{"id":1733,"date":"2022-03-02T11:56:45","date_gmt":"2022-03-02T03:56:45","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=1733"},"modified":"2023-02-13T11:20:31","modified_gmt":"2023-02-13T03:20:31","slug":"%e4%b8%ad%e5%9c%8b%e6%9c%89%e5%8f%b2%e4%bb%a5%e4%be%86%e6%9c%80%e5%85%88%e9%80%b2%e7%9a%84%e5%be%8c%e9%96%80%e7%a8%8b%e5%bc%8f%ef%bc%8c%e9%9a%b1%e8%97%8f%e9%95%b7%e9%81%949%e5%b9%b4%ef%bc%8c%e7%9e%84","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=1733","title":{"rendered":"\u4e2d\u570b\u6709\u53f2\u4ee5\u4f86\u6700\u5148\u9032\u7684\u5f8c\u9580\u7a0b\u5f0f\uff0c\u96b1\u85cf\u9577\u90549\u5e74\uff0c\u7784\u6e96\u591a\u500b\u653f\u5e9c\u9032\u884c\u9593\u8adc\u653b\u64ca"},"content":{"rendered":"\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"865\" height=\"539\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/03\/image-4.png\" alt=\"\" class=\"wp-image-1734\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/03\/image-4.png 865w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/03\/image-4-300x187.png 300w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/03\/image-4-768x479.png 768w\" sizes=\"auto, (max-width: 865px) 100vw, 865px\" \/><figcaption class=\"wp-element-caption\">Photo Credit: Symantec Threat Hunter<\/figcaption><\/figure>\n\n\n\n<p>\u8fd1\u65e5\uff0cBroadcom \u65d7\u4e0bSymantec Threat Hunter\u5718\u968a\u7684\u7814\u7a76\u54e1<a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/daxin-backdoor-espionage\">\u63ed\u9732<\/a>\u4e86\u81f3\u5c11\u81ea 2013 \u5e74\u4ee5\u4f86\u4e2d\u570bAPT\u99ed\u5ba2\u7cbe\u5fc3\u7b56\u5283\u7684\u9577\u671f\u9593\u8adc\u6d3b\u52d5\uff0c\u4e26\u91dd\u5c0d\u9078\u5b9a\u7684\u653f\u5e9c\u548c\u5176\u4ed6\u95dc\u9375\u57fa\u790e\u76ee\u6a19\u90e8\u7f72\u4e86\u4ee5\u524d\u672a\u88ab\u8a18\u9304\u7684\u9593\u8adc\u5de5\u5177\uff0c\u4e00\u500b\u540d\u70baDaxin\u7684\u5f8c\u9580\u7a0b\u5f0f\u3002\u8a72\u5f8c\u9580\u88ab\u7814\u7a76\u54e1\u63cf\u8ff0\u70ba\u4e00\u7a2e\u6280\u8853\u5148\u9032\u7684\u60e1\u610f\u8edf\u9ad4\uff0c\u5141\u8a31\u653b\u64ca\u8005\u91dd\u5c0d\u4e2d\u570b\u5177\u6709\u6230\u7565\u5229\u76ca\u7684\u96fb\u4fe1\u3001\u904b\u8f38\u548c\u88fd\u9020\u696d\u7684\u5be6\u9ad4\u9032\u884c\u5404\u7a2e\u901a\u8a0a\u548c\u8cc7\u8a0a\u6536\u96c6\u884c\u52d5\u3002<\/p>\n\n\n\n<p>\u6839\u64da\u7f8e\u570b\u7db2\u8def\u5b89\u5168\u66a8\u57fa\u790e\u67b6\u69cb\u7ba1\u7406\u7f72(CISA)\u91dd\u5c0dDaxin\u767c\u4f48\u7684<a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2022\/02\/28\/broadcom-software-discloses-apt-actors-deploying-daxin-malware\">\u8b66\u544a<\/a>\uff0cDaxin\u5f8c\u9580\u662f\u4e00\u7a2e\u9ad8\u5ea6\u8907\u96dc\u7684Rootkit\uff0c\u800cRootkit\u662f\u4e00\u7a2e\u5f88\u6703\u947d\u6d1e\u4e26\u947d\u5230\u7121\u6cd5\u88ab\u4f5c\u696d\u7cfb\u7d71\u6aa2\u6e2c\u5230\u4e4b\u6df1\u5ea6\u7684\u60e1\u610f\u8edf\u9ad4\uff0cDaxin\u5177\u6709\u8907\u96dc\u3001\u96b1\u79d8\u7684\u547d\u4ee4\u548c\u63a7\u5236 (C2) \u529f\u80fd\uff0c\u4f7f\u99ed\u5ba2\u80fd\u9060\u7aef\u8207\u672a\u76f4\u63a5\u9023\u63a5\u5230\u4e92\u806f\u7db2\u7684\u5b89\u5168\u8a2d\u5099\u9032\u884c\u901a\u8a0a\u3002Daxin\u4ee5Windows