Stories from the SOC Part 1: IDAT Loader to BruteRatel

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers’ environments, identifying emerging threats and developing new detections.
Rapid7 的托管检测和响应 (MDR) 团队持续监控客户的环境,识别新出现的威胁并开发新的检测方法。

In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim’s system. What made the IDAT Loader unique was the way in which it retrieved data from PNG files, searching for offsets beginning with 49 44 41 54 (IDAT).
2023 年 8 月,Rapid7 发现了一个名为 IDAT Loader 的新恶意软件加载程序。恶意软件加载程序是一种恶意软件,旨在将其他恶意软件传递和执行到受害者的系统上。IDAT 加载程序的独特之处在于它从 PNG 文件中检索数据的方式,搜索以 49 44 41 54 (IDAT) 开头的偏移量。

At the time, the loader was seen being distributed via a FakeUpdates campaign. In two recent investigations, Rapid7’s Managed Detection & Response (MDR) observed the loader being used again. Based on the recent tactics, techniques and procedures observed (TTPs), we believe the activity is associated with financially motivated threat groups.
当时,人们看到加载器是通过 FakeUpdates 活动分发的。在最近的两项调查中,Rapid7 的托管检测和响应 (MDR) 观察到装载机再次被使用。根据最近观察到的策略、技术和程序 (TTP),我们认为该活动与出于经济动机的威胁组织有关。

In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected. The incidents discussed in the series stem from opportunistic infections, wherein threat groups utilize malvertising and drive-by downloads in order to have their initial malicious payloads executed by users.

This first installment focuses on an incident triggered by a user downloading an application, which subsequently triggered the execution of the IDAT Loader and the BruteRatel C4 (BRC4) framework following initial access to a compromised asset.
第一部分重点介绍用户下载应用程序触发的事件,该事件随后在初始访问受损资产后触发了 IDAT Loader 和 BruteRatel C4 (BRC4) 框架的执行。

Technical Analysis 技术分析

Stage 1: The drive by
第 1 阶段:开车经过

In a recent incident, we observed a user navigate to a website that hosted popular Korean shows. Upon attempting to watch the video, the website redirected the user’s browser through multiple websites, eventually leading to the download of an application named AppFile_v1.1.exe. Threat actors utilize website redirection in order to make it difficult for network technologies to scan links for malicious content.
在最近的一次事件中,我们观察到一个用户导航到一个托管热门韩国节目的网站。在尝试观看视频时,该网站通过多个网站重定向了用户的浏览器,最终导致下载了一个名为 AppFile_v1.1.exe 的应用程序。威胁行为者利用网站重定向,使网络技术难以扫描链接中的恶意内容。

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 1 – Attack Flow
图1 – 攻击流

Binary Analysis: Shaking off the Rust

After initial analysis of the binary AppFile_v1.1.exe, we determined the program was written in Rust.
在对二进制AppFile_v1.1.exe进行初步分析后,我们确定该程序是用 Rust 编写的。

During execution, the program will query the name of the executable. If the executable’s name matches AppFile_v1.1.exe, the program will continue. Most sandboxes will rename the files (sometimes based on the hash) of submitted programs. This technique helps to evade sandboxes, ensuring the malicious functions are not run. If the program name does not match its original intended name,  the program will quit and display an error message, showing an image that a web page could not be loaded.

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 2 – Error messages displayed by AppFile_v1.1.exe when checks fail
图2 — 检查失败时AppFile_v1.1.exe显示的错误消息

Next, the program will check to see if it resides within a debugger by querying the function IsDebuggerPresent. If the check passes, it will decrypt a hard-coded string that resolves to “Normal”. If not, the program will decrypt another hard-coded string that resolves to “Debugger” and then exit.
接下来,程序将通过查询函数 IsDebuggerPresent 来检查它是否驻留在调试器中。如果检查通过,它将解密解密解析为“正常”的硬编码字符串。如果没有,程序将解密另一个解析为“调试器”的硬编码字符串,然后退出。

