1.背景
腾讯安全科恩实验室(以下简称“腾讯科恩”)持续基于多源数据的威胁情报分析,以及系统自动化方式,追踪捕获基于钓鱼样本的攻击事件。近日,腾讯科恩发现“银狐团伙”正通过随机化特征的方式对抗安全软件的检测,具体行为包括样本文件hash随机化和C2地址批量生产。在情报自动化分析系统中,我们在同一天会捕获到大量的相似样本,样本之间仅存在少量字节不同,疑似通过自动化工具批量生成。同时C2 IP地址也存在A段、B段相同的情况,疑似从网络服务商批量购买了IP地址用作远控木马的C2服务器。
同时间段出现的高度相似钓鱼样本列表:
|
md5 |
文件大小 |
发现时间 |
|
5c08352f8dcf3b2a41122f249d03b942 |
25297456 |
2024-06-20 09:42:28 |
|
30c9bffeef7c5598279030e7e5675547 |
25297456 |
2024-06-20 10:51:04 |
|
93a50397e4d616811e8f4e75d60446e0 |
25272320 |
2024-06-20 10:58:10 |
|
5578bca9c64b768a9ed0202546dbf139 |
25297456 |
2024-06-20 12:07:22 |
|
e1a6bad0a3a2e1040d730a2d6694fc1c |
25284840 |
2024-06-20 14:14:25 |
|
152dba380ec0e9874d03c6c904c5b719 |
25284840 |
2024-06-20 15:18:35 |
|
e59b389e739af82429ff19e707b6eb61 |
25297456 |
2024-06-20 16:19:37 |
|
c42965e57680bb86a1ec73706df4f5cb |
25284840 |
2024-06-20 16:47:14 |
|
4cdc98b6d6922ed9a53b69f0fab3ede6 |
25284840 |
2024-06-20 17:05:28 |
|
9f9c2e9c586f2b6d9c8d4e738863e1a9 |
25284840 |
2024-06-20 17:37:50 |
|
3bfb555bfdc4c460fa55389b086496d5 |
25284840 |
2024-06-20 17:45:09 |
|
29ca6a80ce27d671392f87ad1c91fbc5 |
21843968 |
2024-06-21 09:30:47 |
|
b5f583f9ad55b3b1df72b19778c133ce |
25297456 |
2024-06-21 10:21:48 |
|
33642d364eb40bbcaa2a8db424fd7947 |
21843968 |
2024-06-21 10:30:49 |
|
679b102b2f7e22201467fa1679538b33 |
21869120 |
2024-06-21 11:27:19 |
|
a3e2e7ca1c713b9b456e8bf911e8b61b |
21869120 |
2024-06-21 12:46:37 |
|
be600a6b5fea37ad1e63270d5e1f32d4 |
21843968 |
2024-06-21 12:48:26 |
|
46b0a09df4050f163695eeb1a3e19b2b |
22319680 |
2024-06-21 14:03:10 |
|
4f6090a4699ddb1a7a1db48b3516c970 |
21869120 |
2024-06-21 14:24:57 |
|
48981e3503ded6fdc025322f0a78d585 |
22319680 |
2024-06-21 14:35:29 |
|
37a0f97f8d0a115ac4da4fc755a5baa8 |
21869120 |
2024-06-21 14:47:56 |
|
cc988bd086032e009fee7cdd58dfd442 |
21869120 |
2024-06-21 16:13:38 |
钓鱼攻击使用的同网段C&C:
|
154.39.249.194[:]3760 |
|
154.82.92.17[:]3760 |
|
154.91.64.155[:]3760 |
|
156.225.58.58[:]3760 |
|
156.234.0.20[:]3760 |
|
156.234.0.32[:]3760 |
|
206.233.128.109[:]3760 |
|
206.238.115.146[:]3760 |
|
206.238.115.184[:]3760 |
|
206.238.197.185[:]3760 |
|
206.238.198.20[:]3760 |
|
206.238.198.233[:]3760 |
|
206.238.199.40[:]3760 |
|
206.238.221.220[:]3760 |
在钓鱼样本文件的命名特点上,以"合同"、"查询"、"表格"为关键词进行命名的有所增多,此外还出现了使用"ziliao"、"mingdan"、"cailiao"等拼音来代替原有的"资料"、"名单"、"材料"等关键词,企图以此来对抗情报自动化分析系统的感知策略。
