Group-IB's experts have used graph analysis for many years to identify connections of various kinds while investigating incidents involving phishing, botnets, fraudulent transactions and criminal hacker groups. Each class of case had its own datasets, its own algorithms for identifying links, and interfaces tuned to the task at hand. All of these tools were developed in-house at Group-IB and were available only to our employees.
Graph analysis of network infrastructure (the network graph) became the first internal tool to be built into all of our public products. Before creating the network graph we analysed many similar developments on the market, and not one product met our needs. This article describes how the network graph was built, how it is used, and what difficulties we ran into.
Dmitry Volkov, CTO of Group-IB and Head of Cyber Intelligence
What can the Group-IB network graph do?
Investigations
From Group-IB's founding in 2003 to the present day, identifying cybercriminals, exposing them and bringing them to court has been the top priority of our work. Not one cyberattack investigation was ever completed without analysing the attackers' network infrastructure. At the start of our journey, searching for relationships that might help identify the criminal (information such as domain names, IP addresses and digital fingerprints of servers) was painstaking manual work.
Most attackers try to act as anonymously as possible on the network. But, like everyone else, they make mistakes. The main goal of this kind of analysis is to find the attacker's historical "white" or "grey" projects that intersect with the malicious infrastructure used in the current incident under investigation. If a "white project" can be found, finding the attacker usually becomes a simple task. In the "grey" case the owner tries to anonymise or hide the registration data, so the search takes more time and effort, but the chances are still very high. In general, at the early stages of criminal activity attackers pay little attention to their own security and make many mistakes, so the deeper we can dig into the story, the higher the chance that the investigation succeeds. This is why a network graph with a good history is such an important element of these investigations. Put simply, the deeper the historical data a company holds, the better its graph. Roughly speaking, a 5-year history helps solve 1 to 2 crimes out of 10, while a 15-year history gives a chance of solving all ten.
Detecting phishing and fraud
Every time we receive a suspicious link to a phishing, fraud or piracy resource, we automatically build a graph of the related network resources and check every host found for similar content. This lets us find both old phishing sites that are active but unknown and brand-new ones that are being prepared for future attacks and are not yet in use. A basic example that comes up very often: a phishing site is found on a server hosting only 5 sites. Checking each of them, phishing content is found on the other sites too, which means five sites can be blocked instead of one.
Finding backends
This process is needed to determine where a malicious server is actually located.
99% of card shops, hacker forums, many phishing resources and other malicious servers are hidden both behind their own proxy servers and behind the proxies of legitimate services (Cloudflare, for example). Knowledge of the real backend is extremely important for an investigation: it makes it possible to determine the hosting provider from which the server can be seized and to build links to other malicious projects.
For example, suppose there is a phishing site collecting bank card data that resolves to IP address 11.11.11.11, and a card shop whose address resolves to IP address 22.22.22.22. During analysis it may turn out that both the phishing site and the card shop share a common backend IP address, say 33.33.33.33. That knowledge lets us establish a relationship between the phishing attack and the card shop where the bank card data is sold.
Event correlation
When there are two different triggers (on an IDS, for instance) with different malware and different servers controlling the attack, we treat them as two independent events. But if there is a good relationship between the malicious infrastructures, it becomes clear that these are not different attacks but stages of one more complex multi-stage attack. And if one of the events has already been attributed to a group of attackers, the second can be attributed to the same group. Of course, the attribution process is far more complex, so treat this as a simple example.
Indicator enrichment
This is the most common scenario for using graphs in cybersecurity, though we pay little attention to it here: you give an indicator as input and get an array of related indicators as output.
Pattern identification
Identifying patterns is essential for effective hunting. A graph lets you not only find related elements but also identify common properties characteristic of a particular hacker group. Knowing such unique characteristics makes it possible to recognise the attackers' infrastructure already at the preparation stage, even without supporting evidence of an attack such as phishing emails or malware.
Why did we build our own network graph?
Again, we looked at solutions from various vendors before concluding that we needed to develop our own tool, one that could do what existing products could not. It took several years to build, and during that time we completely reworked it more than once. But despite the long development period, we have still not found an equivalent that meets our requirements. With our own product we were eventually able to solve almost every problem we had found in existing network graphs. These problems are examined in detail below.
The problems, and our solution to each:
Problem: no provider offers the full range of data collections: domains, passive DNS, passive SSL, DNS records, open ports, services running on those ports, and files that interact with domain names and IP addresses. Explanation: providers usually supply separate types of data, so to get the whole picture you have to buy subscriptions from all of them. Even then you cannot always get all the data: some passive SSL providers only supply data on certificates issued by trusted CAs, and their coverage of self-signed certificates is very poor. Other services do supply data on self-signed certificates but collect it only from standard ports.

Solution: we gathered all of the collections above ourselves. For example, to collect data on SSL certificates we built our own service that gathers certificates from trusted CAs and by scanning the entire IPv4 space. Certificates were collected not only from IPs but also from every domain and subdomain in the database: if you have the domain example.com and its subdomains
Problem: no access to the full database of historical records. Explanation: the usual suppliers have a good history accumulated over time, but for understandable reasons we, as clients, could not access all of the historical data. That is, you can obtain the full history for a single record (for a given domain or IP address, say), but you cannot see all of the history, and without it you cannot see the whole picture.

Solution: to collect as many historical records about domains as possible, we bought various databases, parsed many open resources that hold this history (fortunately there are many of them) and negotiated with domain name registrars. Naturally, every update to our own collections is kept together with a full revision history.
Problem: all existing solutions build the graph manually. Explanation: suppose you have bought lots of subscriptions from every conceivable data provider (usually called "enrichers"). When you need to build a graph, you manually "give" the command to build from the connecting elements you need, pick the ones you need out of the elements that appear, give the command to complete the connections from those, and so on. In this case responsibility for how well the graph is built rests entirely on that person.

Solution: we built automatic graph construction. That is, when a graph needs to be built, connections are built automatically from the first element and then from all subsequent elements. The specialist only indicates the depth to which the graph should be built. The process of automatically completing a graph is simple, but other vendors do not implement it because it produces a large number of irrelevant results, and this shortcoming has to be taken into account (see below).
Problem: a large number of irrelevant results is a problem for every graph of network elements. Explanation: for example, a "bad domain" (one that took part in the attack) is associated with a server that has had 500 other domains associated with it over the past 10 years. Whether the graph is extended manually or built automatically, all 500 of these domains should appear on the graph even though they have nothing to do with the attack. Or, say, you check an IP indicator from a vendor's security report. Such reports are usually released with a significant delay, often a year or more. By the time you read the report, the server with that IP address has most likely already been rented to someone else with other connections, and building the graph again gives irrelevant results.
Solution: we trained the system to identify irrelevant elements using the same logic that experts applied by hand. For example, we check the bad domain example.com, which currently resolves to IP 11.11.11.11 and previously resolved to IP 22.22.22.22. Besides example.com, IP 22.22.22.22 is also associated with example.ru, while IP 11.11.11.11 is associated with another 25 domains. Like a human analyst, the system understands that 22.22.22.22 is most likely a dedicated server and, since example.ru is spelled similarly to example.com, that the two are connected with high probability and belong on the graph; IP 11.11.11.11, however, belongs to shared hosting, so there is no need to include all of its domains on the graph unless other connections show that one of those 50 domains (example.net, say) should be included as well. Before deciding that some elements must not be moved onto the graph, the system analyses the connections and considers many properties of the elements, of the clusters these elements combine into, and the strength of the current connections. For example, suppose the graph contains a small cluster (5 elements) with the bad domain and another, much larger cluster, and the two clusters are joined by a link (edge) of very low strength (weight). In that case the link is cut and the elements of the large cluster are removed. But if there are many links between the small cluster and the large one and their strength gradually increases, the links are not cut and the necessary elements from both clusters remain on the graph.
Problem: ownership intervals of servers and domains are not taken into account. Explanation: sooner or later a "bad domain" expires and is bought again, for malicious or legitimate purposes. Even bulletproof hosting servers are rented to different hackers, so it is important to know, and take into account, the period during which a particular domain or server was under the control of one owner. We often run into the situation where a server at IP 11.11.11.11 is currently used as the C&C of a banking bot and 2 months ago was controlled by ransomware. If connections are built without regard to ownership intervals, it will look as if the owners of the banking botnet and the ransomware are connected when in fact there is no connection. In our work an error like that is critical.

Solution: we taught the system to determine ownership intervals. For domains this is relatively simple: Whois often contains the start date and expiry date of the registration, and when the full history of Whois changes is available the intervals are easy to determine. Cases where the domain registration has not expired but control has been transferred to another owner can also be tracked. SSL certificates have no such problem: once issued, a certificate is neither renewed nor transferred. With self-signed certificates, however, the dates given in the certificate's validity period cannot be trusted, because an SSL certificate can be generated at any time and its start date can be set to, say, 2010. The hardest task is determining the ownership period of a server, because only the hosting provider has the dates and rental periods. To determine server ownership periods we started using port-scan results and fingerprinting the services running on the ports. With that information we can tell fairly accurately when a server's owner changed.
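The ownership-interval logic described in this row, as an added Python illustration that is not Group-IB's code: service fingerprints split an IP's timeline into ownership intervals, and two domains are linked only if they were pointed at the IP during the same interval, so the ransomware-era domain is not tied to the later banking-bot C&C. The sample records, the day-based timestamps and the rule that any change in the fingerprinted services marks a new owner are constructed assumptions.

```python
from collections import defaultdict, namedtuple
# Constructed sample: day numbers stand in for real timestamps.
Resolution = namedtuple("Resolution", "domain ip first_seen last_seen")  # passive-DNS record
Fingerprint = namedtuple("Fingerprint", "ip day services")               # port-scan snapshot
OLD = frozenset({"22/ssh OpenSSH_7.4", "443/https nginx"})
NEW = frozenset({"22/ssh OpenSSH_8.2", "80/http Apache"})   # re-imaged box: new tenant
FINGERPRINTS = [Fingerprint("11.11.11.11", 1, OLD), Fingerprint("11.11.11.11", 20, OLD),
                Fingerprint("11.11.11.11", 45, NEW), Fingerprint("11.11.11.11", 90, NEW)]
RESOLUTIONS = [
    Resolution("ransom-pay.example", "11.11.11.11", 1, 60),    # stale pDNS tail past day 45
    Resolution("bankbot-c2.example", "11.11.11.11", 50, 100),
    Resolution("bankbot-panel.example", "11.11.11.11", 80, 100),
]

def ownership_intervals(fingerprints):
    """Per IP, a list of (start, end) day ranges; a new interval begins whenever
    the set of fingerprinted services changes. end=None marks the current owner."""
    by_ip = defaultdict(list)
    for fp in sorted(fingerprints, key=lambda f: (f.ip, f.day)):
        by_ip[fp.ip].append(fp)
    out = {}
    for ip, snaps in by_ip.items():
        bounds, start, sig = [], snaps[0].day, snaps[0].services
        for fp in snaps[1:]:
            if fp.services != sig:
                bounds.append((start, fp.day - 1))
                start, sig = fp.day, fp.services
        out[ip] = bounds + [(start, None)]
    return out

def interval_index(intervals, ip, day):
    """Index of the ownership interval of `ip` active on `day`, or None if no scan covers it."""
    for i, (start, end) in enumerate(intervals.get(ip, [])):
        if start <= day and (end is None or day <= end):
            return i
    return None

def naive_links(resolutions, seed):
    """Every domain that ever shared an IP with the seed (the error the text warns about)."""
    ips = {r.ip for r in resolutions if r.domain == seed}
    return {r.domain for r in resolutions if r.ip in ips} - {seed}

def interval_aware_links(resolutions, intervals, seed):
    """Only domains first pointed at the IP during the seed's own ownership interval."""
    def key(r):
        return (r.ip, interval_index(intervals, r.ip, r.first_seen))
    seed_keys = {key(r) for r in resolutions if r.domain == seed}
    seed_keys = {k for k in seed_keys if k[1] is not None}
    return {r.domain for r in resolutions if key(r) in seed_keys} - {seed}
```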
Problem: few connections. Explanation: today it is no problem to get a free list of domains whose Whois contains a particular email address, or to find all the domains associated with a particular IP address. But for hackers who do their best to make themselves hard to track, additional tricks are needed to discover new properties and build new connections.

Solution: we spent a lot of time researching how to extract data that conventional methods could not provide. For obvious reasons we cannot describe here how it works, but under certain circumstances hackers make mistakes when registering domains or renting and configuring servers that allow email addresses, hacker aliases and backend addresses to be uncovered. The more connections we extract, the more accurate the graph we can build.
How the graph works
To start using the network graph, you enter a domain, IP address, email or SSL certificate fingerprint into the search bar. The analyst controls three conditions: time, step depth and cleaning.
Time
Time: the date or interval during which the searched element was used for malicious purposes. If this parameter is not specified, the system itself determines the last ownership interval of the resource. For example, on July 11 Eset published indicators including:
- ukrfreshnews[.]com
- unian-search[.]com
- vesti-world[.]info
- runewsmeta[.]com
- foxnewsmeta[.]biz
- sobesednik-meta[.]info
- rian-ua[.]net
- and others
Besides the network indicators, the graph immediately finds links to malicious files connected with this infrastructure, as well as tags showing that Meterpreter and AZORult were used.
The great thing is that this result was obtained in a matter of seconds, with no effort spent on analysing the data. Of course, this approach can sometimes drastically shorten investigation time, which is often critical.
Number of steps, or recursion depth, for building the graph
ããã©ã«ãã§ã¯ãæ·±ã㯠3 ã§ããããã¯ãçŽæ¥é¢é£ãããã¹ãŠã®èŠçŽ ãç®çã®èŠçŽ ããæ€çŽ¢ãããåæ°ããèŠçŽ ããä»ã®èŠçŽ ãžã®æ°ããæ¥ç¶ãæ§ç¯ãããæåŸã®èŠçŽ ããã®æ°ããèŠçŽ ããæ°ããèŠçŽ ãäœæãããããšãæå³ããŸããã¹ãããã
Let's take an example unrelated to APTs and zero-day exploits. An interesting fraud case involving cryptocurrency was recently described on Habr. The report mentions the domain themcx[.]co, used by the fraudsters to host a website posing as the Miner Coin Exchange, and phone-lookup[.]xyz, used to drive traffic.
It is clear from the description that the scheme requires a fairly large infrastructure to attract traffic to the fraudulent resources. We decided to examine this infrastructure by building a graph in 4 steps. The output was a graph containing 230 domains and 39 IP addresses. We then split the domains into 2 categories: one resembling services for working with cryptocurrency, the other intended to drive traffic via phone verification services.
Cryptocurrency-related:
- coinborder[.]cc
- mcxwallet[.]co
- btcnoise[.]com
- cryptominer[.]watch

Related to phone-lookup services:
- caller-records[.]site
- phone-records[.]space
- fone-uncover[.]xyz
- number-uncover[.]info
Cleaning
By default the "graph cleanup" option is enabled, and all irrelevant elements are removed from the graph; incidentally, it was used in all of the examples above. I expect the obvious question: "How do you make sure nothing important is removed?" The answer: an analyst who builds graphs by hand can disable automatic cleaning and choose step count = 1. The analyst can then complete the graph from the elements they need and remove the elements that are irrelevant to the task.
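The step-limited expansion and the shared-hosting rule (the example.com / example.ru case in the problem table above) together with the cleaning option just described, as an added Python illustration that is not Group-IB's code: it walks passive DNS for a fixed number of steps and, with cleaning on, keeps a neighbour found on shared hosting only when it has a second link into the graph or a look-alike name. The passive-DNS records, the threshold of 5 domains per IP and the 0.8 name-similarity cut-off are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed passive-DNS sample (domain, ip): 22.22.22.22 is a small dedicated
# box; 11.11.11.11 and 33.33.33.33 are shared hosting full of unrelated tenants.
PDNS = [
    ("example.com", "11.11.11.11"), ("example.com", "22.22.22.22"),
    ("example.ru", "22.22.22.22"),
    ("example.net", "22.22.22.22"), ("example.net", "11.11.11.11"),
    ("example.net", "33.33.33.33"),
    ("examp1e.com", "11.11.11.11"),   # look-alike of the seed on shared hosting
] + [(f"tenant-{i}.example", "11.11.11.11") for i in range(1, 6)] \
  + [(f"tenant-{i}.example", "33.33.33.33") for i in range(6, 11)]

SHARED_THRESHOLD = 5   # more domains than this on one IP: treat it as shared hosting

def keep_on_shared(cand, seed, dom2ip, graph_ips):
    """Admit a shared-hosting neighbour only with corroboration: a second link
    into the graph built so far, or a name that looks like a variant of the seed."""
    links = len(dom2ip[cand] & graph_ips)
    return links >= 2 or SequenceMatcher(None, cand, seed).ratio() >= 0.8

def build_graph(pdns, seed, depth=3, clean=True):
    """Expand `seed` for `depth` steps (domain -> its IPs -> their domains).
    With clean=True, tenants of shared hosting are dropped unless corroborated."""
    dom2ip, ip2dom = defaultdict(set), defaultdict(set)
    for d, ip in pdns:
        dom2ip[d].add(ip)
        ip2dom[ip].add(d)
    domains, ips, frontier = {seed}, set(), {seed}
    for _ in range(depth):
        new_ips = set().union(*(dom2ip[d] for d in frontier)) - ips
        ips |= new_ips
        frontier = set()
        for ip in new_ips:
            shared = len(ip2dom[ip]) > SHARED_THRESHOLD
            for cand in ip2dom[ip] - domains:
                if clean and shared and not keep_on_shared(cand, seed, dom2ip, ips):
                    continue           # uncorroborated tenant of shared hosting
                frontier.add(cand)
        domains |= frontier
        if not frontier:
            break
    return domains, ips
```

With cleaning on, the walk still reaches 33.33.33.33 through example.net but discards that host's unrelated tenants; with cleaning off and depth 1, every tenant of 11.11.11.11 lands on the graph.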
The history of changes in Whois, DNS, open ports and the services running on them is available to the analyst right on the graph.
Financial phishing
We investigated the activity of an APT group that had been running phishing attacks against customers of various banks in various regions for several years. A hallmark of the group was registering domains closely resembling real bank names; most of the phishing sites shared the same design, differing only in the bank name and logo.
Here automatic graph analysis helped a great deal. Taking one of their domains, lloydsbnk-uk[.]com, we built a graph 3 steps deep in a few seconds, which identified more than 250 malicious domains used by the group since 2015 and still in use. Some of these domains have since been bought by the banks, but the historical records show that they were previously registered to the attackers.
For clarity, however, the figure shows a graph 2 steps deep.
Notably, already in 2019 the attackers changed tactics somewhat and began registering not only bank domains for hosting web phishing but also domains of various consulting firms for sending phishing emails: for example swift-Department.com, saudconsultancy.com and vbgrigoryanpartners.com.
The Cobalt gang
In 2018, the hacker group Cobalt, which specialises in targeted attacks on banks, sent an email campaign on behalf of the National Bank of Kazakhstan.
The letters contained a link to hXXps://nationalbank.bz/Doc/Prikaz.doc. The downloaded document contained a macro that launched PowerShell and tried to download the file from hXXp://wateroilclub.com/file/dwm.exe to %Temp%\einmrmdmy.exe and execute it. The file %Temp%\einmrmdmy.exe, aka dwm.exe, is a CobInt stager configured to communicate with the server hXXp://admvmsopp.com/rilruietguadvtoefmuy.
Imagine that you could not receive these phishing emails and perform a full analysis of the malicious files. The graph of the malicious domain nationalbank[.]bz immediately shows its connections to other malicious domains and indicates which files belonging to the group were used in the attack.
Let's take the IP address 46.173.219[.]152 from this graph and build a graph from it one step deep with cleaning turned off. It has 40 domains associated with it, for example:
- bl0ckchain[.]ug
- paypal.co.uk.qlg6[.]pw
- cryptoelips[.]com
Judging by the domain names, they appear to be used in fraudulent schemes, but the cleaning algorithm recognised that they were not related to this attack and did not show them on the graph, which greatly simplifies the analysis and attribution process.
If the graph for nationalbank[.]bz is rebuilt with the cleaning algorithm disabled, it contains more than 500 elements, most of which have nothing to do with the Cobalt group or its attacks. An example of what such a graph looks like is shown below.
Conclusion
After several years of fine-tuning, testing in real investigations, threat research and hunting for attackers, we not only built our own tool but also changed the attitude of our in-house experts towards it. At first the technical experts wanted complete control over the graph-building process. Convincing them that automatic graph construction could do the job better than someone with years of experience was very hard. Everything was decided by time and by repeated "manual" checks of the results the graph produced. Today our experts not only trust the system but use the results it produces in their daily work. The technology works inside each of our systems and lets us identify threats of any kind more accurately. The interface for manual graph analysis is built into every Group-IB product and greatly extends the capabilities for cybercrime hunting, which is confirmed by the reviews of our clients' analysts. And we continue to enrich the graph with data and to work on new algorithms that use artificial intelligence to build the most accurate network graph.
Source: habr.com