{"id":3244,"date":"2024-07-26T16:24:49","date_gmt":"2024-07-26T08:24:49","guid":{"rendered":"https:\/\/blog.billows.com.tw\/?p=3244"},"modified":"2024-07-26T16:26:24","modified_gmt":"2024-07-26T08:26:24","slug":"%e4%b8%ad%e5%9c%8b%e9%a7%ad%e5%ae%a2%e7%b5%84%e7%b9%94daggerfly%e5%88%a9%e7%94%a8%e6%83%a1%e6%84%8f%e8%bb%9f%e9%ab%94-mgbot-%e5%92%8c-macma%e6%94%bb%e6%93%8a%e5%8f%b0%e7%81%a3%e4%bc%81%e6%a5%ad","status":"publish","type":"post","link":"https:\/\/blog.billows.com.tw\/?p=3244","title":{"rendered":"\u4e2d\u570b\u99ed\u5ba2\u7d44\u7e54Daggerfly\u5229\u7528\u60e1\u610f\u8edf\u9ad4 MgBot \u548c MACMA\u653b\u64ca\u53f0\u7063\u4f01\u696d\u548c\u7f8e\u570b\u975e\u653f\u5e9c\u7d44\u7e54"},"content":{"rendered":"\n

Daggerfly APT\u7d44\u7e54\u662f\u8207\u5317\u4eac\u6709\u5bc6\u5207\u95dc\u806f\u7684\u60c5\u5831\u8490\u96c6\/ \u99ed\u5ba2\u5718\u9ad4<\/p>\n\n\n\n

\"\"
Daggerfly\u5229\u7528\u60e1\u610f\u8edf\u9ad4\u653b\u64ca\u53f0\u7063\u4f01\u696d\u53ca\u7f8e\u570bNGO\u00a0 Photo Credit: SempreUpdate<\/figcaption><\/figure>\n\n\n\n

\u6578\u5bb6\u53f0\u7063\u4f01\u696d\u548c\u4e00\u5bb6\u7e3d\u90e8\u4f4d\u65bc\u4e2d\u570b\u7684\u7f8e\u570b\u975e\u653f\u5e9c\u7d44\u7e54 (NGO) \u5df2\u6210\u70ba\u99ed\u5ba2\u7d44\u7e54Daggerfly \u7684\u76ee\u6a19\uff0c\u8a72\u7d44\u7e54\u5c6c\u65bc\u570b\u5bb6\u8cc7\u52a9\u4e4b\u99ed\u5ba2\u5718\u9ad4\uff0c\u8ddf\u5317\u4eac\u95dc\u4fc2\u5bc6\u5207\uff0c\u76ee\u524d\u6b63\u4f7f\u7528\u4e00\u7d44\u5df2\u5347\u7d1a\u5b8c\u6210\u7684\u60e1\u610f\u8edf\u9ad4\u5de5\u5177\u3002<\/p>\n\n\n\n

\u535a\u901a(Broadcom)\u65d7\u4e0b\u7684\u8cfd\u9580\u9435\u514b(Symantec)\u5a01\u8105\u7375\u4eba\u5718\u968a\u6700\u8fd1\u767c\u5e03\u7684\u4e00\u4efd\u5831\u544a\u8868\u793a<\/a>\uff0c\u9019\u9805\u884c\u52d5\u986f\u793aDaggerfly\u300c\u4e5f\u5f9e\u4e8b\u5167\u90e8\u9593\u8adc\u6d3b\u52d5\u300d\u3002\u201c\u5728\u767c\u52d5\u7684\u653b\u64ca\u4e2d\uff0c\u99ed\u5ba2\u5229\u7528 Apache HTTP Server (\u7db2\u9801\u4f3a\u670d\u5668) \u4e2d\u7684\u6f0f\u6d1e\u4f86\u6563\u64ad MgBot \u60e1\u610f\u8edf\u9ad4\u3002\u201d<\/p>\n\n\n\n

Daggerfly\uff08\u4e5f\u7a31\u70ba Bronze Highland \u548c Evasive Panda\uff09\u5148\u524d\u88ab\u767c\u73fe<\/a>\u904b\u7528 MgBot \u6a21\u7d44\u5316\u60e1\u610f\u8edf\u9ad4\u67b6\u69cb\u4f86\u9032\u884c\u91dd\u5c0d\u975e\u6d32\u96fb\u4fe1\u670d\u52d9\u4f9b\u61c9\u5546\u7684\u60c5\u5831\u6536\u96c6\u4efb\u52d9\u3002\u6839\u64da\u76f8\u95dc\u5831\u5c0e\uff0c\u8a72\u884c\u52d5\u65e9\u81ea 2012 \u5e74\u8d77\u5c31\u5df2\u7d93\u958b\u59cb\u904b\u4f5c\u3002<\/p>\n\n\n\n