钓鱼样本文件样例如下:
|
md5 |
文件名 |
|
6b76457c570f41f07d88c06dde996b05 |
ziliao-pdf-moban6.03.exe |
|
33fc4d1e0ff95975dc801c593474dfa4 |
ming-dan.exe |
|
30d3e1468412556b54b959dd9d2c65cf |
mingdan.exe |
|
4ddeecd15da7bf9da28de2b899010316 |
cailiaoPDF-mobanDOC.exe |
|
93a50397e4d616811e8f4e75d60446e0 |
ziliao-PDF.exe |
|
5d983954e643aa72412f8df0db713975 |
cailiao-mdPDF.exe |
|
a38651421c3f327601e6d6c28e361a7b |
mingdan-PDF.exe |
|
d50b5470a52512ed405dc9d78dad9e98 |
ziliao-PDF.exe |
|
ef1a6069c5d334a7dcb68b1ac392eb6a |
mingdan.exe |
|
9166ca99fd8d85eca258a3d671a36c87 |
mingdan.exe |
根据腾讯科恩威胁情报中心统计数据显示,6月初至7月银狐钓鱼攻击呈现增长趋势,通过威胁情报云查拦截的攻击平均每天超过11万次,高峰时期一天超过27万次。并且攻击样本呈现出批量化、自动化生产的特点,部分具有明显共同家族特征的的样本,近一个月内检测出300多个变种。
在当前重保以及银狐黑产团伙活跃的背景下,腾讯科恩提醒广大用户在打开任何从外部获取的文件之前,务必验证其来源的可靠性,不要随意打开来自未知或不可信来源的文件,特别是后缀名为".exe"、".msi"的文件。在电子邮件或即时通讯消息中,不要随意点击链接,尤其是指向不明网站或要求立即下载文件的链接。
2.技术分析
同源样本之间在二进制数据层面仅存在微小差异:
部分样本通过将PE文件入口修改到非text段来逃避检测:
母体样本运行后会通过弹窗提示迷惑用户:
然后在用户文档目录下释放木马文件Tomcat.exe并启动,然后删除母体文件:
将木马exe创建快捷方式wps.lnk,并写入开机启动项:
Tomcat.exe在内存加载并执行shellcode:
连接C2地址156.225.58[.]58[:]3760:
木马上线后搜集用户名、系统版本、CPU等信息发送至远端:
发送命令获取当前系统安装软件列表,并持续通过其他指令对机器进行远程控制,部分指令为明文字符串,例如"GetSoft"为获取当前系统安装软件列表:
相关IOC
| 118.107.42.171[:]3706 |
| 143.92.48.166[:]3706 |
| 154.39.249.194[:]3706 |
| 154.82.92.17[:]3706 |
| 154.91.64.155[:]3706 |
| 156.225.58.58[:]3706 |
| 156.234.0.20[:]3706 |
| 156.234.0.32[:]3706 |
| 156.240.242.2[:]3706 |
| 156.251.17.69[:]3706 |
| 206.233.128.109[:]3706 |
| 206.238.115.146[:]3706 |
| 206.238.115.184[:]3706 |
| 206.238.115.233[:]3706 |
| 206.238.196.149[:]3706 |
| 206.238.196.17[:]3706 |
| 206.238.197.185[:]3706 |
| 206.238.197.223[:]3706 |
| 206.238.198.20[:]3706 |
| 206.238.198.23[:]3706 |
| 206.238.198.233[:]3706 |
| 206.238.199.40[:]3706 |
| 206.238.221.220[:]3706 |
MD5:
| 93a50397e4d616811e8f4e75d60446e0 |
| 33642d364eb40bbcaa2a8db424fd7947 |
| 9f9c2e9c586f2b6d9c8d4e738863e1a9 |
| 4f6090a4699ddb1a7a1db48b3516c970 |
| 48981e3503ded6fdc025322f0a78d585 |
| 37a0f97f8d0a115ac4da4fc755a5baa8 |
| b5f583f9ad55b3b1df72b19778c133ce |
| 29ca6a80ce27d671392f87ad1c91fbc5 |
| 46b0a09df4050f163695eeb1a3e19b2b |
| 5578bca9c64b768a9ed0202546dbf139 |
| cc988bd086032e009fee7cdd58dfd442 |
| d25e9126e74f1093f35f0dd25064ce46 |
| 4cdc98b6d6922ed9a53b69f0fab3ede6 |
| 30c9bffeef7c5598279030e7e5675547 |
