{"id":73300,"date":"2022-07-12T09:00:00","date_gmt":"2022-07-12T01:00:00","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=73300"},"modified":"2022-07-11T11:10:26","modified_gmt":"2022-07-11T03:10:26","slug":"%e6%96%b0%e7%9a%84-havanacrypt-%e5%8b%92%e7%b4%a2%e7%97%85%e6%af%92%e5%81%87%e6%89%ae%e6%88%90-google-software-update-%e6%87%89%e7%94%a8%e7%a8%8b%e5%bc%8f%ef%bc%8c%e4%bd%bf%e7%94%a8-microsoft","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=73300","title":{"rendered":"\u65b0\u7684 HavanaCrypt \u52d2\u7d22\u75c5\u6bd2\u5047\u626e\u6210 Google Software Update \u61c9\u7528\u7a0b\u5f0f\uff0c\u4f7f\u7528 Microsoft \u4ee3\u7ba1\u670d\u52d9 IP \u4f4d\u5740\u4f5c\u70ba C&C \u4f3a\u670d\u5668"},"content":{"rendered":"\n

<\/h1>\n\n\n\n

\u6700\u8fd1\u8da8\u52e2\u79d1\u6280<\/a>\u767c\u73fe\u4e00\u500b\u65b0\u7684\u52d2\u7d22\u75c5\u6bd2 Ransomware<\/a>\u5bb6\u65cf (\u8da8\u52e2\u79d1\u6280\u547d\u540d\u70ba\u300cHavanaCrypt\u300d)\uff0c\u5b83\u6703\u5047\u626e\u6210\u4e00\u500b Google Software Update \u61c9\u7528\u7a0b\u5f0f\uff0c\u4e26\u4f7f\u7528 Microsoft \u7db2\u7ad9\u4ee3\u7ba1\u670d\u52d9\u7684 IP \u4f4d\u5740\u4f5c\u70ba\u5176\u5e55\u5f8c\u64cd\u7e31 (C&C) \u4f3a\u670d\u5668\u4f86\u8eb2\u907f\u5075\u6e2c\u3002<\/p><\/blockquote>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

\u52d2\u7d22\u75c5\u6bd2<\/a>\u96d6\u7136\u4e0d\u662f\u4ec0\u9ebc\u65b0\u7684\u767c\u660e\uff0c\u4f46\u81f3\u4eca\u4ecd\u662f\u5168\u4e16\u754c\u6700\u56b4\u91cd\u7684\u7db2\u8def\u8cc7\u5b89\u5a01\u8105\u4e4b\u4e00\u3002\u4e8b\u5be6\u4e0a\uff0c\u6839\u64da\u8da8\u52e2\u79d1\u6280 Smart Protection Network™ \u5168\u7403\u5a01\u8105\u60c5\u5831\u7db2\u7684\u8cc7\u6599\uff0c2022 \u5e74\u7b2c 1 \u5b63\uff0c\u6211\u5011\u5728\u96fb\u5b50\u90f5\u4ef6\u3001\u7db2\u5740\u8207\u6a94\u6848\u4e09\u500b\u9632\u8b77\u5c64\u4e0a\u7e3d\u5171\u5075\u6e2c\u4e26\u6514\u622a\u4e86 \u8d85\u904e 440 \u842c\u6b21\u52d2\u7d22\u75c5\u6bd2\u5a01\u8105<\/a>\uff0c\u8f03 2021 \u5e74\u7b2c 4 \u5b63\u6574\u9ad4\u52d2\u7d22\u75c5\u6bd2\u5a01\u8105\u6578\u91cf\u6210\u9577 37%\u3002<\/p>\n\n\n\n

\u52d2\u7d22\u75c5\u6bd2\u4e4b\u6240\u4ee5\u6703\u5982\u6b64\u7316\u7357\uff0c\u4e3b\u8981\u539f\u56e0\u5c31\u5728\u65bc\u5b83\u6703\u4e0d\u65b7\u6f14\u8b8a\u3002\u5b83\u6703\u96a8\u6642\u8b8a\u63db\u624b\u6cd5\u8207\u4f0e\u5006\u4f86\u8a98\u9a19\u4e0d\u77e5\u60c5\u53d7\u5bb3\u8005\u4ee5\u5165\u4fb5\u4f01\u696d\u74b0\u5883\u3002\u4f8b\u5982\u4eca\u5e74\uff0c\u6211\u5011\u770b\u5230\u4e00\u4e9b\u52d2\u7d22\u75c5\u6bd2\u5047\u626e\u6210Windows 10<\/a>\u3001Google Chrome \u53ca Microsoft Exchange \u66f4\u65b0<\/a>\u4f86\u8a98\u9a19\u4e0d\u77e5\u60c5\u53d7\u5bb3\u8005\u4e0b\u8f09\u60e1\u610f\u6a94\u6848\u3002<\/p>\n\n\n\n