Once the anti-debug check passes, the program retrieves an encrypted string and XOR decrypts it, revealing the URL hxxps://cdn-network-services-001[.]com/update/minor/1/release.json.
一旦反调试检查通过,程序就会检索一个加密的字符串,然后 XOR 对其进行解密,从而显示 URL hxxps://cdn-network-services-001[.]com/update/minor/1/release.json。

The program will then perform anti-analysis techniques, specifically querying for the username and open process and comparing them to a list of known sandbox usernames and tools. The list of usernames and processes are also XOR-encrypted and are decrypted at runtime. Based on Open Source Intelligence, we determined that another malware known as Serpent Stealer contained a similar table of user names. See Appendix A below for the complete list.
然后,该程序将执行反分析技术,特别是查询用户名和打开的进程,并将它们与已知的沙盒用户名和工具列表进行比较。用户名和进程列表也经过异或加密,并在运行时解密。根据开源情报,我们确定另一种名为 Serpent Stealer 的恶意软件包含类似的用户名表。有关完整列表,请参阅下面的附录 A。

Usernames Known Sandbox ToolsProcesses
hbyldjtckyn1 httpdebuggerui.exe
lubi53an14cu immunitydebugger.exe
rgzcbuyrznreg ksdumperclient.exe
8lnfaai9qdjr httpanalyzerstdv7.exe
j6sha37ka J6SHA37Ka型 ida64.exe

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 3 – Sample Output from x64Debugger showing list of processes to check for
图3 — x64Debugger的示例输出显示要检查的进程列表

If any of the checks fail, the program will exit and display the message box. If the checks pass, the program will then utilize Rust library tokio-1.32.0/src/net/tcp/ in order to read in data from the decrypted URL and store the contents in memory.
如果任何检查失败,程序将退出并显示消息框。如果检查通过,程序将利用 Rust 库 tokio-1.32.0/src/net/tcp/ 从解密的 URL 中读取数据并将内容存储在内存中。

Upon initial analysis, the downloaded data appeared to be encoded. Subsequently, the data is passed into a function tasked with decoding it. The decoding process involves reading each byte and subtracting the hexadecimal value 32.
经过初步分析,下载的数据似乎是编码的。随后,数据被传递到负责解码的函数中。解码过程包括读取每个字节并减去十六进制值 32。

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 4 – Data Decoding Routine
图4 – 数据解码例程

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 5 – Decoded downloaded bytes using CyberChef
图 5 – 使用 CyberChef 解码下载的字节

After the downloaded data is decoded, the program XOR decrypts another string, revealing a path to the executable C:\Windows\system32\werfault.exe. Using syscalls, the program then does the following:
对下载的数据进行解码后,程序 XOR 会解密另一个字符串,从而显示可执行文件 C:\Windows\system32\werfault.exe 的路径。然后,使用系统调用,程序执行以下操作:

Windows API Function Syscall ID Description
NtOpenProcess NtOpen进程 0x0026 Used to start the process werfault.exe
NtCreateUserProcess 0x00c8 Used for spoofing Parent Process ID (PPID)
用于欺骗父进程 ID (PPID)
NtAllocateVirtualMemory 0x0018 Allocate new space within memory, storing the new executable
NtGetContextThread 0x00F2 Used to retrieve the context of a thread within the target process (werfault.exe).
用于检索目标进程 (werfault.exe) 中线程的上下文。
The thread in this case is a pointer to the entry point of the new executable
NtSetContextThread NtSetContext线程 0x0018B Used to point to the thread from NtGetContextThread
用于指向 NtGetContextThread 中的线程
NtResumeThread NtResume线程 0x0052 Starts the thread set by NtSetContextThread
启动 NtSetContextThread 设置的线程

After analysis of the decoded binary, we determined that it was another executable written in Rust. The program’s executable contains a zip archive within the .rdata section. During execution, the program generates a folder with a randomly generated name in the %TEMP% directory and extracts the contents of the archive into this newly created folder.
在分析了解码的二进制文件后,我们确定它是另一个用 Rust 编写的可执行文件。该程序的可执行文件在 .rdata 部分包含一个 zip 存档。在执行过程中,程序会在 %TEMP% 目录中生成一个具有随机生成名称的文件夹,并将存档的内容提取到这个新创建的文件夹中。

