{"id":3212,"date":"2024-06-28T16:37:24","date_gmt":"2024-06-28T08:37:24","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=3212"},"modified":"2024-06-28T16:37:25","modified_gmt":"2024-06-28T08:37:25","slug":"%e4%b8%ad%e5%9c%8bapt%e9%a7%ad%e5%ae%a2chamelgang%e5%88%a9%e7%94%a8%e5%8b%92%e7%b4%a2%e8%bb%9f%e9%ab%94-%e9%87%9d%e5%b0%8d%e5%85%a8%e7%90%83%e6%94%bf%e5%ba%9c%e6%a9%9f%e9%97%9c%e5%9f%ba%e7%a4%8e","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=3212","title":{"rendered":"\u4e2d\u570bAPT\u99ed\u5ba2ChamelGang\u5229\u7528\u52d2\u7d22\u8edf\u9ad4 \u91dd\u5c0d\u5168\u7403\u653f\u5e9c\u6a5f\u95dc\u57fa\u790e\u8a2d\u65bd \u9032\u884c\u5927\u898f\u6a21\u52d2\u7d22 !"},"content":{"rendered":"\n
\"\"
Photo Credit: SHUTTERSTOCK<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

\u00a0\u00a0\u00a0 \u00a0\u00a0\u64da\u4fe1\u4e2d\u570b\u570b\u5bb6\u7d1a\u99ed\u5ba2\u8d8a\u4f86\u8d8a\u591a\u5730\u90e8\u7f72\u52d2\u7d22\u8edf\u9ad4\uff0c\u4ee5\u9020\u6210\u5e72\u64fe\u4e26\u70ba\u5176\u9593\u8adc\u6d3b\u52d5\u63d0\u4f9b\u63a9\u8b77\uff0c\u7f8e\u570b\u7db2\u8def\u5b89\u5168\u516c\u53f8SentineOne\u5206\u4eab\u7684\u4e00\u4efd\u5831\u544a\u4e2d\u986f\u793a<\/a>\uff0cChamelGang\uff08\u53c8\u540dCamoFei\uff09\u57282022\u5e74\u4f7f\u7528CatB\u52d2\u7d22\u8edf\u9ad4\u8b8a\u7a2e\u91dd\u5c0d\u5370\u5ea6\u4e3b\u8981\u91ab\u7642\u6a5f\u69cb (All India Institute of Medical Sciences (AIIMS)\u548c\u5df4\u897f\u7e3d\u7d71\u8fa6\u516c\u5ba4\u767c\u8d77\u7684\u653b\u64ca\uff0c\u4ee5\u53ca\u57282023\u5e74\u91dd\u5c0d\u6771\u4e9e\u653f\u5e9c\u5be6\u9ad4\u548c\u5370\u5ea6\u6b21\u5927\u9678\u822a\u7a7a\u7d44\u7e54\u7684\u653b\u64ca\u3002\u7814\u7a76\u4eba\u54e1\u8868\u793a\uff0cChamelGang \u7d44\u7e54\u53cd\u8986\u90e8\u7f72\u52d2\u7d22\u8edf\u9ad4\u548c\u52a0\u5bc6\u5668\uff0c\u300c\u76ee\u7684\u662f\u7372\u53d6\u7d93\u6fdf\u5229\u76ca\u3001\u7834\u58de\u3001\u5206\u6563\u6ce8\u610f\u529b\u3001\u5165\u4fb5\u6b78\u5c6c\u6216\u522a\u9664\u8b49\u64da\u300d\u3002 \u64da\u7a31\uff0cChamelGang \u5148\u524d\u66fe\u91dd\u5c0d\u591a\u7a2e\u7d44\u7e54\u767c\u52d5\u653b\u64ca\uff0c\u5305\u62ec\u6771\u4e9e\u653f\u5e9c\u3001\u5357\u4e9e\u822a\u7a7a\u7d44\u7e54\u4ee5\u53ca\u7f8e\u570b\u3001\u53f0\u7063\u548c\u65e5\u672c\u7b49\u5176\u4ed6\u570b\u5bb6\u7684\u653f\u5e9c\u548c\u79c1\u4eba\u7d44\u7e54\u3002<\/p>\n\n\n\n