\u6700\u8fd1\u6211\u5011\u767c\u73fe\u4e00\u500b\u65b0\u7684\u52d2\u7d22\u75c5\u6bd2\u5bb6\u65cf\u540c\u6a23\u4e5f\u662f\u4f7f\u7528\u985e\u4f3c\u4f0e\u5006\uff0c\u5b83\u6703\u5047\u626e\u6210\u4e00\u500b Google Software Update \u61c9\u7528\u7a0b\u5f0f\uff0c\u4e26\u4f7f\u7528 Microsoft \u7db2\u7ad9\u4ee3\u7ba1\u670d\u52d9\u7684 IP \u4f4d\u5740\u4f5c\u70ba\u5176\u5e55\u5f8c\u64cd\u7e31 (C&C) \u4f3a\u670d\u5668\u4f86\u8eb2\u907f\u5075\u6e2c\u3002\u6839\u64da\u6211\u5011\u7684\u7814\u7a76\u986f\u793a\uff0c\u9019\u500b\u52d2\u7d22\u75c5\u6bd2\u6703\u5728\u5176\u52a0\u5bc6\u904e\u7a0b\u4e2d\u4f7f\u7528 .NET System.Threading \u547d\u540d\u7a7a\u9593\u4e2d\u7528\u4f86\u5c07\u5de5\u4f5c\u6392\u5165\u57f7\u884c\u4f47\u5217\u7684 QueueUserWorkItem<\/a>  \u51fd\u5f0f\uff0c\u4ee5\u53ca\u958b\u653e\u539f\u59cb\u78bc\u5bc6\u78bc\u7ba1\u7406\u8edf\u9ad4 KeePass Password Safe<\/a> \u7684\u6a21\u7d44\u3002<\/p>\n\n\n\n

\u672c\u6587\u5c07\u5f9e\u6280\u8853\u9762\u6df1\u5165\u5206\u6790\u9019\u500b\u6211\u5011\u547d\u540d\u70ba\u300cHavanaCrypt\u300d\u7684\u6700\u65b0\u52d2\u7d22\u75c5\u6bd2\u5bb6\u65cf\u8207\u5176\u611f\u67d3\u6280\u5de7\u3002<\/p>\n\n\n\n\n\n\n\n

<\/div>\n\n\n\n

\u9032\u5165\u7cfb\u7d71<\/h1>\n\n\n\n


HavanaCrypt \u6703\u5047\u626e\u6210 Google Software Update \u61c9\u7528\u7a0b\u5f0f\u4f86\u9032\u5165\u7cfb\u7d71\u3002<\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/a>
\u5716 1\uff1aHavanaCrypt \u57f7\u884c\u6a94\u8a73\u7d30\u8cc7\u8a0a\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u6b64\u60e1\u610f\u7a0b\u5f0f\u662f\u4e00\u500b\u4f7f\u7528 .NET \u7d44\u8b6f\u7684\u61c9\u7528\u7a0b\u5f0f\uff0c\u4e26\u4f7f\u7528\u958b\u653e\u539f\u59cb\u78bc .NET \u52a0\u5bc6\u7de8\u78bc\u8edf\u9ad4 Obfuscar<\/a> \u4f86\u4fdd\u8b77\u5176 .NET assembly \u4e2d\u7684\u7a0b\u5f0f\u78bc\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 2\uff1a\u4f7f\u7528 Detect It Easy \u5de5\u5177\u6240\u770b\u5230\u7684 HavanaCrypt \u57f7\u884c\u6a94\u5c6c\u6027\u8cc7\u6599 (\u8a72\u5de5\u5177\u53ef\u7528\u4f86\u67e5\u770b\u6a94\u6848\u7684\u985e\u578b)\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u6b64\u5916\uff0c\u9019\u500b\u60e1\u610f\u7a0b\u5f0f\u9084\u5177\u5099\u591a\u7a2e\u53cd\u5236\u865b\u64ec\u74b0\u5883\u7684\u6280\u5de7\uff0c\u85c9\u6b64\u9632\u6b62\u7814\u7a76\u4eba\u54e1\u5728\u865b\u64ec\u74b0\u5883\u7576\u4e2d\u5c0d\u5b83\u9032\u884c\u5206\u6790\u3002\u70ba\u4e86\u5206\u6790\u9019\u500b\u6a23\u672c\u4e26\u89e3\u958b\u5176\u7a0b\u5f0f\u78bc\uff0c\u6211\u5011\u4f7f\u7528\u4e86 de4dot<\/a> \u548c DeObfuscar<\/a> \u9019\u985e\u5de5\u5177\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 3\uff1aHavanaCrypt \u52d2\u7d22\u75c5\u6bd2\u539f\u672c\u7d93\u904e\u52a0\u5bc6\u7de8\u78bc\u7684\u7a0b\u5f0f\u78bc\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

