Almost all of us use online stores. That means that sooner or later we risk becoming victims of JavaScript sniffers: special code that attackers implant into a website to steal users' bank card data, login details and passwords.
Nearly four million users of the British Airways website and mobile app have already been affected by sniffers, as have visitors to the UK websites of the sportswear giant FILA and the US ticket seller Ticketmaster. PayPal, Chase Paymentech, USAePay, Moneris and many other payment systems have been affected as well.
Viktor Okorokov, an analyst at Group-IB Threat Intelligence, describes how new sniffers get into website code, how they steal payment information, and which CMSs they attack.
A hidden threat
For a long time JS sniffers stayed off the radar of antivirus analysts, and banks and payment systems did not regard them as a serious threat. That was quite wrong. Let's take a closer look at the sniffer families that Group-IB experts examined in this study.
ReactGet family
Sniffers of the ReactGet family are used to steal bank card data on online shopping sites. A sniffer can work with a large number of different payment systems used on a site: one parameter value corresponds to one payment system, and the individual detected versions can be used to steal credentials or bank card data from payment forms; there is also a universal form that handles several payment systems at once. In some cases it turned out that the attackers also ran phishing attacks against online-store administrators in order to gain access to the site's admin panel.
The campaign using this sniffer family began in 2017; sites running the Magento, Bigcommerce and Shopify CMS platforms were attacked.
How ReactGet is embedded in an online store's code
In addition to the "classic" embedding of a script via a link, the operators of the ReactGet sniffer family use a special technique: JavaScript code checks whether the address the user is currently on meets certain criteria. The malicious code runs only if the current URL contains one of the substrings checkout, onestepcheckout, onepage/, out/onepag, checkout/one or ckout/one. The sniffer code therefore runs at the moment the user starts paying for a purchase and enters payment details into a form on the site.
This sniffer uses a non-standard technique. The victim's payment and personal data are collected together and encoded with base64, and the resulting string is used as a parameter of a request to the attacker's website. In most cases the path to the gate imitates a JavaScript file, for example resp.js or data.js, but links to image files (GIF and JPG) are also used. The peculiarity is that the sniffer creates a 1×1 pixel image object and uses the previously built link as the SRC of that image. To the user, such a request in traffic therefore looks like a request for an ordinary picture. A similar technique was used by sniffers of the ImageID family. Moreover, the 1×1 pixel image technique is used by many legitimate online analytics scripts, which can also mislead the user.
Version analysis
Analysis of the active domains used by the ReactGet sniffer operators showed that many versions of this sniffer family exist. The versions differ in whether they are obfuscated, and each sniffer is additionally designed for a specific payment system that handles bank-card payments for the online store. By iterating over the parameter value corresponding to the version number, Group-IB specialists obtained a full list of the available sniffer variants and, from the names of the form fields each sniffer searches for in the page code, determined which payment system each sniffer targets.
List of sniffers and their corresponding payment systems

The source table pairs each sniffer URL with the payment system it targets, one row per sniffer version. The sniffer-URL column did not survive extraction, so only the payment-system column remains. The payment systems named in it, deduplicated, are: Authorize.Net, CardSave, eWAY Rapid, Adyen, USAePay, Moneris, PayPal, Sage Pay, Verisign, Stripe, Realex, LinkPoint, DataCash, ANZ eGate, Chase Paymentech, PsiGate, CyberSource, First Data Global Gateway, Braintree, Westpac PayWay, PayFort, EBizCharge, PayPal Payflow Pro, Fat Zebra, QuickBooks Merchant Services, and one name that did not survive extraction. Authorize.Net appears most often, followed by PayPal, Sage Pay and Verisign.
Password sniffer
One of the advantages of a JavaScript sniffer running on the client side of a website is its versatility: malicious code embedded in a website can steal any kind of data, from payment data to user account logins and passwords. Group-IB specialists found a sample of a ReactGet-family sniffer designed to steal the e-mail addresses and passwords of site users.
Overlap with the ImageID sniffer
Analysis of one of the infected stores showed that the site had been infected twice: in addition to the malicious code of the ReactGet-family sniffer, code of the ImageID-family sniffer was detected. This overlap may be evidence that the operators behind both sniffers use similar techniques to inject their malicious code.
Universal sniffer
Analysis of one of the domain names associated with the ReactGet sniffer infrastructure showed that the same user had registered several other domain names. These domains imitate the domains of real websites and had previously been used to host sniffers. Analysis of the code of one legitimate site revealed an unknown sniffer, and further analysis showed that it was an improved version of the ReactGet sniffer. All previously observed versions of this family targeted a single payment system, so each payment system required its own version of the sniffer. In this case, however, a universal version was found that can steal information from forms associated with many different payment systems and from the e-commerce site modules used for online payments.
