● 背景 ●
最近一段时间,腾讯安全科恩实验室威胁情报中心对钓鱼木马类攻击事件进行了跟进,并着重关注了社交软件、邮件附件等传播渠道的发展趋势。通过对相关样本的动态沙箱行为分析、威胁情报关联比对,获取了最新的威胁线索。
最新发现的一批钓鱼样本包含了财务,税务主题的MSI打包文件,以及最新的桃色新闻事件等,以作为诱饵文件进行传播。钓鱼母体文件首先从某云平台下载图片和dat后缀文件,通过白加黑加进程注入的方式启动恶意代码,安装名为Sauron(中文名"索伦")的服务进行持久化,并且尝试请求DGA域名,分析发现该批次远控程序大都通过8800、7000端口与C2地址进行通信,科恩实验室根据木马使用的互斥体和服务名特点,将其命名为**"索伦"**木马。
腾讯安全科恩实验室提醒企事业单位及个人用户,不要因为好奇而随意点开各类通信软件、群聊中包含"XXX新闻"等关键词的文件,特别是后缀名称为”.exe“的执行文件,因为这很可能是黑客投递的钓鱼木马,如果点击执行将造成不必要的损失。样例文件如下图所示:
钓鱼文件样例整理
1.诱饵MSI文件:
- 2024年*****局企业补贴政策通知.msi
- 资料全套.msi
- 2024财会人员补贴所需材料.msi
- 3月1日退税步骤详情.msi
- 2024年XXX局企业补贴政策通知.msi
2.诱饵压缩包:
- **集团一女员工被丈夫举报与领导通J聚众Y乱.rar
- **集团一女员工被丈夫举报与领导通J聚众Y乱(1).rar
- (密码123)原版视频.zip
- (密码123)原版视频(1).zip
解压出文件:
- 原版视频MP4.exe
- 原版MP4.exe
- 原版视频.exe
- 2024mp4.exe
- (密码123)原版视频.exe
- 原版视频.zip
- **集团一女员工被丈夫举报与领导通J聚众Y乱.exe
- 高中女老师出轨16岁学生.exe
技术分析
第一种诱饵文件为msi包,具体文件名会包含“财务”,“税务”等关键词,msi安装时通过命令释放和启动病毒母体dllhost.exe
第二种诱饵文件以"xxx视频.exe"命名,功能与dllhost.exe一致,都属于病毒母体。在母体文件运行后,首先从云服务平台下载多个文件,如下所示:
- https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/b.dat
- https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/1.png
- https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/2.png
- https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/3.png
- https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/4.png
然后,在C盘根目录以及ProgramData,Microsoft目录下创建文件,并通过cmd命令启动如下文件:
- C:\xx.exe
- C:\ProgramData\xxx.rar
- C:\ProgramData\xxxx\xxx.rar
- C:\ProgramData\xxxx\xxx.exe
- C:\Microsoft\iXXX3XXX.dat
在用户的“公用视频”目录下,将释放4个文件:包含1个随机名exe,1个DLL文件,2个非PE后缀文件。其中,DLL和非PE后缀文件每次文件md5不一样。4个文件示例如下:
- 4OY.exe(hash:AE105528A6C5758CCF18705A8C208A97)
- ClassicExplorer32.dll (hash:6D9B14409057F0606F9082B5A8BEF13C)(md5对抗)
- ffff.lop (hash:91D7406CF794F1A2566C4CFD8A1A92EA)(md5对抗)
- ffff.pol (hash:35162C68560C91D773E4783929F2C9AC)(md5对抗)
其中,4OY.exe是具有数字签名(失效状态)的白文件,是Windows资源管理器的一个插件ClassicExplorerSettings。该文件被安装计划任务启动,运行后会通过白+黑加载同目录下的恶意模块ClassicExplorer32.dll。
ClassicExplorer32.dll被加载后,调用导出函数ShowExplorerSettings。
获取当前进程ID并OpenProcess后,通过WriteProcessMemory将恶意代码注入当前进程。
继续通过CreateRemoteThread执行注入的恶意代码:
读取ffff.pol到内存:
修复PE文件头:
内存加载PE执行后,首先将母体样本生成的中间文件进行清理:
然后检测是否存在调试软件/杀毒软件:
写注册表Run启动项SOFTWARE\Microsoft\Windows\CurrentVersion\Run
安装服务,服务名为"Sauron",同时也会创建名为"23.234.37[.]182:8800:Sauron"的互斥体。"Sauron"中文译为“索伦”,是《魔戒》中的一个重要角色。
连接C2地址23.234.37[.]182[:]8800
接收服务端命令,执行各类远程控制操作
附录相关IOC
EXE类
287e159f1e869a55f415cecce35a4675be624ba8ae701c23f8370c1445070d97
f65b1e283df0a8652a51699e09ffbb0fe5ca924e5fe90318901d0374ec4d73f7
5cfebd38c9ae4488feab76db086d8a6496fd47350c43fdd480475af76d164070