\"\"<\/a>
\u5716 4\uff1aHavanaCrypt \u52d2\u7d22\u75c5\u6bd2\u89e3\u958b\u5f8c\u7684\u7a0b\u5f0f\u78bc\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

\u5728\u57f7\u884c\u6642\uff0cHavanaCrypt \u6703\u4f7f\u7528 ShowWindow \u51fd\u5f0f\u4e26\u50b3\u5165 0 (SW_HIDE) \u4f5c\u70ba\u53c3\u6578\u4f86\u96b1\u85cf\u5b83\u7684\u8996\u7a97\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 5\uff1aHavanaCrypt \u4f7f\u7528 ShowWindow \u51fd\u5f0f\u4f86\u96b1\u85cf\u5176\u8996\u7a97\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u63a5\u8457\uff0cHavanaCrypt \u6703\u6aa2\u67e5\u7cfb\u7d71\u767b\u9304\u7684 AutoRun \u6a5f\u78bc\uff0c\u770b\u770b\u300cGoogleUpdate\u300d\u9019\u500b\u6a5f\u78bc\u662f\u5426\u5b58\u5728\u3002\u5982\u679c\u4e0d\u5b58\u5728\uff0c\u5c31\u7e7c\u7e8c\u57f7\u884c\u5176\u60e1\u610f\u884c\u70ba\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 6\uff1aHavanaCrypt \u7528\u4f86\u6aa2\u67e5\u7cfb\u7d71\u767b\u9304\u6a5f\u78bc\u7684\u51fd\u5f0f\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u63a5\u8457\uff0c\u5b83\u6703\u6aa2\u67e5\u81ea\u5df1\u662f\u5426\u5728\u865b\u64ec\u74b0\u5883\u4e2d\u57f7\u884c\uff0c\u5982\u679c\u662f\uff0c\u5c31\u6703\u7d42\u6b62\u57f7\u884c\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u865b\u64ec\u74b0\u5883\u53cd\u5236<\/h1>\n\n\n\n


HavanaCrypt \u6703\u5c0d\u53d7\u5bb3\u7cfb\u7d71\u9032\u884c\u56db\u9805\u6aa2\u67e5\u4f86\u770b\u770b\u5b83\u662f\u5426\u70ba\u4e00\u53f0\u865b\u64ec\u6a5f\u5668\u3002<\/p>\n\n\n\n

\"\"<\/a>

\u5716 7\uff1aHavanaCrypt \u7528\u4f86\u53cd\u5236\u865b\u64ec\u74b0\u5883\u7684\u51fd\u5f0f\u3002<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/a>
\u5716 8\uff1aHavanaCrypt \u5b8c\u6574\u7684\u865b\u64ec\u74b0\u5883\u53cd\u5236\u7a0b\u5f0f\u78bc\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

\u7b2c\u4e00\uff0c\u5b83\u6703\u6aa2\u67e5\u865b\u64ec\u6a5f\u5668\u6240\u4f7f\u7528\u7684\u4e00\u4e9b\u670d\u52d9\u662f\u5426\u5b58\u5728\uff0c\u4f8b\u5982\uff1aVMWare Tools<\/a> \u548c vmmouse<\/a>\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 9\uff1aHavanaCrypt \u6703\u6aa2\u67e5\u7684\u670d\u52d9\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u7b2c\u4e8c\uff0c\u5b83\u6703\u6aa2\u67e5\u4e00\u4e9b\u865b\u64ec\u6a5f\u5668\u5e38\u6709\u7684\u6a94\u6848\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 10\uff1aHavanaCrypt \u6703\u6aa2\u67e5\u865b\u64ec\u6a5f\u5668\u76f8\u95dc\u7684\u6a94\u6848\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

\u7b2c\u4e09\uff0c\u5b83\u6703\u6aa2\u67e5\u865b\u64ec\u6a5f\u5668\u4f7f\u7528\u7684\u57f7\u884c\u6a94\u540d\u7a31\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 11\uff1aHavanaCrypt \u6703\u6aa2\u67e5\u865b\u64ec\u6a5f\u5668\u7684\u57f7\u884c\u6a94\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u6700\u5f8c\uff0c\u5b83\u6703\u6aa2\u67e5\u96fb\u8166\u7684\u7db2\u8def\u5361 (MAC) \u4f4d\u5740\uff0c\u6838\u5c0d\u5b83\u7684\u524d\u5c0e\u5b57\u5143 (prefix)\uff0c\u4e5f\u5c31\u662f\u6a5f\u69cb\u8b58\u5225\u78bc (OUI ) \u662f\u5426\u5c6c\u65bc\u4e00\u4e9b\u5e38\u898b\u7684\u865b\u64ec\u6a5f\u5668\u6240\u6709\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 12\uff1aHavanaCrypt \u6703\u6aa2\u67e5\u6a5f\u69cb\u8b58\u5225\u78bc (OUI)\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