Kernel Driver(\u6838\u5fc3\u6a21\u5f0f\u9a45\u52d5\u7a0b\u5f0f)\u7684\u578b\u614b\u51fa\u73fe\uff0c\u9019\u662f\u76f8\u5c0d\u7f55\u898b\u7684\u60e1\u610f\u8edf\u9ad4\u683c\u5f0f\u3002\u8a72\u9a45\u52d5\u7a0b\u5f0f\u5be6\u73fe\u4e86\u7cbe\u5fc3\u8a2d\u8a08\u7684\u901a\u8a0a\u6a5f\u5236\uff0c\u70ba\u60e1\u610f\u8edf\u9ad4\u63d0\u4f9b\u4e86\u9ad8\u5ea6\u7684\u96b1\u85cf\u6027\u4ee5\u53ca\u8207\u672a\u76f4\u63a5\u9023\u63a5\u5230\u4e92\u806f\u7db2\u7684\u96fb\u8166\u901a\u8a0a\u7684\u80fd\u529b\u3002\u5927\u90e8\u5206\u7684\u60e1\u610f\u8edf\u9ad4\u90fd\u4f9d\u9760\u690d\u5165\u96fb\u8166\u4e2d\u4e26\u9032\u884c\u653b\u64ca\uff0cDaxin\u5247\u662f\u900f\u904e\u7b2c\u4e09\u65b9\u6216\u5916\u90e8\u9023\u7d50\u5c0d\u96fb\u8166\u9032\u884c\u653b\u64ca\uff0c\u4f7f\u5927\u591a\u6578\u4eba\u7121\u6cd5\u767c\u73fe\u5176\u8e64\u5f71\u3002<\/p>\n\n\n\n<p>Daxin\u80fd\u52ab\u6301\u5408\u6cd5\u7684TCP \/ IP\u9023\u63a5\uff08TCP\/IP\u4ee3\u8868\u50b3\u8f38\u63a7\u5236\u5354\u5b9a\/\u4e92\u806f\u7db2\u5354\u5b9a\uff0c\u7528\u65bc\u5728\u96fb\u8166\u4e4b\u9593\u9032\u884c\u901a\u8a0a\uff09\u4e26\u8207\u9060\u7aef\u5c0d\u7b49\u8005\u4ea4\u63db\u6578\u4f4d\u5bc6\u9470\u3002\u7136\u5f8c\u6210\u529f\u7684\u91d1\u9470\u4ea4\u63db\u5141\u8a31Daxin\u6253\u958b\u52a0\u5bc6\u7684\u901a\u8a0a\u901a\u9053\uff0c\u7528\u65bc\u63a5\u6536\u547d\u4ee4\u4e26\u5c07\u8cc7\u8a0a\u767c\u9001\u56de\u99ed\u5ba2\u3002\u5831\u544a\u7a31\uff0cDaxin\u4f7f\u7528\u88ab\u52ab\u6301\u7684TCP\u9023\u63a5\u70ba\u5176\u901a\u8a0a\u63d0\u4f9b\u4e86\u9ad8\u5ea6\u7684\u96b1\u8eab\u6027\uff0c\u4e26\u6709\u52a9\u65bc\u5728\u5177\u6709\u56b4\u683c\u9632\u706b\u7246\u898f\u5247\u7684\u7db2\u8def\u4e0a\u5efa\u7acb\u9023\u63a5\uff0c\u4e26\u53ef\u964d\u4f4e\u5b89\u5168\u904b\u71df\u4e2d\u5fc3(SOC)\u5206\u6790\u5e2b\u76e3\u63a7\u7db2\u8def\u7570\u5e38\u7684\u98a8\u96aa\u3002<\/p>\n\n\n\n<p>\u5c08\u5bb6\u8a8d\u70ba\uff0c\u8003\u91cf\u5230\u5176\u529f\u80fd\u548c\u6240\u90e8\u7f72\u653b\u64ca\u7684\u6027\u8cea\uff0cDaxin\u4f3c\u4e4e\u5df2\u91dd\u5c0d\u5f37\u5316\u76ee\u6a19\u9032\u884c\u4e86\u512a\u5316\uff0c\u5141\u8a31\u653b\u64ca\u8005\u6df1\u5165\u76ee\u6a19\u7db2\u8def\u4e26\u7aca\u53d6\u6578\u64da\u800c\u4e0d\u6703\u5f15\u8d77\u61f7\u7591\uff0c\u5f8c\u9580\u5be6\u73fe\u7684\u529f\u80fd\u8b93\u4eba\u60f3\u8d772014 \u5e74\u767c\u73fe\u7684<a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.regin\">Regin\u60e1\u610f\u8edf\u9ad4<\/a>\u3002\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0cDaxin\u5c07\u81ea\u8eab\u6574\u5408\u5230\u5408\u6cd5\u6a5f\u5668\u884c\u70ba\u4e2d\uff0c\u4f7f\u5176\u4e0d\u6703\u7522\u751f\u53ef\u7591\u7684\u7db2\u8def\u6d41\u91cf\uff0c\u9019\u500b\u6280\u5de7\u5141\u8a31\u5f8c\u9580\u5728\u660e\u986f\u5408\u6cd5\u7684\u901a\u8a0a\u4e2d\u96b1\u85cf\u60e1\u610f\u6d41\u91cf\uff0c\u800c\u4e14\u5b83\u53ef\u4ee5\u5efa\u7acb\u53d7\u611f\u67d3\u96fb\u8166\u7bc0\u9ede\u7684\u5c0d\u7b49\u7db2\u8def\uff0c\u5141\u8a31\u653b\u64ca\u8005\u6df1\u5165\u6ef2\u900f\u5230\u53d7\u4fdd\u8b77\u7684\u8cc7\u7522\u4e2d\u3002<\/p>\n\n\n\n<p>\u53e6\u5916\uff0cSymantec Threat