\u578b\u8209\u52d5\u3002<\/p>\n<p>\u7136\u800c\uff0c\u6709\u4e9b\u88ab\u52a0\u5165\u7684\u8a3b\u518a\u78bc\u6709\u8457\u7279\u6b8a\u610f\u7fa9\uff1a<\/p>\n<p>HKEY_LOCAL_MACHINE\\SOFTWARE\\{AV vendor}\\settings<\/p>\n<p>HKEY_LOCAL_MACHINE\\SOFTWARE\\{AV vendor}\\environment<\/p>\n<p>\u9019\u4e9b\u8a3b\u518a\u78bc\u4f3c\u4e4e\u8a66\u5716\u5c07\u81ea\u5df1\u6ce8\u5165\u5230\u9632\u6bd2\u7522\u54c1\u7684\u7a0b\u5e8f\u5167\u3002\u548c\u6211\u5011\u4e4b\u524d\u6240\u8a0e\u8ad6\u7684EvilGrab\u6a23\u672c\u985e\u4f3c\uff0c\u9019\u60e1\u610f\u8edf\u4ef6\u6703\u5c0d\u9a30\u8a0aQQ\uff08\u4e00\u500b\u6d41\u884c\u7684\u4e2d\u570b\u5373\u6642\u901a\u7cfb\u7d71\uff09\u9032\u884c\u76f8\u540c\u6aa2\u67e5\u3002<\/p>\n<p>\u96d6\u7136\u60e1\u610f\u8edf\u9ad4\u672c\u8eab\u4e26\u6c92\u6709\u7279\u5225\u4e0d\u5c0b\u5e38\u7684\u5730\u65b9\uff0c\u4f46\u662f\u5206\u6790\u5b83\u8b93\u6211\u5011\u627e\u5230\u7528\u4f86\u7522\u751f\u9019\u4e9b\u60e1\u610f\u8edf\u9ad4\u7684\u7522\u751f\u5668\u3002\u9019\u500b\u7522\u751f\u5668\u88ab\u78ba\u8a8d\u78ba\u5be6\u5b58\u5728\uff0c\u800c\u4e14\u547d\u540d\u70ba<i>Property4.exe<\/i>\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2013\/11\/evilgrab1.png\" width=\"550\" height=\"411\" \/><\/p>\n<p>\u6211\u5011\u53ef\u4ee5\u770b\u5230\u653b\u64ca\u8005\u53ef\u4ee5\u8f38\u5165\u597d\u5e7e\u500b\u6b04\u4f4d\u3002\u5176\u4e2d\u5305\u62ec\u4e86\uff1a<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>\u6307\u5b9a\u547d\u4ee4\u548c\u63a7\u5236\uff08C&amp;C\uff09\u4f3a\u670d\u5668\uff08IP\u5730\u5740\u6216\u7db2\u57df\u540d\u7a31\uff09\uff0c\u7aef\u53e3\u548c\u9023\u63a5\u6642\u9593\u9593\u9694\u3002<\/li>\n<li>\u9078\u64c7\u6a94\u6848\u5716\u793a\uff08\u5b89\u88dd\u6a94\u6848\u5716\u793a\uff0c\u6a94\u6848\u593e\u5716\u793a\u548c\u6587\u4ef6\u5716\u793a\uff09<\/li>\n<li>\u522a\u9664\u81ea\u5df1<\/li>\n<li>\u9375\u76e4\u8a18\u9304<\/li>\n<li>\u6309\u9375\u8a18\u9304<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>\u53e6\u5916\uff0c\u5728\u9019\u7522\u751f\u5668\u7684\u7b2c\u4e8c\u9078\u9805\u9801\u5167\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u9078\u64c7\u8a66\u5716\u7e5e\u904e\u7684\u9632\u6bd2\u7522\u54c1\uff1a<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2013\/11\/evilgrab2.png\" width=\"550\" height=\"411\" \/><\/p>\n<p><i>\u5716\u4e8c\u3001\u7e5e\u904e\u9632\u6bd2\u8edf\u9ad4<\/i><\/p>\n<p>&nbsp;<\/p>\n<p><strong><i>\u6e2c\u8a66EvilGrab\u7522\u751f\u5668<\/i><\/strong><\/p>\n<p>\u9019\u6642\u5019\uff0c\u6211\u5011\u6c7a\u5b9a\u8981\u6e2c\u8a66\u9019\u7522\u751f\u5668\u7684\u529f\u