| 3bfb555bfdc4c460fa55389b086496d5 |
| 81ff760fa2fd00a428fb6267b4fa397d |
| 5c08352f8dcf3b2a41122f249d03b942 |
| 152dba380ec0e9874d03c6c904c5b719 |
| 465fbf7671d5a465cbd2f5beeecdbb86 |
| a3e2e7ca1c713b9b456e8bf911e8b61b |
| e1a6bad0a3a2e1040d730a2d6694fc1c |
| 1e8a2685e7a5f270ae24c1085a7cf5e3 |
| 6c96511bba4923cf2bfce64aa6892151 |
| ba3cc50a8b7e6ffc7dfc29622e5cf5dc |
| 679b102b2f7e22201467fa1679538b33 |
| c42965e57680bb86a1ec73706df4f5cb |
| e59b389e739af82429ff19e707b6eb61 |
| be600a6b5fea37ad1e63270d5e1f32d4 |
| 4ea960dd8a5f718f9b2b24b79b4892df |
| e639842e49a5f0ae3578e412f80ea46a |
| 915475082c4ece8f159f3a794fe90bbb |
| 213c108fe48d438061df6e197a03c366 |
| 37ecc6c2799fd75ab3ab21deffc00221 |
| c2ca3b28cbe12eae825c1f0244e19183 |
| 29dd8cd8dbd9adbf22185189b8849595 |
| 24ce1fcccdfafec78996363c2cb039f6 |
| adc365e56603387842aba7f786b03872 |
| a44b6fe4ce2c657ae1f0ab5bffd62b48 |
| 71b28e612164f586d22e4d73b8eab477 |
| 3776f123f9b462909122438b4992fe31 |
| 618e4cbc6dde5c9a2bb60fc515d69c2c |
| 1fdf0817c288c1e18af81f8ca08bf5f2 |
| e6337af355c5daabb068fb740a996eab |
| 3f71703f4d6db77023f777c773d17199 |
| b2ebd322e5d28537dab96ddf4a8923e0 |
| 2b167c677a4b530ea698976ab95738ea |
| 0e83e54d79252cc7e1af2e09cf3bbef1 |
| efc3b07380d322d9713da132001235dd |
| 5cd294b94371d13efabcd5da87debb1e |
| 8d91d692064e16f228a76a9c3b7bba18 |
| 43a44ea09fafa570aead6275cb5a7732 |
| 775e1e9ee1aaaaf336a5aa70e971829a |
| e0056f09d421a4dcfbc069e74c96a89c |
| 495809d6f7bc1080fe8d119d7a0dc72c |
| 23d6b3b2891f74ae1bcac00c572077c9 |
| ae9602f2aef92b96059d170dfbb6c82d |
| c2a6d29f4c94aeeef93161a12ab656c1 |
| 98b2de18f7878ee0db91718bc0777dc2 |
| 8c59ff8b2d4c5d685b82e5a868c25f2e |
| 93b581ed8cef9df055d52650afca8014 |
| daa8f08b53d07b29ae0428f67feb09fb |
| 0bd82b66a22bf6e2ad996f5ddd748ef9 |
| 3becaca2dcdddc45fd722348300e0f1a |
| 83c90e61a05818faa962ea43ca71d490 |
| c239b795d1c76a873406b8cc592f2e0b |
| f41d951ca062b0ed7b280c8162af5e28 |
| 7a82efce200c49f85645b1c2048b495c |
| 4ad09c5d1a431702b37931af6624a2d6 |
| 19936b848f813d4addb7efc3dbe970c6 |
| 71c7bfe08e4f10d1bdcf230837add319 |
| 1cd0d13eec14647afed2c853ebc2efea |
| e6414b1427d54f2d551c99b831244b3e |
| 94fc00f3b2738678eaabf10e1371c968 |
| 8f368b5ba983b61bf6d43a96ec34c492 |
| a5e8f005873aaa08e426e4baf0f9b5b5 |
| aad4360f411a6d350f1b5b3c01526ae3 |
| e711531569d2e446c3501c635b41e89c |