<\/div>\n\n\n\n
\u7bc4\u570d\u6216\u524d\u5c0e\u5b57\u5143<\/td>\u7522\u54c1<\/td><\/tr>
00:05:69<\/td>VMware ESX \u548c VMware GSX Server<\/td><\/tr>
00:0C:29<\/td>\u7368\u7acb\u7684 VMware vSphere\u3001VMware Workstation \u53ca VMware Horizon<\/td><\/tr>
00:1C:14<\/td>VMWare<\/td><\/tr>
00:50:56<\/td>VMware vSphere\u3001VMware Workstation \u548c VMware ESX Server<\/td><\/tr>
08:00:27<\/td>Oracle VirtualBox 5.2<\/td><\/tr><\/tbody><\/table>
\u8868 1\uff1a\u865b\u64ec\u6a5f\u5668\u7684 OUI \u7bc4\u570d\u6216\u524d\u5c0e\u5b57\u5143\u3002<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

\u5728\u78ba\u5b9a\u53d7\u5bb3\u7684\u96fb\u8166\u4e0d\u662f\u4e00\u53f0\u865b\u64ec\u6a5f\u5668\u4e4b\u5f8c\uff0cHavanaCrypt \u63a5\u8457\u6703\u5f9e 20[.]227[.]128[.]33 \u9019\u500b IP \u4f4d\u5740\u4e0b\u8f09\u4e00\u500b\u540d\u70ba\u300c2.txt\u300d\u7684\u6a94\u6848 (\u6b64\u4f4d\u5740\u662f\u4e00\u500b Microsoft \u7db2\u7ad9\u4ee3\u7ba1\u670d\u52d9\u7684 IP \u4f4d\u5740)\uff0c\u7136\u5f8c\u5c07\u6a94\u6848\u5132\u5b58\u6210\u6279\u6b21\u6a94 (.bat)\uff0c\u6a94\u540d\u7531 20 \u5230 25 \u500b\u96a8\u6a5f\u5b57\u5143\u7d44\u6210\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 13\uff1aMicrosoft \u7db2\u7ad9\u4ee3\u7ba1\u670d\u52d9 IP \u4f4d\u5740\u8a73\u7d30\u5167\u5bb9\u3002
(\u5716\u7247\u4f86\u6e90\uff1a\u00a0AbuseIPDB<\/a>)<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

\u63a5\u8457\uff0c\u5b83\u6703\u4f7f\u7528\u300c\u547d\u4ee4\u63d0\u793a\u5b57\u5143\u300d(cmd.exe) \u4f86\u57f7\u884c\u9019\u500b\u6279\u6b21\u6a94\uff0c\u4e26\u50b3\u5165\u300c\/c start\u300d\u4f5c\u70ba\u53c3\u6578\u3002\u6279\u6b21\u6a94\u4e2d\u5305\u542b\u4e00\u4e9b\u8a2d\u5b9a Windows Defender \u6383\u63cf\u504f\u597d\u7684\u6307\u4ee4\uff0c\u8b93\u5b83\u5141\u8a31\u4efb\u4f55\u5728\u300c%Windows%\u300d\u548c\u300c%User%\u300d\u76ee\u9304\u4e2d\u5075\u6e2c\u5230\u7684\u5a01\u8105\u3002<\/p>\n\n\n\n

\"\"<\/a>
\u5716 14\uff1a\u8ca0\u8cac\u4e0b\u8f09\u4e26\u57f7\u884c\u6279\u6b21\u6a94\u7684\u51fd\u5f0f\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

\"\"<\/a>
\u5716 15\uff1a\u4f4d\u65bc Microsoft \u7db2\u7ad9\u4ee3\u7ba1\u670d\u52d9 IP \u4f4d\u5740\u7684 Base64 \u7de8\u78bc\u300c2.txt\u300d\u6a94\u6848\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n


<\/p>\n\n\n\n

\"\"<\/a>
\u5716 16\uff1a\u5f9e Microsoft \u7db2\u7ad9\u4ee3\u7ba1\u670d\u52d9 IP \u4f4d\u5740\u4e0b\u8f09\u4e26\u5df2\u89e3\u78bc\u7684\u6279\u6b21\u6a94\u6848\u3002<\/figcaption><\/figure>\n\n\n\n


<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u9664\u6b64\u4e4b\u5916\uff0cHavanaCrypt \u9084\u6703\u7d42\u6b62\u53d7\u5bb3\u96fb\u8166\u4e0a\u67d0\u4e9b\u57f7\u884c\u4e2d\u7684\u8655\u7406\u7a0b\u5e8f\uff1a<\/p>\n\n\n\n