80fd\uff0c\u4e26\u4e14\u5c07\u5176\u6240\u751f\u6210\u7684\u6a94\u6848\u548c\u4e4b\u524d\u6240\u770b\u5230\u7684EvilGrab\u7248\u672c\u52a0\u4ee5\u6bd4\u8f03\u3002<\/p>\n<p>\u9996\u5148\uff0c\u6211\u5011\u6253\u958b\u7522\u751f\u5668\uff0c\u8f38\u5165\u4e00\u4e9b\u57fa\u672c\u8a2d\u5b9a\u4f86\u7522\u751f\u6e2c\u8a66\u7248\u7684EvilGrab\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2013\/11\/evilgrab_screenshot_3.jpg\" width=\"448\" height=\"680\" \/><\/p>\n<p><i>\u5716\u4e09\u3001EvilGrab\u7522\u751f\u5668<\/i><\/p>\n<p>\u6211\u5011\u7684\u8f38\u51fa\u9078\u64c7\u4f7f\u7528\u5fae\u8edfWord\u6a94\u6848\u5716\u793a\uff0c\u6a94\u540d\u70baNew.doc.exe\uff0c\u5982\u4e0b\u5716\u6240\u793a\u3002\u8acb\u6ce8\u610f\uff0c\u9019\u5fae\u8edfWord\u6a94\u6848\u5716\u793a\u63cf\u7e6a\u5f97\u5f88\u7cbe\u78ba\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2013\/11\/evilgrab4.png\" width=\"279\" height=\"271\" \/><\/p>\n<p><i>\u5716\u56db\u3001EvilGrab\u6e2c\u8a66\u6a23\u672c<\/i><\/p>\n<p>\u9664\u4e86\u88fd\u9020\u60e1\u610f\u6a94\u6848\u5916\uff0c\u9084\u6703\u7522\u751f\u4e00\u500b\u5305\u542b\u9023\u7dda\u8a73\u7d30\u8cc7\u6599\u7684\u8a2d\u5b9a\u6a94\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2013\/11\/evilgrab5.png\" width=\"277\" height=\"249\" \/><\/p>\n<p><i>\u5716\u4e94\u3001EvilGrab\u8a2d\u5b9a\u6a94<!--more--><\/i><\/p>\n<p>\u6211\u5011\u63a5\u8457\u5206\u6790\u525b\u525b\u7522\u751f\u7684\u60e1\u610f\u6a94\u6848\u3002\u6211\u5011\u767c\u73fe\u8ddf\u539f\u672c\u90e8\u843d\u683c\u5167\u6240\u4ecb\u7d39\u7684EvilGrab\u60e1\u610f\u8edf\u9ad4\u529f\u80fd\u4e00\u6a23\uff0c\u5305\u62ec\u6703\u6aa2\u67e5\u9a30\u8a0aQQ\u3002\u6211\u5011\u4e5f\u770b\u5230\u5b83\u6703\u5c07\u7a0b\u5f0f\u78bc\u6ce8\u5165\u5230\u6b63\u5e38\u7684svchost.exe\u7a0b\u5e8f\u3002<\/p>\n<p><strong>\u00a0<i>\u76f8\u4f3c\u4e4b\u8655<\/i><\/strong><\/p>\n<p>\u5c07\u6211\u5011\u5728\u73fe\u5be6\u74b0\u5883\u5167\u6240\u767c\u73fe\u7684EvilGrab\u6a23\u672c\u8ddf\u7522\u751f\u5668\u6240\u88fd\u9020\u7684\u6a23\u672c\u505a\u6bd4\u8f03\uff0c\u5b83\u5011\u5728\u529f\u80fd\u65b9\u9762\u5e7e\u4e4e\u5b8c\u5168\u4e00\u6a23\u3002<\/p>\n<p>\u6bd4\u65b9\u8aaa\u8a3b\u518a\u78bc\u5e7e\u4e4e\u4e00\u6a21\u4e00\u6a23\u3002\u5f88\u5feb\u5730\u4f86\u770b\u4e00\u4e0b\u88ab\u7de8\u8f2f\u7684\u8a3b\u518a\u78bc\u6a23\u672c\u4ee5\u6aa2\u67e5\u5169\u8005\u9593\u7684\u76f8\u4f3c\u7a0b\u5ea6\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2013\/11\/evilgrab6.png\" width=\"550\" height=\"348\" \/><\/p>\n<p><i>\u8868\u4e00\u3001\u6703\u88ab\u7de8\u8f2f\u7684Windows\u