| 52740e63c9a6b6e9aeea0f278de455b3 |
| 5aa7afc7d25ab48dbb218946ad6ee500 |
| 4c1cd201918591cbe98e6db0f21b2488 |
| 05d001649a3c44a1ba5bf974ee43d36f |
| 05667500c91e8d0fcf6458a6b8c68e2c |
| 8e7de5a170ea663b6823f5c67e36a46f |
| aaaac616aaae31df11c06b5f5f3666a1 |
| c30a5e14826f692ccb575002c100f347 |
| b0f837bd1799ccee00f37d2f0a8d210d |
| 4b53eda46731a348cf96a1f9f5e55d79 |
| 1d8800e1624a1cb6d92dee6bf0b853a6 |
| 9b623075e89c0d0bace91c7edac91b4e |
| d6e6d04854f4453e988f8bc095e47ef4 |
| 9386d3ff6eb4f00f70b503c5152fd6db |
| f5ea12474b1461fec0a6a88a3831062f |
| 40b01c9a816fdd1bed905be01065f71c |
| 26099604c50660ac7a2091ce0fb4bfc7 |
| 73f85063864d930740cb2ba6af60567e |
| 7aa437395bd17c4118f1ec65be5639cd |
| bf744baa82e827d0cff43df998d5efe3 |
| 3ac79c6e0bf89908d3299c0626ce27a9 |
| f9d772a1dba21d2b96fd42fead7e82d5 |
| 043ce29831861a0ed54e4e83ed463975 |
| bccd141d7b45eeb996a02b1b054ac35f |
| 62c1ce5d8ab09a3cbc5727ee1fbb757b |
| a0326096e584c1194159f024e1fcd775 |
| 9b2dc63c0e916513630fe4660b45cb2d |
| b528d0802179997ffbd993bd93c4628d |
| e2e42d8337b5cd9ba970b5cbb2d94e63 |
| 41899f4832976a54f3763d6789299dca |
| 2111aeb82504e96133f3fbb01645df56 |
| 49116c4dba1f8959bbbda70a29660821 |
| 0754b50fb12b5e7d5d441ca2130784d3 |
| d41be81c052d01d8c1631f9e9661cf07 |
| 3f1ead10e9fec39370ba0a2c07c34d2a |
| 83ac773d2f5214b2857d8665169e93b2 |
| a1967396e294689ef71433fe1f3b10c6 |
| 878d775f3ed264f8354502e1226fc012 |
| 44cee02b8c97c1f06fbdd9e02b3e865a |
| d39b87d6d056ecedb33f573f8deacded |
| 4122f234a63d6e7fabf4c6f85d3176b0 |
| bf34768f65eac1332faa190d0970cc1d |
| 6dfe366e08951950ad22a0c2fce9d4c3 |
| 1d98e2cfd25a41547a90802556919cc9 |
| 721be4b4e73421dc34ef5d5c19bb211e |
| 49ed775e66e2cd74be732cc95bab5ef0 |
| 9166ca99fd8d85eca258a3d671a36c87 |
| 241013fa7d60361d06e5b741bafea26d |
| 3aae84c3e1eafdad49eb2632c85ba74d |
| d9c28cbb35cdb73cf320d100082ee943 |
| 74874c09492735908887e233687d0cab |
| a8aa01f4a43fea827102d1bce46213c6 |
| 6257c39e7a1172cc915d9ff377a13203 |
| d2be59033da6fe93168d2840c8554039 |
| f97ac05643c9123104268af0b6d4423a |
| b92f1fcc85ce32e421c1f19fb1aa6e03 |
| 6f463e2c7df43f974a76161da2583b23 |
| f2585a7f7894747d17eac78ee15ff05c |
| ddd1f1f54e7106437136f0185de60af8 |
| ef1a6069c5d334a7dcb68b1ac392eb6a |
| e594dd8eb79861283c19aa7318b89c42 |
| 91c1233768f6271258333507cd373530 |
| 5d36af000f21e3d74e88c420370f197f |
