Chinese APT group Winnti's subgroup Grayfly strikes: the "SideWalk" backdoor targets North America, Asia and other regions, and Taiwan is on the list

Published 2021-09-17 (https://blog.billows.com.tw/?p=1384)

Introduction: Remember the malware attacks on CPC Corporation, Formosa Petrochemical and the packaging-and-testing house Powertech Technology? And on the eve of the 2020 presidential inauguration, phishing e-mails impersonating the Presidential Office were sent to legislators. Attacks on Taiwan by Chinese APT groups never let up, and the Winnti Group is the most notorious of them. Researchers at ESET and Symantec recently published reports on the SideWalk backdoor, and those reports show that Taiwan has already been singled out as a target.

[Figure: image. Photo Credit: ESET]

Background:

In September 2020 the US Department of Justice indicted five Chinese nationals alleged to be members of the state-sponsored hacking group Winnti (also known as APT41). Three of them (Jiang Lizhi, Qian Chuan and Fu Qiang) took part in tool development and attack planning for the Winnti subgroup Grayfly (also known as GREF and Wicked Panda). The attackers are known to breach victim organizations through Exchange, SQL Server and MySQL servers. Grayfly has recently been observed using a backdoor named SideWalk in concentrated attacks on telecom companies, the IT industry, media outlets and financial institutions in several countries, Taiwan among them. SideWalk has much in common with Crosswalk (Backdoor.Motnug), another backdoor used by the same subgroup. SideWalk is a modular backdoor that can dynamically load additional modules sent from its C&C server, uses Google Docs as a dead drop resolver, and uses Cloudflare Workers as a C2 relay; it can also communicate through a proxy server.

Once a network has been breached, Grayfly installs its custom backdoor on further systems, which gives the attackers full remote access to the network and to proxied connections and lets them reach otherwise hard-to-reach parts of the target network. Grayfly also deploys a customized build of the Mimikatz credential-dumping tool; with the harvested credentials the attackers can move to any part of the target network. Besides its custom Trojan loader, Grayfly uses the SideWalk backdoor.

Researchers found that Grayfly's recent SideWalk activity has focused especially on MySQL servers and on Microsoft Exchange servers, and many alerts indicate that attacks exploiting the ProxyShell Exchange vulnerabilities are on the rise: in one count, at least 140 web shells had been launched against nearly 2,000 vulnerable Microsoft Exchange servers.

According to the research reports, the victim organizations identified by ESET are as follows:

* Academic institutions in Macao, Hong Kong and Taiwan

* A religious organization in Taiwan

* A computer and electronics manufacturer in Taiwan

* Government organizations in Southeast Asia

* An e-commerce platform in South Korea

* The education sector in Canada

* Media companies in India, Bahrain and the United States

* A computer retailer in the United States

* A local government in Georgia (the country)

* Unidentified organizations in South Korea and Singapore

As with CROSSWALK, during initialization at the start of execution SideWalk computes a 32-bit hash of its shellcode using a loop of ROR4 (rotate right by 4) operations.

The reports show that the SideWalk backdoor collects a similar set of artifacts (target data):

* IP configuration

* Operating system version

* User name

* Computer name

* File name

* Current process ID

* Current time
China's threat to Taiwan long ago extended into cyberattacks, with targets ranging from the technology industry and government agencies to oil, water and power infrastructure. Security awareness among Taiwanese enterprises and government departments has therefore risen steadily in recent years, yet incidents keep surfacing. So how should one defend? MITRE Engage (https://engage.mitre.org/matrix/; the successor to MITRE Shield and a companion to the MITRE ATT&CK framework) holds that enterprises should move from passive to active defense and improve their operational planning: within the area the defender controls, take a step further and steer the adversary. Cyber deception is central to this. Deception techniques that mix the real and the fake mislead the adversary; by concealing key facts and fabricating environments and systems, they leave attackers unable to tell truth from fiction, to assess their position, or to continue their operation. Defense in depth is not a one-stop service; an enterprise needs deception capability before active defense can cover it. What MITRE Engage stresses is that deception is the core of MITRE's active defense approach.

In addition, promptly patching system weaknesses, deploying security detection and defense systems, and tightening access policies remain best practice against targeted attacks: besides lowering the odds that an attack succeeds, they allow earlier discovery when an incident does occur, reducing damage and impact. System and file backups, meanwhile, remain the last resort for recovery after an incident.

Indicators of compromise (IOCs) for the SideWalk backdoor:

SHA-256:

b732bba813c06c1c92975b34eda400a84b5cc54a460eeca309dfecbe9b559bd4

b3eb783b017da32e33d19670b39eae0b11de8e983891dd4feb873d6e9333608d

25a7c1f94822dc61211de253ff0a5805a0eb83921126732a0d52b1f1967cf079

SHA-1:

9d1940ed48190277c9d98ddbd7e4ea63ade5ceae

8c877f583dd1e317af4eb9e15c2d202f2f63e0d1

4c8194c94e25d51a062fab3e0a3edcec349fe914

MD5:

7007877ec8545265722325231b434c79

5251b3f47b1ae8feb79642011b3a925b

Sources:

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware
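The hash IOCs listed above can be applied with a small scanner. This is an added example, not a tool from the page, from ESET or from Symantec: it hashes every file under a directory once with all three algorithms and reports any file whose digest appears in the IOC set. The IOC values are copied from the list above; the directory walk, the constructed benign sample file in demo(), and the function names are this example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# Hash IOCs exactly as listed on the page (SideWalk samples from the ESET/Symantec reports).
SIDEWALK_IOCS = {
    "sha256": {
        "b732bba813c06c1c92975b34eda400a84b5cc54a460eeca309dfecbe9b559bd4",
        "b3eb783b017da32e33d19670b39eae0b11de8e983891dd4feb873d6e9333608d",
        "25a7c1f94822dc61211de253ff0a5805a0eb83921126732a0d52b1f1967cf079",
    },
    "sha1": {
        "9d1940ed48190277c9d98ddbd7e4ea63ade5ceae",
        "8c877f583dd1e317af4eb9e15c2d202f2f63e0d1",
        "4c8194c94e25d51a062fab3e0a3edcec349fe914",
    },
    "md5": {
        "7007877ec8545265722325231b434c79",
        "5251b3f47b1ae8feb79642011b3a925b",
    },
}

ALGOS = ("sha256", "sha1", "md5")


def digest_chunks(chunks) -> dict:
    """Feed an iterable of byte chunks through all three algorithms in one pass."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Digests of an in-memory buffer (used for tests and small blobs)."""
    return digest_chunks([data])


def hash_file(path, chunk_size: int = 1 << 20) -> dict:
    """Stream the file in 1 MiB chunks so large binaries are not read into memory at once."""
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(chunk_size), b""))


def match_iocs(digests: dict) -> list:
    """Return (algorithm, hash) pairs whose value appears in the IOC set; case-insensitive."""
    return [(a, d.lower()) for a, d in digests.items()
            if d.lower() in SIDEWALK_IOCS.get(a, set())]


def scan_tree(root) -> dict:
    """Walk a directory tree; map each matching file path to its IOC hits."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            m = match_iocs(hash_file(p))
            if m:
                hits[str(p)] = m
    return hits


def demo() -> dict:
    """Scan a constructed temporary tree holding one benign file; expect no hits."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "notes.txt").write_bytes(b"constructed benign content, not malware\n")
        return scan_tree(d)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(target).items():
        print(path, found)
```

Run it as `python3 scan_sidewalk_iocs.py /path/to/tree` to print matching paths; demo() returning an empty dict is the expected outcome on the constructed file. Hash IOCs match only the exact samples the reports analysed, and a recompiled or repacked build has different digests, so treat a hit as confirmation and a miss as absence of evidence, and pair this with network hunting for the Google Docs and Cloudflare Workers C2 channels described above.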