{"id":1981,"date":"2022-06-10T15:18:44","date_gmt":"2022-06-10T07:18:44","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=1981"},"modified":"2023-02-13T10:58:20","modified_gmt":"2023-02-13T02:58:20","slug":"%e4%b8%80%e5%80%8b%e9%a6%96%e6%ac%a1%e8%a2%ab%e7%99%bc%e7%8f%be%e7%9a%84%e4%b8%ad%e5%9c%8bapt%e9%a7%ad%e5%ae%a2%e7%b5%84%e7%b9%94%ef%bc%8c%e4%bb%a5%e4%ba%9e%e5%a4%aa%e6%94%bf%e6%b2%bb%e5%85%83","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=1981","title":{"rendered":"\u4e00\u500b\u9996\u6b21\u88ab\u767c\u73fe\u7684\u4e2d\u570bAPT\u99ed\u5ba2\u7d44\u7e54\uff0c\u4ee5\u4e9e\u592a\u653f\u6cbb\u5143\u7d20\u6216\u8272\u60c5\u6a94\u6848\u767c\u52d5\u9593\u8adc\u6d3b\u52d5\uff0c\u5341\u5e74\u4f86\u6084\u6084\u76e3\u8996\u6771\u5357\u4e9e\u548c\u6fb3\u6d32\u7684\u76ee\u6a19"},"content":{"rendered":"\n<p>\u65e9\u5728 2013 \u5e74\uff0c\u7a31\u70baAoqin Dragon\uff0c\u4e00\u500b\u4ee5\u524d\u6c92\u88ab\u8a18\u9304\u904e\u7684\u4e2d\u570bAPT\u99ed\u5ba2\u7d44\u7e54\uff0c\u8207\u4e00\u7cfb\u5217\u91dd\u5c0d\u6771\u5357\u4e9e\u548c\u6fb3\u6d32\u653f\u5e9c\u3001\u6559\u80b2\u548c\u96fb\u4fe1\u5be6\u9ad4\u7684\u9593\u8adc\u653b\u64ca\u6709\u95dc\uff0c\u6839\u64da SentinelLabs<a href=\"https:\/\/www.sentinelone.com\/labs\/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years\/\">\u5831\u544a<\/a>\uff0c\u81ea\u5f9eAoqin Dragon\u9996\u6b21\u88ab\u767c\u73fe\u4ee5\u4f86\uff0c\u5df2\u7d93\u63a1\u7528\u4e86\u4e09\u7a2e\u4e0d\u540c\u7684\u653b\u64ca\u93c8\u3002<\/p>\n\n\n\n<p>\u6700\u65e9\u57282012 \u5e74\u81f3 2015 \u5e74\u9593\u4f7f\u7528\uff0c\u6d89\u53ca\u5229\u7528 CVE-2012-0158 \u548c CVE-2010-3333 \u7b49\u5df2\u77e5\u548c\u672a\u4fee\u88dcMicrosoft Office\u6587\u6a94\u7684\u6f0f\u6d1e\u767c\u52d5\u7db2\u8def\u91e3\u9b5a\u653b\u64ca\u3002\u7b2c\u4e8c\u7a2e\u653b\u64ca\u65b9\u6cd5\u662f\u7528\u5047\u5192\u7684McAfee \u548c Bkav\u9632\u6bd2\u5716\u6a19\u63a9\u84cb\u60e1\u610f\u53ef\u57f7\u884c\u6587\u4ef6\uff0c\u8a98\u9a19\u7528\u6236\u555f\u52d5\u5b83\u5011\uff0c\u4e26\u5728\u4ed6\u5011\u7684\u8a2d\u5099\u4e0a\u8d77\u52d5\u60e1\u610f\u8edf\u9ad4\u7684\u91cb\u653e\u7a0b\u5f0f\u3002\u5f9e 2018 \u5e74\u5230\u73fe\u5728\uff0cAoqin Dragon\u5df2\u7d93\u8f49\u5411\u4f7f\u7528\u53ef\u62c6\u5378\u8a2d\u5099\u5feb\u6377\u65b9\u5f0f\u6a94\u6848(.LNK)\uff0c\u9ede\u64ca\u8a72\u6a94\u6848\u6642\uff0c\u6703\u57f7\u884cDLL\u52ab\u6301\u6280\u8853\u4e26\u8f09\u5165\u52a0\u5bc6\u7684\u5f8c\u9580payloads\u3002\u8a72\u60e1\u610f\u8edf\u9ad4\u4ee5\u201cEvernote Tray