How an APT technique turns to be a public Red Team Project

APT | 8 months ago | admin

Introduction

DLL Sideloading (T1574.002) stands as a remarkably effective stratagem employed by adversaries to execute their own malicious code, while clandestinely leveraging the implicit trust placed in legitimate applications. This report dissects the multifaceted nuances of DLL Sideloading, delving into its mechanics, the prevalence of victim applications, and its reverberating impact on the cybersecurity landscape.

The Art of Trust Manipulation

At the core of DLL Sideloading lies the manipulation of trust. Adversaries artfully exploit the trust that users confer upon genuine applications to covertly introduce their malevolent payloads. This technique operates on the premise that antimalware engines are less likely to flag such activities as malicious, given the seemingly benign context of the attack. By infiltrating the trusted environment of legitimate software, attackers can operate incognito and evade the vigilant gaze of cybersecurity defenses.

Evidentiary Trail of Exploitation

During 2023, Yoroi’s Malware ZLab researchers have thoroughly documented a surge in attacks orchestrated through DLL Sideloading. The 3CX Supply Chain attack is a glaring example of this technique in action, where a malicious ‘ffmpeg.dll’ played a pivotal role. Such instances bring to the forefront the vulnerability of a plethora of legitimate software applications that inadvertently serve as conduits for adversarial actions. It is imperative to take stock of the substantial array of exploitable legitimate software, prompting proactive measures such as tracking and monitoring to thwart potential attacks.

Emergence of Repackaged Threats: APT29’s Chameleon Strategy

An intriguing illustration of this landscape is the appearance of a repackaged campaign mirroring the tactics of APT29. Palo Alto Networks’ Unit42 scrutinized a campaign bearing uncanny similarities, revealing a reengineering of techniques. A significant alteration observed in this iteration is the transition from BruteRatel to CobaltStrike, indicative of the dynamic nature of adversary tactics. The inclusion of the PDB string “OneDriveUpdaterSideloading,” connected to a public GitHub repository, points toward the meticulous orchestration behind these campaigns. Invariably, the unveiling of novel techniques leads to rapid exploitation by both malevolent cybercriminals and proactive adversary simulations.

This case serves as an eloquent testament to the transformative journey from legitimate research to a tool wielded by threat actors. This chasm between the virtuous intentions of research and the perverted objectives of cybercriminals underscores the dire need for preemptive strategies and adaptive defenses.

Charting the Uncharted: A Deep Dive into Threat Landscape Dynamics

Considering these events, understanding the Tactics, Techniques, and Procedures (TTPs) that underpin DLL Sideloading has assumed paramount importance. The symbiotic relationship between exploitable legitimate software and insidious techniques necessitates a granular exploration. This investigation seeks to unravel the intricate interplay between threat actors, vulnerable software, and defensive countermeasures.

The realm of DLL Sideloading presents a formidable challenge, demanding a harmonious interplay of offensive and defensive strategies. As demonstrated by the 3CX Supply Chain attack and the evolving APT29 campaigns, the art of DLL Sideloading showcases the artful manipulation of trust. With the twin specters of exploitation and emulation looming large, the cybersecurity landscape necessitates constant evolution and proactive measures. This report embarks on a journey to decipher the complex choreography between adversary and defender, shedding light on the enigmatic realm of DLL Sideloading and its profound ramifications.

Technical analysis

The genesis of this research can be traced back to the identification of a dubious sample across multiple platforms. Upon closer examination, a noteworthy revelation emerged – the characteristics and methodologies exhibited by this sample bore a striking resemblance to those elucidated in a research report published by Palo Alto Networks a year prior. This intriguing alignment prompted us to pursue an in-depth investigation, delving into the intricacies of this suspicious sample and its potential implications within the broader cybersecurity landscape.

Our initial encounter with this enigmatic sample stirred a sense of curiosity and urgency. As we delved deeper into its attributes, we were captivated by the echoes of a previously documented research endeavor conducted by Palo Alto Networks. This congruence in techniques piqued our interest, prompting a meticulous analysis aimed at unearthing potential connections, nuances, and trends that could shed light on the evolving threat landscape.

As a consequence, we embarked on a comprehensive journey to decipher the underlying mechanics of this suspicious sample. The contextual thread woven between these two distinct instances – separated by time yet united by technique – sparked a cascade of inquiries. What propelled the persistence of these techniques across different time frames? How have threat actors evolved and adapted over the course of a year? What implications might these shared methodologies hold for the future of cybersecurity?

Intriguingly, the resonance between the two instances extended beyond superficial similarities. As we dissected the layers of code and behavior, we began to unravel a narrative that transcended the temporal gap. The eerie familiarity of tactics, techniques, and procedures (TTPs) underscored the tenacity of certain adversarial approaches, shedding light on the enduring effectiveness of certain tactics.

To augment our exploration, we embarked on a comparative analysis, mapping the nuances of the suspicious sample against the backdrop of earlier research findings. This comparison not only deepened our understanding of the techniques at play but also illuminated potential evolutionary trajectories.

As we traverse the landscape of this research endeavor, we unveil a tapestry interwoven with shared strategies, tactics, and modus operandi. Our journey goes beyond a mere replication of findings; it embraces a quest to discern the underlying motivations, the shifting dynamics, and the relentless pursuit of an evolving adversary.

In the pages that follow, we present a comprehensive exploration that not only expounds upon the resonating techniques but also delves into the implications and proactive measures that can be derived from this synthesis. The symbiotic relationship between past and present insights forms the bedrock of our inquiry, an inquiry driven by the pursuit of knowledge and the fortification of defenses in an ever-evolving digital landscape.

This new sample has the following static information:

Hash: c8ca2199aabae9af5c59e658d11a41f76af4576204c23bf5762825171c56e5e8
Threat: CobaltStrike
Brief Description: Campaign using DLL Sideloading emulating APT29 techniques

Within the confines of this investigation, a file of significant interest emerged – an ISO archive that harbored a myriad of revelations. Upon a closer examination of its contents, a compelling correspondence was uncovered. The files encapsulated within this ISO archive resonated with those highlighted in the campaign dossier curated by Palo Alto Networks. This intriguing synchronicity, while not immediately evident, yielded insights of paramount significance.

The surface layer of this enigmatic ISO archive unveiled a conspicuous file – an LNK file that seemingly occupied the spotlight. Yet, beneath this visible veneer lay a concealed realm, a covert enclave of files that remained shrouded from immediate view. This intricate play of visibility and secrecy evoked a sense of intrigue, prompting us to embark on a journey of exploration to decipher the cryptic essence encoded within this repository.

Layer upon layer of intricacy unfolded as we navigated the landscape of this ISO archive. This tapestry of concealed files, each bearing a narrative waiting to be unveiled, spoke to the meticulous orchestration at the heart of this endeavor. It beckoned us to delve deeper, to unearth the intricacies beneath the surface and shed light on the grander scheme at play.

As we embarked on the process of unveiling these hidden entities, a symphony of questions resonated within our minds. What purpose did these concealed files serve? How did they intertwine with the overarching narrative of the campaign documented by Palo Alto Networks? Were they simply pawns in a larger chess game, or did they hold the key to deciphering the tactics, techniques, and procedures that defined this intricate web of activity?

This revelation marked a pivotal juncture in our exploration, underscoring the complexity and multifaceted nature of the threat landscape. As the layers of this ISO archive unfurled before us, we recognized the need to meticulously scrutinize each fragment, each file, and each association. In doing so, we aimed not only to decipher the tactics employed but also to glean insights into the strategic underpinnings that guided the orchestration of this campaign.

In the subsequent phases of this investigation, we delve deeper into the labyrinthine corridors of this ISO archive, mapping the interconnections, deciphering the concealed narratives, and ultimately illuminating the overarching design that binds these files together. With each layer unveiled, our understanding of the campaign’s intricacies grows, propelling us toward a more comprehensive comprehension of the tactics at play and the implications they hold within the evolving landscape of cybersecurity.

As we traverse this uncharted terrain, the ISO archive stands as a testament to the artful concealment that underpins contemporary cyber operations. It serves as a stark reminder that within the digital realm, what meets the eye is often a fraction of the story, and it is only through unwavering diligence and meticulous scrutiny that the full narrative can be uncovered. In the pages that follow, we invite you to join us on this journey of revelation, as we endeavor to unlock the secrets that lie within the concealed confines of this enigmatic ISO archive.

Figure 1: Content of the ISO file

Nestled within this package lies a comprehensive toolkit, meticulously curated to facilitate the art of sideloading within the seemingly innocuous façade of Microsoft’s legitimate OneDrive application. This toolkit, an ensemble of elements strategically chosen to orchestrate this subversive dance, beckons us to explore the shadows that underlie this seemingly benign software.

At the epicenter of this intricate ensemble rests the “version.dll” library, a seemingly inconspicuous repository housing a nefarious payload. This malicious code, concealed within the very fabric of the library, remains poised for execution. The key to its activation lies in the sideloading mechanism facilitated by the “OneDriveStandaloneUpdater.exe” file—a seemingly innocuous entity that serves as a covert conduit for the surreptitious introduction of the malicious “version.dll.”

In the wake of this revelation, a decision of profound significance was made. A comparative analysis was embarked upon, aimed at scrutinizing the very core of the “version.dll” library’s malevolent essence.

This journey of exploration led us to an enthralling revelation—an intricate tapestry of difference that lay between the original sample attributed to APT29 and the repackaged variant under our scrutiny. This visual depiction, akin to a comparative map charting the evolution of malevolence, unfurled before us, illustrating the subtle but significant alterations that had transpired.

The juxtaposition of these versions painted a nuanced portrait—one that echoed the evolution of threat actors, their insidious innovation, and their relentless pursuit of evading detection. The side-by-side comparison unveiled a dance of modification, where the adversary’s toolset underwent refinement, adaptation, and transformation, underscoring the fluid and dynamic nature of their strategies.

This revelation not only enriched our understanding of the adversarial mindset but also unveiled a thread that intertwined disparate instances. The synergy between past and present, original and reimagined, bore witness to the meticulous orchestration that drives the evolution of cyber threats.

Figure 2: Comparison between the original sample and the repackage

The orchestrated sequence of events unfolds with a remarkable symmetry, presenting an execution flow that mirrors its predecessor in meticulous detail. This intricate choreography culminates in a seamless continuum where the LNK file, with its understated yet pivotal role, acts as the conductor of this malevolent orchestra.

At the crux of this orchestrated symphony lies the moment of ignition—a seemingly innocent activation of “OneDriveStandaloneUpdater.exe.” However, beneath this innocuous veneer lies a subversive intent that sets in motion a cascade of actions. Like a masterful magician, this executable skillfully undertakes the process of sideloading the formidable “version.dll,” a vessel housing the malicious code that underpins the adversary’s covert ambitions.

Parallel to this intricate dance of deception, the authentic “vresion.dll”—its legitimate counterpart—resides with unassuming grace. This nuanced mimicry serves as a shroud of authenticity, a ruse designed to ensure the execution proceeds without raising the alarm. As “OneDriveStandaloneUpdater.exe” navigates the labyrinthine network of exported functions, a cunning ruse is enacted.

In a mesmerizing twist of ingenuity, the calls initiated by “OneDriveStandaloneUpdater.exe” are deftly redirected, a seamless proxying of intentions. The facade of “vresion.dll” acts as the intermediary, its presence imperceptibly guiding the execution towards the intended destination. This orchestrated misdirection ensures that the adversary’s intent remains concealed, even as the wheels of execution turn.

This intricate ballet of deception showcases a level of sophistication that is emblematic of an evolving threat landscape. It underscores the adversary’s astute understanding of software intricacies and their resourceful manipulation of trusted processes. With every seamlessly proxied call, the adversary gains a foothold in the digital ecosystem, inching closer to their nefarious objectives.

As we delve further into the depths of this orchestrated symphony, we unravel not just a mere sequence of events, but a narrative that highlights the convergence of innovation and malevolence. In the subsequent sections, we venture into the heart of this intricate mechanism, peeling back the layers to expose the techniques, tactics, and procedures that underlie this deceptive dance. Through this exploration, we aim not only to dissect the mechanics of deception but also to arm defenders with the insights needed to fortify their defenses and thwart the relentless advances of cyber adversaries.

Figure 3: A dynamic and a static view of the exports proxied to the legit DLL

Subsequently, the examined sample meticulously undertakes a comprehensive process enumeration, diligently seeking out the presence of the “RuntimeBroker.exe” entity. This intricate pursuit serves as a pivotal moment in the unfolding narrative, as it sets the stage for a series of meticulously orchestrated maneuvers that reveal the adversary’s ingenuity.

With the tenacity of a digital detective, the sample delves deeper, culminating in the decryption of a concealed shellcode nestled within the cryptic confines of the “OneDrive.Update” file. This transformation is achieved through an intricate dance of algorithms, with the shellcode being XORed with a hardcoded string—an ingenious technique that serves as a key to unlock the malevolent potential encoded within.
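The XOR step above is symmetric: the same hardcoded string that the sample uses to decrypt the blob is all an analyst needs to decode it, and when the key is not yet known it can often be read straight out of the blob wherever the underlying payload contained zero padding, because ciphertext XOR 0 is the key itself. The script below is an added analyst-side illustration of both points; it is not code from the report or from the sample, and the key, payload and the "OneDrive.Update"-style blob it works on are constructed for the example.

```python
"""Repeating-key XOR as used to unpack the page's shellcode blob, plus the key
recovery trick an analyst applies when the key is not yet known. All data below
is constructed for this example; the real key and payload are not on the page."""
from itertools import cycle
from typing import Optional


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with the key repeated end to end. The same call encrypts and
    decrypts, which is why the sample can ship one hardcoded string for both."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_padding(ciphertext: bytes, min_len: int = 4,
                             max_len: int = 32, repeats: int = 3) -> Optional[bytes]:
    """Recover a repeating XOR key from a blob whose plaintext contains a long
    run of zero bytes (padding is common in packed payloads).

    Where the plaintext is zero, ciphertext == key. Slicing the ciphertext into
    key-length chunks from offset 0 keeps the chunks aligned with the key
    repetitions, so inside the zero run `repeats` consecutive chunks are
    identical and equal to the key. Shorter lengths are tried first; a key
    shorter than min_len comes back as a multiple of itself. A run of some other
    constant byte c yields key XOR c instead, so always verify by decrypting.
    """
    for length in range(min_len, max_len + 1):
        chunks = [ciphertext[i:i + length]
                  for i in range(0, len(ciphertext) - length + 1, length)]
        for i in range(len(chunks) - repeats + 1):
            window = chunks[i:i + repeats]
            if all(c == window[0] for c in window):
                return window[0]
    return None


# Constructed stand-in for an encrypted payload: readable header, zero padding, tail.
CONSTRUCTED_KEY = b"S3cretK3y"
CONSTRUCTED_PLAINTEXT = b"constructed-plaintext-sample-for-triage" + b"\x00" * 40 + b"tail"
CONSTRUCTED_BLOB = xor_repeating(CONSTRUCTED_PLAINTEXT, CONSTRUCTED_KEY)


def triage(blob: bytes) -> Optional[bytes]:
    """Recover the key and return the decoded payload, or None if no key is found."""
    key = recover_key_from_padding(blob)
    return None if key is None else xor_repeating(blob, key)


if __name__ == "__main__":
    print("recovered key:", recover_key_from_padding(CONSTRUCTED_BLOB))
    print("decoded:", triage(CONSTRUCTED_BLOB))
```

The recovery only works when the padding run is long enough to cover several whole key periods (at least `repeats + 1` key lengths), and a payload padded with 0x90 or 0xCC rather than zeros returns the key XORed with that byte, so the decoded output should be sanity-checked before trusting the key.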

The narrative advances with a symphony of injected intent, as the decrypted shellcode takes center stage. The sample deftly leverages a sequence of operations—NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx—to breathe life into the extracted shellcode. This strategic orchestration is not just a mere act of execution; it is a carefully choreographed ballet of subversion, as the shellcode establishes its presence within the digital realm.
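Taken together, the two steps described so far give a defender a concrete chain to alert on: a Microsoft-named binary such as "OneDriveStandaloneUpdater.exe" loads a well-known system DLL name ("version.dll") from its own directory instead of System32, and the same process then creates a thread in another process ("RuntimeBroker.exe"). The script below is an added illustration of that correlation, written for this article and not taken from the report or from any tool it mentions. It runs over constructed, simplified Sysmon-style records (Event ID 7 ImageLoad, Event ID 8 CreateRemoteThread); the field names, paths and PIDs are this example's own and would need mapping onto real telemetry.

```python
"""Correlate a DLL-sideloading image load with a follow-on remote thread, in the
style of the chain on this page. Events are constructed, simplified Sysmon-style
records; the field names here are the example's own, not Sysmon's XML names."""
import ntpath

# Directories from which a genuine copy of a system DLL is expected to resolve.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Analyst-maintained list of system DLL names commonly abused for sideloading.
# version.dll and wininet.dll appear on this page; the others are well-known
# system DLLs added for illustration, and the set would be tuned per environment.
SIDELOAD_CANDIDATE_DLLS = {"version.dll", "wininet.dll", "dbghelp.dll", "userenv.dll"}


def is_sideloaded(process_image: str, dll_path: str) -> bool:
    """A known system DLL name loaded from outside the system directories, and
    from the same directory as the executable itself, is the sideloading signal."""
    dll_dir = ntpath.dirname(dll_path).lower()
    return (
        ntpath.basename(dll_path).lower() in SIDELOAD_CANDIDATE_DLLS
        and dll_dir not in SYSTEM_DLL_DIRS
        and dll_dir == ntpath.dirname(process_image).lower()
    )


def detect_sideload_then_inject(events: list) -> list:
    """Return alert strings. Stage 1 records processes that sideloaded a DLL;
    stage 2 escalates when such a process later creates a thread in another process."""
    sideloaded_pids = {}  # pid -> (process image, sideloaded dll)
    alerts = []
    for ev in events:
        if ev["id"] == 7 and is_sideloaded(ev["image"], ev["image_loaded"]):
            sideloaded_pids[ev["pid"]] = (ev["image"], ev["image_loaded"])
            alerts.append(f"sideload: pid {ev['pid']} {ev['image']} loaded {ev['image_loaded']}")
        elif (ev["id"] == 8 and ev["source_pid"] in sideloaded_pids
              and ev["target_pid"] != ev["source_pid"]):
            image, dll = sideloaded_pids[ev["source_pid"]]
            alerts.append(f"injection: pid {ev['source_pid']} {image} (sideloaded {dll}) "
                          f"created a thread in pid {ev['target_pid']} {ev['target_image']}")
    return alerts


# Constructed sample telemetry. D:\ stands for a mounted ISO; all PIDs are made up.
SAMPLE_EVENTS = [
    # Genuine updater under the user profile resolving version.dll from System32: benign.
    {"id": 7, "pid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},
    # Same binary name run from the ISO, loading version.dll sitting next to it: sideload.
    {"id": 7, "pid": 4242, "image": r"D:\OneDriveStandaloneUpdater.exe",
     "image_loaded": r"D:\version.dll"},
    # The renamed legitimate copy the proxy forwards to; its name is not a system
    # DLL name, so it is not what the check keys on.
    {"id": 7, "pid": 4242, "image": r"D:\OneDriveStandaloneUpdater.exe",
     "image_loaded": r"D:\vresion.dll"},
    # Remote thread from the sideloading process into RuntimeBroker.exe: escalate.
    {"id": 8, "source_pid": 4242, "source_image": r"D:\OneDriveStandaloneUpdater.exe",
     "target_pid": 1337, "target_image": r"C:\Windows\System32\RuntimeBroker.exe"},
    # Remote thread from a process that never sideloaded anything: not correlated.
    {"id": 8, "source_pid": 4100, "source_image": r"C:\Windows\explorer.exe",
     "target_pid": 9000, "target_image": r"C:\Windows\System32\svchost.exe"},
]


if __name__ == "__main__":
    for line in detect_sideload_then_inject(SAMPLE_EVENTS):
        print(line)
```

The first stage on its own is noisy in environments with many third-party applications that legitimately ship their own copies of these DLLs, which is why the second stage, a thread created in a different process by a process that just sideloaded, is what turns a hunting lead into an alert. Mapping this onto real Sysmon data means reading Image and ImageLoaded from Event ID 7 and SourceProcessId, TargetProcessId and TargetImage from Event ID 8.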

Within the cryptic constructs of the decrypted shellcode, a revelation of paramount significance emerges—an ephemeral connection to a Command and Control (C2) entity, the unseen puppeteer orchestrating this elaborate play. The address (193.37.254[.]27) looms as a beacon of communication, a conduit through which the adversary marshals their machinations. This connectivity, laden with implications, forms the crux of a malleable C2 profile—an attribute that underscores the adversary’s adaptability and cunning.

Figure 4 presents the decrypted shellcode in all its intricate glory. This visual representation, akin to an artist’s canvas, showcases the intricate brushstrokes of code that define the essence of the adversary’s intent. Every line, every instruction, and every nuance is unveiled, inviting us to decipher the underlying motivations and tactical maneuvers that form the core of this cyber narrative.

Figure 4: Decryption of the shellcode using XOR

Following the successful injection into the confines of the RuntimeBroker.exe process, the shellcode embarks on a sophisticated journey that showcases its dexterity and adaptability within the digital landscape. This pivotal juncture marks the commencement of a series of meticulously orchestrated actions, each layer revealing the depth of the adversary’s technical acumen.

With the precision of a master conductor, the shellcode deftly employs stackstrings as its instruments of choice. This strategic utilization serves as a testament to the shellcode’s flexibility and resourcefulness, allowing it to dynamically load a carefully curated selection of Libraries and Application Programming Interfaces (APIs). This dynamic loading process emerges as a cornerstone of the shellcode’s operational strategy—a technique that empowers it to interact with its environment, ensuring a seamless and covert execution of its intent.

In essence, the use of stackstrings forms a harmonious bridge between the shellcode and the targeted Libraries and APIs. This nuanced interaction not only underscores the sophistication of the adversary’s design but also serves as a testament to their intricate understanding of software dynamics. Through this strategic dance, the shellcode lays the foundation for a symphony of actions, orchestrating an ensemble of interactions that operate beneath the surface, concealed from prying eyes.

As the shellcode navigates through the labyrinthine network of stackstrings, its quest to load the desired Libraries and APIs unfolds with an air of precision. Each stackstring serves as a note in a grand musical composition, contributing to the creation of a melody that resonates within the digital realm. This symphonic interplay, while intricate, carries with it the potential for far-reaching consequences—enabling the shellcode to unlock new avenues of interaction, transcend boundaries, and execute its intentions with finesse.

Figure 5: Dynamic loading of the “wininet” DLL, passed as a reversed string in hex format

In pursuit of the vital references to the shared libraries crucial for its intricate dance, the shellcode embarks on a meticulous journey that takes it through the intricate terrain of the Process Environment Block (PEB). This expedition serves as a testament to the shellcode’s strategic prowess, highlighting its ability to navigate the digital landscape with precision and purpose.

Within the depths of the PEB, a hidden universe of Dynamic Link Libraries (DLLs) awaits discovery. The shellcode’s quest is not mere chance; it is a calculated pursuit driven by the imperative to locate the elusive key that will unlock its intended actions. Through the meticulous enumeration of DLLs, the shellcode diligently scans the virtual horizon, seeking out the beacon that will guide its next move.

Amid this intricate dance, the shellcode’s gaze alights upon the coveted treasure—an invocation of the LoadLibraryExA function. This function, an essential tool within the shellcode’s arsenal, possesses the unique ability to summon the potent capabilities housed within the wininet.dll library. Like a skilled locksmith with a master key, the LoadLibraryExA function unfurls the gateway to the desired library, ushering in a cascade of possibilities.

The invocation of LoadLibraryExA transcends mere technicality; it is an incantation that brings forth the powers of wininet.dll into the digital realm. This library, renowned for its network-related functionalities, assumes a pivotal role in the shellcode’s unfolding narrative. With its capabilities now at the shellcode’s disposal, a new realm of interaction and manipulation is unveiled, offering the potential to traverse the digital landscape with an air of invincibility.

In the subsequent stages of our exploration, we venture into the intricacies of the shellcode’s interaction with LoadLibraryExA and wininet.dll. Through a meticulous analysis, we aim to not only unearth the technical mechanics at play but also to grasp the strategic implications that stem from this orchestrated sequence. By peering into the heart of this interaction, we equip ourselves with the insights needed to anticipate and counter the adversary’s movements, forging a path towards a fortified digital defense.

Figure 6: Loading wininet.dll through the navigation of the PEB

Regrettably, as of the time of compiling this report, the Command and Control (C2) channel has been rendered dormant—an elusive echo in the vast expanse of the digital realm. This poignant pause underscores the fluidity of the cyber landscape, where adversaries and defenders engage in a perpetual dance, their movements often concealed within the labyrinthine corridors of the virtual domain.

Yet, the narrative doesn’t conclude with this temporary stillness. As we delve deeper into the layers of this orchestrated sequence, a multifaceted symphony of actions unfolds, each note resonating with purpose and intent. The shellcode, akin to an adept orchestrator, harnesses the power of VirtualAlloc and InternetReadFile—two indispensable tools within its expansive toolkit.

With the mastery of a virtuoso, the shellcode leverages VirtualAlloc to carve out a dedicated enclave within the virtual memory landscape. This strategic maneuver serves as a prelude to a meticulously choreographed act— the retrieval and execution of additional malicious code. The narrative unfurls as the shellcode deftly invokes InternetReadFile, an instrument that enables it to draw upon external resources, thereby extending its influence beyond the confines of its current abode.

However, the intrigue doesn’t halt there. Our investigative journey takes us beyond the confines of the shellcode’s intricate maneuvers and towards the heart of the malicious infrastructure—a realm pulsating with clandestine activities and orchestrated chaos. As we sift through the digital footprints left by this enigmatic presence, a revelation of startling significance emerges.

The numerical beacon, 193.37.254[.]27, emerges as a focal point within this sprawling landscape—a nexus that intertwines with the operations of TA542, colloquially known as the Emotet gang. This affiliation, drawn from a series of painstaking connections, hints at a complex interplay between threat actors and their tactical inspirations.

The chronicle of TA542 is marked by its undulating cadence—a rhythmic ebb and flow that occasionally dips into periods of dormancy. As we dissect the temporal tapestry, we discern a pattern, a rhythm that occasionally wanes, akin to the stillness that envelops the C2 channel. It is within these moments of dormancy that an opportunity arises, a canvas upon which related members of the gang may seek to replicate the maneuvers of the APT29 adversary.

This hypothesis takes form as an intricate web of possibilities—a daring attempt to emulate the Tactics, Techniques, and Procedures (TTPs) of APT29, not merely as an act of replication, but as a calculated endeavor to glean insights. The objective is clear—observing the reactions of unsuspecting victims when confronted with a distinct approach to threats, thus enhancing their understanding of the psychological underpinnings that govern the response to cyber intrusions.

Figure 7: VirusTotal Graph of an Emotet collection

Starting from this information, it is possible to perform additional hunting activities. We were able to find other samples having the same characteristics.


Emulating the Threat Actor

In the wake of Unit42’s comprehensive analysis, which unveiled the campaign orchestrated by APT29, a new chapter in the story unfolded—a chapter characterized by meticulous emulation of the very techniques that had been leveraged by the adversary. This emulation, a strategic endeavor undertaken by a dedicated researcher, stands as a testament to the intricate dance between cyber adversaries and defenders, each move and countermove serving to shape the ever-evolving battlefield.

An inherent complexity underscores the process of emulation, one that demands both technical finesse and an astute understanding of the adversary’s playbook. This replication of tactics, techniques, and procedures (TTPs) is far from a mere academic exercise; it serves as a powerful tool that can be harnessed by both malevolent threat actors and astute defenders.

Within this multifaceted arena, the concept of emulation dances delicately on a precipice—a double-edged sword that bears implications for both sides of the digital divide. From the perspective of threat actors, the newfound accessibility to these emulated techniques introduces a paradigm shift. Even those with limited technical prowess, often colloquially referred to as “script kiddies,” now possess the potential to wield sophisticated tactics that were once reserved for the realm of the adept.

This democratization of tactics can cast a wider net of danger, potentially exposing an expanded pool of victims to the intricate web woven by these emulated techniques. The barrier to entry, once formidable, has been lowered, enabling a broader spectrum of adversaries to deploy sophisticated attacks with potentially devastating consequences.

Yet, the story takes an intriguing twist—a twist that underscores the potential for defenders to wield emulation as a potent instrument of resilience. Here, the concept of adversary simulation takes center stage, transforming emulation into a strategic asset for the blue team. By replicating the maneuvers of real-world adversaries, defenders gain an invaluable opportunity to test and fortify their defenses against a constantly evolving threat landscape.

The power of adversary simulation lies in its ability to bridge the chasm between theoretical knowledge and practical application. Through emulation, red team companies, armed with insights into the adversary’s modus operandi, can execute actions that closely mirror those of actual threat actors. This exercise serves to illuminate blind spots, identify vulnerabilities, and fine-tune defensive strategies, thereby creating a fortified digital bastion that can withstand the relentless advances of cyber adversaries.

Figure 8: GitHub description of the project

The project contains two versions, the DLL based on the original payload and an EXE version for debugging purposes.

Figure 9: Comparison of the DLL version (on the left) and EXE version (on the right)

We managed to compile the project in order to verify its actual functionality. We then compared our compiled DLL against the malicious one: they are identical except for the character “s” added to the XOR key.
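To make the decode loop that the Yara rules at the end of the post signature concrete, here is an added Python example (not code from the Yoroi report or from the GitHub project) that re-implements the repeating-key XOR loop with the constants from the EXE disassembly (key index wrapping at 0x1C, 0x328 bytes processed) and shows how a key that differs only by an appended “s”, as between the project and the sample, changes the encoded bytes while the loop itself, and therefore the byte-pattern signature, stays the same. The key and stage bytes below are constructed for the demo, not the real ones.

```python
# Added example, not code from the Yoroi write-up or the GitHub project:
# re-implementation of the repeating-key XOR loop that the Yara rules signature.

KEY_LEN_EXE = 0x1C       # "cmp rax, 1Ch": key index wraps after 28 bytes
PAYLOAD_LEN_EXE = 0x328  # "cmp r8d, 328h": 808 encoded bytes are processed

def xor_loop(data: bytes, key: bytes) -> bytes:
    """Mirror the signatured loop: when the key index reaches len(key) the
    cmovnz resets it to 0; each byte is XORed with key[idx] in place."""
    out = bytearray(data)
    idx = 0
    for i in range(len(out)):
        if idx == len(key):      # cmp rax, KEY_LEN ; cmovnz keeps idx unless equal
            idx = 0
        out[i] ^= key[idx]       # movzx eax, key[rcx] ; xor [rdx-1], al
        idx += 1                 # lea rax, [rcx+1]
    return bytes(out)

def diff_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length buffers differ (a plain byte diff of
    the kind used to compare the compiled DLL with the sample)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed demo values (not the real key or stage): a 28-byte project key and
# the same key with "s" appended, as observed between project and sample.
PROJECT_KEY = b"example-project-key-for-demo"
SAMPLE_KEY = PROJECT_KEY + b"s"

def demo() -> dict:
    stage = bytes(range(256)) * 3 + bytes(40)   # constructed 0x328-byte stage
    assert len(stage) == PAYLOAD_LEN_EXE and len(PROJECT_KEY) == KEY_LEN_EXE
    enc_project = xor_loop(stage, PROJECT_KEY)
    enc_sample = xor_loop(stage, SAMPLE_KEY)
    diffs = diff_offsets(enc_project, enc_sample)
    return {
        "roundtrip_ok": xor_loop(enc_project, PROJECT_KEY) == stage,
        # encoded streams are identical until the shorter key wraps at 28
        "first_differing_offset": diffs[0],
        "differing_count": len(diffs),
        # the project key cannot decode the sample: same loop, different key
        "wrong_key_recovers_stage": xor_loop(enc_sample, PROJECT_KEY) == stage,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hash of each sample changes with the key, which is why the post hunts on the loop's byte pattern rather than on file hashes.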

Figure 10: Comparison of the DLL compiled by us against the malicious one executing CobaltStrike

Conclusion

Embedded within the pages of the Yoroi Annual Report for the year 2022, a prescient declaration emerged—a prophecy that foretold the emergence of a year characterized by the proliferation of what can be termed “exotic” filetypes. This prophecy found its roots in the shifting dynamics of the cyber landscape, where a notable alteration in the default settings of Microsoft Office documents had profound ripple effects.

The disabling, by default, of macros within Microsoft Office documents heralded a paradigm shift in the tactics wielded by threat actors. Faced with this newfound barrier, a swift adaptation became imperative, propelling threat actors to explore uncharted territory. Thus, an era of innovation dawned, as malicious forces turned their attention towards the development of a diverse array of nefarious conduits—malicious PDFs, XLL files, JavaScript scripts, and, as so eloquently elucidated within this blogpost, archives.

However, the mechanics of this transformation unveiled a fascinating conundrum—a reliance on augmented user interaction. No longer could malware propagate through passive exploitation; instead, a strategic coaxing of the human element was necessitated. The user, an unwitting participant, was beckoned to unseal the encrypted archives, to peer into the contained documents, to click where they were bidden. Thus, the machinations of the adversary now transcended the realm of code, permeating the realm of psychology and persuasion.

Within this context, the attackers found themselves presented with a new challenge, one that required a heightened mastery of the art of social engineering. The arsenal of tactics expanded, encompassing an array of ploys and ruses aimed at luring victims into a web of deceit. The attackers, akin to master puppeteers, endeavored to orchestrate scenarios that would lead their victims down the treacherous path towards compromise.

Yet, the tapestry of this narrative isn’t woven solely by the hands of malevolent forces. Defenders, ever vigilant in their quest to safeguard the digital realm, rise to meet this challenge head-on. A symphony of strategic maneuvers takes center stage, where security awareness campaigns and the deployment of cutting-edge technologies converge to form a formidable defense against the onslaught of evolving malware vectors.

In this symphony, a recurring motif emerges—a gradual escalation in the complexity and sophistication of attack chains. From the perspective of the adversary, this evolution demands the honing of social engineering skills to the pinnacle of mastery. The defender, on the other hand, grapples with a different facet of this intricate dance—a need to equip the digital terrain with the right tools and insights capable of unraveling the intricate threads of the adversary’s machinations.

The realization dawns that the replication of the Tactics, Techniques, and Procedures (TTPs) employed by even the most sophisticated threat actors can be accomplished with a disarming ease. However, this revelation, far from a moment of despair, stands as a catalyst for renewed fortification. It serves as a clarion call to bolster the foundations of security posture, to strengthen the bulwarks that guard the digital gateways of organizations.

In the final measures of this symphony, the spotlight turns towards ethical hacking activities—an arena where these replicated TTPs transform into powerful instruments for resilience testing. The ethical hacker, armed with insights into the adversary’s playbook, navigates the landscape with a dual purpose—unveiling vulnerabilities and weaknesses, while simultaneously fostering a culture of proactive defense.

Indicators of Compromise

  • C2
    • 193.37.254.]27

Yara Rules

rule onedriveupdate_exe_repackage
{
    /*
    4240201a9d957a01676ab7165d112d03c7dbdba7b34778407e7b73344b3fd158
    */
    meta:
        author = "Yoroi Malware ZLab"
        description = "Rule for OneDriveUpdate EXE Repackage"
        last_updated = "2023-07-27"
        tlp = "WHITE"
        category = "informational"
    strings:
        $1 = {4? 83 f8 ?? 4? 8d 52 01 4? 8b ?? 4? 0f 45 c8 4? ff c0 0f b6 84 ?? ?? ?? ?? ?? 30 4? ?? 4? 8d 41 01 4? 81 f8 ?? ?? ?? ??}
        /*
        .text:0000000140001660 48 83 F8 1C                             cmp     rax, 1Ch
        .text:0000000140001664 48 8D 52 01                             lea     rdx, [rdx+1]
        .text:0000000140001668 48 8B CE                                mov     rcx, rsi
        .text:000000014000166B 48 0F 45 C8                             cmovnz  rcx, rax
        .text:000000014000166F 41 FF C0                                inc     r8d
        .text:0000000140001672 0F B6 84 0D 18 01 00 00                 movzx   eax, [rbp+rcx+480h+var_368]
        .text:000000014000167A 30 42 FF                                xor     [rdx-1], al
        .text:000000014000167D 48 8D 41 01                             lea     rax, [rcx+1]
        .text:0000000140001681 41 81 F8 28 03 00 00                    cmp     r8d, 328h
        */
    condition:
        $1
}

rule onedriveupdate_dll_repackage
{
    /*
    6f08ce39072bdacf4a98578ca6b508b68b2c78ed2a378c73a1c87595f9d0c591
    a855012a9e198837eae04295de56d28e9258da1e933c56805b39b1f8d0d03c56
    bcc7c41209afcf67858b3ef80f0afa1eabf2e4faadcaa23bacc9aa5d57b9d836
    c8ca2199aabae9af5c59e658d11a41f76af4576204c23bf5762825171c56e5e8
    f62e0ec08b15f9a4f3178c77ad540bd7369d1341472fdcbc88aecc0ed29c0387
    */
    meta:
        author = "Yoroi Malware ZLab"
        description = "Rule for OneDriveUpdate DLL Repackage"
        last_updated = "2023-07-27"
        tlp = "WHITE"
        category = "informational"
    strings:
        $1 = {4? 83 f8 ?? 4? 8d 5? ?? 4? 8b cf 4? 0f 45 c8 4? ff c1 0f b6 84 0d 18 01 00 00 4? 8d 41 01 30 42 ff 4? 63 c1 4? 3b c7}
        /*
        .text:00000001800012E0 49 83 F8 1C                             cmp     r8, 1Ch
        .text:00000001800012E4 48 8D 52 01                             lea     rdx, [rdx+1]
        .text:00000001800012E8 49 8B CF                                mov     rcx, r15
        .text:00000001800012EB 49 0F 45 C8                             cmovnz  rcx, r8
        .text:00000001800012EF 41 FF C1                                inc     r9d
        .text:00000001800012F2 0F B6 84 0D 18 01 00 00                 movzx   eax, [rbp+rcx+150h+var_38]
        .text:00000001800012FA 4C 8D 41 01                             lea     r8, [rcx+1]
        .text:00000001800012FE 30 42 FF                                xor     [rdx-1], al
        .text:0000000180001301 49 63 C1                                movsxd  rax, r9d
        .text:0000000180001304 48 3B C7                                cmp     rax, rdi
        */
    condition:
        $1
}

References

Originally published by Yoroi: How an APT technique turns to be a public Red Team Project

Posted by admin on 11 September 2023 at 21:36.
