Incident overview:
Detailed analysis:
To improve its evasion of antivirus detection, the parent sample links several open-source libraries (ZeroMQ, Curl, OpenSSL, and others). Its execution logic is wrapped in the ZeroMQ asynchronous messaging framework and runs through registered event callbacks, so the malicious code is buried inside a large body of library code.
As shown in the execution flow in the figure above, four meaningful asynchronous callbacks are registered. "A" hides the console window. "CHK" detects sandboxes and virtual machines by enumerating the system's ACPI firmware tables. Once that check passes, "DLS" and "EC" run as a pair: "DLS" downloads the payload and decrypts it, then hands it to "EC", which executes the shellcode.
IOC:
1e9ccf31bb24a3514171c3dcb19078ef
31eedd8d089ede700293719349f05d19
2b740ac0d2410d5f0bab45a3b3abbaf8
8870064f7582692e18fab0f400a1712a
78d8676c7142848aadfbd83a79284408
7b5798ffeb106b976f5afbd2c9fd774c
a1.jiesheng18.com
https[:]//cdn.nlark[.]com/yuque/0/2024/gif/48190910/1725488215950-f5cc8160-597e-4065-9afd-06bebb8ad56c.gif
https[:]//jockeraaa.oss-cn-beijing.aliyuncs[.]com/27_$92_
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/c/static/0
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/c/static/1
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/pf/3
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/psc/29_$10_
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/c/static/a
8.218.198.10
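The IOC list above is published in defanged form (`[:]`, `[.]`), which is safe to paste but does not match anything in a log as written. The following Python script is an added example, not part of the original report: it refangs the IOCs, sorts them into hashes, IPs, URLs and hostnames (hostnames are also extracted from the URLs so DNS logs can be matched), and then sweeps a few constructed log lines for hits. The log lines and the field names in them are invented for the demonstration; only the IOC values come from the report.

```python
import re
from urllib.parse import urlparse

# IOCs copied verbatim from the report above, still defanged.
REPORT_IOCS = """
1e9ccf31bb24a3514171c3dcb19078ef
31eedd8d089ede700293719349f05d19
2b740ac0d2410d5f0bab45a3b3abbaf8
8870064f7582692e18fab0f400a1712a
78d8676c7142848aadfbd83a79284408
7b5798ffeb106b976f5afbd2c9fd774c
a1.jiesheng18.com
https[:]//cdn.nlark[.]com/yuque/0/2024/gif/48190910/1725488215950-f5cc8160-597e-4065-9afd-06bebb8ad56c.gif
https[:]//jockeraaa.oss-cn-beijing.aliyuncs[.]com/27_$92_
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/c/static/0
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/c/static/1
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/pf/3
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/psc/29_$10_
https[:]//dddxas.oss-cn-beijing.aliyuncs[.]com/commen2/c/static/a
8.218.198.10
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(value):
    """Undo the common defanging conventions so the value matches real log data."""
    return value.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def classify(value):
    """Bucket an already-refanged IOC by its syntactic shape."""
    lower = value.lower()
    if MD5_RE.match(lower):
        return "md5"
    if IPV4_RE.match(lower):
        return "ipv4"
    if "://" in lower:
        return "url"
    return "domain"


def load_iocs(text):
    """Parse a defanged IOC list into {kind: set(values)}; URL hosts also become domain IOCs."""
    iocs = {"md5": set(), "ipv4": set(), "url": set(), "domain": set()}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        value = refang(raw)
        kind = classify(value)
        # URLs keep their case (paths can be case-sensitive); everything else is lowercased.
        iocs[kind].add(value if kind == "url" else value.lower())
        if kind == "url":
            host = urlparse(value).hostname
            if host:
                iocs["domain"].add(host.lower())
    return iocs


def _contains_token(haystack, needle):
    # Whole-token match: avoids 8.218.198.10 firing on 8.218.198.100 or a domain on a longer name.
    pattern = r"(?<![a-z0-9.-])" + re.escape(needle) + r"(?![a-z0-9-])"
    return re.search(pattern, haystack) is not None


def _contains_url(line, url):
    # Exact, case-sensitive URL match that must not continue into a longer path.
    return re.search(re.escape(url) + r"(?![A-Za-z0-9_])", line) is not None


def scan_log(lines, iocs):
    """Return (line_number, kind, ioc) for every IOC found in the given log lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        lower = line.lower()
        for url in iocs["url"]:
            if _contains_url(line, url):
                hits.append((number, "url", url))
        for kind in ("md5", "ipv4", "domain"):
            for value in iocs[kind]:
                if _contains_token(lower, value):
                    hits.append((number, kind, value))
    return hits


# Constructed sample log lines (hypothetical DNS, proxy, EDR and firewall records).
SAMPLE_LOG = [
    "2024-09-05T10:12:01Z dns query=a1.jiesheng18.com type=A client=10.0.0.15",
    "2024-09-05T10:12:03Z proxy GET https://dddxas.oss-cn-beijing.aliyuncs.com/commen2/c/static/0 status=200 client=10.0.0.15",
    "2024-09-05T10:12:04Z edr file=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe md5=1E9CCF31BB24A3514171C3DCB19078EF action=created",
    "2024-09-05T10:12:05Z fw conn dst=8.218.198.10 dport=443 proto=tcp client=10.0.0.15",
    "2024-09-05T10:13:00Z dns query=www.example.com type=A client=10.0.0.22",
]

if __name__ == "__main__":
    for number, kind, value in scan_log(SAMPLE_LOG, load_iocs(REPORT_IOCS)):
        print(f"line {number}: {kind} hit on {value}")
```

Matching is done as whole tokens rather than plain substring checks, so the IP indicator does not fire on a longer address and a hostname does not fire on an unrelated subdomain; the proxy line is reported twice, once as a URL hit and once as a hostname hit, which is useful when only one of those log sources is available.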
Originally published on the WeChat official account 鹰眼威胁情报中心 (Eagle Eye Threat Intelligence Center): "Using Python to launch a RAT: Silver Fox steps up the arms race again".