{"id":1659,"date":"2022-02-07T13:54:49","date_gmt":"2022-02-07T05:54:49","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=1659"},"modified":"2023-02-13T11:23:11","modified_gmt":"2023-02-13T03:23:11","slug":"%e4%b8%ad%e5%9c%8b%e5%9c%8b%e5%ae%b6%e7%b4%9a%e9%a7%ad%e5%ae%a2%e7%b5%84%e7%b9%94antlion%e5%88%a9%e7%94%a8%e5%ae%a2%e8%a3%bd%e5%8c%96%e5%be%8c%e9%96%80xpack%e6%94%bb%e6%93%8a%e5%8f%b0%e7%81%a3","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=1659","title":{"rendered":"\u4e2d\u570b\u570b\u5bb6\u7d1a\u99ed\u5ba2\u7d44\u7e54Antlion\u5229\u7528\u5ba2\u88fd\u5316\u5f8c\u9580xPack\u653b\u64ca\u53f0\u7063\u91d1\u878d\u696d\u5be6\u9ad4\uff0c\u5728\u76ee\u6a19\u7db2\u8def\u505c\u7559\u4e86\u9577\u9054 250\u5929\u4e4b\u4e45"},"content":{"rendered":"\n
\"\"
Photo Credit:BleepingComputer<\/figcaption><\/figure>\n\n\n\n

\u6839\u64da\u8cc7\u5b89\u696d\u8005Symantec<\/a>\u7684\u5831\u544a\uff0c\u88ab\u8ffd\u8e2a\u70baAntlion\u7684\u4e00\u500b\u4e2d\u570b\u570b\u5bb6\u7d1a\u99ed\u5ba2\u96c6\u5718\u4f7f\u7528\u4e86\u4e00\u500b\u540d\u70baxPack \u7684\u5ba2\u88fd\u5316\u5f8c\u9580\uff0c\u5728 2020 \u5e74\u81f3 2021 \u5e74\u671f\u9593\uff0c\u91dd\u5c0d\u53f0\u7063\u5be6\u9ad4\u7684\u7db2\u8def\u9593\u8adc\u6d3b\u52d5\u4e2d\u9396\u5b9a\u4e86\u91d1\u878d\u7d44\u7e54\u548c\u88fd\u9020\u696d\u4f86\u767c\u52d5\u653b\u64ca\uff0c\u4ee5\u7aca\u53d6\u6a5f\u5bc6\u8cc7\u6599\uff0c\u8a72\u5f8c\u9580\u81f3\u5c11\u6578\u6708\u4f86\u672a\u88ab\u767c\u73fe\u3002Symantec\u7814\u7a76\u4eba\u54e1\u7684\u5206\u6790\uff0c\u653b\u64ca\u8005\u5728\u53d7\u611f\u67d3\u7684\u7cfb\u7d71\u4e0a\u90e8\u7f72\u7684xPack\u5f8c\u9580\uff0c\u80fd\u5ee3\u6cdb\u5730\u5b58\u53d6\u53d7\u5bb3\u6a5f\u5668\uff0c\u5141\u8a31\u653b\u64ca\u8005\u9060\u7aef\u57f7\u884cWMI\u6307\u4ee4\uff0c\u4e5f\u6709\u8b49\u64da\u8868\u793a\u653b\u64ca\u8005\u5728\u5f8c\u9580\u4e2d\u540c\u6642\u5229\u7528\u4e86EternalBlue\u7684\u6f0f\u6d1e\u3002<\/p>\n\n\n\n

\u64da\u6089\uff0cxPack\u5f8c\u9580\u5141\u8a31\u653b\u64ca\u8005\u9060\u7aef\u57f7\u884c WMI \u547d\u4ee4\u4e26\u901a\u904e SMB \u639b\u8f09\u5171\u7528\uff0c\u4ee5\u4fbf\u5c07\u6578\u64da\u5f9e C2 \u4f3a\u670d\u5668\u56de\u50b3\u5230\u4ed6\u5011\u3002\u653b\u64ca\u8005\u9084\u4f7f\u7528\u8a72\u60e1\u610f\u8edf\u9ad4\u4f86\u700f\u89bd\u7db2\u9801\uff0c\u5c07\u5176\u7528\u4f5cproxy\u4f86\u63a9\u84cb\u4ed6\u5011\u7684 IP \u5730\u5740\u3002<\/p>\n\n\n\n