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 6 – ZIP Archive Contained Within New Rust Executable
图6 – 新 Rust 可执行文件中包含的 ZIP 存档

The archive contained a DLL, msidcrl40.dll, an executable named live.exe and an encrypted file, dynatron.mdb. Initial analysis of the DLL msidcrl40.dll showed that the DLL’s signature was corrupted, indicating the DLL was tampered with. Further analysis showed that the DLL contained code related to the IDAT Loader.
存档包含一个 DLL、msidcrl40.dll、一个可执行namedlive.exe和一个加密文件 dynatron.mdb。对 DLL msidcrl40.dll的初步分析表明 DLL 的签名已损坏,表明 DLL 已被篡改。进一步的分析表明,DLL 包含与 IDAT 加载程序相关的代码。

IDAT Loader IDAT装载机

After the rust program drops the contents of the zip archive, it then proceeds to execute the binary live.exe, which sideloads the DLL, msidcrl40.dll, containing the IDAT Loader code.
在 rust 程序删除 zip 存档的内容后,它继续执行二进制live.exe,该二进制旁加载包含 IDAT 加载程序代码的 DLL msidcrl40.dll。

After the binary live.exe loads the DLL msidcrl40.dll, the DLL executes the function containing  the IDAT Loader. The loader then reads in encrypted contents contained within the file dynatron.mdb, searching for the offset 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After decrypting the contents, the loader will then decompress the contents using RtlDecompressBuffer and execute additional code into a newly created process, cmd.exe.
binarylive.exe加载 DLL msidcrl40.dll后,DLL 将执行包含 IDAT 加载程序的函数。然后,加载程序读取文件dynatron.mdb中包含的加密内容,搜索偏移量 49 44 41 54 (IDAT),后跟 C6 A5 79 EA。解密内容后,加载程序将使用 RtlDecompressBuffer 解压缩内容,并在新创建的进程 cmd.exe 中执行其他代码。

The IDAT loader employs advanced techniques such as Process Doppelgänging and the Heaven’s Gate technique in order to initiate new processes and inject additional code.

The code contained within cmd.exe is responsible for decrypting the final payload and injecting it into a newly created process, msbuild.exe.

Using our IDAT Loader config extractor, we were able to extract the final payload and determined that it was SecTop RAT. During execution of the SecTop RAT, we observed that it communicated with the IP address 152.89.217[.]215.
使用我们的 IDAT Loader 配置提取器,我们能够提取最终有效载荷并确定它是 SecTop RAT。在执行 SecTop RAT 期间,我们观察到它与 IP 地址 152.89.217[.]215.

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 7 – SecTop RAT payload extracted by our IDAT Loader Python Script
图 7 – IDAT Loader Python 脚本提取的 SecTop RAT 有效负载Figure 7 – SecTop RAT payload extracted by our IDAT Loader Python Script

Post-Exploitation: BRC4 Deployment
开发后:BRC4 部署

After the SecTop RAT was executed successfully, Rapid7 observed follow-on activity in which the threat actor executed another version of the IDAT loader from within the folder path C:\ProgramData\. We observed the following related files were dropped by the threat actor into C:\ProgramData:
成功执行 SecTop RAT 后,Rapid7 观察到后续活动,其中威胁参与者从文件夹路径 C:\ProgramData\ 中执行了另一个版本的 IDAT 加载程序。我们观察到威胁参与者将以下相关文件拖放到 C:\ProgramData 中:

Files Description
glib-2.0.dll Benign executable loaded by rvm.exe
由 rvm.exe 加载的良性可执行文件
iconv.dll Benign executable loaded by rvm.exe
由 rvm.exe 加载的良性可执行文件
intl.dll Benign executable loaded by rvm.exe
由 rvm.exe 加载的良性可执行文件
rvm.exe Legitimate executable that loads vmtools.dll during execution
spank.mpg Encrypted file containing IDAT sections, read in by vmtools.dll
vmtools.dll Tampered DLL containing IDAT Loader, loaded by rvm.exe
被篡改的 DLL 包含 IDAT Loader,由 rvm.exe 加载