2021 \u5e74Google\u9996\u6b21\u8a73\u7d30\u4ecb\u7d39\u4e86<\/a>Macma macOS \u5f8c\u9580\u7a0b\u5f0f (backdoor)  \uff0c\u81f3\u5c11\u5f9e 2019 \u5e74\u8d77\u9019\u500b\u60e1\u610f\u8edf\u9ad4\u5c31\u6709\u958b\u59cb\u88ab\u4f7f\u7528\u4e86\u3002\u99ed\u5ba2\u5229\u7528Macma\u4f86\u9032\u884c\u6c34\u5751\u653b\u64ca (watering hole attacks)\uff0c\u76ee\u6a19\u662f\u9999\u6e2f\u7684\u7db2\u7ad9\u3002\u9019\u4e9b\u653b\u64ca\u5229\u7528\u4e86 iOS \u548c macOS \u88dd\u7f6e\u4e0a\u7684\u6f0f\u6d1e\u3002\u653b\u64ca\u8005\u5229\u7528\u8d8a\u6b0a\u6f0f\u6d1e<\/a>(privilege escalation vulnerability) CVE-2021-30869<\/a>\u5728macOS\u8a2d\u5099\u4e0a\u5b89\u88ddMacma\u3002<\/p>\n\n\n\n

Macma \u662f\u4e00\u500b\u6a21\u7d44\u5316\u5f8c\u9580\u7a0b\u5f0f\uff0c\u80fd\u652f\u63f4\u591a\u7a2e\u529f\u80fd\uff0c\u5176\u4e2d\u5305\u62ec\u88dd\u7f6e\u6307\u7d0b\u8fa8\u8b58\u3001\u57f7\u884c\u6307\u4ee4\u3001\u87a2\u5e55\u622a\u5716\u3001\u9375\u76e4\u8a18\u9304\u3001\u97f3\u8a0a\u64f7\u53d6\u3001\u4e0a\u50b3\u548c\u4e0b\u8f09\u6a94\u6848\u7b49\u7b49\u3002<\/p>\n\n\n\n

\u5118\u7ba1 Macma \u88ab\u570b\u5bb6\u652f\u6301\u7684\u653b\u64ca\u8005\u5ee3\u6cdb\u5730\u4f7f\u7528\u65bc\u7db2\u8def\u884c\u52d5\uff0c\u4f46\u5b83\u4e0d\u4e00\u5b9a\u6b78\u5c6c\u65bc\u67d0\u7279\u5b9a\u7d44\u7e54\u3002\u7136\u800c\uff0c\u8cfd\u9580\u9435\u514b\u767c\u73fe\u6709\u8b49\u64da\u8868\u660e\u5b83\u662f Daggerfly \u6240\u4f7f\u7528\u7684\u653b\u64ca\u6b66\u5668\u4e4b\u4e00\u3002 \u53e6\u5916\u4e5f\u88ab\u767c\u73fe\u6709\u90e8\u5206\u7684MgBot\u653b\u64ca\u8005\uff0c\u4e5f\u5728\u4f7f\u7528Macma\u5f8c\u9580\u7a0b\u5f0f C2 server (103.243.212[.]98) \u7684\u8b8a\u7570\u7a0b\u5f0f\u3002<\/p>\n\n\n\n

\u57283\u6708\u7684\u6642\u5019\uff0c\u8cc7\u5b89\u5c08\u5bb6\u4e5f\u767c\u73fe\u5230\u4e86\u53e6\u4e00\u7a2e\u60e1\u610f\u8edf\u9ad4\uff0c\u540d\u70ba Suzafk\uff08\u53c8\u7a31\u300cNetMM\u300d\u3001Nightdoor\uff09\uff0c\u96fb\u8166\u5b89\u5168\u8edf\u9ad4\u516c\u53f8ESET\u7814\u7a76\u54e1\u8b49\u5be6\u4e86\u5b83\u8207 Daggerfly \u7684\u95dc\u806f\u6027<\/a>\u3002<\/p>\n\n\n\n

\u5831\u544a\u4e2d\u8aaa\u660e\uff1a\u300cSuzafk \u662f\u4e00\u500b\u591a\u968e\u6bb5\u5f8c\u9580\u7a0b\u5f0f\uff0c\u80fd\u5920\u4f7f\u7528 TCP (\u50b3\u8f38\u63a7\u5236\u5354\u5b9a) \u6216 OneDrive\u96f2\u7aef\u786c\u789f\u4f86\u9054\u6210 Command and Control (\u6309\u7167\u99ed\u5ba2\u7684\u547d\u4ee4\u8207\u63a7\u5236) \u7684\u76ee\u7684\u3002\u5f9e\u9019\u500b\u60e1\u610f\u8edf\u9ad4\u4e4b\u4e2d\u6240\u5305\u542b\u7684\u7d44\u614b\u53c3\u6578\u548c\u76f8\u95dc\u8a2d\u5b9a\u4f86\u770b\uff0c\u53ef\u4ee5\u63a8\u6e2c\u5b83\u9023\u7d50\u5230 OneDrive \u7684\u529f\u80fd\u6b63\u5728\u958b\u767c\u4e2d\uff0c\u4ea6\u6709\u53ef\u80fd\u5b83\u7684\u8b8a\u7570\u7248\u672c\u5df2\u7d93\u64c1\u6709\u9019\u6a23\u7684\u529f\u80fd\u3002\u300d<\/p>\n\n\n\n