8a3b\u518a\u8868\u5167\u5bb9<\/i><\/p>\n<p>\u540c\u6a23\u5730\uff0c\u5169\u500b\u6a23\u672c\u90fd\u6709\u5e7e\u4e4e\u76f8\u540c\u7684\u8f38\u5165\u51fd\u6578\u3002\u5728\u4e0b\u8868\uff0c\u4f60\u53ef\u4ee5\u770b\u5230\u4e00\u4e9b\u8f38\u5165\u51fd\u6578\u7684\u7bc4\u4f8b\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2013\/11\/evilgrab7.png\" width=\"431\" height=\"161\" \/><\/p>\n<p><i>\u8868\u4e8c\u3001\u8f38\u5165\u51fd\u6578<\/i><\/p>\n<p>&nbsp;<\/p>\n<p><strong><i>\u7d50\u8ad6<\/i><\/strong><\/p>\n<p><strong>\u00a0<\/strong>\u6211\u5011\u5df2\u7d93\u5728\u73fe\u5be6\u74b0\u5883\u5167\u770b\u5230\u591a\u500bEvilGrab\u6a23\u672c\u597d\u4e00\u6bb5\u65e5\u5b50\u4e86\u3002\u7136\u800c\uff0c\u6709\u4e86\u9019\u7522\u751f\u5668\uff0c\u6211\u5011\u4fbf\u53ef\u4ee5\u958b\u767c\u66f4\u5f37\u5927\u7684\u9632\u8b77\u5f62\u5f0f\uff0c\u4e26\u6301\u7e8c\u4fdd\u8b77\u6211\u5011\u7684\u5ba2\u6236\u4f86\u5c0d\u6297\u60e1\u610f\u8edf\u9ad4\u5bb6\u65cf\u3002\u5b83\u4e5f\u8b93\u6211\u5011\u52a0\u5f37\u73fe\u6709\u7684\u5a01\u8105\u60c5\u5831\uff0c\u4f86\u5c0d\u4ed8\u4f7f\u7528\u548c\u958b\u767c\u5b83\u7684\u60e1\u610f\u653b\u64ca\u8005\u3002<\/p>\n<p>\u60f3\u77e5\u9053\u6211\u5011\u5728\u4e4b\u524d\u6240\u62ab\u9732\u95dc\u65bcEvilGrab\u7684\u8cc7\u8a0a\uff0c\u53ef\u4ee5\u53c3\u8003\u6211\u5011<a href=\"https:\/\/about-threats.trendmicro.com\/cloud-content\/us\/ent-primers\/pdf\/2q-report-on-targeted-attack-campaigns.pdf\">\u4e4b\u524d\u95dc\u65bcAPT\u76ee\u6a19\u653b\u64ca\u7684\u5831\u544a<\/a>\uff0c\u88e1\u9762\u4e5f\u63d0\u5230\u4e86EvilGrab\u3002<\/p>\n<p>&nbsp;<\/p>\n<p>@\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/evilgrabs-evil-still-propagating\/\">EvilGrab\u2019s Evil, Still Propagating\u4f5c\u8005\uff1a<\/a><a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/author\/kylewilhoit\/\">Kyle Wilhoit\uff08\u8cc7\u6df1\u5a01\u8105\u7814\u7a76\u54e1\uff09<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8da8\u52e2\u79d1\u6280\u6700\u8fd1\u767c\u8868\u5c0d\u4e00\u8d77\u65b0\u653b\u64ca\u6d3b\u52d5\u7684\u8abf\u67e5\u7d50\u679c\uff0c\u9019\u8d77\u653b\u64ca\u6d3b\u52d5\u7a31\u70baEvilGrab\uff0c\u4e00\u822c\u91dd\u5c0d\u65e5\u672c\u548c\u4e2d\u570b\u7684\u53d7\u5bb3\u8005\u3002\u9019\u8d77 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[10,820],"tags":[44,45,358,357,498,1316,1317],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/6999"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6999"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/6999\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}