In recent years, trojans for personal computers have given way to mobile trojans, but the appearance of new malware for "good old" machines and its active use by cybercriminals, unpleasant as it is, remains a problem. Recently the CERT Group-IB round-the-clock information security incident response centre detected an unusual phishing email hiding new PC malware that combines the functions of a Keylogger and a PasswordStealer. What caught the analysts' attention was how the spyware got onto the user's machine: through a popular voice messenger. Ilya Pomerantsev, a malware analysis specialist at CERT Group-IB, explains how the malware works, why it is dangerous, and even finds its author, in faraway Iraq.

Let's take things in order. Such an email contained an image disguised as an attachment; clicking it took the user to cdn.discordapp.com, from where the malicious file was downloaded.

Using Discord, a free voice and text messenger, is quite unconventional. Usually other instant messengers or social networks are used for this purpose.

A more detailed analysis identified the malware family. It turned out to be a newcomer on the malware market: 404 Keylogger.

The first advertisement for the sale of the keylogger was posted on a forum on the 8th by a user with the nickname 404 Coder.

The store's domain was registered quite recently, in 2019 (the source leaves the day and month scrambled as "7 年 2019 月 XNUMX 日").

As the developers state on their website, 404projects[.]xyz, 404 is a tool designed for companies that want to keep track of their customers' activity (with their permission), or for companies that want to protect their binaries from reverse engineering. Looking ahead, let us say that 404 definitely does not cope with the latter task.

We decided to reverse one of the files and see what the "BEST SMART KEYLOGGER" is.
Malware ecosystem

Loader 1 (AtillaCrypter)

The source file is protected with EaxObfuscator and performs a staged load of AtProtect from the resource section. While analysing other samples found on VirusTotal it became clear that this stage was not provided by the developer himself but was added by the client. It was later established that this loader is AtillaCrypter.

Loader 2 (AtProtect)

This loader is in fact an integral part of the malware and, by the developer's intent, is supposed to carry the anti-analysis functions.

In practice, however, the protection mechanisms are very primitive, and our systems detect this malware without difficulty.

The main module is loaded using Franchy ShellCode of various versions. However, the use of other options, such as RunPE, is not ruled out.

Configuration file

Persistence in the system

Persistence is provided by the AtProtect loader if the corresponding flag is set.

- The file is copied to the path %AppData%\GFqaak\Zpzwm.exe.
- The file %AppData%\GFqaak\WinDriv.url is created, which launches Zpzwm.exe.
- In the HKCU\Software\Microsoft\Windows\CurrentVersion\Run branch a startup key WinDrive.url is created.

Communication with C&C

AtProtect loader

If the corresponding flag is present, the malware can launch a hidden iexplorer process and follow the given link to notify the server that the infection succeeded.

DataStealer

Regardless of the method used, network communication begins with obtaining the victim's external IP via the resource [http]://checkip[.]dyndns[.]org/.

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
The general structure of the messages is the same: a header of the form

|——- 404 Keylogger — {type} ——-|

where {type} corresponds to the kind of information being sent.

Then comes information about the system:

_______ + Victim Info + _______
IP: {external IP}
Owner Name: {computer name}
OS Name: {OS name}
OS Version: {OS version}
OS Platform: {platform}
RAM Size: {RAM size}
______________________________

And finally, the data being sent.

SMTP

The subject of the email has the form: 404K | {message type} | Client Name: {username}.

Interestingly, the 404 Keylogger developer's own SMTP server is used to deliver the emails to clients.

This made it possible to identify some of the clients, as well as the email addresses of some of the developers.
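The message layout above (header, victim-info block, SMTP subject) is regular enough to key a mail-gateway or DLP check on. The following parser is an added example, not code from the page or from Group-IB. It assumes English field labels ("Victim Info", "Owner Name", "Client Name"), which the page shows only in translation, so the patterns must be confirmed against real samples before a rule is deployed; the sample message it parses is constructed.

```python
"""Added example: parse and flag 404 Keylogger style exfiltration mail.
Not the page's or Group-IB's code; label spellings are assumptions."""
import re
from typing import Optional

# Body header described in the analysis: |——- 404 Keylogger — {type} ——-|
HEADER_RE = re.compile(r"\|[—-]+\s*404 Keylogger\s*—\s*(?P<type>[^—|]+?)\s*[—-]+\|")
# SMTP subject described in the analysis: 404K | {message type} | Client Name: {username}
SUBJECT_RE = re.compile(
    r"^404K\s*\|\s*(?P<type>[^|]+?)\s*\|\s*Client Name:\s*(?P<client>.+?)\s*$", re.IGNORECASE
)
# "Key: value" lines inside the victim-info block
INFO_LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*?)\s*$")
VICTIM_BANNER = "+ Victim Info +"   # assumed English form of the block banner


def parse_subject(subject: str) -> Optional[dict]:
    """Return {'type', 'client'} for a matching subject line, else None."""
    m = SUBJECT_RE.match(subject.strip())
    return {"type": m["type"], "client": m["client"]} if m else None


def parse_body(body: str) -> Optional[dict]:
    """Return the message type and the victim-info fields, or None if the
    characteristic header is absent."""
    m = HEADER_RE.search(body)
    if not m:
        return None
    victim, in_block = {}, False
    for line in body.splitlines():
        if VICTIM_BANNER in line:
            in_block = True
            continue
        if in_block:
            stripped = line.strip()
            if stripped and set(stripped) == {"_"}:   # closing rule of underscores
                break
            km = INFO_LINE_RE.match(line)
            if km:
                victim[km["key"]] = km["value"]
    return {"type": m["type"].strip(), "victim": victim}


def classify_mail(subject: str, body: str) -> dict:
    """Combine both checks; either one matching is enough to flag the mail."""
    s, b = parse_subject(subject), parse_body(body)
    return {"verdict": "404keylogger-exfil" if (s or b) else "clean", "subject": s, "body": b}


# Constructed sample (not a real capture); values are placeholders.
SAMPLE_SUBJECT = "404K | Keylogger | Client Name: SampleClient"
SAMPLE_BODY = """|——- 404 Keylogger — Keylogger ——-|
_______ + Victim Info + _______
IP: 203.0.113.7
Owner Name: DESKTOP-TEST
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.18362
OS Platform: Win32NT
RAM Size: 8192
______________________________
[captured keystrokes would follow here]
"""

if __name__ == "__main__":
    print(classify_mail(SAMPLE_SUBJECT, SAMPLE_BODY))
```

Matching on the header alone is deliberately loose: the victim-info keys are extracted so a rule can also pivot on the reported external IP or hostname, and the subject check stands on its own for gateways that only see envelope data.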
FTP

With this method, the collected information is saved to a file and read back from it right there.

The logic behind this action is not entirely clear, but it creates an additional artifact for writing behavioural rules:

%HOMEDRIVE%%HOMEPATH%\Documents\A{arbitrary number}.txt

Pastebin

At the time of analysis, this method is used only to transfer stolen passwords. Moreover, it is used not as an alternative to the first two methods but in parallel with them. The condition is that a constant has the value "Vavaa"; presumably this is the client's name.

Communication goes over HTTPS through the Pastebin API. The value of api_paste_private is PASTE_UNLISTED, which prevents such pages from being found by search on Pastebin.
Encryption algorithm

Retrieving the file from resources

The payload is stored in the AtProtect loader's resources as a bitmap image. Extraction is performed in several stages:

- A byte array is extracted from the image. Each pixel is treated as a sequence of 3 bytes in BGR order. After extraction, the first 4 bytes of the array hold the message length and the following bytes hold the message itself.
- The key is computed. To do this, the MD5 of the value "ZpzwmjMJyfTNiRalKVrcSkxCN", specified as the password, is calculated; the resulting hash is written out more than once (the source leaves the exact count as the placeholder "XNUMX").
- Decryption is performed with the AES algorithm in ECB mode.
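An analyst reproducing this extraction needs the pixel walk, the length prefix and the key derivation in one place. The script below is an added example, not code from the page or from Group-IB. It takes the page's password constant and BGR order as given, and assumes what the page does not state: a little-endian length prefix, PKCS#7 padding, the MD5 digest concatenated twice to make a 32-byte key, and an installed pycryptodome or cryptography package for the AES step itself (the pixel and key functions run without either).

```python
"""Added example: extract and decrypt a payload hidden in a bitmap resource
in the way described above. Not the page's or Group-IB's code."""
import hashlib
import struct

PASSWORD = "ZpzwmjMJyfTNiRalKVrcSkxCN"   # key material named in the analysis


def derive_key(password: str = PASSWORD, repeats: int = 2) -> bytes:
    """MD5 of the password written out `repeats` times. The page says the hash is
    repeated; repeats=2 is an assumption that yields a 32-byte AES-256 key."""
    digest = hashlib.md5(password.encode("ascii")).digest()
    return digest * repeats


def bytes_from_pixels(pixels) -> bytes:
    """Flatten (R, G, B) pixel tuples into the BGR byte order the loader uses."""
    out = bytearray()
    for r, g, b in pixels:
        out.extend((b, g, r))
    return bytes(out)


def strip_length_prefix(blob: bytes) -> bytes:
    """First 4 bytes hold the message length, the rest is the message.
    Little-endian is an assumption (what .NET BitConverter would write)."""
    if len(blob) < 4:
        raise ValueError("blob too short for a length prefix")
    (length,) = struct.unpack("<I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError(f"length prefix {length} exceeds {len(blob) - 4} available bytes")
    return blob[4:4 + length]


def aes_ecb_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """AES-ECB via whichever library is installed; PKCS#7 unpadding is assumed."""
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    try:
        from Crypto.Cipher import AES                      # pycryptodome
        plain = AES.new(key, AES.MODE_ECB).decrypt(ciphertext)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
        plain = dec.update(ciphertext) + dec.finalize()
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong key or corrupted data")
    return plain[:-pad]


def extract_payload(pixels, key: bytes = None) -> bytes:
    """Full chain: pixels -> BGR bytes -> length-prefixed message -> AES-ECB plaintext."""
    return aes_ecb_decrypt(strip_length_prefix(bytes_from_pixels(pixels)), key or derive_key())


def pixels_from_bytes(blob: bytes):
    """Inverse helper used only to build a constructed test image: pads to a
    multiple of 3 and packs BGR triples back into (R, G, B) tuples."""
    padded = blob + b"\x00" * (-len(blob) % 3)
    return [(padded[i + 2], padded[i + 1], padded[i]) for i in range(0, len(padded), 3)]


if __name__ == "__main__":
    # Constructed sample: a short message in the length-prefixed form, plus slack bytes.
    msg = b"constructed-sample!!"
    img = pixels_from_bytes(struct.pack("<I", len(msg)) + msg + b"\xff" * 5)
    assert strip_length_prefix(bytes_from_pixels(img)) == msg
    print("derived key:", derive_key().hex())
```

For a real sample, read the bitmap with Pillow (`Image.open(path).convert("RGB").getdata()`) and pass the pixel iterator to `extract_payload`; a padding error from `aes_ecb_decrypt` is the usual sign that the key-repeat count or the byte order assumed here does not match the build under analysis.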
Malicious functionality

Downloader

Implemented in the AtProtect loader.

- By contacting [activelink-replace], the server's status is requested to check whether it is ready to serve the file. The server should return "ON".
- The payload is downloaded from the link [downloadlink-replace].
- Using Franchy ShellCode, the payload is injected into the process [inj-replace].

During analysis of the domain 404projects[.]xyz, additional instances of 404 Keylogger were identified on VirusTotal, as well as several types of loaders. Conventionally they can be divided into the following types:

- Download is performed from the resource 404projects[.]xyz. The data is Base64-encoded and AES-encrypted.
- This option consists of several stages and is most likely used in combination with the AtProtect loader.
- In the first stage, the data is loaded from Pastebin and decoded using the HexToByte function.
- In the second stage, the load source is 404projects[.]xyz. The decompression and decoding functions, however, are similar to those in the DataStealer. Probably it was originally planned to implement the loader functionality in the main module.
- At this stage the payload is already present, in compressed form, in the resource manifest. Similar extraction functions were also found in the main module.

Among the analysed files, downloaders for njRAT, SpyGate and other RATs were found.

Keylogger

Log sending interval: 30 minutes.

All characters are supported. Special characters are escaped. Backspace and Delete keys are handled. Case is distinguished.

ClipboardLogger

Log sending interval: 30 minutes.

Buffer polling interval: 0.1 seconds.

Link escaping is implemented.

ScreenLogger

Log sending interval: 60 minutes.

Screenshots are saved to %HOMEDRIVE%%HOMEPATH%\Documents\404k\404pic.png.

After sending, the 404k folder is deleted.

PasswordStealer
Browsers | Email clients | FTP clients |
---|---|---|
Chrome | Outlook | FileZilla |
Firefox | Thunderbird | |
SeaMonkey | Foxmail | |
Icedragon | | |
Pale Moon | | |
Cyberfox | | |
Chrome | | |
Brave Browser | | |
QQ Browser | | |
Iridium Browser | | |
Xvast Browser | | |
Chedot | | |
360 Browser | | |
Comodo Dragon | | |
360Chrome | | |
Superbird | | |
CentBrowser | | |
Ghost Browser | | |
Iron Browser | | |
Chrome | | |
Vivaldi | | |
SlimJet Browser | | |
Orbitum | | |
CocCoc | | |
Torch | | |
UC Browser | | |
Epic Browser | | |
Blisk Browser | | |
Opera | | |
Anti-dynamic-analysis

- Checking whether the process is being analysed. Performed by searching for the processes TASKMGR, ProcessHacker, procexp64, procexp, procmon. If at least one is found, the malware exits.
- Checking whether it is running in a virtual environment. Performed by searching for the processes vmtoolsd, VGAuthService, vmacthlp, VBoxService, VBoxTray. If at least one is found, the malware exits.
- Sleeping for 5 seconds.
- Displaying various kinds of dialog boxes. Can be used to bypass some sandboxes.
- UAC bypass. Performed by editing the EnableLUA registry key in the group policy settings.
- Applying the "hidden" attribute to the current file.
- Ability to delete the current file.

Inactive functionality

During analysis of the loader and the main module, functions responsible for additional capabilities were found, but they are not used anywhere. This is probably because the malware is still under development and its functionality will be extended further.

AtProtect loader

A function was found that loads an arbitrary module and injects it into the msiexec.exe process.

DataStealer

- Persistence in the system.
- Decompression and decryption functions. Encryption of data during network communication may be implemented soon.
- Terminating antivirus processes:
zlclient | Dvp95_0 | Pavsched | avgserv9 |
egui | Ecengine | Pavw | avgserv9schedapp |
bdagent | Esafe | PCCIOMON | avgemc |
npfmsg | Espwatch | PCCMAIN | ashwebsv |
olydbg | F-Agnt95 | Pccwin98 | ashdisp |
anubis | Findviru | Pcfwallicon | ashmaisv |
wireshark | Fprot | Persfw | ashserv |
avastui | F-Prot | POP3TRAP | aswUpdSv |
_Avp32 | F-Prot95 | PVIEW95 | symwsc |
vsmon | FP-Win | Rav7 | norton |
mbam | Frw | Rav7win | Norton Auto-Protect |
keyscrambler | F-Stopw | Rescue | norton_av |
_Avpcc | Iamapp | Safeweb | nortonav |
_Avpm | Iamserv | Scan32 | ccsetmgr |
Ackwin32 | Ibmasn | Scan95 | ccevtmgr |
Outpost | Ibmavsp | Scanpm | avadmin |
Anti-Trojan | Icload95 | Scrscan | avcenter |
ANTIVIR | Icloadnt | Serv95 | avgnt |
APVxdwin | Icmon | SMC | avguard |
ATRACK | icsupp95 | SMCSERVICE | avnotify |
Autodown | Icsuppnt | Sniffer | avscan |
Avconsol | Iface | Sphinx | guardgui |
Ave32 | Iomon98 | Sweep95 | nod32krn |
Avgctrl | Jedi | SYMPROXYSVC | nod32kui |
Avkserv | Lockdown2000 | Tbscan | clamscan |
Avnt | Lookout | Tca | clamTray |
Avp | Luall | TDS2-98 | clamWin |
Avp32 | McAfee | Tds2-NT | freshclam |
Avpcc | moolive | TermiNET | oladdin |
Avpdos32 | MPftray | Vet95 | sigtool |
Avpm | N32scanw | Vettray | w9xpopen |
Avptc32 | NAVAPSVC | Vscan40 | Wclose |
Avpupd | NAVAPW32 | Vsecomr | cmgrdian |
Avsched32 | NAVLU32 | Vshwin32 | alogserv |
AVSYNMGR | Navnt | VSstat | mcshield |
Avwin95 | NAVRUNR | Webscanx | vshwin32 |
Avwupd32 | Navw32 | WEBTRAP | avconsol |
Blackd | Navwnt | Wfindv32 | vsstat |
Blackice | NeoWatch | ZoneAlarm | avsynmgr |
Cfiadmin | NISSERV | Lockdown2000 | avcmd |
Cfiaudit | Nisum | RESCUE32 | avconfig |
Cfinet | Nmain | LUCOMSERVER | licmgr |
Cfinet32 | Normist | avgcc | sched |
Claw95 | NORTON | avgcc | preupd |
Claw95cf | Nupgrade | avgamsvr | MsMpEng |
Cleaner | Nvc95 | avgupsvc | MSASCui |
Cleaner3 | Outpost | avgw | Avira.Systray |
Defwatch | Padmin | avgcc32 | |
Dvp95 | Pavcl | avgserv | |
- Self-destruction.
- Loading data from the specified resource manifest.
- Copying the file to the path %Temp%\tmpG[current date and time in milliseconds].tmp.

Interestingly, the same function exists in the AgentTesla malware.

- Worm functionality.

The malware obtains a list of removable media. A copy of the malware is created in the root of the media's file system under the name Sys.exe. Autorun is implemented using the file AUTORUN.INF.

Attacker profile

During analysis of the command centre, it was possible to identify the developer's email and nickname: Razer (aka Brwa, Brwa65, HiDDen PerSOn, 404 Coder). Next, an interesting video demonstrating the operation of the builder was found on YouTube.

This made it possible to find the developer's original channel.

It became clear that he has experience writing crypters. There are links to pages on social networks, as well as the author's real name. He turned out to be a resident of Iraq.

This is what the developer of 404 Keylogger looks like. The photo is from his personal Facebook profile.

CERT Group-IB, a round-the-clock cyber threat monitoring and response centre (SOC) in Bahrain, has reported a new threat, 404 Keylogger.

Source: habr.com