Key Takeaways
Analysis of an open directory revealed the toolkit and activity history of a Chinese-speaking threat actor.
The threat actor used WebLogicScan, Vulmap and Xray for extensive scanning and exploitation, targeting organizations in South Korea, China, Thailand, Taiwan and Iran.
The threat actor used the Viper C2 framework and a Cobalt Strike kit containing the TaoWu and Ladon extensions, tools commonly used for command-and-control (C2) in advanced intrusions.
The threat actor used the leaked LockBit 3 builder to generate a custom LockBit ransomware payload. The ransom note references a Telegram group, which is investigated further in this report.
An audio version of this report is available on Spotify, Apple, YouTube, Audible and Amazon.
0. Case Summary
In January 2024, The DFIR Report's threat intelligence team detected an internet-facing host with directory listing enabled and analyzed the tooling and activity found there. The analysis tied it to a Chinese-speaking hacking group calling itself "You Dun".
The group carried out a range of activity on the investigated host, including reconnaissance and web exploitation. Using tools such as WebLogicScan, Vulmap and Xray, they identified a large number of vulnerable servers. They exploited websites running Seeyon (致远) OA software and carried out SQL injection with sqlmap.
We found evidence of multiple successful exploitations. After gaining access, the actor used further tools and attempted several exploits to escalate privileges on compromised hosts, including traitor for Linux privilege escalation and CDK for Docker and Kubernetes privilege escalation.
Cobalt Strike and Viper framework files were also visible in the open directory, including a compressed Cobalt Strike team server kit with the TaoWu and Ladon plugins, which greatly extend the framework's capabilities. The DFIR Report's threat intelligence team tracked this C2 server hosting active command-and-control between 18 January and 10 February 2024. From data leaked by the server, we identified a cluster of eight IP addresses, all proxying the same actor's C2 server and active over the same time frame.
In addition, the group used the leaked LockBit 3 ransomware builder to generate a custom executable, LB3.exe. The ransom note produced by the LockBit binary gives contact details for the Telegram group "You_Dun", managed by "EVA". The group also goes by the name "Dark Cloud Shield Technical Team". Judging by its channel, the group appears to offer "penetration testing" services while also engaging in illegal data sales and DDoS attacks and, given its use of the LockBit executable, ransomware for profit.
1. Tooling
1.1 Information Gathering
1.1.1 WebLogicScan
The threat actor used WebLogicScan, a Python script for scanning WebLogic vulnerabilities.
According to the bash history, they ran the tool by feeding it several text files of targets.
1.1.2 Vulmap
The threat actor also used vulmap.py to scan for WebLogic vulnerabilities, again supplying several target lists.
Excerpt from the bash history:
The help output below describes the "-a" switch, which selects the target application:
1.1.3 Xray
The threat actor used Xray to run a broader vulnerability scan against two Chinese websites.
Bash history excerpt:
1.1.4 dirsearch
The threat actor used dirsearch to enumerate URL paths on target websites. The log of one of these scans remained on the system:
1.2 Exploitation
1.2.1 Sqlmap
The threat actor used sqlmap to attack several websites:
Below is one of many commands the actor used to dump tables from a South Korean pharmaceutical company:
1.2.2 Seeyon_exp
The threat actor used the script seeyon_exp to mass-upload JSPX web shells to multiple sites by exploiting a component of the Seeyon OA software.
Results left behind by the actor show evidence of web shells deployed after successful exploitation; the tool's output gives a list of vulnerable sites where the attack succeeded:
Once translated, the output confirms whether exploitation succeeded for each target.
1.2.3 Weaver
Another tool, weaver, was used to scan for and exploit vulnerable Weaver (泛微) OA instances. (The source report refers to Seeyon OA here, which appears to be an error.)
1.3 Command and Control
1.3.1 Cobalt Strike (S0154)
The bash history contains a nohup command that launches the Cobalt Strike team server with the following password and account details:
IP address 116.212.120.32 exposed the following Beacon configuration, most notably the cracked watermark 987654321:
Cobalt Strike Beacon:
x86:
beacon_type: HTTP
dns-beacon.strategy_fail_seconds: -1
dns-beacon.strategy_fail_x: -1
dns-beacon.strategy_rotate_seconds: -1
http-get.client:
Cookie
http-get.uri: 116.212.120.32,/IE9CompatViewList.xml
http-get.verb: GET
http-post.client:
Content-Type: application/octet-stream
id
http-post.uri: /submit.php
http-post.verb: POST
maxgetsize: 1048576
port: 80
post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
process-inject.execute:
CreateThread
SetThreadContext
CreateRemoteThread
RtlCreateUserThread
process-inject.startrwx: 64
process-inject.stub: e43a1b63f09794f74d90a9889f7acb77
process-inject.userwx: 64
proxy.behavior: 2 (Use IE settings)
server.publickey_md5: a490a5e2db1fcc496e6b793a8ea02a19
sleeptime: 60000
useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)
uses_cookies: 1
watermark: 987654321
x64:
beacon_type: HTTP
dns-beacon.strategy_fail_seconds: -1
dns-beacon.strategy_fail_x: -1
dns-beacon.strategy_rotate_seconds: -1
http-get.client:
Cookie
http-get.uri: 116.212.120.32,/visit.js
http-get.verb: GET
http-post.client:
Content-Type: application/octet-stream
id
http-post.uri: /submit.php
http-post.verb: POST
maxgetsize: 1048576
port: 80
post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
process-inject.execute:
CreateThread
SetThreadContext
CreateRemoteThread
RtlCreateUserThread
process-inject.startrwx: 64
process-inject.stub: e43a1b63f09794f74d90a9889f7acb77
process-inject.userwx: 64
proxy.behavior: 2 (Use IE settings)
server.publickey_md5: a490a5e2db1fcc496e6b793a8ea02a19
sleeptime: 60000
useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
uses_cookies: 1
watermark: 987654321
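A defender-side check derived from the Beacon profile above, added here as an example and not part of the original report: it parses proxy log lines in a hypothetical layout (the sample lines are constructed) and flags clients whose requests match the recovered GET/POST URIs and User-Agent and that check in at the configured 60-second sleep with no jitter.

```python
import re
from collections import defaultdict
from datetime import datetime

# Profile values recovered from the 116.212.120.32 Beacon configuration.
GET_URIS = {"/IE9CompatViewList.xml", "/visit.js"}
POST_URI = "/submit.php"
USER_AGENT_PREFIX = ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; "
                     "WOW64; Trident/5.0")
SLEEP_SECONDS = 60  # sleeptime: 60000 ms; the profile sets no jitter

# Hypothetical proxy log layout: ts client method host uri status "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<host>\S+) '
    r'(?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

UA_IE9 = ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; "
          "Trident/5.0; BOIE9;ENUS)")
UA_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"

# Constructed sample log: one host checking in every 60 s against the C2 profile,
# plus an unrelated client fetching a /visit.js that merely shares the path.
SAMPLE_LOG = "\n".join([
    f'2024-01-20T10:00:00Z 10.0.0.5 GET 116.212.120.32 /IE9CompatViewList.xml 200 "{UA_IE9}"',
    f'2024-01-20T10:01:00Z 10.0.0.5 GET 116.212.120.32 /IE9CompatViewList.xml 200 "{UA_IE9}"',
    f'2024-01-20T10:01:03Z 10.0.0.5 POST 116.212.120.32 /submit.php?id=1234 200 "{UA_IE9}"',
    f'2024-01-20T10:02:00Z 10.0.0.5 GET 116.212.120.32 /IE9CompatViewList.xml 200 "{UA_IE9}"',
    f'2024-01-20T10:00:10Z 10.0.0.9 GET www.example.com /visit.js 200 "{UA_CHROME}"',
    f'2024-01-20T10:00:12Z 10.0.0.9 GET www.example.com /index.html 200 "{UA_CHROME}"',
])


def parse_log(text):
    """Parse log lines into dicts with a datetime 'ts'; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            entries.append(e)
    return entries


def matches_profile(e):
    """True when a single request matches the recovered HTTP GET/POST profile."""
    if not e["ua"].startswith(USER_AGENT_PREFIX):
        return False
    path, _, query = e["uri"].partition("?")
    if e["method"] == "GET":
        return path in GET_URIS
    # POST side: /submit.php with the session id carried in the 'id' parameter
    return path == POST_URI and query.startswith("id=")


def find_beacons(entries, tolerance=5):
    """Group profile-matching GETs per (client, host) and flag groups whose
    check-ins recur within `tolerance` seconds of the configured sleeptime."""
    gets = defaultdict(list)
    for e in entries:
        if matches_profile(e) and e["method"] == "GET":
            gets[(e["client"], e["host"])].append(e["ts"])
    hits = []
    for (client, host), stamps in gets.items():
        stamps.sort()
        if len(stamps) < 3:  # need at least two intervals to judge cadence
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - SLEEP_SECONDS) <= tolerance for g in gaps):
            hits.append({"client": client, "host": host,
                         "checkins": len(stamps), "mean_gap": sum(gaps) / len(gaps)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['checkins']} check-ins, "
              f"mean gap {hit['mean_gap']:.0f}s (profile and cadence match)")
```

The path match alone is deliberately not enough: the Chrome client requesting /visit.js is ignored because its User-Agent and cadence do not fit the profile.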
The threat actor left a file named "红队版.zip" ("Red Team Edition.zip") in the root of the open directory.
The archive contains a Cobalt Strike kit identical to the contents extracted into the root of the open directory.
The script CrossC2-GithubBot-2023-03-27.cna used by the actor comes from this repository.
Other major components of this Cobalt Strike kit are TaoWu and Ladon, which significantly extend Cobalt Strike's functionality.
1.3.2 TaoWu
The TaoWu attack scripts bundle a range of tools and scripts that extend Cobalt Strike's operational capabilities.
The kit ships a large number of precompiled binaries under the path taowu-cobalt-strike-master/script:
./0803.exe
./360bowser.exe
./add-admin.exe
./ATPMiniDump.exe
./blocketw.exe
./blue.exe
./BrowserGhost.exe
./BypassAddUser.exe
./certexp.exe
./chfs.exe
./ClearnEventRecordID.ps1
./ClearnIpAddress.ps1
./ClearnTempLog.ps1
./crack.exe
./CredPhisher.exe
./cve-2014-4113.x64.dll
./cve-2014-4113.x86.dll
./cve-2015-1701.x64.dll
./cve-2015-1701.x86.dll
./cve-2016-0051.x86.dll
./CVE-2020-0796.x64.dll
./CVE-2021-1675.x64.dll
./dazzleUP_Reflective_DLL.x64.dll
./DecryptAutoLogon.exe
./DecryptTeamViewer.exe
./dis_defender.exe
./EfsPotato.exe
./encode
./encode.exe
./EncryptedZIP.exe
./FakeLogonScreen.exe
./FullPowers.dll
./Gopher.exe
./GPSCoordinates.exe
./hack-browser-data.exe
./InternalMonologue.exe
./Invoke-EternalBlue.ps1
./Invoke-MS16032.ps1
./Invoke-MS16135.ps1
./iox.exe
./JuicyPotato.x64.dll
./JuicyPotato.x86.dll
./KillEvenlogService.ps1
./Ladon.exe
./Ladon1.exe
./lazagne.exe
./ListAllUsers.ps1
./ListLogged-inUsers.ps1
./ListRDPConnections.exe
./LocalSessionManager.ps1
./LPE_Reflect_Elevate.x64.dll
./MaceTrap.exe
./MiniDump.exe
./napwd.exe
./navicatpwd.exe
./Net-GPPPassword.exe
./NoAmci.exe
./noNetApiAdd.exe
./NoPowerShell.exe
./RdpThief_x64.tmp
./Recon-AD-AllLocalGroups.dll
./Recon-AD-Computers.dll
./Recon-AD-Domain.dll
./Recon-AD-Groups.dll
./Recon-AD-LocalGroups.dll
./Recon-AD-SPNs.dll
./Recon-AD-Users.dll
./ReflectiveDll.x64.dll
./RegRdpPort.ps1
./rpcscan.dll
./SafetyKatz.exe
./scout.exe
./scrying.exe
./Seatbelt.exe
./SessionGopher.ps1
./SessionSearcher.exe
./Sharp3389.exe
./SharpAVKB.exe
./SharpBypassUAC.exe
./SharpChassisType.exe
./SharpCheckInfo.exe
./SharpChromium.exe
./SharpClipHistory.exe
./SharpCloud.exe
./SharpCrashEventLog.exe
./SharpDecryptPwd.exe
./SharpDecryptPwd2.exe
./SharpDir.exe
./SharpDirLister.exe
./SharpDomainSpray.exe
./SharpDoor.exe
./SharpDPAPI.exe
./SharpDump.exe
./SharpEDRChecker.exe
./SharPersist.exe
./SharpEventLog.exe
./SharpExcelibur.exe
./SharpExec.exe
./SharpGetTitle.exe
./SharpGPOAbuse.exe
./SharpHide.exe
./SharpHound.exe
./SharpLocker.exe
./SharpMiniDump.exe
./SharpNetCheck.exe
./SharpOXID-Find.exe
./SharpSCshell.exe
./SharpShares.exe
./SharpSpray.exe
./SharpSpray1.exe
./SharpSQLDump.exe
./SharpSQLTools.exe
./SharpStay.exe
./SharpTask.exe
./SharpWeb.exe
./SharpWebScan.exe
./SharpWifiGrabber.exe
./sharpwmi.exe
./SharpXDecrypt.exe
./SharpZeroLogon.exe
./SharpZip.exe
./Shhmon.exe
./SolarFlare.exe
./SPNSearcher.exe
./SpoolTrigger.x64.dll
./SpoolTrigger.x86.dll
./Stealer.exe
./StickyNotesExtract.exe
./SweetPotato.exe
./Telemetry.exe
./Telemetry3.5.exe
./temp.exe
./user.exe
./Watson.exe
./WeblogicRCE.exe
./WireTap.exe
./WMIHACKER.vbs
./x64
./x64/bypass.exe
./x64/frpc.exe
./x64/fscan.exe
./x64/index.html
./x64/nc.exe
./x64/npc.exe
./x64/PrintSpoofer.dll
./x64/PrintSpoofer.exe
./x86
./x86/bypass.exe
./x86/frpc.exe
./x86/fscan.exe
./x86/index.html
./x86/npc.exe
./x86/PrintSpoofer.dll
./x86/PrintSpoofer.exe
1.3.3 Ladon
The Ladon plugin is a framework designed for Cobalt Strike that automates much of the intrusion workflow.
Its documentation (https://mp.weixin.qq.com/s/GQBXCX1fiSLi6gKY3M-JcA) includes the following screenshot:
1.3.4 Viper
Viper is a command-and-control (C2) tool for post-exploitation activity and one of several C2 frameworks tracked by The DFIR Report's threat intelligence team. From its GitHub description:
The tool was installed by running the f8x script, which installs the Docker dependencies and deploys a largely preconfigured Docker image:
During the initial installation the threat actor was prompted for a password and reused the same password configured for the Cobalt Strike team server:
We observed the Viper C2 management panel listening on the default TCP port 60000 and using the default SSL certificate shipped in the Docker image. Pivoting on that default certificate in Censys reveals a much larger set of Viper Docker images exposed on the internet.
Censys search:
services.tls.certificates.leaf_data.fingerprint:4de3278507c89d2242a12c20b74878e3f84970c463a924771f156a3da7d7b5a1 or services.tls.certificates.chain.fingerprint: 4de3278507c89d2242a12c20b74878e3f84970c463a924771f156a3da7d7b5a1
The attacker used Viper C2 for post-exploitation on an AWS host running the Bitnami WordPress application. After gaining initial access, they used the vipermsf (Metasploit) backend to upload and execute a file with a one-liner:
The ONE-LINE-CMD mode matches the format of the Viper MSF Web Delivery API found on GitHub.
Information collected from the Redis RDB dump file with the Redis RDB tool shows that the payload executed successfully, indicating working command execution via the host information module.
Because the on-disk location of the payload matches the public proof-of-concept exploit code, we assess with high confidence that the attacker gained initial access through a vulnerability in the WordPress plugin WPCargo, specifically the remote code execution vulnerability CVE-2021-25003.
1.4 Privilege Escalation
The reverse shell created by the payload appears to have been used to run a tool named CDK for Docker container exploitation.
mount-cgroup is a CDK module that exploits the Docker container escape documented by @_fel1x.
Subsequent activity shows the threat actor uploading an additional file for privilege escalation through the Viper proxy:
traitor-amd64 upload completed
Traitor is a tool that bundles several privilege escalation exploits for Linux systems.
1.5 Impact
The threat actor stored a copy of the LockBit ransomware at .local/LB3.exe, and the host's bash history shows them deleting two RAR files:
Although the archives no longer exist and could not be analyzed, we assess with medium confidence that they were copies of the previously leaked LockBit Black ransomware builder. Below is a screenshot of .local/LB3.exe running in the Triage sandbox:
Executing the leftover LB3.exe binary during analysis produced the following ransom note:
The Telegram channel referenced in the ransom note is hXXps://t.me/You_Dun. See the "Threat Actor Profile" section for further analysis of the group.
2. Victims
Countries and regions:
South Korea
China
Thailand
Taiwan
Iran
As part of the reconnaissance activity, the threat actor left lists of target URLs used with several tools, separated by country:
./vulmap/kk.txt – South Korean IPs and domains
./vulmap/kr.txt – South Korean IPs and domains
./vulmap/hh.txt – IPs and domains from multiple countries
./vulmap/wb.txt – Iranian IPs and domains
./vulmap/ww.txt – Iranian IPs and domains
./weaver_exp/uu.txt – Chinese IPs and domains
./WebLogicScan/target.txt – Iranian IPs and domains
./WebLogicScan/kk.txt – South Korean IPs and domains
./tt.txt – a saved HTTP request to a Thai police website
Among the targeted countries, China, South Korea and Iran were observed most frequently.
Industries:
Although we list the following industries, we do not believe the threat actor specifically targeted any particular industry in this case.
Government
Education
Healthcare
Logistics
3. Infrastructure
The open directory we initially investigated had the following characteristics:
8000/opendir
Server: SimpleHTTP/0.6 Python/3.8.10
28888/mitmproxy
SSL Cert Issuer: CN=mitmproxy, O=mitmproxy
SSL Cert Subject: CN=163.53.216.157
JA3S: 15af977ce25de452b96affa2addb1036
55918/SSH
Fingerprint SHA256: 1192d660e36e9b6f671a22a1ed1adb50f752ca986885ecfffdbbf3967e8ff9c1
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
60000/Viper
SSL Cert Issuer: C=CN, ST=0d72da0c, L=0d72da0c, O=0d72da0c, OU=0d72da0c, CN=0d72da0c
SSL Cert Subject: C=CN, ST=d1d38ec9, L=d1d38ec9, O=d1d38ec9, OU=d1d38ec9, CN=d1d38ec9
JA3S: 475c9302dc42b2751db9edcac3b74891
The root of the open directory contained the following:
A Censys search for other hosts with the same SSH fingerprint returned eight results, all with similar open services.
services.ssh.server_host_key.fingerprint_sha256: 1192d660e36e9b6f671a22a1ed1adb50f752ca986885ecfffdbbf3967e8ff9c1
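The Censys pivot above keys on the SHA256 of the raw SSH host key. The following added example (not from the report) shows how a defender can derive that same hex fingerprint from ssh-keyscan output, relate it to the base64 form OpenSSH prints, and match scanned hosts against the indicator. The keyscan lines and the ssh-ed25519 key material are constructed.

```python
import base64
import hashlib
import struct

# Indicator from this report: SHA256 (hex) of the open directory's SSH host key,
# the form Censys indexes as services.ssh.server_host_key.fingerprint_sha256.
KNOWN_HOST_KEY_SHA256 = "1192d660e36e9b6f671a22a1ed1adb50f752ca986885ecfffdbbf3967e8ff9c1"


def fingerprints(pubkey_b64):
    """Return (hex, openssh) SHA256 fingerprints of a base64 SSH public key blob.
    Both derive from one hash of the raw wire-format blob: Censys stores the hex
    digest, OpenSSH prints 'SHA256:' followed by the unpadded base64 digest."""
    blob = base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(blob).digest()
    return digest.hex(), "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def same_digest(hex_fp, openssh_fp):
    """True when a hex fingerprint and an OpenSSH 'SHA256:...' fingerprint agree."""
    b64 = openssh_fp[len("SHA256:"):]
    b64 += "=" * (-len(b64) % 4)  # restore the padding OpenSSH strips
    return base64.b64decode(b64) == bytes.fromhex(hex_fp)


def parse_keyscan_line(line):
    """Parse one 'host keytype base64' line as written by ssh-keyscan; comment
    lines (which ssh-keyscan emits with -v) and short lines yield None."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    return parts[0], parts[1], parts[2]


def match_hosts(keyscan_output, indicators):
    """Return (host, keytype, hex_fp) for hosts whose key hashes to an indicator."""
    hits = []
    for line in keyscan_output.splitlines():
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, keytype, b64 = parsed
        hex_fp, _ = fingerprints(b64)
        if hex_fp.lower() in indicators:
            hits.append((host, keytype, hex_fp))
    return hits


def make_ed25519_blob(raw32):
    """Build a base64 ssh-ed25519 wire-format blob (two length-prefixed strings:
    key type, then key bytes) from 32 raw bytes. Constructed test material only."""
    def sshstr(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(sshstr(b"ssh-ed25519") + sshstr(raw32)).decode()


# Constructed sample: two hosts with made-up keys, plus a keyscan comment line.
CONSTRUCTED_KEY = make_ed25519_blob(bytes(range(32)))
SAMPLE_KEYSCAN = "\n".join([
    "# 203.0.113.10:55918 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",
    f"203.0.113.10 ssh-ed25519 {CONSTRUCTED_KEY}",
    f"203.0.113.11 ssh-ed25519 {make_ed25519_blob(bytes(32))}",
])


if __name__ == "__main__":
    hex_fp, openssh_fp = fingerprints(CONSTRUCTED_KEY)
    print("constructed key:", hex_fp, openssh_fp)
    # Add the constructed key's fingerprint to the indicator set so the match
    # path is exercised alongside the real indicator from the report.
    for host, keytype, fp in match_hosts(SAMPLE_KEYSCAN, {KNOWN_HOST_KEY_SHA256, hex_fp}):
        print(f"match: {host} ({keytype}) {fp}")
```

The same hashing applies to the Viper certificate pivot: Censys's services.tls.certificates.leaf_data.fingerprint is the SHA256 of the certificate's DER bytes.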
Based on the fingerprints of these servers and the shared open directory contents, we assess that the following IPs were used at different times to proxy the threat actor's backend infrastructure:
43.228.89.245
43.228.89.246
43.228.89.247
43.228.89.248
103.228.108.247
115.126.107.244
116.212.120.32
163.53.216.157
All of these IP addresses belong to the same ISP, Forewin Telecom Group Limited. Although we did not have access to the whole system, we found traces in ".viminfo" indicating that these IPs had been deliberately added to a file on the device using vim.
Review of the Viper access logs showed the service initially listening on the domain fgfg.bcfnwg.cc:60000. The domain was registered through NameSilo on 7 February 2023 at 16:16:06 UTC.
From the Viper entries in the server access logs, we determined that the attacker was connecting from IP address 101.36.124.183 at the time.
Further analysis suggests this IP address is a proxy.
3.1 f8x
f8x is a provisioning script that The DFIR Report has observed on infrastructure controlled by several threat actors. It automates infrastructure setup, installing security tools and dependencies.
In this case, the threat actor simply downloaded the script from f8x.io with curl and ran it with the -all and -viper options:
curl -o f8x https://f8x.io/
chmod +X f8x
bash f8x -all
bash f8x -viper
According to the GitHub documentation, several other options are available, for example:
4. Threat Actor Profile
Based on the tooling and evidence available, the threat actor is a Chinese speaker.
The Telegram channel referenced in the modified ransom note is hXXps://t.me/You_Dun, created on 9 January 2024 (since deleted):
Like many other threat actors who claim to be innocent "penetration testers", this group is no exception:
Reviewing their Telegram channel shows posts documenting various operations, such as website defacements and data leaks.
The group's administrator goes by the nickname "EVA", with the Telegram handle @YD099 and user ID 6392878812.
Further analysis found two more groups associated with the Telegram group hxxps://t.me/You_Dun:
hxxps://t.me/You_Dun888
hxxps://t.me/juxingchuhai
You_Dun888 is a group claiming to offer a range of services, including penetration testing, data sales and DDoS attacks.
The You_Dun888 group, named "Dark Cloud Shield", also shows evidence of website defacements and intrusions.
The Telegram channel @xuanshang posted an advertisement whose wording resembles the descriptions of the other channels, with a link to the now-deleted You_Dun777 channel.
5. Diamond Model
6. Indicators
6.1 Atomic
43.228.89.245
43.228.89.246
43.228.89.247
43.228.89.248
103.228.108.247
115.126.107.244
163.53.216.157
116.212.120.32
6.2 Computed
SSH fingerprint for the open directory
SHA256: 1192d660e36e9b6f671a22a1ed1adb50f752ca986885ecfffdbbf3967e8ff9c1
红队版.zip (Cobalt Strike Kit)
SHA256: b94d9412764529f264433c39b6043d43b96e824d016f40a5a38e26771374171f
SHA1: 56bd833178c08baedb0a6f51c957a0cc8e6f9298
MD5: 8c4d6f6c6db273d79a7c46b623e515e3
xray_linux_amd64
SHA256: 6e3c5f8444040e5982da9990cbb9d0ce66b7272a3e6804139e7cbe3083459035
SHA1: 89b12a33628d5939bcedb53c908df9dbb24fe910
MD5: 77915c856012baa7cd554041e7315317
YeNoenXSQB.exe
SHA256: fa301a12655598b9266a8315ac7f48da4f79ed4ea39273e57ac08b8c66b6fced
SHA1: b7b0a37aee514c735913bfa8826faa4bbfc14556
MD5: 2cc31da03228b31dae0a05065e9e1506
f8x (ffffffff0x)
SHA256: 206ac51c01604267c04f0966cdc685fd9ade42dd8d0698df639b06a0ed19377f
SHA1: 2787930ac016783837e7d11903cd84c055356e4c
MD5: 0658d07948a053da265ef693a64e9626
LB3.exe (LockBit)
SHA256: 07104f9be906e62be7539e4f81d980dddb480d64dce204c199a2afe5a0bc3367
SHA1: f8ccc2503052eceebd5311a8b74dc197a4e9f68a
MD5: c8033ec30b55a46ce7daf9d7d9b6b596
TaoWu Cobalt Strike Kit - MD5
Ladon Cobalt Strike Kit - MD5
7. Attack and Defense Framework
Source:
https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-dun-threat-group/