506a9d93ff78b1e530d496617a522a891cc4d9ef5d34d1a6932352eb1e14347e
03b262c7c88bf22a3d59523e05d5fea2bd8c191bf45533afe9fef50e99699583
46996b966610fd123d88c05b300c5f2141d46fffe572c705de5ee9b09501483c
90cc47603b0682f92d9a23d49bf850ac82c2b2d08e2f960ef48ead356a1dc504
bd3918c4c724e163f7cdc07b8027cdeb6e328494d2eed22027bc83ed1aa47b5a
6867866a5d933ad5c77274c31c7066b464e168e93208c1233737a200ae1c9011
33c5122eadc5e26e6142c169dd553eafff1a0815b8111737b3cb303949b81bac
9c0da28034144d081d0ca1f05549bd2ce267b53d33d1b3de7f17434fea418142
b61b36b087d3d15aa21f7d597c3563ebb33a2d00cf2f6c95698673be2205aee4
97a79c9e33047d0b9b228b688f086a17b6cbda8913c179f5069950873bec38ea
5f15853e591cc1211e1ee5c911f26fe3eab85cddfb226e0f9d6204490d799d7c
ae52cd7e5684630ea2cbf0298b5fabdb03ccc60f6e0783f682af6e39ef23a0c3
969db6300712fe813d96dda6c455a973c64a87d53b54376296ad6303dafdc61e
dc5e0002f84966fe05e4bdf36911c56f7b1a0b296ff3f658a0dd26e3e716a14a
d87861e5d3acb4c5a054e0141e9e037a9edacfa5a18be0db93fdeeead307588e
be2d4297d4acbeae315008d4c1ac5de734d77f36f46b2d926dfd52b281a082ff
9cc9a55b7973ffeadc5c0a37ce8bef425c40a8cd452d8dc62fea4d0ed2f56065
5ddfb1307d75d9d50673f2edd3dc2586911ec41861f307a50a9936cf1ec20e26
d28ab6fe7bb0212953bf8a59e98391e3672efb2fcf102173e6e650ca558a269e
MSI类
3aae6adb3d524bda8766b16039c97cdad58062077abfe63a2fb14f1c38e40066
71187d42357788eef197652e3cd8bce6589beee5184d9ab86e122680232dfd76
8e30d05a5937d43c2354b100b9add70f99ebfd0f3d14efb9a934c2ef57cf4cdc
0ffbf71dc661d287c2a58cb1f96170df32308a18d7840a8a4e0afe46720b4f79
bf119261019ca2e7ae39a3ca1f6e00de34b840cd9375dad3b77b2681b7225799
76b1d50b3ce96d1c049e975abe0d57422223ea345895adcfcd9aa0164e7bae04
URL
https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/b.dat
https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/1.png
https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/2.png
https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/3.png
https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/4.png
https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/default.dat
https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/DMR\_10.jpg
https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/DMR\_15.jpg
https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/DMR\_20.jpg
https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/DMR\_25.jpg
https://oss-ww.oss-cn-hangzhou.aliyuncs\[.\]com/xsu-icon1.png
https://oss-ww.oss-cn-hangzhou.aliyuncs\[.\]com/xsu-icon2.png
https://oss-ww.oss-cn-hangzhou.aliyuncs\[.\]com/xsu-icon3.png
https://oss-ww.oss-cn-hangzhou.aliyuncs\[.\]com/webkit.531.36.png