At the start of its work, the sniffer searched for the basic form fields containing the victim's personal information (name, address, phone number).
Next, the sniffer searched for more than 15 different prefixes corresponding to various payment systems and online payment modules.
The victim's personal data and payment information were then collected together and sent to a site controlled by the attackers. In this particular case, two versions of the universal ReactGet sniffer were found on two different hacked sites, but both versions sent the stolen data to the same hacked site, zoobashop.com.
Analysis of the prefixes the sniffer uses to search for fields containing the victim's payment information showed that this sniffer sample targets the following payment systems:
- Authorize.Net
- Verisign
- First Data
- USAePay
- Stripe
- PayPal
- ANZ eGate
- Braintree
- DataCash (MasterCard)
- Realex Payments
- PsiGate
- Heartland Payment Systems
What tools are used to steal payment information?
The first tool, found during analysis of the attackers' infrastructure, is used to obfuscate the malicious scripts that carry out the theft of bank cards. A bash script using the project's CLI was found on one of the attackers' hosts.
The second tool found is designed to generate the code responsible for loading the main sniffer. It produces JavaScript that checks whether the user is on a payment page by searching the user's current address for strings such as checkout and cart; if the result is positive, the code loads the main sniffer from the attackers' server. To hide the malicious activity, all strings, both the test strings used to recognise the payment page and the link to the sniffer, are base64-encoded.
Phishing attacks
Analysis of the attackers' network infrastructure showed that the criminal group frequently uses phishing to gain access to the admin panel of the targeted online store. The attackers register a domain visually similar to the store's domain and deploy a fake Magento admin-panel login form on it. If successful, the attackers gain access to the Magento CMS admin panel, which gives them the opportunity to edit the website's components and implant a sniffer for stealing credit card data.
Infrastructure
Domain | First seen |
---|---|
(name not preserved) | 04.05.2017 |
adsgetapi.com | 15.06.2017 |
simcounter.com | 14.08.2017 |
mageanalytics.com | 22.12.2017 |
maxstatics.com | 16.01.2018 |
(name not preserved; ends in jsapi.com) | 19.01.2018 |
mxcounter.com | 02.02.2018 |
apitstatus.com | 01.03.2018 |
orderracker.com | 20.04.2018 |
(name not preserved) | 25.06.2018 |
adsapigate.com | 12.07.2018 |
trust-tracker.com | 15.07.2018 |
fbstatspartner.com | 02.10.2018 |
billgetstatus.com | 12.10.2018 |
www.aldenmlilhouse.com | 20.10.2018 |
(name not preserved) | 20.10.2018 |
bargalnjunkie.com | 20.10.2018 |
(name not preserved) | 21.10.2018 |
(name not preserved) | 02.11.2018 |
hs-payments.com | 16.11.2018 |
ordercheckpays.com | 19.11.2018 |
geisseie.com | 24.11.2018 |
gtmproc.com | 29.11.2018 |
livegetpay.com | 18.12.2018 |
(name not preserved) | 18.12.2018 |
newrelicnet.com | 19.12.2018 |
nr-public.com | 03.01.2019 |
(name not preserved) | 04.01.2019 |
ajaxstatic.com | 11.01.2019 |
livecheckpay.com | 21.01.2019 |
(name not preserved) | 25.01.2019 |

Rows marked "name not preserved" are domains whose names the source's translation rendered in katakana and which cannot be recovered from the extracted text.
G-Analytics family
This sniffer family is used to steal customers' cards from online stores. The first domain name used by the group was registered in 2016, which may indicate that the group began operating in mid-2016.
In the current campaign the group uses domain names that imitate real services such as Google Analytics and jQuery, hiding the sniffer's activity behind legitimate-looking scripts and domain names that resemble legitimate ones. Sites running the Magento CMS were attacked.
How G-Analytics is embedded in an online store's code
A distinctive feature of this family is that it uses several methods to steal users' payment information. Besides the classic injection of JavaScript code into the client side of the site, the criminal group used a server-side code injection technique: a PHP script that processes the data entered by the user. This technique is dangerous because it makes it harder for third-party researchers to detect the malicious code. Group-IB specialists found a version of the sniffer embedded in a site's PHP code that uses the domain dittm.org as its gate.
An early version of the sniffer was also found that collects stolen data through the same domain, dittm.org, but this version is meant to be installed on the client side of the online store.