\u8cfd\u9580\u9435\u514b\u8868\u793a\uff1a\u300c\u8a72\u7d44\u7e54\u6240\u5275\u5efa\u7684\u60e1\u610f\u8edf\u9ad4\u5de5\u5177\u662f\u4ee5\u5927\u591a\u6578\u4e3b\u8981\u4f5c\u696d\u7cfb\u7d71\u5e73\u53f0\u70ba\u76ee\u6a19\u3002\u300d\u4e26\u88dc\u5145\u8aaa\uff0c\u300c\u76f8\u95dc\u8b49\u64da\u986f\u793a\u9019\u4e9b\u60e1\u610f\u8edf\u9ad4\u6709\u80fd\u529b\u5c07Android APK\u3001SMS\u7c21\u8a0a\u6514\u622a\u5de5\u5177\u3001DNS \u8acb\u6c42\u6514\u622a\u5de5\u5177\uff0c\u751a\u81f3\u91dd\u5c0dSolaris \u4f5c\u696d\u7cfb\u7d71\u7684\u60e1\u610f\u8edf\u9ad4\u8f49\u63db\u6210\u6728\u99ac\u7a0b\u5f0f\u4f9b\u5176\u6240\u7528\u300d\u3002<\/p>\n\n\n\n

\u6b63\u503c\u4e8b\u614b\u767c\u5c55\u4e4b\u969b\uff0c\u4e2d\u570b\u570b\u5bb6\u96fb\u8166\u75c5\u6bd2\u61c9\u6025\u8655\u7406\u4e2d\u5fc3\uff08CVERC\uff09\u8072\u7a31\uff1a\u201c\u4f0f\u7279\u98b1\u98a8 (Volt Typhoon)\u201d<\/a> \u7d44\u7e54\u662f\u7f8e\u570b\u60c5\u5831\u6a5f\u69cb\u865b\u69cb\u7684\uff0c\u8207\u5176\u6709\u95dc\u5831\u5c0e\u7686\u5c6c\u4e0d\u5be6\u6d88\u606f\u3002\u7136\u800c\uff0c\u4e94\u773c\u806f\u76df\u570b\u5bb6\u5c07Volt Typhoon\u6b78\u5c6c\u65bc\u8207\u4e2d\u570b\u6709\u806f\u7e6b\u7684\u9593\u8adc\u7d44\u7e54\u3002<\/p>\n\n\n\n

MgBot, MacMa\u60e1\u610f\u8edf\u9ad4\u76f8\u95dc\u7684\u90e8\u5206\u7684\u5165\u4fb5\u6307\u6a19\uff08IOCs\uff09:<\/p>\n\n\n\n

12c2e058e0665bcbff3dbee38a1ef754<\/p>\n\n\n\n

5535bbcf24a5767df085a1e34804c913<\/p>\n\n\n\n

784dc986f0006aa47c35e60080c7ebf2<\/p>\n\n\n\n

9bf90d7ea1e0f7e5086ce70771f44101<\/p>\n\n\n\n

a48ea150eae374e7a79d6d4859aae710<\/p>\n\n\n\n

a6bdcda8b125a6f2cb6a4ff705446793<\/p>\n\n\n\n

b7720de6a3d438aee46f01d78e8fa806<\/p>\n\n\n\n

c4db2081fb0c38afe5c6f7ea21805eb4<\/p>\n","protected":false},"excerpt":{"rendered":"

Daggerfly APT\u7d44\u7e54\u662f\u8207\u5317\u4eac\u6709\u5bc6\u5207\u95dc\u806f\u7684\u60c5\u5831\u8490\u96c6\/ \u99ed\u5ba2\u5718\u9ad4 \u6578\u5bb6\u53f0\u7063\u4f01\u696d\u548c\u4e00\u5bb6\u7e3d\u90e8\u4f4d\u65bc\u4e2d\u570b\u7684\u7f8e\u570b\u975e READ MORE<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[174,255],"class_list":["post-3244","post","type-post","status-publish","format-standard","hentry","category-6","tag-news","tag-255"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3244"}],"version-history":[{"count":1,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3244\/revisions"}],"predecessor-version":[{"id":3246,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/3244\/revisions\/3246"}],"wp:attachment":[{"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.billows.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}