      \u7531\u65bc\u7a0b\u5f0f\u78bc\u91cd\u758a\uff0c\u7814\u7a76\u4eba\u54e1\u5c07CatB\u52d2\u7d22\u8edf\u9ad4\u548cBeaconLoader\u8207ChamelGang\u95dc\u806f\u8d77\u4f86\u3002\u9032\u4e00\u6b65\u8abf\u67e5\u986f\u793a\uff0cChamelGang\u7d93\u5e38\u5c07BeaconLoader\u507d\u88dd\u6210Windows\u670d\u52d9\u6216\u8edf\u9ad4\u5143\u4ef6\uff0c\u4f8b\u5982TSVIPSrv.dll\u548cTPWinPrn.dll\u4e26\u53ef\u80fd\u900f\u904e\u5b83\u90e8\u7f72Cobalt Strike\u4f86\u57f7\u884c\u5075\u5bdf\u547d\u4ee4\u3001\u5176\u4ed6\u5de5\u5177\u4ee5\u53ca\u7aca\u53d6NTDS.dit Active Directory\u7b49\u6587\u4ef6\u8cc7\u6599\u5eab\uff0c\u5132\u5b58\u95dc\u9375\u8cc7\u8a0a\u3002<\/p>\n\n\n\n

      ChamelGang\u7684\u6b66\u5668\u5eab\u4e2d\u64c1\u6709\u8a31\u591a\u5de5\u5177\uff0c\u5305\u62ecBeaconLoader\u3001Cobalt Strike\u3001AukDoor\u548cDoorMe\u7b49\u5f8c\u9580\uff0c\u4ee5\u53ca\u540d\u70baCatB\u7684\u52d2\u7d22\u8edf\u9ad4\u8b8a\u7a2e\u3002\u6839\u64da\u5176\u5171\u901a\u6027\uff0c\u8a72\u52d2\u7d22\u8edf\u9ad4\u5df2\u88ab\u78ba\u8a8d\u7528\u65bc\u91dd\u5c0d\u5df4\u897f\u8207\u5370\u5ea6\u7684\u653b\u64ca\u3002<\/p>\n\n\n\n

      \u7814\u7a76\u4eba\u54e1\u9084\u767c\u73feChamelGang\u4f7f\u7528Jetico BestCrypt \u548cMicrosoft BitLocker\u4f86\u52a0\u5bc6\u7aef\u9ede\u4e26\u7d22\u53d6\u8d16\u91d1\u7684\u5165\u4fb5\uff0c\u57282021\u5e74\u521d\u81f32023\u5e74\u4e2d\u671f\u5f71\u97ff\u4e86\u5317\u7f8e\u3001\u5357\u7f8e\u548c\u6b50\u6d32\u7684\u5404\u500b\u5782\u76f4\u7522\u696d\u3002\u64da\u4f30\u8a08\u591a\u905437\u500b\u7d44\u7e54\uff0c\u4e3b\u8981\u662f\u7f8e\u570b\u88fd\u9020\u696d\uff0c\u53d7\u5230\u7684\u5f71\u97ff\u6700\u5927\u3002<\/p>\n\n\n\n