Hunter\u7684\u5206\u6790\u4eba\u54e1\u767c\u73fe\u4e86\u5c07Daxin\u8207\u4e2d\u570b\u570b\u5bb6\u7d1a\u99ed\u5ba2\u7d44\u7e54 Slug\uff08\u53c8\u540d Owlproxy\uff09\u806f\u7e6b\u8d77\u4f86\u7684\u8b49\u64da\u3002\u64da\u6089\uff0cDaxin\u5f8c\u9580\u81f3\u5c11\u81ea 2019 \u5e74 11 \u6708\u4ee5\u4f86\u4e00\u76f4\u88ab\u7a4d\u6975\u7528\u65bc\u653b\u64ca\uff0c\u800c\u7814\u7a76\u4eba\u54e1\u5728 2020 \u5e74 5 \u6708\u548c 2020 \u5e74 7 \u6708\u518d\u6b21\u767c\u73fe\u4e86\u5176\u90e8\u7f72\u7684\u8de1\u8c61\u30022021 \u5e74 11 \u6708\u89c0\u5bdf\u5230\u6d89\u53caDaxin\u7684\u6700\u8fd1\u4e00\u6b21\u653b\u64ca\uff0c\u91dd\u5c0d\u96fb\u4fe1\u3001\u4ea4\u901a\u548c\u88fd\u9020\u696d\u3002\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u5831\u544a\u7a31\u8a72\u60e1\u610f\u8edf\u9ad4\u65bc 2013 \u5e74\u9996\u6b21\u63a1\u6a23\uff0c\u7576\u6642\u5df2\u7d93\u63a1\u7528\u4e86\u6211\u5011\u5728\u4eca\u5929\u7684\u7248\u672c\u4e2d\u770b\u5230\u7684\u9ad8\u7d1a\u6aa2\u6e2c\u9003\u907f\u6280\u8853\u3002\u7f8e\u570bCISA\u8868\u793a\uff0c\u904e\u53bb\u751a\u5c11\u770b\u5230\u5982\u6b64\u8907\u96dc\u7684\u60e1\u610f\u8edf\u9ad4\uff0c\u4ed6\u5011\u6b63\u5354\u540cFBI\u5c0dDaxin\u9032\u884c\u6df1\u5165\u8abf\u67e5\u4ee5\u6d88\u9664\u6b64\u5f8c\u9580\u3002<\/p>\n\n\n\n<p>\u6b32\u4e86\u89e3\u66f4\u591a\u95dc\u65bc\u6b64\u5831\u544a\uff0c\u60a8\u53ef\u4ee5\u6309<a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/daxin-backdoor-espionage\">\u6b64<\/a><\/p>\n\n\n\n<p>\u6709\u95dcDaxin\u5f8c\u9580\u7684\u90e8\u5206\u5165\u4fb5\u6307\u6a19(Indicator of compromise -IOCs):<\/p>\n\n\n\n<p>SHA 256<\/p>\n\n\n\n<p>ea3d773438c04274545d26cc19a33f9f1dbbff2a518e4302addc1279f9950cef<\/p>\n\n\n\n<p>e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e<\/p>\n\n\n\n<p>e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217<\/p>\n\n\n\n<p>cf00e7cc04af3f7c95f2b35a6f3432bef990238e1fa6f312faf64a50d495630a<\/p>\n\n\n\n<p>c791c007c8c97196c657ac8ba25651e7be607565ae0946742a533af697a61878<\/p>\n\n\n\n<p>c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c<\/p>\n\n\n\n<p>b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3<\/p>\n\n\n\n<p>\u00a0&#8220;\u8f49\u8cbc\u3001\u5206\u4eab\u6216\u5f15\u7528\u6587\u7ae0\u5167\u5bb9\uff0c\u8acb\u8a3b\u660e\u51fa\u8655\u70ba\u7ae3\u76df\u79d1\u6280\u00a0<a href=\"https:\/\/www.billows.com.tw\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.billows.com.tw<\/a>\u00a0, \u4ee5\u514d\u89f8\u6cd5&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u8fd1\u65e5\uff0cBroadcom \u65d7\u4e0bSymantec Threat Hunter\u5718\u968a\u7684\u7814\u7a76\u54e1\u63ed\u9732\u4e86\u81f3\u5c11\u81ea 2013 \u5e74 <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=1733\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[174],"class_list":["post-1733","post","type-post","status-publish","format-standard","hentry","category-6","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1733"}],"version-history":[{"count":3,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1733\/revisions"}],"predecessor-version":[{"id":2460,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1733\/revisions\/2460"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}