After analysis of the files, we determined that rvm.exe was a renamed executable rvmsetup.exe, a legitimate tool that is a part of the VMWare Tools toolset. The binary is used to join a VMWare source virtual machine to an active directory domain. We also observed that the binary vmtools.dll had a corrupted signature, indicating the binary’s code was tampered with. We observed that the DLL vmtools.dll contained code related to the IDAT Loader.
在分析文件后,我们确定rvm.exe是一个重命名的可执行rvmsetup.exe,这是一个合法工具,是 VMWare 工具集的一部分。二进制文件用于将 VMWare 源虚拟机加入 Active Directory 域。我们还观察到binaryvmtools.dll的签名已损坏,表明二进制文件的代码被篡改。我们观察到 DLL vmtools.dll包含与 IDAT 加载程序相关的代码。

During execution of the executable, rvm.exe, the program loads vmtools.dll. After vmtools.dll is loaded, the DLL is directed to execute a function that contains the IDAT Loader. The IDAT Loader proceeds to read in contents from within spank.mpg, searching for the same offset, 49 44 41 54 (IDAT) followed by C6 A5 79 EA. After decrypting the contents within spank.mpg, the IDAT Loader spawns a new process, cmd.exe, injecting additional code that is responsible for decrypting the final payload and injecting it into a newly created process, explorer.exe.
在执行可执行文件 rvm.exe 期间,程序会加载vmtools.dll。加载vmtools.dll后,DLL 被定向执行包含 IDAT 加载程序的函数。IDAT 加载程序继续从 spank.mpg 中读取内容,搜索相同的偏移量 49 44 41 54 (IDAT),后跟 C6 A5 79 EA。解密spank.mpg中的内容后,IDAT 加载程序会生成一个新进程 cmd.exe,注入负责解密最终有效负载并将其注入新创建的进程 explorer.exe。

Using our static config extractor, we extracted the final payload, a 64-bit executable. During initial analysis of the final payload, we observed that the program utilized the API functions VirtualAlloc and VirtualProtectDuring execution of the program, it utilized VirtualAlloc to read in and store additional code, including encrypted data, into a new region of memory. The program then called upon the function VirtualProtect, changing the newly allocated region of memory (containing the new code) to be executable. We also observed the 64 bit executable (obtained from the IDAT Loader python script) had the capability to perform process hollowing by starting a new process, notepad.exe, and injecting the code into the newly created process.
使用我们的静态配置提取器,我们提取了最终的有效负载,一个 64 位可执行文件。在对最终有效载荷的初步分析中,我们观察到该程序利用了 API 函数 VirtualAlloc 和 VirtualProtect。在程序执行期间,它利用 VirtualAlloc 将其他代码(包括加密数据)读入并存储到新的内存区域中。然后,程序调用函数 VirtualProtect,将新分配的内存区域(包含新代码)更改为可执行的。我们还观察到 64 位可执行文件(从 IDAT Loader python 脚本获取)能够通过启动新进程、notepad.exe并将代码注入新创建的进程来执行进程空心化。

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 8 – Final Payload showing Injection into notepad.exe
图8 – 显示注入notepad.exe的最终有效载荷

The newly allocated code was responsible for decrypting the encrypted data using RC4, copying the decrypted code into an allocated memory buffer via VirtualAlloc, and setting the memory buffer to have executable permission using VirtualProtect. Rapid7 determined the decrypted code was a Brute Ratel C4 (BRC4) “badger”.
新分配的代码负责使用 RC4 解密加密数据,通过 VirtualAlloc 将解密的代码复制到分配的内存缓冲区中,并使用 VirtualProtect 将内存缓冲区设置为具有可执行权限。Rapid7 确定解密的代码是 Brute Ratel C4 (BRC4) “badger”。

Brute Ratel originated as a post-exploitation tool intended for penetration testers, designed to mimic adversary tactics as of December 2020. Its development aimed to replicate the functionality of established Command and Control (C2) software like Cobalt Strike, Mythic and Sliver. Following a successful compromise of a target, the attacker deploys the Brute Ratel “badger,” tasked with establishing communication with the attacker’s Command and Control domain.
Brute Ratel 起源于一种用于渗透测试人员的开发后工具,旨在模仿截至 2020 年 12 月的对手战术。它的开发旨在复制已建立的命令和控制(C2)软件的功能,如Cobalt Strike,Mythic和Sliver。在成功入侵目标后,攻击者会部署 Brute Ratel“獾”,其任务是与攻击者的命令和控制域建立通信。