Application\u201d\u7684\u540d\u7a31\u904b\u884c\uff0c\u4e26\u5728\u7cfb\u7d71\u555f\u52d5\u6642\u57f7\u884c\u3002\u5982\u679c\u8f09\u5165\u7a0b\u5f0f\u6aa2\u6e2c\u5230\u53ef\u62c6\u5378\u8a2d\u5099\uff0c\u5b83\u9084\u6703\u8907\u88fdpayloads\u4ee5\u611f\u67d3\u76ee\u6a19\u7db2\u8def\u4e0a\u7684\u5176\u4ed6\u8a2d\u5099\u3002Aoqin Dragon \u7684\u653b\u64ca\u93c8\u4f9d\u9760\u4e9e\u592a\u653f\u6cbb\u4e8b\u52d9\u548c\u4ee5\u8272\u60c5\u70ba\u4e3b\u984c\u7684\u6587\u4ef6\u8a98\u990c\u4ee5\u53ca USB \u5feb\u6377\u65b9\u5f0f\u4f86\u89f8\u767c\u5f8c\u9580\u7684\u90e8\u7f72\u3002<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"865\" height=\"474\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-6.png\" alt=\"\" class=\"wp-image-1982\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-6.png 865w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-6-300x164.png 300w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-6-768x421.png 768w\" sizes=\"auto, (max-width: 865px) 100vw, 865px\" \/><figcaption class=\"wp-element-caption\">\u6839\u64da\u5831\u544a\uff0cAoqin Dragon\u5728\u653b\u64ca\u6642\u4f7f\u7528\u7684\u8a98\u990c\u6587\u4ef6<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"865\" height=\"471\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-7.png\" alt=\"\" class=\"wp-image-1983\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-7.png 865w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-7-300x163.png 300w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-7-768x418.png 768w\" sizes=\"auto, (max-width: 865px) 100vw, 865px\" \/><figcaption class=\"wp-element-caption\">\u4e9e\u592a\u653f\u6cbb\u8a98\u990c\u6587\u4ef6<\/figcaption><\/figure>\n\n\n\n<p>\u6839\u64da SentinelLabs\u5831\u544a\uff0c\u5df2\u78ba\u8a8d\u4e86\u99ed\u5ba2\u7d44\u7e54\u4f7f\u7528\u7684\u5169\u500b\u4e0d\u540c\u5f8c\u9580\uff0c \u4e00\u500b\u70ba Mongall \u548c\u53e6\u4e00\u500b\u70ba\u4fee\u6539\u7248\u7684Heyoka Project\u3002\u5169\u8005\u90fd\u662f\u6ce8\u5165\u5167\u5b58\u3001\u89e3\u5bc6\u548c\u57f7\u884c\u7684 DLL\u3002<\/p>\n\n\n\n<p>Mongall\uff08\u201cHJ-client.dll\u201d\uff09\u81f3\u5c11\u5f9e 2013 \u5e74\u5c31\u958b\u59cb\u4f7f\u7528\uff0c\u5b83\u88ab\u63cf\u8ff0\u70ba\u4e00\u7a2e\u201c\u529f\u80fd\u7279\u5225\u8c50\u5bcc\u201d\u7684\u690d\u5165\u7a0b\u5f0f\uff0c\u5305\u542b\u8db3\u5920\u7684\u529f\u80fd\u4f86\u5efa\u7acb\u9060\u7aef shell \u4e26\u4e0a\u50b3\u548c\u4e0b\u8f09\u4efb\u610f\u6a94\u6848\u5230\u4f86\u81ea\u653b\u64ca\u8005\u63a7\u5236\u4f3a\u670d\u5668\u3002\u6700\u8fd1\u7684\u7248\u672c\u5177\u6709\u5347\u7d1a\u7684\u52a0\u5bc6\u5354\u8b70\u548c Themida \u6253\u5305\u8edf\u9ad4\uff0c\u65e8\u5728\u4fdd\u8b77\u5b83\u514d\u53d7\u9006\u5411\u5de5\u7a0b\u7684\u5f71\u97ff\u3002<\/p>\n\n\n\n<p>\u53e6\u4e00\u500b\u5f8c\u9580 Heyoka Project\u662f\u4e00\u500b\u958b\u6e90\u6ef2\u900f\u5de5\u5177\uff0c\u5b83\u4f7f\u7528\u6b3a\u9a19\u6027\u7684 DNS \u8acb\u6c42\u4f86\u5efa\u7acb\u96d9\u5411\u901a\u4fe1\u96a7\u9053\u3002\u5728\u5f9e\u53d7\u611f\u67d3\u8a2d\u5099\u8907\u88fd\u6587\u4ef6\u6642\u4f7f\u7528Heyoka\uff0c\u4ee5\u4f7f\u7528\u6236\u66f4\u96e3\u6aa2\u6e2c\u5230\u99ed\u5ba2\u7684\u6578\u64da\u76dc\u7aca\u6d3b\u52d5\u3002<\/p>\n\n\n\n<p>Aoqin Dragon\u5df2\u5c0d Heyoka \u9032\u884c\u4e86\u4fee\u6539\uff0c\u4ee5\u5efa\u7acb\u652f\u63f4\u4ee5\u4e0b\u547d\u4ee4\u7684\u81ea\u5b9a\u7fa9\u5f8c\u9580\uff1a<\/p>\n\n\n\n<p>*open a shell<\/p>\n\n\n\n<p>*get host drive information<\/p>\n\n\n\n<p>*search file function<\/p>\n\n\n\n<p>*input data in an exit file<\/p>\n\n\n\n<p>*create a file<\/p>\n\n\n\n<p>*create a process<\/p>\n\n\n\n<p>*get all process information in this host<\/p>\n\n\n\n<p>*kill process<\/p>\n\n\n\n<p>*create a folder<\/p>\n\n\n\n<p>*delete file or folder<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"865\" height=\"520\" src=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-8.png\" alt=\"\" class=\"wp-image-1984\" srcset=\"https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-8.png 865w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-8-300x180.png 300w, https:\/\/blog.billows.com.tw\/wp-content\/uploads\/2022\/06\/image-8-768x462.png 768w\" sizes=\"auto, (max-width: 865px) 100vw, 865px\" \/><\/figure>\n\n\n\n<p>\u4ee5\u4e0b\u662f\u6700\u8fd1\u89c0\u5bdf\u5230 Aoqin Dragon\u7684\u6700\u65b0\u653b\u64ca\u93c8\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u88fd\u4f5c\u4e00\u500b\u53ef\u79fb\u78c1\u789f\u5feb\u6377\u65b9\u5f0f\u6a94\uff0c\u5176\u4e2d\u5305\u542b\u555f\u52d5\u60e1\u610f\u8edf\u9ad4\u7684\u7279\u5b9a\u8def\u5f91\u3002<\/li>\n\n\n\n<li>\u7576\u4f7f\u7528\u8005\u9ede\u64ca\u5047\u5192\u8a2d\u5099\u6642\uff0c\u5b83\u6703\u57f7\u884c\u300cEvernoteTray Application\u300d\uff0c\u4e26\u4f7f\u7528DLL\u52ab\u6301\u8f09\u5165\u60e1\u610f\u7684encrashrep.dll\u8f09\u5165\u7a0b\u5f0f\u4f5c\u70ba\u8cc7\u6e90\u7ba1\u7406\u5668.exe\u3002<\/li>\n\n\n\n<li>\u57f7\u884c\u8f09\u5165\u7a0b\u5f0f\u5f8c\uff0c\u5b83\u5c07\u6aa2\u67e5\u5b83\u662f\u5426\u5728\u4efb\u4f55\u9023\u63a5\u7684\u53ef\u884c\u52d5\u88dd\u7f6e\u4e2d\u3002<\/li>\n\n\n\n<li>\u5982\u679c\u8f09\u5165\u7a0b\u5f0f\u4e0d\u5728\u53ef\u79fb\u52d5\u78c1\u76e4\u4e2d\uff0c\u5b83\u5c07\u8907\u88fd\u201c%USERPROFILE%\\AppData\\Roaming\\EverNoteService\u201d\u4e0b\u7684\u6240\u6709\u6a21\u7d44\uff0c\u5176\u4e2d\u5305\u62ec\u666e\u901a\u6a94\uff0c\u5f8c\u9580\u8f09\u5165\u7a0b\u5f0f\u548c\u52a0\u5bc6\u7684\u5f8c\u9580\u6709\u6548\u8ca0\u8f09\u3002<\/li>\n\n\n\n<li>\u60e1\u610f\u8edf\u9ad4\u4f7f\u7528\u503c\u70ba\u300cEverNoteTrayUService\u300d\u8a2d\u7f6e\u81ea\u52d5\u555f\u52d5\u529f\u80fd\u3002\u7576\u4f7f\u7528\u8005\u91cd\u65b0\u555f\u52d5\u96fb\u8166\u6642\uff0c\u5b83\u5c07\u57f7\u884c\u300cEvernote Tray Appliacation\u300d\u4e26\u4f7f\u7528DLL\u52ab\u6301\u4f86\u8f09\u5165\u60e1\u610f\u8f09\u5165\u7a0b\u5f0f\u3002<\/li>\n\n\n\n<li>\u8f09\u5165\u7a0b\u5f0f\u5c07\u9996\u5148\u6aa2\u67e5\u6a94\u8def\u5f91\u4e26\u89e3\u5bc6\u6709\u6548\u8ca0\u8f09\u3002\u6b64\u653b\u64ca\u93c8\u4e2d\u6709\u5169\u500b\u6709\u6548\u8ca0\u8f09\uff1a\u7b2c\u4e00\u500b\u6709\u6548\u8ca0\u8f09\u662f\u50b3\u64ad\u5668\uff0c\u5b83\u5c07\u6240\u6709\u60e1\u610f\u6a94\u8907\u88fd\u5230\u53ef\u884c\u52d5\u88dd\u7f6e;\u7b2c\u4e8c\u500b\u662f\u52a0\u5bc6\u7684\u5f8c\u9580\uff0c\u5b83\u5c07\u81ea\u8eab\u6ce8\u5165rundll32\u7684\u8a18\u61b6\u9ad4\u4e2d\u3002<\/li>\n<\/ol>\n\n\n\n<p>\u6709\u95dcAoqin Dragon\u7684\u90e8\u5206\u5165\u4fb5\u6307\u6a19(Indicator of compromise -IOCs):<\/p>\n\n\n\n<p>SHA1<br>a96caf60c50e7c589fefc62d89c27e6ac60cdf2c<br>ccccf5e131abe74066b75e8a49c82373414f5d95<br>5408f6281aa32c02e17003e0118de82dfa82081e<br>a37bb5caa546bc4d58e264fe55e9e9155f36d9d8<\/p>\n\n\n\n<p>\u00a0&#8220;\u8f49\u8cbc\u3001\u5206\u4eab\u6216\u5f15\u7528\u6587\u7ae0\u5167\u5bb9\uff0c\u8acb\u8a3b\u660e\u51fa\u8655\u70ba\u7ae3\u76df\u79d1\u6280\u00a0<a href=\"https:\/\/www.billows.com.tw\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.billows.com.tw<\/a>\u00a0, \u4ee5\u514d\u89f8\u6cd5&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u65e9\u5728 2013 \u5e74\uff0c\u7a31\u70baAoqin Dragon\uff0c\u4e00\u500b\u4ee5\u524d\u6c92\u88ab\u8a18\u9304\u904e\u7684\u4e2d\u570bAPT\u99ed\u5ba2\u7d44\u7e54\uff0c\u8207\u4e00\u7cfb\u5217\u91dd\u5c0d\u6771\u5357\u4e9e\u548c <a class=\"read-more\" href=\"https:\/\/blog.billows.com.tw\/?p=1981\">READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-1981","post","type-post","status-publish","format-standard","hentry","category-6"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1981"}],"version-history":[{"count":2,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1981\/revisions"}],"predecessor-version":[{"id":2434,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/1981\/revisions\/2434"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}