Recently, 360 Core Security has been monitoring a trojan aimed at personnel in the foreign trade industry. The trojan is embedded in PPT documents delivered as phishing-mail attachments, and the executable it carries is signed with a counterfeit digital signature impersonating a well-known company, "understand to believe".
Attack process
The trojan carrying the counterfeit "understand to believe" signature spreads mainly in two ways: phishing mails sent to specific target groups, and delivery by the long-concealed "troubled times" trojan that is already present on the victim's machine.
This article focuses on the phishing-mail technique. The gang meticulously crafted a variety of PPT documents, each disguised with content tailored to a different group of target personnel, and spread them as mail attachments to lure users into downloading and opening them. One example is shown below: the lure attachment is disguised as a slide deck about Cheng Mou's air freshener.
When the document is opened directly, the office software (Office PowerPoint or WPS Presentation) automatically plays the slideshow in full screen, as shown below. At that point, simply moving the mouse, or clicking the slide because the wording on it invites a click, triggers the action that launches the trojan. Because running a program directly in this way is dangerous, office software normally pops up a warning and lets the user choose whether to proceed. Nevertheless, many users click "OK" carelessly, or keep seeing the dialog because the trigger fires again and again, and eventually let the trojan run.
Once it gets a chance to run, the PPT software drops the trojan program into the temporary directory and launches it under a name disguised as an Office batch-processing program. This program is the one that carries the counterfeit "understand to believe" digital signature.
Testing shows that this method of launching the trojan has a high success rate. The main reason is that the author saved the PPT document with the extension of an auto-playing slideshow file (".ppsx") and placed in it an object whose actions can be triggered repeatedly. A PPT document is normally saved as ".ppt" or ".pptx" and does not start a full-screen slideshow when opened. Renaming the sample's extension to ".pptx" and opening it, as shown below, reveals an inserted external object with a "custom animation" attached to it.
If the inserted external program object could only be launched by clicking it, the success rate would be relatively low. But the author deliberately set both "mouse over" and "mouse click" on the object as triggers. As long as the document is playing in full screen, merely moving the mouse fires the action that launches the trojan process again and again, and the security warning keeps popping up until the user gives in, which greatly raises the chance that the trojan runs.
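The report shows the trigger setup only as screenshots. As an added example (not 360's code or the gang's file), the scanner below implements the check a defender would run on a suspicious attachment before anyone opens it: flag an auto-play extension, and walk the slide XML inside the OOXML zip for hyperlink actions that launch something outside the deck. It assumes the triggers are stored the standard OOXML way, as `a:hlinkClick` / `a:hlinkMouseOver` elements with a `ppaction://program` (or `ppaction://ole`) action whose target is resolved through the slide's `.rels` part; the sample `.ppsx` it builds in memory is constructed for the demo, and the target path in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by PresentationML slide parts and package relationships.
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"

# Extensions that make PowerPoint / WPS start a full-screen show on open.
AUTOPLAY_EXTS = (".pps", ".ppsx", ".ppsm")
# Action URIs that run something outside the presentation itself.
RISKY_ACTIONS = ("ppaction://program", "ppaction://ole", "ppaction://macro")


def is_autoplay_name(filename):
    """True if the extension alone causes an automatic slideshow."""
    return filename.lower().endswith(AUTOPLAY_EXTS)


def _rel_targets(zf, slide_path):
    """Map relationship ids of one slide part to their (possibly external) targets."""
    folder, name = slide_path.rsplit("/", 1)
    rels_path = f"{folder}/_rels/{name}.rels"
    targets = {}
    if rels_path in zf.namelist():
        root = ET.fromstring(zf.read(rels_path))
        for rel in root.iter(f"{{{NS_REL}}}Relationship"):
            targets[rel.get("Id")] = rel.get("Target")
    return targets


def scan_slide(zf, slide_path):
    """Findings for hyperlink actions (click and mouse-over) and OLE objects in one slide."""
    findings = []
    targets = _rel_targets(zf, slide_path)
    root = ET.fromstring(zf.read(slide_path))
    for tag in ("hlinkClick", "hlinkMouseOver"):
        for el in root.iter(f"{{{NS_A}}}{tag}"):
            action = el.get("action", "")
            if action.startswith(RISKY_ACTIONS):
                target = targets.get(el.get(f"{{{NS_R}}}id"), "<none>")
                findings.append(f"{slide_path}: {tag} action={action} target={target}")
    for ole in root.iter(f"{{{NS_P}}}oleObj"):
        findings.append(f"{slide_path}: embedded oleObj progId={ole.get('progId', '?')}")
    return findings


def scan_presentation(filename, data):
    """Scan an OOXML presentation held in memory and return a list of findings."""
    findings = []
    if is_autoplay_name(filename):
        findings.append(f"{filename}: auto-play slideshow extension")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in sorted(zf.namelist()):
            if part.startswith("ppt/slides/") and part.endswith(".xml"):
                findings.extend(scan_slide(zf, part))
    return findings


# Constructed sample: one picture with click AND mouse-over program actions,
# mirroring the trigger pair described in the report. Not the real attachment.
SAMPLE_SLIDE = f"""<?xml version="1.0" encoding="UTF-8"?>
<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}">
  <p:cSld><p:spTree>
    <p:pic><p:nvPicPr>
      <p:cNvPr id="4" name="Picture 3">
        <a:hlinkClick r:id="rId2" action="ppaction://program"/>
        <a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>
      </p:cNvPr>
    </p:nvPicPr></p:pic>
  </p:spTree></p:cSld>
</p:sld>"""
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{NS_REL}">
  <Relationship Id="rId2" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
    Target="file:///C:/Users/victim/AppData/Local/Temp/office_batch.exe"/>
</Relationships>"""


def build_sample_ppsx():
    """Build the constructed minimal .ppsx zip in memory (placeholder target path)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", SAMPLE_SLIDE)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_presentation("lure.ppsx", build_sample_ppsx()):
        print(line)
```

Run against a real attachment with `scan_presentation(name, open(name, "rb").read())`; a mouse-over finding on a `ppaction://program` link is the signal the report describes, since a legitimate deck rarely launches an external program on hover.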
Trojan analysis
Through the attack technique above, the trojan is successfully launched and begins its work. We first located where the trojan program was dropped and examined its outward features: not only does its file version information masquerade as a "PDF document converter", but the program code is also packed with the "Themida" protector.
After unpacking the trojan program, further tracing with a debugger showed that it is only a loader. Its job is to decode the core DLL module that does the real work in memory and load it there. The loading process first checks the data format of the PE header, then re-allocates memory according to the PE layout and performs a LoadPE (manual mapping).
After the core DLL module is loaded, the loader parses the PE structure to obtain the address of the exported function "Shellex", then calls that export to carry out the work.
Once in its working flow, the trojan module first connects to the network and downloads a decoy PPT document, "stick1.ppsx", from the address "Hxxp://139.159.132.114:988/ppt/stick1.ppsx".
The trojan then opens and plays this PPT document to show the target user content of interest, with the aim of lowering the user's alertness. The document has two slides, both still about the "air freshener".
Of course, playing the "air freshener" PPT is only the outward show; the trojan program quietly keeps running in the background. For persistence, it adds itself to startup: it calls "DefineDosDeviceA" to create a DOS symbolic link pointing at the system's Startup directory, then copies itself to the path behind that symbolic link, so that the trojan is copied into the Startup directory indirectly.
After setting up persistence, the trojan immediately prepares to check in. The server address it connects to is "Www.kuailebaoche.com:9009".
After connecting to the server, it collects information about the user's computer, including the system version, memory and hard-disk status and the trojan's installation time, and also enumerates all running processes to learn which security software is running on the machine, for the convenience of later control activity.
After the information has been uploaded and the check-in has succeeded, the trojan waits for operation requests from the remote control end. When a control request arrives, the received data is placed in a buffer, first decoded with a simple XOR, then parsed, and the control command is dispatched.
Finally it enters the command-dispatch flow, which includes common remote-control trojan functions such as downloading and executing files, enumerating processes and logging off the system.
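The behaviour described in the analysis (presentation software spawning an executable from the temp directory, that executable writing itself into the Startup folder, and outbound connections to the two server addresses named above) maps onto three simple host detection rules. The code below is an added example, not 360's own tooling; the event records are constructed for the demo in a generic key/value shape rather than any particular sensor's log format, the victim paths and the `office_batch.exe` name are placeholders, and only the two network indicators are taken from the report.

```python
import re

# Network indicators quoted in the report: C2 server and decoy-download server.
C2_INDICATORS = {
    ("www.kuailebaoche.com", 9009),
    ("139.159.132.114", 988),
}
# Presentation hosts: Microsoft PowerPoint and WPS Presentation.
PRESENTATION_HOSTS = {"powerpnt.exe", "wpp.exe"}
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the name of the rule this event trips, or None if it looks benign."""
    kind = ev["type"]
    if kind == "process_create":
        # Rule 1: a slideshow player launched a program out of the user's temp folder.
        if basename(ev["parent_image"]) in PRESENTATION_HOSTS and TEMP_RE.search(ev["image"]):
            return "presentation_spawned_temp_exe"
    elif kind == "file_create":
        # Rule 2: a temp-folder program wrote a file into the Startup folder
        # (the DefineDosDeviceA trick still ends with a file landing there).
        if STARTUP_RE.search(ev["target"]) and TEMP_RE.search(ev["image"]):
            return "temp_exe_wrote_startup_folder"
    elif kind == "net_connect":
        # Rule 3: connection to an indicator from the report.
        if (ev["dest"].lower(), ev["port"]) in C2_INDICATORS:
            return "known_c2_indicator"
    return None


def detect(events):
    """Run every event through the rules; return (event index, rule name) pairs."""
    alerts = []
    for i, ev in enumerate(events):
        rule = check_event(ev)
        if rule:
            alerts.append((i, rule))
    return alerts


# Constructed telemetry for the demo (placeholder paths, not real IoCs except dest/port).
DROPPER = r"C:\Users\victim\AppData\Local\Temp\office_batch.exe"
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": DROPPER},
    {"type": "file_create", "image": DROPPER,
     "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office_batch.exe"},
    {"type": "net_connect", "image": DROPPER, "dest": "139.159.132.114", "port": 988},
    {"type": "net_connect", "image": DROPPER, "dest": "www.kuailebaoche.com", "port": 9009},
    # Benign noise that must not alert.
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "net_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "www.example.com", "port": 443},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Rule 2 matches the resolved Startup path; a sensor that logs the DOS-device alias the trojan created rather than the resolved target would need the alias resolved first (on Windows, QueryDosDevice), and a sudden DefineDosDevice call from a temp-folder process is itself worth alerting on where the sensor exposes it.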
Tracking and tracing
Sorting through the programs signed with this counterfeit signature, we found that, besides the trojan program, the gang also used the signature, after 360 had comprehensively detected and removed the trojan, to sign and release a large number of "understand to believe" software programs and a few other normal programs, apparently to keep testing security products.
The counterfeit signature compared with a program carrying the genuine "understand to believe" signature is shown below: the tail of the forged signer string carries one extra, very inconspicuous dot. The gang applied for this counterfeit signature from a different certificate issuing organization.
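A signer name that differs from the genuine one only by a trailing dot defeats any allowlist that compares exact strings, yet a plain substring check would also wave it through. As an added example (not 360's code), the helper below separates "exact match" from "matches only after normalisation" so the second case can be surfaced to an analyst, and reports the characters by which the lookalike differs. The trusted publisher name is a constructed placeholder, not the real company from the report, and the code assumes the subject CN has already been extracted from the signing certificate by whatever signature-verification tool is in use.

```python
import unicodedata

# Constructed allowlist of trusted signer names (placeholder company).
TRUSTED_SIGNERS = {"Example Publisher Co., Ltd."}

# Dot-like characters an impostor might append: full stop, middle dot,
# one dot leader, hyphenation point, ideographic full stop, fullwidth full stop.
DOT_LIKE = " .\u00b7\u2024\u2027\u3002\uff0e"


def canonical(name):
    """Normalise a certificate subject name so near-identical strings compare equal."""
    s = unicodedata.normalize("NFKC", name)   # folds fullwidth/compat forms
    s = " ".join(s.split())                    # collapse whitespace runs
    s = s.rstrip(DOT_LIKE)                     # drop trailing dots and spaces
    return s.casefold()


def classify_signer(name, trusted=TRUSTED_SIGNERS):
    """'trusted' on exact match, 'lookalike' if only the canonical form matches, else 'unknown'."""
    if name in trusted:
        return "trusted"
    if canonical(name) in {canonical(t) for t in trusted}:
        return "lookalike"
    return "unknown"


def trailing_difference(name, trusted=TRUSTED_SIGNERS):
    """For a lookalike, name the code points it adds beyond the trusted string it mimics."""
    for t in trusted:
        if canonical(t) == canonical(name) and name.startswith(t):
            return [unicodedata.name(c, "UNKNOWN") for c in name[len(t):]]
    return []


if __name__ == "__main__":
    for signer in ("Example Publisher Co., Ltd.", "Example Publisher Co., Ltd..",
                   "Example Publisher Co., Ltd. .", "Totally Different Ltd."):
        print(repr(signer), classify_signer(signer), trailing_difference(signer))
```

A "lookalike" verdict should be treated as a failed allowlist check, not a pass: the certificate is technically valid, which is exactly why the report's sample cleared signature verification, so the decision has to rest on the signer identity rather than on the signature's cryptographic validity alone.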
We already touched on and summarized similar signature-abuse techniques this year in the ""troubled times" trojan family analysis" report and the "Remote-control trojan abusing the official NetEase signature" report. Further digging shows that among this batch of trojans signed with the counterfeit "understand to believe" signature, one part spread through phishing mail while another part was delivered as a payload of the "troubled times" trojan. A typical case: the earliest this payload sample appeared on a victim's machine was May 5, 2018; after more than half a year of concealment, on October 26, 2018 it finally launched the remote-control trojan with the counterfeit "understand to believe" signature. That victim also worked in the foreign trade industry, consistent with the target group of the phishing mail described above.
Clearly this gang is closely connected with the "troubled times" trojan gang, and both specialize in attacking personnel in the foreign trade industry. A brief summary of the characteristics of the two and the relation between them is shown below.
Protection advice
Based on the gang's commonly used attack techniques, we offer users the following protection advice.
1. Email: Be vigilant about mail from unknown senders, and do not casually click any link, picture or attachment in it. If a warning appears while opening one, do not ignore it or panic; stop the action in time.
2. Documents: Do not casually open any document of unknown origin. If a security warning pops up while opening one, read the options carefully and stop it from continuing to run; if the screen flickers, the program crashes or other strange behaviour appears while opening it, check Task Manager and close suspicious processes.
3. IM tools: Do not casually accept or open any file, picture or link sent by a chat partner or group you do not know. Turn on the display of file extensions and check the file name and extension before opening a file.
4. Software tools: Do not casually download and run software of unknown origin from the internet; commonly used software can be downloaded and installed through official channels or 360 Software Manager.
5. Security software: We recommend installing 360 Safe Guard or 360 Antivirus for all-round security detection and protection.
Summary
This attack, aimed specifically at the target group of one industry, also sheds light from the side on the large, intricate and well-organized structure of the associated "troubled times" trojan gang. Judging from its attack characteristics, the gang is good at using meticulously crafted targeted documents, mails or links, combined with social engineering and signature counterfeiting, to lure targets into executing the attack and catch people off guard. Moreover, the gang may carry out long-term monitoring and concealment after a successful attack, and keeps updating and iterating its trojan backdoor components; its attack posture tends toward long-term, specialized operations. A user may have unknowingly become a target already, and even when something is noticed, the concealment techniques may leave no way to respond. Facing increasingly frequent, active and rampant trojan gangs, we hope users raise their security awareness and install protective software promptly to guard against attacks and financial loss.
Appendix
Hashes
Referenced links