      \u4f7f\u7528BestCrypt\u548cBitLocker\u7684\u5165\u4fb5\u4ee5\u53ca\u985e\u4f3c\u65bcLIFARS\u6848\u4f8b\u4e2d\u7684\u52d2\u7d22\u7d00\u9304\uff0c\u5df2\u6b78\u56e0\u65bc\u540d\u70baTimisoaraHackerTeam\u548cDeepBlueMagic\u7684\u52d2\u7d22\u8edf\u9ad4\u7d44\u7e54\u3002\u9019\u4e9b\u7d44\u7e54\u8207\u91dd\u5c0d\u4ee5\u8272\u5217HillelYaffe \u91ab\u7642\u4e2d\u5fc3\u7b49\u91ab\u7642\u6a5f\u69cb\u7684\u653b\u64ca\u6709\u95dc\uff0c\u4ee5\u8272\u5217\u7576\u5c40\u8868\u793a\u61f7\u7591\u662f\u4e2d\u570b\u52d2\u7d22\u8edf\u9ad4\u7d44\u7e54\u70ba\u5e55\u5f8c\u9ed1\u624b\u3002<\/p>\n\n\n\n

      \u6839\u64da\u4fc4\u7f85\u65af\u8cc7\u5b89\u7814\u7a76\u516c\u53f8Positive Technologies\u65bc2021\u5e74\u9996\u6b21\u7d00\u9304<\/a>\uff0cChamelGang\u88ab\u8a55\u4f30\u70ba\u4e00\u500b\u8207\u4e2d\u570b\u6709\u806f\u7e6b\u7684\u7d44\u7e54\uff0c\u5176\u904b\u4f5c\u52d5\u6a5f\u591a\u7a2e\u591a\u6a23\uff0c\u5305\u62ec\u60c5\u5831\u6536\u96c6\u3001\u8cc7\u6599\u7aca\u53d6\u3001\u7d93\u6fdf\u5229\u76ca\u3001\u62d2\u7d55\u670d\u52d9(DoS)\u653b\u64ca\u548c\u8cc7\u8a0a\u64cd\u4f5c\u3002<\/p>\n\n\n\n

      SentineOne\u7684\u5831\u544a\u5f37\u8abfChamelGang\u662f\u4e00\u500b\u6301\u7e8c\u5b58\u5728\u7684\u5168\u7403\u7db2\u8def\u9593\u8adc\u7d44\u7e54\uff0c\u5176\u76ee\u6a19\u662f\u53d7\u6230\u7565\u5229\u76ca\u3001\u5340\u57df\u7af6\u722d\u3001\u5730\u7de3\u653f\u6cbb\u7dca\u5f35\u5c40\u52e2\u548c\u6280\u8853\u7af6\u722d\u529b\u9a45\u52d5\u7684\u5370\u5ea6\u548c\u6771\u4e9e\u7b49\u95dc\u9375\u57fa\u790e\u8a2d\u65bd\u90e8\u9580(\u5305\u542b\u91ab\u7642\u4fdd\u5065\u3001\u822a\u7a7a\u548c\u88fd\u9020\u696d)\u3002<\/p>\n\n\n\n

      SentineOne\u9032\u4e00\u6b65\u8868\u793a\uff0c\u4e0d\u80fd\u6392\u9664\u9019\u4e9b\u6d3b\u52d5\u662f\u66f4\u5ee3\u6cdb\u7684\u7db2\u8def\u72af\u7f6a\u8a08\u756b\u7684\u4e00\u90e8\u5206\u7684\u53ef\u80fd\u6027\uff0c\u7279\u5225\u662f\u8003\u616e\u5230\u570b\u5bb6\u7d1a\u99ed\u5ba2\u4e5f\u4e0d\u6642\u53c3\u8207\u51fa\u65bc\u7d93\u6fdf\u52d5\u6a5f\u7684\u653b\u64ca\u3002<\/p>\n\n\n\n