During execution of the BRC4 program, we observed that it reached out to the domain updatenazure[.]com.
在执行 BRC4 程序期间,我们观察到它到达了域 updatenazure[.]com。

Stories from the SOC Part 1: IDAT Loader to BruteRatel
Figure 9 – Debugging BRC4 C2 Communication
图9 – 调试BRC4 C2通信

After the BRC4 program was executed, we observed the threat actor attempting to enumerate the domain controller by using the command nltest /dclist.
执行 BRC4 程序后,我们观察到威胁参与者尝试使用命令 nltest /dclist 枚举域控制器。

Rapid7 Customers Rapid7 客户

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections deployed and alerting on activity described:
InsightIDR 和 Managed Detection and Response 客户通过 Rapid7 广泛的检测规则库拥有现有的检测覆盖范围。Rapid7 建议在所有适用的主机上安装 Insight Agent,以确保对可疑进程的可见性和适当的检测范围。下面是已部署的检测和所述活动警报的非详尽列表:

  • Network Discovery – Nltest Enumerate Domain Controllers
    网络发现 – Nltest 枚举域控制器
  • Suspicious Process – Execution From Root of ProgramData
    可疑进程 – 从程序数据根目录执行
  • Suspicious Process – PowerShell Uncommon Upper And Lower Case Combinations
    可疑进程 – PowerShell 不常见的大写和小写组合
  • Suspicious Process – explorer.exe in Non-Standard Location
    可疑进程 – explorer.exe在非标准位置

Appendix A: Known Sandbox Usernames and Analysis Tools
附录 A:已知沙盒用户名和分析工具

Usernames Processes
hbyldjtckyn1 httpdebuggerui.exe
lubi53an14cu immunitydebugger.exe
rgzcbuyrznreg ksdumperclient.exe
8lnfaai9qdjr httpanalyzerstdv7.exe
j6sha37ka J6SHA37Ka型 ida64.exe
keecfmwgj 32dbg.exe
pwouqdtdq 64dbg.exe
qmis5df7u protection_id.exe
txwas1m2t vmsrvc.exe
uox1tzamo x32dbg.exe
rb5bnfur2 x64dbg.exe
cm0uegn4do x96dbg.exe
douyo8rv71 斗友8RV71 prl_cc.exe
paul jones 保罗·琼斯 windbg.exe
pxmduopvyx scylla.exe
fnbdsldtxy idau64.exe
gexwjqdjxg idaq64.exe
gjam1nxxvm idag64.exe
jcotj17dzx JCOTJ17DZX系列 taskmgr.exe
05kvauqkpqk5 procexp.exe
64f2tkiqo5k5h procmon.exe
of20xqh4vl fiddler.exe
harry johnson 哈里·约翰逊 dumpcap.exe
4tgiizslims df5serv.exe
bvjchrpnsxn ollydbg.exe
kfu0lqwgx5p rdpclip.exe
nok4zg7zhof NOK4ZG7ZHof(诺克4ZG7ZHOF酒店) vmusrvc.exe
ogjb6gqgk0o5 qemu-ga.exe
xplyvzr8sgc vboxtray.exe
ykj0egq7fze vmtoolsd.exe
ryjijkiroms pestudio.exe
nzap7ubvas1 vmacthlp.exe
9yjcpseyimh procexp64.exe
uhuqiuwoefu  wireshark.exe
6o4kyhhjxbir prl_tools.exe
7wjlgx7pjlw4 importrec.exe
8nl0colnq5bq vmwaretray.exe
g2dbyldgzz8yo vmwareuser.exe
pqonjhvwexsst xenservice.exe
rdhj0cnfevzxf scylla_x86.exe
xmimmckziitdl scylla_x64.exe
l3cnbb8ar5b8 vboxservice.exe
sal.rosenburg 萨尔·罗森堡
defaultaccount 默认帐户
wdagutilityaccount wdagutility帐户