\u7814\u7a76\u4eba\u54e1\u767c\u73feAntlion\u5728\u653b\u64ca\u5728\u4e00\u5bb6\u53f0\u7063\u88fd\u9020\u696d\u6642\uff0c\u99ed\u5ba2\u5728\u53d7\u611f\u67d3\u7684\u7db2\u8def\u4e2d\u505c\u7559\u4e86 175 \u5929\uff0c\u53e6\u4e00\u6b21\u5728\u653b\u64ca\u91d1\u878d\u696d\u7d44\u7e54\u6642\u505c\u7559\u4e86\u9577\u9054 250\u5929\u4e4b\u4e45\uff0c\u96d6\u7136\u76ee\u524d\u5c1a\u4e0d\u6e05\u695a\u99ed\u5ba2\u6700\u521d\u7684\u611f\u67d3\u9014\u5f91\uff0c\u4f46\u7531\u65bc\u7814\u7a76\u4eba\u54e1\u5728\u4e00\u6b21\u653b\u64ca\u4e2d\u89c0\u5bdf\u5230\u653b\u64ca\u8005\u5229\u7528 MSSQL\u670d\u52d9\u57f7\u884c\u7cfb\u7d71\u547d\u4ee4\uff0c\u6545\u63a8\u6e2c\u653b\u64ca\u8005\u5229\u7528\u4e86 Web\u61c9\u7528\u7a0b\u5f0f\u6216\u670d\u52d9\u9032\u5165\u53d7\u5bb3\u7d44\u7e54\u3002<\/p>\n\n\n\n

xPack \u5f8c\u9580\u662f\u4e00\u500b .NET\u7a0b\u5f0f\u555f\u52d5\u5668\uff0c\u53ef\u7372\u53d6\u4e26\u57f7\u884c AES \u52a0\u5bc6\u7684\u6709\u6548\u8ca0\u8f09\u4e26\u652f\u63f4\u591a\u500b\u547d\u4ee4\u3002xPack\u5f8c\u9580\u53ef\u4ee5\u4f5c\u70ba\u7368\u7acb\u61c9\u7528\u7a0b\u5f0f\u6216\u670d\u52d9\uff08xPackSvc\u8b8a\u7a2e\uff09\u4f86\u57f7\u884c\u3002Symantec\u9032\u4e00\u6b65\u8aaa\uff0c\u5728\u91dd\u5c0d\u81fa\u7063\u7684\u653b\u64ca\u884c\u52d5\u4e2d\uff0cxPack\u60e1\u610f\u8edf\u9ad4\u53ca\u5176\u76f8\u95dc\u6709\u6548\u8ca0\u8f09\u7528\u65bc\u521d\u59cb\u5b58\u53d6\uff1b\u57f7\u884c\u7cfb\u7d71\u547d\u4ee4\u3001\u522a\u9664\u5f8c\u7e8c\u60e1\u610f\u8edf\u9ad4\u548c\u5de5\u5177\uff0c\u4ee5\u53ca\u66ab\u5b58\u6578\u64da\u4ee5\u9032\u884c\u8cc7\u6599\u7aca\u53d6\u3002\u64da\u4e86\u89e3\uff0c\u653b\u64ca\u8005\u9084\u4f7f\u7528\u4e86\u4e00\u500b\u5ba2\u88fd\u5316\u9375\u76e4\u8a18\u9304\u5668(keylogger)\u548c\u4e09\u500b\u5ba2\u88fd\u5316\u4e0b\u8f09\u5668\u3002<\/p>\n\n\n\n