      \u5b89\u5168\u7814\u7a76\u4eba\u54e1Aleksander Milenkoski\u544a\u8a34  : \u300c\u6211\u5011\u89c0\u5bdf\u5230\u7684\u6d3b\u52d5\u8207\u904e\u53bb\u7684\u5165\u4fb5\u91cd\u758a\uff0c\u6d89\u53ca\u8207\u7591\u4f3c\u4e2d\u570b\u548c\u5317\u97d3APT\u99ed\u5ba2\u7d44\u7e54\u76f8\u95dc\u7684\u5de5\u4f5c\u3002\u300d\u4ed6\u8868\u793a\uff0c\u53ef\u898b\u6027\u9650\u5236\u53ef\u80fd\u5c0e\u81f4\u7121\u6cd5\u6aa2\u6e2c\u5230\u60e1\u610f\u5de5\u5177\u672c\u8eab\u3002\u507d\u88dd\u6210\u52d2\u7d22\u8edf\u9ad4\u6d3b\u52d5\u7684\u7db2\u8def\u9593\u8adc\u6d3b\u52d5\u70ba\u6575\u5c0d\u570b\u5bb6\u63d0\u4f9b\u4e86\u4e00\u500b\u6a5f\u6703\uff0c\u900f\u904e\u5c07\u9019\u4e9b\u884c\u70ba\u6b78\u548e\u65bc\u7368\u7acb\u7684\u7db2\u8def\u884c\u70ba\u8005\u800c\u4e0d\u662f\u570b\u5bb6\u652f\u6301\u7684\u99ed\u5ba2\u7d44\u7e54\uff0c\u5f9e\u800c\u8072\u7a31\u53ef\u4ee5\u9032\u884c\u5408\u7406\u7684\u63a8\u8ac9\u3002<\/p>\n\n\n\n

      \u300c\u7db2\u8def\u9593\u8adc\u99ed\u5ba2\u7d44\u7e54\u4f7f\u7528\u52d2\u7d22\u8edf\u9ad4\u6a21\u7cca\u4e86\u7db2\u8def\u72af\u7f6a\u548c\u7db2\u8def\u9593\u8adc\u6d3b\u52d5\u4e4b\u9593\u7684\u754c\u7dda\uff0c\u5f9e\u6230\u7565\u548c\u71df\u904b\u89d2\u5ea6\u70ba\u5c0d\u624b\u63d0\u4f9b\u4e86\u512a\u52e2\u3002\u300d<\/p>\n\n\n\n

\u4e2d\u570bAPT\u99ed\u5ba2ChamelGang\u76f8\u95dc\u7684\u90e8\u5206\u7684\u5165\u4fb5\u6307\u6a19\uff08IOCs\uff09:<\/p>\n\n\n\n

5a6baf931adad480b920394568c52a9d              <\/p>\n\n\n\n

7b5bbc29e6addfa1fdaea839e500f995                          <\/p>\n\n\n\n

88ef5955f8fa58e141da85580006b284                          <\/p>\n\n\n\n

8dfeaaf7351f695024ed3604a4985e98                <\/p>\n\n\n\n

b9337830c32f71a6ecccec60ba42de00              <\/p>\n\n\n\n

edc87da8654e966bee0e5c9b92ed67cb                       <\/p>\n\n\n\n

098e60cd5053ec9613d32a7ced68e44f1a417353             <\/p>\n\n\n\n

09959be9b5f8ca21caa55577ce620034632a3f92              <\/p>\n\n\n\n

0c762bff5b4a0bf5abbdf28afc15cfc6dce575b1<\/p>\n","protected":false},"excerpt":{"rendered":"

\u00a0\u00a0\u00a0 \u00a0\u00a0\u64da\u4fe1\u4e2d\u570b\u570b\u5bb6\u7d1a\u99ed\u5ba2\u8d8a\u4f86\u8d8a\u591a\u5730\u90e8\u7f72\u52d2\u7d22\u8edf\u9ad4\uff0c\u4ee5\u9020\u6210\u5e72\u64fe\u4e26\u70ba\u5176\u9593\u8adc\u6d3b\u52d5\u63d0\u4f9b\u63a9\u8b77\uff0c\u7f8e\u570b\u7db2\u8def\u5b89\u5168\u516c\u53f8Sen READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[174],"class_list":["post-3212","post","type-post","status-publish","format-standard","hentry","category-6","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3212"}],"version-history":[{"count":1,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3212\/revisions"}],"predecessor-version":[{"id":3214,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3212\/revisions\/3214"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}