| 33437540fd3127caaac11cff4463d76a |
| 0d3656e6be2535d30f50dd337a7d699d |
| 96923d284853213e7aace419750ee040 |
| 3d834811b31f5ab9e3c24abff4aa8faa |
| 89e72fdac1a9026c7497f87085c57cb3 |
| 2b2623e8238e191e75d1cf95cadbacd7 |
| d50b5470a52512ed405dc9d78dad9e98 |
| a38651421c3f327601e6d6c28e361a7b |
| 46a2885a769e205acbbe0dee272aacab |
| 1a931ae24935a6fe5dce82d3148caf2e |
| 35d2c163a83bc6268452ca090ac84a65 |
| fa2c637ca4e1cb0ca5e2547542a5a10a |
| 5d8f00b5297f7a7cbf19ee1f8948d94e |
| 188b5ed90295582678320c1a6acced38 |
| 8aaf1bf2e74e420a3bdf0fb49d8ee326 |
| 1b371ddabe058687147de7f3c50fe85e |
| 6a2b7ff58724ee54dc269f03c22bbc82 |
| 330dcfe2ca29a557aaf366ec51b04e85 |
| 8eb0d603bab47cb997d31bf8752097ea |
| acdef0db16fabc13735e34d817f37059 |
| 43f818bab0e589c4f1fbf12d7057628a |
| bbb7342ea6de274965dc25231b2885e9 |
| afecc5153abef4191481f7f19cad65fd |
| 83d91cdb1ebfb015f8ab417426d2ebec |
| 31e5bfa1d6acfc69648eecd70e905ced |
| 1aa9af059403e322c754ffbd8bdce04d |
| 73c96ad0a1c5d3f0857439eaa7a475a4 |
| 80065575480b7ef12c48a32987608e90 |
| 66749718ff7cb1bd19d07c98d2982a6a |
| 775c29c41d442cbd62bfd4248c7e9637 |
| 8587ef26e77d69a0beccc75044ede529 |
| 175b55c22f109c44566896347181daec |
| 5d983954e643aa72412f8df0db713975 |
| 2f3cd2d1d52ee8f27d745cf573a6e702 |
| 7239bd003c04acad686e2a05e2a6f831 |
| 7cefd5c28dce8776d10f4278ae698498 |
| 2ab727082a3544482d3a2ec3695272ee |
| 9dc7412c7d5e95f958880f7f71a6c115 |
| 5645d43d27697d40925bc82820a9d9ed |
| 6c49dd2bcd979c42ab91b5c5260f0e7b |
| fe696a3faf727be637c67d65c182571d |
| ebc01f4dd0f592783299f5a013ab8b0a |
| 30d3e1468412556b54b959dd9d2c65cf |
| a0d353d9f63e272952ee568d18331c55 |
| c063b4f319d232add8be3d45a213b4ef |
| ccb5172876effc2cd6cc25896391e3a8 |
| be911fe3973e63a8532351e4988be16b |
| 8e1a23264ebcf3b6fffb41ae88c27ac7 |
| 7e59c45c1d129d77f15d03b87005f9ac |
| deacdcb415f2096dd45eb4912798ff31 |
| e2d98bf5a5e988e3ab2bf7491edba620 |
| fca16da1b848e82a83e89d8ecbb63ee9 |
| d776c27d16c83279d78ddc9b67a561f9 |
| f52320d9ff7f4cb8b9986703427d1ef6 |
| 741a6c3c68832ed7a822324464c3eff2 |
| d3a2d394d602ed0fc01fe5e44506c333 |
| d2542bd1192aad475bc9d5d58707da21 |
| c2b9294bbc8be37f3ed7836af1c33493 |
| 39cfbf361ee0885d6c267c18a5a6bf37 |
| 00a9cf23426afed330fe186bf2fab166 |
| 1e6931316c72586349fab023d6c48588 |
| 0185d2869f57f204f9a6900fd64d03ae |
