<h1>SmokeLoader malware resurfaces, targeting Taiwan's manufacturing and IT industries</h1>

<p>Published 2024-12-04 (updated 2024-12-04). Source: <a href="https://blog.billows.com.tw/?p=3473">https://blog.billows.com.tw/?p=3473</a></p>

<p><strong>SmokeLoader</strong> malware is known for its versatility and advanced evasion techniques; Taiwanese enterprises are its latest target.</p>

<figure class="wp-block-image size-full"><img width="820" height="480" src="https://blog.billows.com.tw/wp-content/uploads/2024/12/SmokeLoader-Malware-1.png" alt="SmokeLoader malware" class="wp-image-3474" /><figcaption class="wp-element-caption">Photo Credit: SOC Prime</figcaption></figure>

<p>Enterprises in Taiwan's manufacturing, healthcare and information technology sectors have recently become the targets of a new <strong>SmokeLoader</strong> malware campaign. <strong>SmokeLoader</strong> is a modular malware known for its adaptability and evasion techniques. In this campaign it was used to execute malicious payloads and commands directly, rather than merely acting as a downloader for other malware.</p>

<p>Cybersecurity company Fortinet FortiGuard Labs <a href="https://www.fortinet.com/blog/threat-research/sophisticated-attack-targets-taiwan-with-smokeloader" target="_blank" rel="noreferrer noopener">noted</a> in a report: "<strong>SmokeLoader</strong> is known for its versatility and advanced evasion techniques, and its modular design allows it to carry out a wide range of attacks." "Although <strong>SmokeLoader</strong> primarily acts as a downloader to deliver other malware, in this case it downloaded plugins from its command-and-control (C2) server to carry out the attack itself."</p>

<p><strong><a href="https://thehackernews.com/2022/07/smokeloader-infecting-targeted-systems.html" target="_blank" rel="noreferrer noopener">SmokeLoader</a></strong> is a malware downloader first advertised on cybercrime forums in 2011, whose main purpose is to execute follow-on payloads and commands. It can also download additional modules that extend its capabilities to data theft, distributed denial-of-service (DDoS) attacks and cryptocurrency mining.</p>

<p>Cloud security company Zscaler ThreatLabz, in its analysis of the malware, stated: "<strong>SmokeLoader</strong> detects analysis environments, generates fake network traffic, and obfuscates its code to evade detection and hinder analysis." "The developers of this malware family keep enhancing its capabilities, introducing new features and obfuscation techniques to obstruct analysis."</p>

<p>In late May 2024, <strong><a href="https://thehackernews.com/2024/05/europol-dismantles-100-servers-linked.html" target="_blank" rel="noreferrer noopener">Operation Endgame</a></strong>, led by Europol, dismantled infrastructure associated with several malware families (including IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee and TrickBot), causing <strong>SmokeLoader</strong> activity to drop sharply.</p>

<p>As many as 1,000 C2 domains linked to <strong>SmokeLoader</strong> were taken down and more than 50,000 infected systems were remotely cleaned. Nevertheless, the malware is still used by threat groups, which distribute payloads and commands through new C2 infrastructure. <a href="https://www.zscaler.com/blogs/security-research/smokebuster-keeping-systems-smokeloader-free" target="_blank" rel="noreferrer noopener">Zscaler</a> attributes this mainly to the many cracked versions circulating openly online, which keep the malware active.</p>

<p>According to FortiGuard Labs' findings, the latest attack chain begins with a phishing email carrying a Microsoft Excel attachment. When the attachment is opened, it exploits years-old security vulnerabilities (such as <a href="https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html" target="_blank" rel="noreferrer noopener">CVE-2017-0199</a> and <a href="https://thehackernews.com/2023/12/hackers-exploiting-old-ms-excel.html" target="_blank" rel="noreferrer noopener">CVE-2017-11882</a>) to deliver a malware loader named <strong>Ande Loader</strong>, which then deploys <strong>SmokeLoader</strong> onto the infected host.</p>

<p><strong>SmokeLoader</strong> consists of two components: a <strong>stager</strong> and a main module.</p>

<ul class="wp-block-list">
<li>The <strong>stager</strong> decrypts and decompresses the main module and injects it into the <strong>explorer.exe</strong> process for execution.</li>
<li>The main module establishes and maintains persistence, communicates with the C2 infrastructure and executes commands.</li>
</ul>

<p>The malware supports several plugins that can steal login credentials, FTP credentials, email addresses, cookies and other information from web browsers, Outlook, Thunderbird, FileZilla and WinSCP.</p>

<p>FortiGuard Labs recommends several defensive measures against threats such as <strong>SmokeLoader</strong>:</p>

<ul class="wp-block-list">
<li><strong>Antivirus protection:</strong> keep antivirus signatures up to date so that the malware can be detected and blocked effectively.</li>
<li><strong>Phishing awareness training:</strong> organisations are encouraged to use free resources to run information security awareness training.</li>
<li><strong>Content Disarm and Reconstruction (CDR):</strong> deploy a CDR service that neutralises malicious macros embedded in documents.</li>
</ul>

<p>Fortinet explains: "<strong>SmokeLoader</strong> is a modular malware that can adapt to different needs. In this case, <strong>SmokeLoader</strong> carried out the attack through its plugins rather than downloading a complete file to complete the final stage. This demonstrates <strong>SmokeLoader</strong>'s flexibility, and it also warns analysts that even well-known malware like this calls for particular caution."</p>

<p>Some of the indicators of compromise (IOCs) associated with the <strong>SmokeLoader</strong> malware:</p>

<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th>File hash</th></tr></thead><tbody><tr><td>15b00779bb5d457e76712ec3dd196c46</td></tr><tr><td>5fc6f24d43bc7ca45a81d159291955d1</td></tr><tr><td>89212a84f1b81d0834edb03b16a9db49</td></tr><tr><td>9ac835c38d4d0c6466e641427a2cf8f1</td></tr><tr><td>9edbf77e52249cc7c179ed1334847cdb</td></tr><tr><td>d0c53c25e4814001be39bd8e1d19e1f2</td></tr><tr><td>d20d31a0e64cf722051a8fb411748913</td></tr><tr><td>108a8b5f1eaf9ef078a3dc0210e6aa961d6b3787</td></tr><tr><td>431d44995111a40b0f8934c2f6e2406119ceeb92</td></tr><tr><td>4b37270aedc88397c027703f444ccaed9c23b862</td></tr></tbody></table></figure>