APT uses the coronavirus to spread malware

An Advanced Persistent Threat (APT) group has recently been discovered running spear-phishing campaigns that exploit the coronavirus pandemic to spread its malware.

The world is currently facing an exceptional situation because of the Covid-19 coronavirus pandemic. In an attempt to contain the spread of the virus, a large number of companies worldwide have switched to remote work. This has greatly expanded the attack surface and poses a major information-security challenge for companies, which now have to enforce strict rules and take a number of measures to ensure business continuity and the operation of their IT systems.

However, the expanded attack surface is not the only cyber risk that has emerged in recent days: many cybercriminals are actively exploiting this global uncertainty to run phishing campaigns, distribute malware and threaten the information security of many companies.

The APT exploits the pandemic

At the end of last week, an Advanced Persistent Threat (APT) group known as Vicious Panda was discovered running spear-phishing campaigns that use the coronavirus pandemic to spread its malware. The email told the recipient that it contained information about the coronavirus, but in reality it carried two malicious RTF (Rich Text Format) files. If the victim opened these files, a Remote Access Trojan (RAT) was launched which, among other things, could take screenshots, build lists of the files and directories on the victim's computer, and download files.

So far this campaign has targeted the Mongolian public sector, and according to some Western experts it represents the latest attack in an ongoing Chinese operation against various governments and organizations around the world. This time, what stands out about the campaign is that it uses the new global coronavirus situation to infect more potential victims.

The phishing email appears to come from the Mongolian Ministry of Foreign Affairs and claims to contain information about the number of people infected with the virus. To weaponize the file, the attackers used RoyalRoad, a tool popular among Chinese threat actors that lets them build custom documents with embedded objects which exploit vulnerabilities in the Equation Editor integrated into MS Word for composing complex equations.
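A defender triaging such an attachment wants to know whether an RTF carries embedded OLE objects at all, and in particular whether any of them declares an Equation Editor class. The following script is an added example written for this page, not a tool from the article or from the researchers it cites; it uses only the standard RTF control words `\object`, `\objclass` and `\objdata`, and the sample RTF bytes inside it are constructed for the demonstration. It is a heuristic for prioritizing review, not a proof that a file is malicious or clean.

```python
"""Triage an RTF file for embedded OLE objects (added example, not from the article)."""
import re
import sys

# Standard RTF control words for embedded objects.  The negative lookahead keeps
# "\object" from also matching "\objemb" or "\objclass".
OBJECT_RE = re.compile(rb"\\object(?![a-z])")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\;]+)")
OBJDATA_RE = re.compile(rb"\\objdata(?![a-z])")

# Constructed sample: a minimal RTF with one embedded object whose class is
# declared as Equation.3 (the hex payload is a placeholder, not real object data).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 0105000002000000}}}"
)


def triage_rtf(data: bytes) -> dict:
    """Summarize the embedded objects in RTF bytes and flag Equation Editor classes."""
    classes = [m.group(1).strip().decode("ascii", "replace")
               for m in OBJCLASS_RE.finditer(data)]
    n_objects = len(OBJECT_RE.findall(data))
    n_objdata = len(OBJDATA_RE.findall(data))
    equation_object = any("equation" in c.lower() for c in classes)
    # Word is lenient about the header; a file that does not start with {\rtf
    # but still carries objects deserves a closer look.
    header_ok = data.lstrip().lower().startswith(b"{\\rtf")

    if equation_object:
        verdict = "review: Equation Editor object embedded"
    elif n_objects or n_objdata:
        verdict = "review: embedded OLE object(s) present"
    else:
        verdict = "no embedded objects found"

    return {
        "header_ok": header_ok,
        "object_count": n_objects,
        "objdata_count": n_objdata,
        "object_classes": classes,
        "equation_object": equation_object,
        "verdict": verdict,
    }


def triage_file(path: str) -> dict:
    """Read a file from disk and run the same triage on it."""
    with open(path, "rb") as f:
        return triage_rtf(f.read())


if __name__ == "__main__":
    # With a path argument, triage that file; otherwise run on the constructed sample.
    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage_rtf(SAMPLE_RTF)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the path of a suspicious attachment to get a quick verdict before the file is opened anywhere; a benign document that legitimately embeds an equation will also be flagged, which is the intended bias for mail-gateway triage.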

Persistence techniques

Once the victim opens the malicious RTF files, Microsoft Word exploits the vulnerability to drop a malicious file (intel.wll) into the Word startup folder (%APPDATA%\Microsoft\Word\STARTUP). This technique not only makes the threat persistent, it also keeps the full infection chain from detonating when the file is run in a sandbox, because Word has to be restarted before the malware fully launches.

The intel.wll file then loads a DLL that is used to download the malware and to communicate with the attacker's command and control server. The command and control server is only active for a strictly limited window each day, which makes it difficult to analyze and reach the more complex parts of the infection chain.

Even so, the researchers were able to determine that in the first stage of the chain, immediately after the appropriate command is received, the RAT is loaded and decrypted and the DLL is loaded into memory. The plugin-like architecture suggests that there are other modules besides the payload observed in this campaign.
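Because the chain only completes after Word restarts, a sandbox may never see the second stage; the reliable place to look is the startup folder itself on the endpoint. The following audit script is an added example written for this page, not code from the article or the researchers it cites. It assumes that any `.wll` add-in (or `.dot`/`.dotm` template) found in %APPDATA%\Microsoft\Word\STARTUP is worth reporting, since Word loads everything in that folder automatically; the file names used in the test are constructed.

```python
"""Audit the Word STARTUP folder for auto-loaded add-ins (added example, not from the article)."""
from __future__ import annotations

import hashlib
import os
import sys
from pathlib import Path

# Word loads these automatically from its STARTUP folder: .wll add-in DLLs
# (the vehicle the article describes) and global templates.
AUTO_LOADED = {".wll", ".dot", ".dotm"}


def default_startup_folder() -> Path:
    """%APPDATA%\\Microsoft\\Word\\STARTUP, the per-user folder named in the article."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large add-ins do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_word_startup(folder: Path) -> list[dict]:
    """Return one record per auto-loaded file in `folder`, sorted by name.

    Each record carries the name, size, SHA-256 and whether it is a .wll add-in,
    which is enough to compare against an allow-list or submit for analysis.
    """
    findings: list[dict] = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in AUTO_LOADED:
            continue
        findings.append({
            "name": entry.name,
            "size": entry.stat().st_size,
            "sha256": sha256_of(entry),
            "is_wll": entry.suffix.lower() == ".wll",
        })
    return findings


def main() -> None:
    folder = Path(sys.argv[1]) if len(sys.argv) > 1 else default_startup_folder()
    findings = audit_word_startup(folder)
    if not findings:
        print(f"no auto-loaded files in {folder}")
        return
    for f in findings:
        marker = "WLL " if f["is_wll"] else "    "
        print(f"{marker}{f['name']:<32} {f['size']:>8} {f['sha256']}")


if __name__ == "__main__":
    main()
```

On a clean workstation the folder is usually empty, so any `.wll` that appears after a user opened an emailed document is a strong lead; keeping a baseline of the hashes this script reports lets a responder spot a newly dropped add-in across many machines without relying on the malware detonating in a sandbox.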

Protective measures against the new APT

This malicious campaign uses numerous tricks to get into victims' systems and then compromise their information security. Protecting against such campaigns calls for a range of measures.

The first is essential: employees must be attentive and careful when handling email. Email is one of the main attack vectors, yet almost no company can do without it. If you receive an email from an unknown sender, it is better not to open it, and if you do open it, do not open any attachments or click on any links.

To compromise the victims' information security, this attack exploits a vulnerability in Word. Unpatched vulnerabilities are in fact the reason many cyberattacks succeed and, together with other security issues, can lead to major data breaches. That is why it is so important to apply the appropriate patch and close vulnerabilities as quickly as possible.

To address these problems, there are solutions designed specifically for identifying, managing and installing patches. The module automatically searches for the patches needed to secure the company's computers, prioritizes the most urgent updates and schedules their installation. Information about patches that still need to be installed is reported to the administrator, as is any exploit or malware detection.

The solution can immediately trigger the installation of the required patches and updates, or their installation can be scheduled from the central web-based management console, isolating unpatched computers if necessary. In this way the administrator keeps patches and updates under control and the company running smoothly.

Unfortunately, the cyberattack discussed here will certainly not be the last to take advantage of the current global coronavirus situation to compromise the information security of businesses.

Source: www.habr.com
