<h1>Chinese APT group Storm Cloud targets macOS users with the GIMMICK malware</h1>

<p>Published 2022-03-24 at <a href="https://blog.billows.com.tw/?p=1805">https://blog.billows.com.tw/?p=1805</a> (category: news; tags: IOCs, news).</p>

<p>GIMMICK is a newly discovered macOS implant developed by the Chinese state-sponsored hacking group Storm Cloud and used against organizations across Asia. In late 2021, researchers at the security firm <a href="https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick-malware-strikes-at-macos/">Volexity</a> investigated an intrusion in an environment they were monitoring and found a MacBook Pro running macOS 11.6 (Big Sur) infected with a malicious program tracked as GIMMICK. The researchers explained that they had encountered the same implant in earlier investigations, but only in versions aimed at Windows computers. The experts attribute this attack on macOS users to the Chinese state-sponsored group Storm Cloud, which is regarded as an advanced and versatile hacking group that is adept at adjusting its toolset to match the different operating systems its targets use.</p>

<figure class="wp-block-image size-full"><img src="https://blog.billows.com.tw/wp-content/uploads/2022/03/image-32.png" alt="" /><figcaption>Photo Credit: Volexity</figcaption></figure>

<p>The macOS variant of GIMMICK is written mainly in Objective-C, whereas the Windows versions are written in .NET and Delphi. Both share the same C2 architecture, file paths and attack patterns, and both abuse public cloud hosting services (for example Google Drive) for C2 in order to evade detection. Once deployed, GIMMICK can launch either as a daemon or as a custom application designed to mimic programs the targeted user launches frequently. The malware is configured to communicate with its Google Drive-based C2 server only on working days, so that its traffic blends further into the normal network traffic of the target environment.</p>

<p>More importantly, besides retrieving arbitrary files from the C2 server and executing commands, the backdoor has a self-uninstall capability that allows it to delete itself from the infected machine.</p>

<p>To protect users from the malware, <a href="https://support.apple.com/zh-tw/guide/security/sec469d47bd8/web">Apple</a> released new signatures for its built-in anti-malware protection suite XProtect on March 17, 2022, so that the infection can be blocked and removed through its Malware Removal Tool (MRT).</p>

<p>The researchers concluded their analysis by noting that the development work involved in porting this malware and adapting it to a new operating system (macOS) is no small task, which indicates that the actors behind the malware are well resourced, skilled and versatile.</p>

<p>Some indicators of compromise (IOCs) for GIMMICK:</p>

<p>SHA-256:</p>

<p>2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f</p>

<p>SHA-1:</p>

<p>fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8</p>

<p>MD5:</p>

<p>943c3743f72f06e58e60fa147481db83</p>