Domain
squxdw.net
vlstjq.net
uywtex.net
squxdw.net
squckw.net
uywtex.net
IP
23.234.37[.]182
122.10.18[.]42
206.238.114[.]116
45.195.57[.]10
23.234.37[.]182
122.10.26[.]236
产品体验
![https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/1.png](https://lldwt-oss.oss-cn-beijing.a%5C*%5C*yuncs%5C%5B.%5C%5Dcom/1.png){kind=link}
![https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/2.png](https://lldwt-oss.oss-cn-beijing.a%5C*%5C*yuncs%5C%5B.%5C%5Dcom/2.png){kind=link}
![https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/3.png](https://lldwt-oss.oss-cn-beijing.a%5C*%5C*yuncs%5C%5B.%5C%5Dcom/3.png){kind=link}
![https://lldwt-oss.oss-cn-beijing.a\*\*yuncs\[.\]com/4.png](https://lldwt-oss.oss-cn-beijing.a%5C*%5C*yuncs%5C%5B.%5C%5Dcom/4.png){kind=link}
![https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/1.png](https://lldwt-oss.oss-cn-beijing.aliyuncs%5C%5B.%5C%5Dcom/1.png){kind=link}
![https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/2.png](https://lldwt-oss.oss-cn-beijing.aliyuncs%5C%5B.%5C%5Dcom/2.png){kind=link}
![https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/3.png](https://lldwt-oss.oss-cn-beijing.aliyuncs%5C%5B.%5C%5Dcom/3.png){kind=link}
![https://lldwt-oss.oss-cn-beijing.aliyuncs\[.\]com/4.png](https://lldwt-oss.oss-cn-beijing.aliyuncs%5C%5B.%5C%5Dcom/4.png){kind=link}
![https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/DMR\_10.jpg](https://ced2-oss.oss-cn-shanghai.aliyuncs%5C%5B.%5C%5Dcom/DMR%5C_10.jpg){kind=link}
![https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/DMR\_15.jpg](https://ced2-oss.oss-cn-shanghai.aliyuncs%5C%5B.%5C%5Dcom/DMR%5C_15.jpg){kind=link}
![https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/DMR\_20.jpg](https://ced2-oss.oss-cn-shanghai.aliyuncs%5C%5B.%5C%5Dcom/DMR%5C_20.jpg){kind=link}
![https://ced2-oss.oss-cn-shanghai.aliyuncs\[.\]com/DMR\_25.jpg](https://ced2-oss.oss-cn-shanghai.aliyuncs%5C%5B.%5C%5Dcom/DMR%5C_25.jpg){kind=link}
![https://oss-ww.oss-cn-hangzhou.aliyuncs\[.\]com/xsu-icon1.png](https://oss-ww.oss-cn-hangzhou.aliyuncs%5C%5B.%5C%5Dcom/xsu-icon1.png){kind=link}
![https://oss-ww.oss-cn-hangzhou.aliyuncs\[.\]com/xsu-icon2.png](https://oss-ww.oss-cn-hangzhou.aliyuncs%5C%5B.%5C%5Dcom/xsu-icon2.png){kind=link}
![https://oss-ww.oss-cn-hangzhou.aliyuncs\[.\]com/xsu-icon3.png](https://oss-ww.oss-cn-hangzhou.aliyuncs%5C%5B.%5C%5Dcom/xsu-icon3.png){kind=link}
![https://oss-ww.oss-cn-hangzhou.aliyuncs\[.\]com/webkit.531.36.png](https://oss-ww.oss-cn-hangzhou.aliyuncs%5C%5B.%5C%5Dcom/webkit.531.36.png){kind=link}