Symantec\u7814\u7a76\u4eba\u54e1\u767c\u73fe Antlion \u5728\u91dd\u5c0d\u81fa\u7063\u6d3b\u52d5\u4e2d\u4f7f\u7528\u4e86\u4ee5\u4e0b\u5ba2\u88fd\u5316\u5de5\u5177\uff1a<\/p>\n\n\n\n

*EHAGBPSL\u4e0b\u8f09\u5668–\u7528 C++ \u7de8\u5beb\u7684\u5ba2\u88fd\u5316\u4e0b\u8f09\u5668\u2014\u2014\u7531 JpgRun\u4e0b\u8f09\u5668\u52a0\u8f09<\/p>\n\n\n\n

*JpgRun loader: \u7528 C++ \u7de8\u5beb\u7684\u5ba2\u88fd\u5316\u4e0b\u8f09\u5668\u2013 \u4f3c\u65bcxPack\uff0c\u5f9e\u547d\u4ee4\u884c\u8b80\u53d6\u89e3\u5bc6\u5bc6\u9470\u548c\u6a94\u540d – \u89e3\u78bc\u6a94\u4e26\u57f7\u884c\u5b83<\/p>\n\n\n\n

*CheckID \u2013 \u7528 C++ \u7de8\u5beb\u7684\u5ba2\u88fd\u5316\u4e0b\u8f09\u5668\u2013 \u57fa\u65bc BlackHole RAT \u4f7f\u7528\u7684\u4e0b\u8f09\u5668<\/p>\n\n\n\n

*NetSessionEnum \u2013 \u5ba2\u88fd\u5316 SMB\u671f\u9593\u679a\u8209\u5de5\u5177<\/p>\n\n\n\n

*ENCODE MMC \u2013 \u5ba2\u88fd\u5316\u7d81\u5b9a\/\u53cd\u5411\u6a94\u6848\u50b3\u8f38\u5de5\u5177<\/p>\n\n\n\n

*\u57fa\u65bc Mimikatz \u6191\u8b49\u7aca\u53d6\u5668\u7684 Kerberos golden ticket\u5de5\u5177\uff0c\u7528\u4f86\u507d\u9020\u7528\u6236<\/p>\n\n\n\n

\u5c08\u5bb6\u5011\u9084\u6ce8\u610f\u5230\uff0cAntlion\u9084\u4f7f\u7528\u4e86\u5e7e\u500b\u53d7\u5bb3\u96fb\u8166\u88e1\u73fe\u6210\u7684\u5de5\u5177(Living -off -the -land)\u5305\u62ecPowerShell\u3001WMIC\u3001ProcDump\u3001LSASS \u548c PsExec\u7b49\uff0c\u4e26\u540c\u6642\u958b\u63a1CVE-2019-1458\u6b0a\u9650\u64f4\u5f35\u6f0f\u6d1e\uff0c\u9032\u884c\u6b0a\u9650\u63d0\u5347\u548c\u9060\u7aef\u8a08\u5283\u4efb\u52d9\u4f86\u57f7\u884c\u4ed6\u5011\u7684\u5f8c\u9580\uff0c\u6216\u85c9\u7531\u958b\u63a1WinRAR \u7684\u5408\u6cd5\u7248\u672c\u4f86\u7aca\u53d6\u8cc7\u6599\uff0c\u4e26\u5b9a\u671f\u8fd4\u56de\u53d7\u611f\u67d3\u7684\u7db2\u8def\u4ee5\u518d\u6b21\u555f\u52d5 xPack\uff0c\u5f9e\u53d7\u611f\u67d3\u7684\u7d44\u7e54\u7aca\u53d6\u7528\u6236\u6191\u8b49\u3002<\/p>\n\n\n\n

\u64da\u4fe1 Antlion\u99ed\u5ba2\u7d44\u7e54\u81f3\u5c11\u5f9e 2011 \u5e74\u8d77\u5c31\u53c3\u8207\u4e86\u591a\u7a2e\u7db2\u8def\u9593\u8adc\u6d3b\u52d5\uff0c\u56e0\u6b64\u5341\u591a\u5e74\u4f86\uff0c\u4e00\u76f4\u5c0d\u5404\u7d44\u7e54\u69cb\u6210\u5a01\u8105\u3002<\/p>\n\n\n\n