The group later changed tactics and began to focus on concealing and camouflaging its malicious activity.
In early 2017 the group began using the domain jquery-js.com, posing as a jQuery CDN: when a user opens the attackers' site, they are redirected to the legitimate site jquery.com.
In mid-2018 the group adopted the domain name g-analytics.com and began disguising the sniffer's activity as the legitimate Google Analytics service.
Version analysis
During analysis of the domains used to store the sniffer code, it turned out that the site contained a large number of versions, which differ in whether they are obfuscated and whether unreachable code has been added to the file to divert attention and hide the malicious code.
In total, six versions of the sniffer were identified on the site jquery-js.com. These sniffers send the stolen data to an address on the same website as the sniffer itself, hxxps://jquery-js[.]com/latest/jquery.min.js:
- hxxps://jquery-js[.]com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
The later domain g-analytics.com, which the group has used in attacks since mid-2018, serves as a repository for even more sniffers. In total, 16 different versions of the sniffer were found. In this case the gate for sending the stolen data was disguised as a link to a GIF image: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.]com/libs/analytics.js
Monetising the stolen data
The criminal group monetises the stolen data by selling cards through a specially created underground store serving carders. Analysis of the domains used by the attackers showed that the domain google-analytics.cm was registered by the same user as the domain cardz.vc. The domain cardz.vc points to the store Cardsurfs (Flysurfs), which sells stolen bank cards and gained popularity in the days of the AlphaBay underground marketplace as a shop selling cards stolen with sniffers.
Analysing the domain analytics.is, which sits on the same server as the domains the sniffer uses to collect stolen data, Group-IB experts found a file containing the logs of a cookie stealer, apparently later abandoned by its developer. One of the log entries contained the domain iozoz.com, which had previously been used in one of the sniffers active in 2016. Presumably this domain was earlier used by the attackers to collect cards stolen with the sniffer. The domain was registered to the e-mail address [email protected], which was also used to register the domains cardz.su and cardz.vc, associated with the Cardsurfs card shop.
Based on the data obtained, it can be assumed that the G-Analytics sniffer family and the underground store Cardsurfs are run by the same people, and that the store is used to sell the bank cards stolen with the sniffer.
Infrastructure
Domain | First seen |
---|---|
iozoz.com | 08.04.2016 |
dittm.org | 10.09.2016 |
jquery-js.com | 02.01.2017 |
g-analytics.com | 31.05.2018 |
google-analytics.is | 21.11.2018 |
analytics.to | 04.12.2018 |
google-analytics.to | 06.12.2018 |
google-analytics.cm | 28.12.2018 |
analytics.is | 28.12.2018 |
googlc-analytics.cm | 17.01.2019 |

The entries analytics.to and analytics.is are reconstructed from the source's translated rendering of those names ("analytics" was translated as a common word).
Illum family
Illum is a family of sniffers used to attack online stores running the Magento CMS. Besides injecting malicious code, the operators of this sniffer also make use of fully fledged fake payment forms that send the data to a gate controlled by the attackers.
Analysis of the network infrastructure used by the operators of this sniffer revealed a large collection of malicious scripts, exploits, fake payment forms and examples of competitors' malicious sniffers. Based on the registration dates of the domain names used by the group, it can be assumed that the campaign began at the end of 2016.
How Illum is embedded in an online store's code
The first versions of the sniffer that were found were embedded directly in the code of the compromised site. The stolen data was sent to cdn.illum[.]pw/records.php, with the gate address base64-encoded.
Later, a packed version of the sniffer using a different gate, records.nstatistics[.]com/records.php, was found.
Analysis of the attackers' website
Group-IB experts found and analysed the website that this criminal group uses to store its tools and collect the stolen information.
Among the tools found on the attackers' server were scripts and exploits for privilege escalation on Linux, for example the Linux privilege-escalation check script developed by Mike Czumak and an exploit for CVE-2009-1185.
The attackers also used exploits to attack online stores directly.
During analysis of the server, various samples of sniffers and fake payment forms were also found that the attackers used to collect payment information from hacked sites. As the list below shows, some scripts were written individually for each hacked site, while universal solutions were used for particular CMSs and payment gateways. For example, the scripts segapay_standart.js and segapay_onpage.js were designed to be embedded in sites using the Sage Pay payment gateway.