| 915a23beb4886796c9629f3622cf0a8d |
| ebc30b9cad91be74268130443151f34e |
| 0776775e35d5c1b5a95e011096b73b98 |
| b0572b1f4f3fc1c8d1bec8179053debe |
| 43eab78f19505795a54b87406ee8afe6 |
| 905706524807e4dc00d435c14f7a65b0 |
| 1157b10101d4d568e711c545a28644c1 |
| cc6e18e79d231e313a348bcd08f26f02 |
| 06c5fd15041c469f7a4f5fdc6ff9524e |
| cf6d909a57368dc64fd30ee8f3e6e9f9 |
| 3089b6b3986fd315807a7e3fcdea5255 |
| 44e63f0cc4ec4fa2ce6d61597a97ecd5 |
| 19c3ba2e9154706a48f689fdacb17579 |
| a6520fb81c1af13b699fab929b02cd42 |
| 6c5ed72d2e305a871b953eedf1245287 |
| 7796cd00f37302ad85b0b9fde1c24a5e |
| 33fc4d1e0ff95975dc801c593474dfa4 |
| 5b45d02d76b4dc5cdfe79aa95d98a357 |
| 758620433c51d56fd7e3353519a9dd9a |
| 84a241afa01c1e480c0278403db07d25 |
| a7e8512f3b9a08aa8ef70e6112cff464 |
| cc8d2862d13c86e2b246817ecfdb6825 |
| 4ddeecd15da7bf9da28de2b899010316 |
| cbcf0954033bb825bf5ed579f7c70762 |
| 419d3b0d26bcc2e8854d53baa37a9bc7 |
| dacddef361efc350cceec4cd3ad1e9b1 |
| 0d332e188cce9d1cb2f279e4a2d4fd8e |
| 1d6d15297fa5f4d84256535f8c54e7f3 |
| 04682c46af5e600b8b327001d0d8def8 |
| 510283695a0cbf3a2cfe4732affd60a3 |
| 6fe6ac2510c084264e735a0362eb041c |
| 846831c799b1e57c14ecc6268c4954aa |
| 370b9354b175b2f638a07743b6e5bce0 |
| 688ad6cc5d8cbcc979df5ecc436b0db2 |
| c7aafd2edeb7f854567fd8655a662b3d |
| 4450058efd92854936ddb1c7a7619c4a |
| a10b79d01959130566e0030478f4f112 |
| d35580d2f551e9639337df35d79f8db2 |
| 0389c154e6dcf81f4a643991eedd6d8b |
| a0e36bf7ec2355d9304df551bec2d7be |
| e45d9aa16f07fbf6264a84f02ebb2009 |
| bf46b5872582b912e6bfb75a235c957b |
| cf479fa6639785ff8f27bfa55613f7e2 |
| 699f692c8a12e74ba726ac2339ce89ab |
| 0f0578d5751a82fb4020443ff379958a |
| 423b3013bddf9f736b0f9dec42f9e734 |
| e184580805c3944c06d1f27ac7b7e825 |
| 6b76457c570f41f07d88c06dde996b05 |
| 755d4e935bce40277ee8c3ceb1eef463 |
| 52fa6d8f45f160b057efeca4c505849a |
| 4d9f9ecbfdc63fd7afd62eac8cea1496 |
| 547aec3c6fe67362189e007400e90575 |
| cfb35e7ed9135540eec21bcece9684f8 |
| 0b1e09264d0973e20ecc888d3071d354 |
| bc467552d6cd82ed8c8452d6bc7f1b05 |
| c14f82f1a9f8de0a23a5f3c709b8741c |
| ac3ce2b00b8f9fec31faa522c96a153f |
| bc1a06fbaec8e9c6180800281d64c161 |
| c5c524c0d86f0f2d61088e8a2aff4ac3 |
| 28f784e18cbd562cbe24a4585d26a233 |
原文始发于微信公众号(腾讯安全威胁情报中心):情报速递20240705|“银狐”变种木马正通过随机化特征进行攻击
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论