\u6709\u95dcAntlion\u4f7f\u7528\u5ba2\u88fd\u5316\u5f8c\u9580xPack\u7784\u6e96\u53f0\u7063\u91d1\u878d\u6a5f\u69cb\u7684\u60c5\u8cc7:<\/p>\n\n\n\n

SHA 256: f7cab241dac6e7db9369a4b85bd52904022055111be2fc413661239c3c64af3d<\/p>\n\n\n\n

f4534e04caced1243bd7a9ce7b3cd343bf8f558982cbabff93fa2796233fe929<\/p>\n\n\n\n

f01a4841f022e96a5af613eb76c6b72293400e52787ab228e0abb862e5a86874<\/p>\n\n\n\n

eb7a23136dc98715c0a3b88715aa7e936b88adab8ebae70253a5122b8a402df3<\/p>\n\n\n\n

e968e0d7e62fbc36ad95bc7b140cf7c32cd0f02fd6f4f914eeb7c7b87528cfe2<\/p>\n\n\n\n

e5259b6527e8612f9fd9bba0b69920de3fd323a3711af39f2648686fa139bc38<\/p>\n\n\n\n

e4a15537f767332a7ed08009f4e0c5a7b65e8cbd468eb81e3e20dc8dfc36aeed<\/p>\n\n\n\n

e488f0015f14a0eff4b756d10f252aa419bc960050a53cc04699d5cc8df86c8a<\/p>\n\n\n\n

e1a0c593c83e0b8873278fabceff6d772eeaaac96d10aba31fcf3992bc1410e5<\/p>\n\n\n\n

dfee6b3262e43d85f20f4ce2dfb69a8d0603bb261fb3dfa0b934543754d5128b<\/p>\n\n\n\n

de9bd941e92284770b46f1d764905106f2c678013d3793014bdad7776540a451<\/p>\n\n\n\n

a74cb0127a793a7f4a616613c5aae72142c1166f4bb113247e734f0efd48bdba<\/p>\n\n\n\n

SHA 1:<\/p>\n\n\n\n

ea39084f647ce3c9f2892118d850a05dd65d750b<\/p>\n\n\n\n

d7b0ba4958f88b3e7606ee536c90cb08ac258815<\/p>\n\n\n\n

ca3b0cbff477bc67d2a71731d93a420f2e298be0<\/p>\n\n\n\n

MD5:<\/p>\n\n\n\n

b51aa600db0615a4971ce75919a93f4f<\/p>\n\n\n\n

4a448d283c8b112115a8e3807fa3744a<\/p>\n\n\n\n

0ee7731c202b82c1822e563428a51da4<\/p>\n\n\n\n

CVE:<\/p>\n\n\n\n

CVE-2019-1458<\/p>\n\n\n\n

\u00a0“\u8f49\u8cbc\u3001\u5206\u4eab\u6216\u5f15\u7528\u6587\u7ae0\u5167\u5bb9\uff0c\u8acb\u8a3b\u660e\u51fa\u8655\u70ba\u7ae3\u76df\u79d1\u6280\u00a0https:\/\/www.billows.com.tw<\/a>\u00a0, \u4ee5\u514d\u89f8\u6cd5”<\/p>\n","protected":false},"excerpt":{"rendered":"

\u6839\u64da\u8cc7\u5b89\u696d\u8005Symantec\u7684\u5831\u544a\uff0c\u88ab\u8ffd\u8e2a\u70baAntlion\u7684\u4e00\u500b\u4e2d\u570b\u570b\u5bb6\u7d1a\u99ed\u5ba2\u96c6\u5718\u4f7f\u7528\u4e86\u4e00\u500b\u540d\u70baxPack \u7684 READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[201,174],"class_list":["post-1659","post","type-post","status-publish","format-standard","hentry","category-6","tag-antlion","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1659"}],"version-history":[{"count":4,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1659\/revisions"}],"predecessor-version":[{"id":2465,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1659\/revisions\/2465"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}