List of scripts for various payment gateways

The source table lists one script per row together with the payment gateway it targets and the gate the data is sent to; the script-name and gateway columns did not survive extraction. The gate addresses that remain (defanged as in the source) are:
- //request.payrightnow[.]cf/checkpayment.php
- //request.payrightnow[.]cf/alldata.php
- //cdn.illum[.]pw/records.php
- //paymentnow[.]cf/?payment=
- //paymentnow[.]tk/?payment=
The host paymentnow[.]tk, used as a gate in the script Payment_forminsite.js, was found as a subjectAltName in several certificates related to the CloudFlare service. The host also contained the script evil.js. Judging by its name, this script may have been used as part of the exploitation of CVE-2016-4010, which allows malicious code to be injected into the footer of a site running the Magento CMS. The host request.requestnet[.]tk, which uses the same certificate as paymentnow[.]tk, used this script as a gate.
Fake payment forms
The figure below shows an example of a form for entering card data. This form was used to steal card data after an online store had been compromised.
The next figure shows an example of a fake PayPal payment form that the attackers used on compromised sites offering this payment method.
Infrastructure
Domain | First seen |
---|---|
cdn.illum.pw | 27/11/2016 |
records.nstatistics.com | 06/09/2018 |
request.payrightnow.cf | 25/05/2018 |
paymentnow.tk | 16/07/2017 |
(name not preserved) | 01/03/2018 |
(name not preserved) | 04/09/2017 |
requestnet.tk | 28/06/2017 |
CoffeMokko family
Sniffers of the CoffeMokko family are designed to steal bank cards from online-store users and have been in use since at least 2017. The operators of this sniffer group are presumably the criminal group Group 1, described by RiskIQ experts in 2016. Sites running the Magento, OpenCart, WordPress, osCommerce and Shopify CMSs were attacked.
How CoffeMokko is embedded in an online store's code
The operators of this family create a unique sniffer for each infection. The sniffer file is located in the src or js directory on the attackers' server, and it is embedded in the site code via a direct link to the sniffer.
The names of the form fields whose data is to be stolen are hard-coded in the sniffer. The sniffer also checks whether the user is on a payment page by comparing the user's current address against a list of keywords.
Some of the discovered versions of the sniffer were obfuscated and contained an encrypted string holding the main array of resources: the names of the form fields of various payment systems and the gate address to which the stolen data is sent.
The stolen payment information is sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. Presumably this script forwards the data from the gate to the main server, which consolidates data from all the sniffers. To hide the transmitted data, all of the victim's payment information is base64-encoded, after which several character substitutions are applied:
- the character "e" is replaced with ":"
- the character "w" is replaced with "+"
- the character "o" is replaced with "%"
- the character "d" is replaced with "#"
- the character "a" is replaced with "-"
- the character "7" is replaced with "^"
- the character "h" is replaced with "_"
- the character "T" is replaced with "@"
- the character "0" is replaced with "/"
- the character "Y" is replaced with "*"
As a result of these substitutions, the base64-encoded data cannot be decoded without first reversing them.
A fragment of the non-obfuscated sniffer code looks like this:
Infrastructure analysis
In the early campaigns the attackers registered domain names similar to those of legitimate online shopping sites. Such domains may differ from the legitimate one by a single character or by the TLD. The registered domains were used to store the sniffer code, and a link to that code was embedded in the store's code.
The group also used domain names imitating popular jQuery plugins (slickjs[.]org for sites using the slick.js plugin) and payment gateways (sagecdn[.]org for sites using the Sage Pay payment system).
The group later began creating domains whose names had nothing to do with the store's domain or the store's theme.
Each domain corresponds to one site, for which a directory /js or /src was created; the sniffer scripts were stored in that directory, one sniffer per new infection. The sniffer was embedded in the website code via a direct link, but in rare cases the attackers modified one of the website's own files and added the malicious code to it.
Code analysis
First obfuscation algorithm
In some of the discovered samples of this family the code was obfuscated and contained encrypted data that the sniffer needs in order to work: in particular, the sniffer gate address, the list of payment form fields and, in some cases, the code of a fake payment form. Inside the function, the resources were encrypted with XOR using a key passed as an argument to the same function.
Decrypting the string with the appropriate key, which is unique to each sample, yields a string containing all the strings of the sniffer code, separated by a delimiter character.
Second obfuscation algorithm
Later samples of this family's sniffers used a different obfuscation mechanism: the data was encrypted with a custom-built algorithm. A string containing the encrypted data the sniffer needs was passed as an argument to the decryption function.
Using the browser console, the encrypted data can be decrypted to obtain the array containing the sniffer's resources.