Tactics Techniques Details
Initial Access 初始访问 Drive-by Compromise (T1189)
偷渡式妥协 (T1189)
Threat Actors utilize drive-by downloads in order to direct browsers to download their initial payloads without users consent
Execution 执行 User Execution: Malicious File (T1204.002)
用户执行:恶意文件 (T1204.002)
Users execute the binary AppFile_v1.1.exe
Execution 执行 Native API (T1106) 本机 API (T1106) The IDAT injector and IDAT loader are using Heaven’s Gate technique to evade detection
Defense Evasion 防御规避 Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)
劫持执行流:DLL 搜索顺序劫持 (T1574.001)
run.exe loads a malicious wbxtrace.dll
Defense Evasion 防御规避 Process Injection (T1055)
工艺注入 (T1055)
IDAT injector implements NtCreateSection + NtMapViewOfSection Code Injection technique to inject into cmd.exe process
IDAT 注入器实现 NtCreateSection + NtMapViewOfSection 代码注入技术以注入到cmd.exe进程中
Defense Evasion 防御规避 Deobfuscate/Decode Files or Information (T1140)
对文件或信息进行反混淆/解码 (T1140)
msidcrl40.dll decrypts dynatron.mdb
Defense Evasion 防御规避 Process Injection: Process Doppelgänging (T1055.013)
工艺注入:工艺分身 (T1055.013)
IDAT loader implements Process Doppelgänging technique to load the SecTop RAT
IDAT 加载器实现进程分身技术来加载 SecTop RAT
Defense Evasion 防御规避 Masquerading (T1036) 伪装 (T1036) dynatron.mdb file masqueraded to a .png file
Defense Evasion 防御规避 Virtualization/Sandbox Evasion: Time Based Evasion (T1497.003)
虚拟化/沙盒规避:基于时间的规避 (T1497.003)
Execution delays are performed by several stages throughout the attack flow

IOCs 国际奥委会

IOC Sha256 Notes
AppFile_v1.1.exe A3A5E7011335A2284E2D4F73FD464FF129F0C9276878A054C1932BC50608584B Rust Loader responsible for downloading IDAT Loader
Rust Loader 负责下载 IDAT Loader
msidcrl40.dll 02D5E281689EC2D4AB8AC19C93321A09113E5D8FA39380A7021580EA1887B7A5 Malicious DLL executed by live.exe
dynatron.mdb C5C52331B208CAD19DC710786E26AC55090FFCA937410D76C53569D731F0BB92 Encrypted payload decrypted by msidcrl40.dll
由 msidcrl40.dll 解密的加密有效负载
vmtools.dll BEFE0DF365F0E2DC05225470E45FDF03609F098A526D617C478B81AC6BB9147F Malicious DLL executed by rvm.exe
spank.mpg E05E561C5118EFDBCA113CA231C527B62E59A4BFFAE3BD374F7B4FCDD10E7D90 Encrypted payload decrypted by vmtools.dll
由 vmtools.dll 解密的加密有效负载
hxxps://cdn-network-services-001[.]com/update/minor/1/release.json Downloads additional Rust binary containing IDAT Loader
下载包含 IDAT Loader 的其他 Rust 二进制文件
152.89.217[.]215 SecTop RAT domain SecTop RAT 域名
updatenazure[.]com BRC4 Domain BRC4 域名

References 引用

Article URL
Uncovering the “Serpent”
Process Doppelgänging 工艺分身
Analysis of “Heaven’s Gate” part 1
A Deep Dive Into Malicious Direct Syscall Detection
Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
虚假更新利用新的 IDAT 加载程序执行 StealC 和 Lumma 信息窃取程序

Rapid7 Labs GitHub Config Extractors/ 配置提取器/

原文始发于Tom Elkins:Stories from the SOC Part 1: IDAT Loader to BruteRatel

版权声明:admin 发表于 2024年4月7日 下午9:08。
转载请注明:Stories from the SOC Part 1: IDAT Loader to BruteRatel | CTF导航