Connection with the early MageCart attacks
Analysis of one of the domains this group uses as a gateway for collecting stolen data showed that the domain hosts the same credit-card-theft infrastructure as the one used by Group 1, one of the first MageCart groups.
Two files were found on the host of the CoffeMokko-family sniffer:
- mage.js: a file containing the Group 1 sniffer code with the gate address js-cdn.link
- mag.php: a PHP script that collects the data stolen by the sniffer
Contents of the mage.js file
It also turned out that the oldest domains used by the CoffeMokko sniffer group were registered on 17.05.2017:
- link-js[.]link
- info-js[.]link
- track-js[.]link
- two further names of the same form whose first label was rendered in katakana by the source and did not survive extraction
The format of these domain names matches that of the Group 1 domain names used in the 2016 attacks.
Based on the facts found, it can be assumed that there is a connection between the operators of the CoffeMokko sniffer and the criminal group Group 1. The CoffeMokko operators may have borrowed tools and software from their predecessors to steal cards. More likely, however, the criminal group behind the CoffeMokko family is the same one that carried out the Group 1 attacks: after the publication of the first report on the group's activity, all of their domain names were taken down and their tools were studied and described in detail. The group was forced to take a break, refine its internal tools and rewrite the sniffer code in order to continue its attacks and avoid detection.
Infrastructure
Domain | First seen |
---|---|
link-js.link | 17.05.2017 |
info-js.link | 17.05.2017 |
track-js.link | 17.05.2017 |
(name not preserved) | 17.05.2017 |
(name not preserved) | 17.05.2017 |
adorebeauty.org | 03.09.2017 |
(name not preserved) | 03.09.2017 |
(name not preserved) | 04.09.2017 |
sagecdn.org | 04.09.2017 |
slickjs.org | 04.09.2017 |
(name not preserved) | 10.09.2017 |
citywlnery.org | 15.09.2017 |
dobell.su | 04.10.2017 |
Childrensplayclothing.org | 31.10.2017 |
jewsondirect.com | 05.11.2017 |
(name not preserved) | 15.11.2017 |
(name not preserved) | 16.11.2017 |
(name not preserved) | 28.11.2017 |
(name not preserved) | 01.12.2017 |
kik-vape.org | 01.12.2017 |
greatfurnituretradingco.org | 02.12.2017 |
etradesupply.org | 04.12.2017 |
replacemyremote.org | 04.12.2017 |
all-about-sneakers.org | 05.12.2017 |
mage-checkout.org | 05.12.2017 |
(name not preserved) | 07.12.2017 |
lamoodbigat.net | 08.12.2017 |
(name not preserved) | 10.12.2017 |
(name not preserved) | 12.12.2017 |
davidsfootwear.org | 20.12.2017 |
(name not preserved) | 23.12.2017 |
exrpesso.org | 02.01.2018 |
park.su | 09.01.2018 |
pmtonline.su | 12.01.2018 |
otocap.org | 15.01.2018 |
christohperward.org | 27.01.2018 |
(name not preserved) | 31.01.2018 |
(name not preserved) | 31.01.2018 |
(name not preserved) | 31.01.2018 |
(name not preserved) | 31.01.2018 |
(name not preserved) | 01.03.2018 |
coffemokko.com (reconstructed from the source's katakana rendering of the family name) | 01.03.2018 |
(name not preserved) | 01.03.2018 |
ukcoffee.com | 01.03.2018 |
(name not preserved) | 20.03.2018 |
(name not preserved) | 03.04.2018 |
btosports.net | 09.04.2018 |
(name not preserved) | 16.04.2018 |
(name not preserved) | 11.05.2018 |
ar500arnor.com | 26.05.2018 |
(name not preserved) | 28.05.2018 |
(name not preserved) | 28.05.2018 |
(name not preserved) | 03.06.2018 |
(name not preserved) | 08.06.2018 |
(name not preserved) | 15.06.2018 |
(name not preserved) | 01.07.2018 |
(name not preserved) | 02.07.2018 |
abtasty.net | 02.07.2018 |
(name not preserved) | 02.07.2018 |
zoplm.com | 02.07.2018 |
zapaljs.com | 02.09.2018 |
foodandcot.com | 15.09.2018 |
freshdepor.com | 15.09.2018 |
(name not preserved) | 15.09.2018 |
(name not preserved) | 15.09.2018 |
(name not preserved) | 18.11.2018 |
majsurplus.com | 19.11.2018 |
(name not preserved) | 19.11.2018 |

Rows marked "name not preserved" are domains whose names the source's translation rendered in katakana and which cannot be recovered from the extracted text.
Source: habr.com