{"id":101446,"date":"2019-03-19T12:00:20","date_gmt":"2019-03-19T19:00:20","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=101446\/"},"modified":"2019-11-26T00:06:45","modified_gmt":"2019-11-26T08:06:45","slug":"cardinal-rat-sins-again-targets-israeli-fin-tech-firms","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-r

<gr_replace lines="1-1" cat="clarify" orig="{"id":101446,">
{"id":101446,"date":"2019-03-19T12:00:20","date_gmt":"2019-03-19T19:00:20","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=101446\/"},"modified":"2019-11-26T00:06:45","modified_gmt":"2019-11-26T08:06:45","slug":"cardinal-rat-sins-again-targets-israeli-fin-tech-firms","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/","title":{"rendered":"Cardinal RAT Sins Again, Targets Israeli Fin-Tech Firms"},"content":{"rendered":"<h2>Summary<\/h2>\n<p>In 2017, Unit 42, the Palo Alto Networks threat intelligence team, reported on and analyzed a lesser-known malware family called <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-cardinal-rat-active-two-years\/\">Cardinal RAT<\/a>. The family had been active for over two years without being detected, and was delivered through a unique downloader named Carp Downloader. Since then we have continued to monitor this threat and have identified a series of attacks that use an updated Cardinal RAT. 
The RAT has received a series of changes, most of which serve to evade detection and hinder analysis.<\/p>\n<p>We observed these attacks targeting the financial technology (fin-tech) sector, focused primarily on organizations based in Israel. While investigating them, we found a possible link between Cardinal RAT and another malware family, EVILNUM. EVILNUM is a JavaScript-based malware family used in attacks against the same kinds of organizations.<\/p>\n<h2>Cardinal RAT Employs BMP Technique<\/h2>\n<p>Since Cardinal RAT was first discovered, the attackers have made several minor updates, particularly to its obfuscation techniques, and this one merits an explanation. For this analysis, let us look at the latest version of Cardinal 
RAT.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>SHA256<\/strong><\/td>\n<td>b742162197744a8caeb09f954213a3172ed699f8375f69c40b57b8c219c5e37c<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Our <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-cardinal-rat-active-two-years\/\">earlier blog on Cardinal RAT from 2017<\/a> described version 1.4 of this malware family. Based on information within the payload, we identify this latest sample as version 1.7.2. Unlike the samples described previously, this latest Cardinal RAT uses several obfuscation techniques to hinder analysis of the hidden code. The first layer of obfuscation takes the form of steganography. The initial sample is compiled in .NET and contains an embedded bitmap (BMP) file.<\/p>\n<figure id=\"attachment_101447\" aria-describedby=\"caption-attachment-101447\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-101447 size-large lozad\"  
data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-207-1024x674.png\" alt=\"Figure 1 Embedded BMP file contained in the .NET loader\" width=\"1024\" height=\"674\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-207-1024x674.png 1024w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-207-300x198.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-207-768x506.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-207-900x593.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-207-370x244.png 370w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-207.png 1944w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-101447\" class=\"wp-caption-text\">Figure 1 
Embedded BMP file contained in the .NET loader<\/figcaption><\/figure>\n<p>When executed, the malware reads the BMP file, parses the pixel data out of the image, and decrypts the result with a single-byte XOR key. A Python script to automate this process is provided in the appendix at the end of this post. The result is a .NET-compiled DLL with the following hash.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>SHA256<\/strong><\/td>\n<td>01e007b8304eb0cbcb2be11ddb86298dc85c084fb5459eda319a69ef50799f88<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>After this file is loaded into memory, the initial loader loads and executes its 'corerun' function, which starts the second stage of the malware. The DLL begins by sleeping, using the built-in Windows <a href=\"https:\/\/en.wikipedia.org\/wiki\/Choice_(command)\">choice<\/a> utility:<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">cmd.exe \/c choice \/C Y \/N \/D Y \/T 
20<\/span><\/p>\n<p>This command prompts the user for a choice with a 20-second timeout, after which the process exits. Because the window is hidden and the choice is meaningless, the malware is simply using it as a substitute for a sleep command.<\/p>\n<p>The second-stage DLL reads an embedded resource named 'strings' from the first-stage executable. Part of this resource is decrypted to supply configuration information to the dropper. The configuration dictates whether the malware enters its installation routine. The installation routine first writes a unique GUID identifier to %TEMP%\\[random].ini, then creates the following directory:<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">%APPDATA%\\Microsoft\\Windows\\IEConfig<\/span><\/p>\n<p>It then writes an embedded executable with the hash below to %TEMP%\\[random].exe. 
Internally the file is named RunExecutive.exe, and all it does is copy the contents of its second argument to the file path given as its first argument.<\/p>\n<table style=\"width: 78%; height: 56px;\">\n<tbody>\n<tr style=\"height: 56px;\">\n<td style=\"height: 56px;\"><strong>SHA256<\/strong><\/td>\n<td style=\"height: 56px;\">2167d393ec89ec0c6e2d7557a7ad22aa1953dd8082f599bee14977c25a128cce<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The malware then creates a LNK file in the victim's Startup folder, using the GUID as its randomly generated file name (for example, {fcb29182-b3cc-47e2-a95c-b22c6d87dda1}.lnk). The LNK file runs the following command:<\/p>\n<pre>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden 
\"%APPDATA%\\Microsoft\\Windows\\IEConfig\\[random]\\sqlreader.exe\"\r\n<\/pre>\n<p>\u6700\u5f8c\u306b\u3001\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u5f15\u6570\u3092\u6307\u5b9a\u3057\u3066\u5148\u306eRunExecutive.exe\u3092\u5b9f\u884c\u3057\u3001\u5143\u306e\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3092\u4e0a\u8a18\u306esqlreader.exe\u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u306b\u30b3\u30d4\u30fc\u3057\u307e\u3059\u3002<\/p>\n<p>\u57cb\u3081\u8fbc\u307f\u30ea\u30bd\u30fc\u30b9\u306e\u6b8b\u308a\u306e\u90e8\u5206\u306f\u300116\u30d0\u30a4\u30c8\u306eXOR\u30ad\u30fc\u3092\u4f7f\u7528\u3057\u3066\u5fa9\u53f7\u5316\u3055\u308c\u3001.NET\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u306e\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u6b21\u306e2\u3064\u306e\u6b63\u898f\u306e\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\/\u30d7\u30ed\u30bb\u30b9\u306e\u3044\u305a\u308c\u304b\u306b\u633f\u5165\u3055\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li>RegSvcs.exe<\/li>\n<li>RegAsm.exe<\/li>\n<\/ul>\n<p>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306e\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u306f\u3001\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3\u5148\u306e\u6b63\u898f\u30d7\u30ed\u30bb\u30b9\u304c\u591a\u6570\u3042\u308a\u307e\u3057\u305f\u3002\u6700\u7d42\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u6b21\u306e\u30cf\u30c3\u30b7\u30e5\u3092\u6301\u3061\u307e\u3059\u3002<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>SHA256<\/strong><\/td>\n<td>04de4b51c881e65236c9efdbfbc0099e6b48fd1723a6e51bf480b52104dd2ba2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u96e3\u8aad\u5316\u306b\u3088\u3063\u3066\u96a0\u3055\u308c\u305fCardinal 
The Cardinal RAT payload hidden beneath this obfuscation has not changed significantly in behavior or functionality compared with earlier versions. One of the most notable changes is the obfuscation the malware applies: all functions, methods, and variables have been renamed to MD5 hashes.<\/p>\n<figure id=\"attachment_101449\" aria-describedby=\"caption-attachment-101449\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-101449 size-large lozad\"  data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-208-1024x577.png\" alt=\"Figure 2 Obfuscation present in the Cardinal RAT payload\" width=\"1024\" height=\"577\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-208-1024x577.png 1024w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-208-300x169.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-208-768x433.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-208-900x507.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-208-370x208.png 370w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-208.png 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-101449\" class=\"wp-caption-text\">Figure 2 Obfuscation present in the Cardinal 
RAT payload<\/figcaption><\/figure>\n<p>In addition to the obfuscation routines, the malware itself has received a few small changes. First, the embedded configuration has changed both in the order of the embedded values and in which values are present. The encoding of this configuration has also changed slightly: several values that were base64-encoded in version 1.4 are no longer base64-encoded.<\/p>\n<pre>$ python parseConfig.py GreyCardinalConfig\r\nMutex: {509ce3ef-e03e-467e-be19-710782f13c28}\r\nCampaign Identifier: '\\xf1\\xaf\\x02i.]\\xa4\\xe0'\r\nC2 Server: affiliatecollective[.]club\r\nC2 Port: 443\r\nHash Value: 0304674e9876530dfbea5a9b4fec7b98\r\nAdditional C2 Servers: 0\r\nGUID: '\\xd6\\x04hr\\x9a\\xedLN\\xae\\xe8\\xd0\\x87\\x80\\x19\\x15z'\r\nBuffer Size: 81920\r\nMax Buffer Size: 40960000\r\nSleep Timer Between Requests: 2000\r\nUnused Integer: 60000\r\nUnused Integer: 0\r\nPerform Keylogging: 0\r\nDisable Sleep on Victim: 
0\r\n<\/pre>\n<p>The network communications and the actions available to the remote attacker are consistent across both versions, so the scripts provided in our earlier blog can be used as-is to parse the network traffic generated by the latest version of this malware family. The following actions remain present in this version of the malware:<\/p>\n<ul>\n<li>Collect victim information<\/li>\n<li>Update settings<\/li>\n<li>Act as a reverse proxy<\/li>\n<li>Execute commands<\/li>\n<li>Uninstall itself<\/li>\n<li>Recover passwords<\/li>\n<li>Download and execute new files<\/li>\n<li>Keylogging<\/li>\n<li>Capture screenshots<\/li>\n<li>Update Cardinal RAT<\/li>\n<li>Clean cookies from browsers<\/li>\n<\/ul>\n<h2>Analysis of EVILNUM<\/h2>\n<p>Around the time the Cardinal 
RAT samples were submitted, we reviewed files submitted by the same customer and found that a malware family we had been tracking as EVILNUM had also been submitted. In our view, this is a separate malware family that appears to be used only in attacks against financial organizations.<\/p>\n<p>Cross-referencing submissions to online sandboxes, we found an instance of a different organization submitting both EVILNUM and Cardinal RAT on the same day. Both are rare malware families with very few samples in circulation.<\/p>\n<p>We chose the name EVILNUM because some versions of this malware read a page, parse a number out of it, divide that number by <a 
href=\"https:\/\/en.wikipedia.org\/wiki\/Number_of_the_Beast\">666<\/a>\u3067\u5272\u3063\u3066\u51fa\u3057\u305f10\u9032\u6570\u306e\u5024\u3092IP\u30a2\u30c9\u30ec\u30b9\u306b\u5909\u63db\u3057\u3066\u3044\u308b\u304b\u3089\u3067\u3059\u3002\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u306f\u5c11\u306a\u304f\u3068\u30822\u3064\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u304c\u3042\u308a\u30011\u3064\u306fJavaScript\u3067\u66f8\u304b\u308c\u305f\u3082\u306e\u3001\u3082\u30461\u3064\u306f.NET\u3067\u66f8\u304b\u308c\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>SHA256<\/strong><\/td>\n<td><strong>\u30bf\u30a4\u30d7<\/strong><\/td>\n<\/tr>\n<tr>\n<td>bee6c5a506d6fb2cc129443c74b7676fbb9a79b53b92b2cac4c7fb8209592714<\/td>\n<td>.NET<\/td>\n<\/tr>\n<tr>\n<td>97c97ad2baef37eea023549131c192f441aa7976747166cd31095e7dad17948c<\/td>\n<td>JS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u30d7\u30ed\u30b0\u30e9\u30df\u30f3\u30b0\u8a00\u8a9e\u306b\u9055\u3044\u306f\u3042\u308b\u3082\u306e\u306e\u3001\u30b5\u30f3\u30d7\u30eb\u306f\u4f3c\u3066\u3044\u307e\u3059\u3002\u79c1\u305f\u3061\u306f.NET\u7248\u304c.JS\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u66f8\u304d\u63db\u3048\u305f\u3082\u306e\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3068\u8003\u3048\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>EVILNUM\u306f<a href=\"https:\/\/www.pwncode.club\/2018\/05\/javascript-based-bot-using-github-c.html\">\u3059\u3067\u306b\u3053\u3061\u3089\u306e\u516c\u958b\u3055\u308c\u3066\u3044\u308b\u30c9\u30e1\u30a4\u30f3\u3067\u3059\u3067\u306b\u8aac\u660e\u3055\u308c\u3066<\/a>\u3044\u307e\u3059(\u305f\u3060\u3057\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u306f\u540d\u524d\u304c\u5272\u308a\u5f53\u3066\u3089\u308c\u3066\u3044\u307e\u305b\u3093)\u3002<a 
href=\"https:\/\/twitter.com\/KorbenD_Intel\/status\/1068560640359481345\">\u307e\u305f\u3001Twitter\u3067\u3082\u8907\u6570\u306e\u30a2\u30ca\u30ea\u30b9\u30c8\u304c\u6ce8\u76ee<\/a>\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u306f\u3001\u653b\u6483\u8005\u304c\u4ed6\u306e\u30e6\u30fc\u30c6\u30a3\u30ea\u30c6\u30a3\u3092\u611f\u67d3\u30db\u30b9\u30c8\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u304b\u3069\u3046\u304b\u3092\u6c7a\u5b9a\u3059\u308b\u305f\u3081\u3001\u611f\u67d3\u30db\u30b9\u30c8\u306b\u95a2\u3059\u308b\u30c7\u30fc\u30bf\u3092\u653b\u6483\u8005\u306b\u63d0\u4f9b\u3059\u308b\u7b2c1\u6bb5\u968e\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u3067\u3059\u3002EVILNUM\u304c\u30b5\u30dd\u30fc\u30c8\u3057\u3066\u3044\u308b\u30b3\u30de\u30f3\u30c9\u306f\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u3088\u3063\u3066\u7570\u306a\u308a\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u6c38\u7d9a\u6027\u3092\u78ba\u4fdd\u3059\u308b<\/li>\n<li>\"cmd\u00a0\/c\" \u3092\u4f7f\u7528\u3057\u3066\u4efb\u610f\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b<\/li>\n<li>\u8ffd\u52a0\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b<\/li>\n<li>\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092\u64ae\u308c\u308b\u304b\u3069\u3046\u304b<\/li>\n<\/ul>\n<p>\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u52d5\u4f5c\u306f\u3059\u3067\u306bpwncode\u306e\u8a18\u4e8b\u3067\u8a73\u3057\u304f\u8aac\u660e\u3055\u308c\u3066\u3044\u308b\u306e\u3067\u3001\u4ee5\u4e0b\u306e\u8868\u306b\u3001\u53e4\u3044\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u65b0\u3057\u3044\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u9055\u3044\u3068\u985e\u4f3c\u70b9\u3092\u3044\u304f\u3064\u304b\u7c21\u5358\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 22.5847%;\"><\/td>\n<td style=\"width: 38.2685%;\"><a 
href=\"https:\/\/www.virustotal.com\/en\/file\/0713c5c3db572d88b08d527533cb07d25d33c1c7535cf59075e693b4fefba1fc\/analysis\/\"><strong>2018\u5e745\u6708\u306e\u30d0\u30fc\u30b8\u30e7\u30f3<\/strong><\/a><\/td>\n<td style=\"width: 37.8921%;\"><a href=\"https:\/\/www.virustotal.com\/en\/file\/97c97ad2baef37eea023549131c192f441aa7976747166cd31095e7dad17948c\/analysis\/\"><strong>2019\u5e741\u6708\u306e\u30d0\u30fc\u30b8\u30e7\u30f3<\/strong><\/a><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 22.5847%;\">\u30d0\u30fc\u30b8\u30e7\u30f3\u756a\u53f7<\/td>\n<td style=\"width: 38.2685%;\">1.3<\/td>\n<td style=\"width: 37.8921%;\">2.1<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 22.5847%;\">\u4f7f\u7528\u3055\u308c\u308bC2<\/td>\n<td style=\"width: 38.2685%;\"><span style=\"color: #008000;\">\u516c\u958b\u3055\u308c\u3066\u3044\u308b\u30d5\u30a9\u30fc\u30e9\u30e0\/Git\u3001\u756a\u53f7\u3092 666 \u3067\u5272\u3063\u3066\u6c42\u3081\u308b\u3001num2ip<\/span><\/td>\n<td style=\"width: 37.8921%;\"><span style=\"color: #008000;\">\u516c\u958b\u3055\u308c\u3066\u3044\u308b\u30d5\u30a9\u30fc\u30e9\u30e0\/Git\u3001\u756a\u53f7\u3092 8 \u3067\u5272\u3063\u3066\u6c42\u3081\u308b\u3001num2ip<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 22.5847%;\">\u30ed\u30fc\u30ab\u30eb\u306ecookie\u3092\u76d7\u3080\u6a5f\u80fd\u304c\u3042\u308b\u304b<\/td>\n<td style=\"width: 38.2685%;\"><span style=\"color: #ff0000;\">n<\/span><\/td>\n<td style=\"width: 37.8921%;\"><span style=\"color: #ff0000;\">y<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 22.5847%;\">\u30ed\u30c3\u30af\u30d5\u30a1\u30a4\u30eb\u3092\u4f7f\u7528\u3059\u308b\u304b<\/td>\n<td style=\"width: 38.2685%;\"><span style=\"color: #008000;\">y<\/span><\/td>\n<td style=\"width: 37.8921%;\"><span style=\"color: #008000;\">y<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 22.5847%;\">\u30b9\u30bf\u30fc\u30c8\u30a2\u30c3\u30d7\u306bLINK\u3068\u3057\u3066\u8ffd\u52a0\u3059\u308b<\/td>\n<td style=\"width: 38.2685%;\"><span style=\"color: 
#008000;\">y<\/span><\/td>\n<td style=\"width: 37.8921%;\"><span style=\"color: #008000;\">y<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 22.5847%;\">How the Startup entry is added<\/td>\n<td style=\"width: 38.2685%;\"><span style=\"color: #ff0000;\">Via command line<\/span><\/td>\n<td style=\"width: 37.8921%;\"><span style=\"color: #ff0000;\">Registry file import<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 22.5847%;\">Function naming<\/td>\n<td style=\"width: 38.2685%;\"><span style=\"color: #ff0000;\">this_function<\/span><\/td>\n<td style=\"width: 37.8921%;\"><span style=\"color: #ff0000;\">ThisFunction<\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 22.5847%;\">Takes screenshots<\/td>\n<td style=\"width: 38.2685%;\"><span style=\"color: #ff0000;\">n<\/span><\/td>\n<td style=\"width: 37.8921%;\"><span style=\"color: #ff0000;\">y<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Table 1 Similarities (green) and differences (red) between EVILNUM versions
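The num2ip decoding that gives EVILNUM its name, as an added example rather than the malware's own code (which the page does not reproduce): a posted number is the C2 address as a 32-bit integer multiplied by a divisor, 666 in the May 2018 version and 8 in the January 2019 version per Table 1. The forum snippet below is constructed, and the real post format and any framing around the number are unknown, so the scanner tries every digit run and keeps only values that divide exactly, fit in 32 bits and are not obviously unusable (multicast, reserved, loopback, link-local, first octet zero). The documentation address 203.0.113.10 is used as the constructed C2.

```python
import ipaddress
import re
from typing import List, Optional

# Divisors from Table 1: the posted number is the C2 IP, as a 32-bit integer, times this.
DIVISORS = {"1.3": 666, "2.1": 8}


def num2ip(value: int) -> str:
    """32-bit big-endian integer to dotted quad."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return str(ipaddress.IPv4Address(value))


def decode_c2(number: int, divisor: int) -> Optional[str]:
    """Undo the scheme: reject numbers that do not divide exactly or overflow 32 bits,
    which is also what happens when a v1.3 post is read with the v2.1 divisor."""
    if divisor <= 0 or number % divisor:
        return None
    quotient = number // divisor
    return num2ip(quotient) if quotient <= 0xFFFFFFFF else None


def encode_c2(ip: str, divisor: int) -> int:
    """What the operator posts for a given C2 address."""
    return int(ipaddress.IPv4Address(ip)) * divisor


def usable(ip: str) -> bool:
    """Drop addresses no C2 could live at. Documentation ranges are deliberately
    allowed through so the constructed sample below decodes."""
    a = ipaddress.IPv4Address(ip)
    return not (a.is_multicast or a.is_reserved or a.is_loopback
                or a.is_link_local or int(a) >> 24 == 0)


def extract_candidates(page_text: str, divisor: int) -> List[str]:
    """Scan every run of 4+ digits in a fetched page and return the ones that
    decode to a usable address under the given divisor."""
    found = []
    for m in re.finditer(r"\d{4,}", page_text):
        ip = decode_c2(int(m.group()), divisor)
        if ip is not None and usable(ip):
            found.append(ip)
    return found


# Constructed forum snippet: a date and a ticket number as noise, plus the
# encoded C2 (203.0.113.10 as an integer, times 666) for the v1.3 divisor.
SAMPLE_PAGE = (
    '<div class="post">Re: build server fans\n'
    'ordered 2 units on 2019-01-15, ticket 88812\n'
    'ref 2268265321476 thanks</div>'
)


if __name__ == "__main__":
    for version, divisor in DIVISORS.items():
        print(f"v{version} (divisor {divisor}):", extract_candidates(SAMPLE_PAGE, divisor))
```

Run against the v1.3 divisor the snippet yields exactly one address; with the v2.1 divisor the same number is rejected because it is not a multiple of 8, which is the check that keeps the noise values (the year and the ticket number) from turning into false C2 addresses.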
<\/p>\n<p>The malware appears to have been rewritten wholesale (as the author's own version numbering suggests), with many of its functions reimplemented from scratch.<\/p>\n<p>Nonetheless, the core functionality is largely the same, and concepts the family has adopted (such as the lock file) carry over between versions. This malware functions only as a first stage; to target a network of interest, the attackers are likely to deliver additional tools.<\/p>\n<h2>Targeting<\/h2>\n<p>Since April 2017, we have observed Cardinal 
RAT attacking two of our customers. Both are fin-tech companies based in Israel that develop software related to foreign exchange and cryptocurrency trading. Searching the samples submitted to VirusTotal turns up 13 Carp Downloader documents. Note that we searched only for the initial \"entry point\" files, not for the files dropped in the second stage. Looking at the original submitters of these documents in Figure 3, we can see that almost all of them were uploaded from Israel.<\/p>\n<figure id=\"attachment_101451\" aria-describedby=\"caption-attachment-101451\" style=\"width: 961px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-101451 size-full lozad\"  data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-209.png\" alt=\"Figure 3 Country distribution of Carp Downloader submitters to VirusTotal\" width=\"961\" height=\"575\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-209.png 961w, 
https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-209-300x180.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-209-768x460.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-209-900x539.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-209-370x221.png 370w\" sizes=\"(max-width: 961px) 100vw, 961px\" \/><figcaption id=\"caption-attachment-101451\" class=\"wp-caption-text\">Figure 3 Country distribution of Carp Downloader submitters to VirusTotal<\/figcaption><\/figure>\n<p>For EVILNUM, we have observed only the instance at the company referenced earlier in this post. Looking at results from public sandboxes, however, the file used for the first-stage infection appears most commonly to be delivered as a LNK file. As Figure 4 shows, the geographic distribution of EVILNUM's original submitters is quite different.<\/p>\n<figure id=\"attachment_101453\" aria-describedby=\"caption-attachment-101453\" style=\"width: 961px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-101453 lozad\"  data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-210.png\" alt=\"Figure 4 Country distribution of EVILNUM submitters to VirusTotal\" width=\"961\" height=\"575\" 
srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-210.png 961w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-210-300x180.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-210-768x460.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-210-900x539.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/word-image-210-370x221.png 370w\" sizes=\"(max-width: 961px) 100vw, 961px\" \/><figcaption id=\"caption-attachment-101453\" class=\"wp-caption-text\">\u56f34 VirusTotal \u3078\u306eEVILNUM \u63d0\u4f9b\u8005\u306e\u56fd\u5225\u5206\u5e03<\/figcaption><\/figure>\n<h2>\u7d50\u8ad6<\/h2>\n<p>Cardinal RAT\u3068EVILNUM\u306f\u3001\u3069\u3061\u3089\u3082\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u306b\u9650\u5b9a\u7684\u306b\u914d\u4fe1\u3055\u308c\u3066\u3044\u308b\u653b\u6483\u3067\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3042\u308b\u4e8b\u4f8b\u3067\u306f\u3001\u4e21\u65b9\u306e\u30de\u30eb\u30a6\u30a8\u30a2\u304c\u540c\u3058\u6a19\u7684\u4f01\u696d\u3067\u77ed\u6642\u9593\u3067\u89b3\u5bdf\u3055\u308c\u3066\u304a\u308a\u3001\u4e21\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u5229\u7528\u3055\u308c\u308b\u30c9\u30ed\u30c3\u30d1\u30fc\u3082\u4f3c\u305f\u3088\u3046\u306a\u5185\u5bb9\u306e\u30eb\u30a2\u30fc(\u308f\u306a)\u6587\u66f8\u3092\u4f7f\u3063\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u3057\u305f\u304c\u3063\u3066\u3001\u3053\u308c\u3089\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306f\u3001\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u3078\u306e\u6a19\u7684\u578b\u653b\u6483\u306b\u4f7f\u7528\u3055\u308c\u308b\u3082\u306e\u3060\u3068\u8a00\u3048\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u79c1\u305f\u3061\u306e\u30c6\u30ec\u30e1\u30c8\u30ea\u3082\u3001\u3053\u308c\u3089\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u304c\u6
72c\u30bb\u30af\u30bf\u30fc\u306b\u5c5e\u3059\u308b\u4f01\u696d\u306b\u5bfe\u3057\u3066\u306e\u307f\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u69d8\u5b50\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u30eb\u30a2\u30fc\u6587\u66f8\u306f\u4e00\u8cab\u3057\u3066\u3001\u5916\u56fd\u70ba\u66ff\/\u6697\u53f7\u901a\u8ca8\u306e\u53d6\u5f15\u306b\u95a2\u4e0e\u3057\u3066\u3044\u308b\u500b\u4eba\u306e\u540d\u524d\/\u756a\u53f7\u306e\u30ea\u30b9\u30c8\u306b\u95a2\u9023\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u5206\u91ce\u4ee5\u5916\u306e\u500b\u4eba\u3092\u6a19\u7684\u306b\u3059\u308b\u306a\u3089\u307b\u307c\u9078\u3070\u308c\u306a\u3044\u3067\u3042\u308d\u3046\u30cb\u30c3\u30c1\u306a\u4e3b\u984c\u3067\u3059\u3002<\/li>\n<\/ul>\n<p>\u79c1\u305f\u3061\u306f\u3001\u4e21\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u304c\u540c\u3058\u653b\u6483\u8005\u306b\u3088\u3063\u3066\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u3068\u8003\u3048\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>2\u3064\u306e\u4e8b\u4f8b\u3067\u306f\u3001\u3042\u308b\u7279\u5b9a\u4f01\u696d\u304c\u4e21\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u7acb\u3066\u7d9a\u3051\u306b\u6a19\u7684\u306b\u3055\u308c\u305f\u3001\u306a\u3044\u3057\u6a19\u7684\u306b\u3055\u308c\u305f\u69d8\u5b50\u304c\u3042\u308b\u3053\u3068\u304c\u5206\u304b\u3063\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u4e21\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u3068\u3082\u3001\u5916\u56fd\u70ba\u66ff\/\u6697\u53f7\u901a\u8ca8\u306e\u53d6\u5f15\u306b\u95a2\u4e0e\u3057\u3066\u3044\u308b\u500b\u4eba\u306e\u540d\u524d\/\u756a\u53f7\u306e\u30ea\u30b9\u30c8\u3092\u542b\u3080\u60aa\u610f\u306e\u3042\u308b\u6587\u66f8\u306b\u3088\u308a\u914d\u4fe1\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u5730\u7406\u7684\u5206\u5e03\u306e\u9055\u3044\u306f\u3001\u5358\u7d14\u306b\u89b3\u6e2c\u3067\u304d\u305f\u7bc4\u56f2\u306e\u9055\u3044\u3068\u3057\u3066\u8aac\u
660e\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/li>\n<\/ul>\n<p>\u305f\u3060\u3057\u30012\u3064\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306e\u95a2\u9023\u6027\u306b\u3064\u3044\u3066\u306f\u8b70\u8ad6\u306e\u4f59\u5730\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u3053\u308c\u3089\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u304c\u89b3\u6e2c\u3055\u308c\u305f\u5730\u7406\u7684\u306a\u5e83\u304c\u308a\u306b\u95a2\u3057\u3066\u3044\u3048\u3070\u3001\u5404\u30d5\u30a1\u30df\u30ea\u306e\u6a19\u7684\u306e\u9078\u5b9a\u304c\u304b\u306a\u308a\u7570\u306a\u3063\u3066\u3044\u308b\u69d8\u5b50\u304c\u3042\u308a\u307e\u3059\u3002<\/li>\n<li>\u5404\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306e\u914d\u4fe1\u65b9\u6cd5\u306b\u307b\u3068\u3093\u3069\u985e\u4f3c\u70b9\u304c\u3042\u308a\u307e\u305b\u3093\u3002<\/li>\n<li>\u5404\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u305f\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306f\u3001\u30db\u30b9\u30c6\u30a3\u30f3\u30b0\u30d7\u30ed\u30d0\u30a4\u30c0\u3084\u305d\u306e\u4ed6\u306e\u5c5e\u6027\u304b\u3089\u89b3\u6e2c\u3055\u308c\u308b\u9650\u308a\u91cd\u8907\u306f\u898b\u3089\u308c\u305a\u3001\u305d\u308c\u305e\u308c\u306b\u7279\u7570\u306a\u3082\u306e\u3067\u3059\u3002<\/li>\n<\/ul>\n<p>\u305f\u3068\u30482\u3064\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u95a2\u9023\u304c\u306a\u304f\u3068\u3082\u3001\u3069\u3061\u3089\u3082\u4f3c\u305f\u3088\u3046\u306a\u6a19\u7684\u3092\u8208\u5473\u306e\u5bfe\u8c61\u3068\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u306f\u3053\u308c\u3089\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u304b\u3089\u78ba\u5b9f\u306b\u4fdd\u8b77\u3055\u308c\u3066\u3044\u306a\u3051\u308c\u3070\u306a\u308a\u307e\u305b\u3093\u3002\u653b\u6483\u8005\u304c\u6a19\u7684\u3068\u3057\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3078\
u306e\u4fb5\u5165\u3092\u679c\u305f\u3057\u305f\u5f8c\u3001\u4f55\u3092\u884c\u3046\u306e\u304b\u306b\u3064\u3044\u3066\u306e\u6d1e\u5bdf\u306f\u5f97\u3089\u308c\u3066\u3044\u307e\u305b\u3093\u304c\u3001\u9078\u5b9a\u3055\u308c\u305f\u6a19\u7684\u304b\u3089\u898b\u3066\u3001\u653b\u6483\u8005\u306f\u91d1\u92ad\u7684\u5229\u76ca\u3092\u5f97\u308b\u305f\u3081\u306b\u3053\u306e\u30a2\u30af\u30bb\u30b9\u3092\u5229\u7528\u3059\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p>\u52b9\u679c\u7684\u306a\u30b9\u30d1\u30e0\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u3001\u9069\u5207\u306a\u30b7\u30b9\u30c6\u30e0\u7ba1\u7406\u3001\u6700\u65b0\u306eWindows\u30db\u30b9\u30c8\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u7d44\u7e54\u306f\u3001\u611f\u67d3\u306e\u30ea\u30b9\u30af\u304c\u306f\u308b\u304b\u306b\u4f4e\u304f\u306a\u308a\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u8105\u5a01\u306b\u5bfe\u3059\u308b\u4e00\u822c\u7684\u306a\u9632\u5fa1\u7b56\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<ul>\n<li>\u6dfb\u4ed8\u30d5\u30a1\u30a4\u30eb\u3068\u3057\u3066LNK\u30d5\u30a1\u30a4\u30eb\u3092\u542b\u3080\u53d7\u4fe1E\u30e1\u30fc\u30eb\u3092\u8a31\u53ef\u3057\u306a\u3044\u3001\u307e\u305f\u306f\u5358\u4e00\u306eLNK\u30d5\u30a1\u30a4\u30eb\u3092\u542b\u3080\u6dfb\u4ed8ZIP\u30d5\u30a1\u30a4\u30eb\u3092\u542b\u3080\u53d7\u4fe1E\u30e1\u30fc\u30eb\u3092\u8a31\u53ef\u3057\u306a\u3044<\/li>\n<li>\u6587\u66f8\u306b\u30de\u30af\u30ed\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u5916\u90e8\u30bd\u30fc\u30b9\u304b\u3089\u306e\u30a4\u30f3\u30d0\u30a6\u30f3\u30c9\u96fb\u5b50\u30e1\u30fc\u30eb\u3092\u8a31\u53ef\u3057\u306a\u3044\u3001\u8a31\u53ef\u3059\u308b\u306e\u3067\u3042\u308c\u3070<a 
href=\"https:\/\/support.office.com\/en-us\/article\/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?redirectSourcePath=%252farticle%252fEnable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12&amp;ui=en-US&amp;rs=en-US&amp;ad=US\">\u9069\u5207\u306a\u30dd\u30ea\u30b7\u30fc\u304c\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d<\/a>\u3059\u308b<\/li>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/traps\/4-2\/traps-endpoint-security-manager-admin\/malware-protection\/manage-malware-protection-rules\/configure-child-process-protection\">\u89aa\u30d7\u30ed\u30bb\u30b9\u3068\u5b50\u30d7\u30ed\u30bb\u30b9\u306b\u3064\u3044\u3066\u5f37\u5236\u7684\u306b\u30dd\u30ea\u30b7\u30fc\u3092\u9069\u7528<\/a>\u3057\u3066\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u3088\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u8a00\u8a9e\u306e\u4f7f\u7528\u3092\u5236\u9650\u3059\u308b<\/li>\n<\/ul>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001\u6b21\u306e\u3088\u3046\u306b\u3057\u3066\u3053\u306e\u8105\u5a01\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>EVILNUM\u306e\u4e9c\u7a2e\u306f\u3001IPS\u306b\u3088\u3063\u3066\u30d6\u30ed\u30c3\u30af\u3055\u308c\u307e\u3059\u3002\u8105\u5a01ID 18781 \u304a\u3088\u3073 18782 \u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/li>\n<li>Wildfire\u3068Traps\u306f\u672c\u7a3f\u306b\u8a18\u8f09\u3057\u305f\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u30de\u30eb\u30a6\u30a7\u30a2\u3068\u3057\u3066\u691c\u51fa\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/products\/secure-the-network\/subscriptions\/autofocus\">AutoFocus<\/a>\u3092\u304a\u4f7f\u3044\u306e\u304a\u5ba2\u69d8\u306f\u6b21\u306e\u30bf\u30b0\u3092\u4f7f\u7528\u3057\u3066\u3053\u308c\u3089\u306e\u6d3b\u52d5\u3092\u8ffd\u8de1\u3067\u304d\u307e\u3059: <a 
href=\"https:\/\/autofocus.paloaltonetworks.com\/\">CarpDownloader<\/a>\u3001<a href=\"https:\/\/autofocus.paloaltonetworks.com\/\">EVILNUM<\/a><\/p>\n<h2>\u4ed8\u9332<\/h2>\n<h3><strong>Cardinal RAT\u30c9\u30ed\u30c3\u30d1\u30fc\u304b\u3089BMP\u3092\u5fa9\u53f7\u5316\u3059\u308b\u305f\u3081\u306e\u30b9\u30af\u30ea\u30d7\u30c8<\/strong><\/h3>\n<pre>from PIL import Image\r\nimport sys\r\nfrom struct import *\r\nim = Image.open(sys.argv[1])\r\npix = im.load()\r\nwidth, height = im.size\r\nfileSize = unpack(\"I\", (pack(\"bbbb\", pix[0,0][0],pix[0,0][1],pix[0,0][2],pix[1,0][0])))[0]\r\n\r\nkey = 187\r\nout = \"\"\r\nfor ind, h in enumerate(range(height)):\r\nif ind == 0:\r\nj = 2\r\nfor w in range(width-2):\r\npixel = pix[j, ind]\r\nout += chr(pixel[0] ^ key)\r\nout += chr(pixel[1] ^ key)\r\nout += chr(pixel[2] ^ key)\r\nj += 1\r\nelse:\r\nfor k in range(width):\r\npixel = pix[k, ind]\r\nout += chr(pixel[0] ^ key)\r\nout += chr(pixel[1] ^ key)\r\nout += chr(pixel[2] ^ key)\r\n\r\nfinished = out[0:fileSize]\r\nprint(\"Writing output to 'dumped.exe_'\u2026\")\r\nfh = open(\"dumped.exe_\", 'wb')\r\nfh.write(finished)\r\nfh.close()\r\n<\/pre>\n<h2>IOC<\/h2>\n<h3><strong>Cardinal 
RAT samples<\/strong><\/h3>\n<ul>\n<li>b742162197744a8caeb09f954213a3172ed699f8375f69c40b57b8c219c5e37c<\/li>\n<li>06151c14153e983ae7ab793c7cd0e5ac3faf8e200894955b02e1191429eff29a<\/li>\n<li>9e6671a8af28e0ab6c37c044d85a2406b665a171ae3bef46f3e90d06e33027ae<\/li>\n<li>448c33094322b200c53ff016fec29469b3e52def359430113115cc70d7f28704<\/li>\n<li>06f1348c8a2ffab67627556075ddcad92998526d4d3802b9c2357d169531825f<\/li>\n<li>ca8af85f7eed79a73984b2dccd3dd2148865dfed7a009842be7372e6ce18037f<\/li>\n<li>75ca794f265ebad84954f13480e0e31c17048d21c4b52e949864c951437d0c2c<\/li>\n<li>78e2929e5dae8677f9db3aa7eaa96ad584c872343698e18f85349a027328b3ea<\/li>\n<li>f4f52c45ca3d4d4ce33981f660d23e8df4a9c0e345fdd6429d8b46f6c0528c38<\/li>\n<li>dd8fe0e27bf798cace40ac0d58b833ba3bbf16d80175296601585ed1964465ec<\/li>\n<li>20fec2d1824b585aa558b7cf9e9980acd665736ce9f7a124507cf46afb30c79f<\/li>\n<li>dab228c236d48fa1660bcec59e17e5004726741a85b0fbeef8300f29927c32d9<\/li>\n<li>f75883ff35104a032dd047ca39d35ec98601c76aa02f58ad655df6deaadecb55<\/li>\n<li>a545288c4d491d510972d583b773f8a0c5dc355942e322cf767d33121c659c1c<\/li>\n<li>64a9bdf4ff33e8f2e74dc16d7dce0f392aa130ff9b99458778fd25d9aadff381<\/li>\n<li>66f38591e8c80bb26623b0e6be5ab976fdf745c2afa020c7d98e2814960b5961<\/li>\n<li>65b726aab53920c497f83eb1f3cbd6b7dbfc2074aab6761b7485aa98f2df139a<\/li>\n<li>3ec85a019a480114856d3022961d7a55c1ae7cfa81b0073b2c1abcf99e0e541f<\/li>\n<li>43fb0b13f9872a54f91a7bf202b23a8a16de99d054a83ed08b9ea97f9e2675e8<\/li>\n<li>137f9265cba1101ae5d63b94c6ad1b47c7d02f0ab4f54a1af3169422791790cf<\/li>\n<li>101af6fdb990e5e9584382a65f5cee7efd9e89c38e928beca18419bdf70ef076<\/li>\n<li>f9bccd349cf841d0f25e81d80a1b4bf73dd960a1f3aa71029a18e36480c80392<\/li>\n<li>f027735c3db77e67cf7bada8862ddbb0d85a2caacbb4b2825e4acdfa863a14c9<\/li>\n<li>75996bbfcd2b343523ed79476f9516cc7d2b041c43841e5e735db4f22ae970c3<\/li>\n<li>0097dd7676b810bd0c1c70d8c86604c830e1e8e88f6a13c3869747faba381076<\/li>\n<li>08ce077e8d54db08ede1095d03286146d04e8cbce74ec91a9fc7b9d0a99ddb9f<\/li>\n
<li>28e9e0fcc6899db7a16315d3dca38b6166ba318f8ca07b422ebadaab209b589b<\/li>\n<li>2247c528fc1b90b725d857cc5d45572e864c6c4948100458774f0ef6a8f11403<\/li>\n<li>dfa041f6cbe9d83cdaaed90466693efca33729c99fa43b29ab8e44bb27eb0a6b<\/li>\n<li>4045950ffa263b92774e92ab36b3ec52bf18f1c133b8d155819629d2ad4b3d1c<\/li>\n<li>85f1053041ef7af8a1c3d941e18de21e7adc24537863063d127bab8a8d2dc64b<\/li>\n<li>98200955db80cb5835158320ba94b2b55bc7028ea988b75f02adee3df40793f3<\/li>\n<li>ae8fb2f138981f10092761768428fb312e3e49bc23d5b610e3127c1a387aede8<\/li>\n<li>66f43e57648f01ea5f8d0d152db1df90c764eebeb701403936a15c47e2965353<\/li>\n<li>943cef39e54457fcfa21f5a8ed0f04095c1d4b798453770be5dda5db7d5406ac<\/li>\n<li>ca2a01792873233693e17fe51c4c86c05d07e31f9b579ab0444dd89733633532<\/li>\n<li>4fde64e9391d36aaff700ce0be3df9e7e6303b6de114332286de694af33dd7da<\/li>\n<li>5909b5999d3998f578a3acb4bf85e0b3fde102c417c40b6beed0dd3b8ceb51bf<\/li>\n<li>0212334200668ac64cb63fc1a4f4ea17e956f6928a2211c945c2e07f1b25a3ef<\/li>\n<li>bae230d6a988723b33158bbeef4ab90b1bff7b521fed9cab0c5e1f5b69a01de5<\/li>\n<li>b01b7a5798f41a5fae54b4189db6f47c6110a0b53a4df32cb7d0f13503c5250c<\/li>\n<li>fb63acfda1730132dbfbf1d46834d771156aac3f7c8e97ea136ca6edbe811fad<\/li>\n<li>268c3c9a98f2a15aaab9b0488225b0ba4e3d35efa30f6fed9052ffd31042bd7b<\/li>\n<li>0afec067628e901f7151861b0924ffb1909d21a707177b1e6cf2c8d491bb1a60<\/li>\n<li>985d893426373d4e71386d731e5bc44c1c2ac93e0920dddeb4380929af43dfcb<\/li>\n<li>82017e34c232e05094c2bbed2e62f6b55c1ed8f645803784cac791cc4690beaf<\/li>\n<li>8d8ccaf5a241112d173147b6b08ad5b7953c940ff5928e3046781c1e58a9c73a<\/li>\n<li>427b635915e0fe313ce58175faa1cc240ae26183fb88d05864bc20ef6d87aca3<\/li>\n<li>00f93492edb3274f71686fa469f6c9031a94292a2776c623a1596f710bf4eaa1<\/li>\n<li>5dcec8a061195bd4a2c3e96afecc48b1f0143b6ac4644c518ed8a923d2dcbe21<\/li>\n<li>02e85f39adf8613fd1be610e4e76f4fac08949f2e0198e8cf89a7c3a17cdd6d9<\/li>\n<li>5e60f17396e2ddfce8e60c964056d63cc3b17646c31b4a4f934c2d1fb4f5ba71<\/li>\n
<li>cbcb627ff2220ed269aaa58203e7e89f1988210073d35f5f4019f8ecfd012f81<\/li>\n<li>267b1df7bc64c1b93b604d964f52801733fdd43efaf7742810b9277f00ad17ff<\/li>\n<li>e017651dd9e9419a7f1714f8f2cdc3d8e75aebbe6d3cfbb2de3f042f39aec3bd<\/li>\n<li>778090182a10fde1b4c1571d1e853e123f6ab1682e17dabe2e83468b518c01df<\/li>\n<li>8fababb509ad8230e4d6fa1e6403602a97e60dc8ef517016f86195143cf50f4e<\/li>\n<li>1977cedcfb8726dea5e915b47e1479256674551bc0fe0b55ddd3fa3b15eb82b2<\/li>\n<li>16aab89d74c1eaaf1e94028c8ccceef442eb2cd5b052cba3562d2b1b1a3a4ba6<\/li>\n<li>9c47b2af8b8c5f3c25f237dcc375b41835904f7cd99221c7489fb3563c34c9ab<\/li>\n<li>211b7b7a4c4a07b9c65fae361570dbb94666e26f0cc0fa0b32df4b09fcee6de2<\/li>\n<li>fd61a5cd1a83f68b75d47c8b6041f8640e47510925caee8176d5d81afac29134<\/li>\n<li>84f822d9cf575aeea867e9b73f88ad4d9244293e52208644e12ff2cf13b6b537<\/li>\n<li>855cf3a6422b0bf680d505720fd07c396508f67518670b493dba902c3c2e5dfa<\/li>\n<li>4b4c6b36938c3de0623feb92c0e1cb399d2dc338d2095b8ba84e862ef6d11772<\/li>\n<li>5dd162ab66f0c819ee73868c26ecd82408422e2b6366805631eab95ae32516f3<\/li>\n<li>6e2991e02d3cf17d77173d50cdaa766661a89721c3cc4050fba98bea0dbdb1a9<\/li>\n<li>1e8ed6e8d0b6fc47d8176c874ed40fb09644c058042f34d987878fa644f493cc<\/li>\n<li>647e379517fed71682423b0192da453ec1d61a633c154fdd55bab762bcc404f3<\/li>\n<li>ebd4f45cbb272bcc4954cf1bd0a5b8802a6e501688f2a1abdb6143ba616aea82<\/li>\n<li>edc49bf7ec508becb088d5082c78d360f1a7cad520f6de6d8b93759b67aac305<\/li>\n<li>7482f8c86b63ce53edcb62fc2ff2dd8e584e2164451ae0c6f2b1f4d6d0cb6d9c<\/li>\n<li>2fbd3d2362acd1c8f0963b48d01f94c7a07aeac52d23415d0498c8c9e23554db<\/li>\n<li>154e3a12404202fd25e29e754ff78703d4edd7da73cb4c283c9910fd526d47db<\/li>\n<li>fc5f7a21d953c394968647df6a37e1f61db04968ad1aca65ad8f261b363fa842<\/li>\n<li>a1d5b7d69d85b1be31d9e1cb0686094cc7b1213079b2a66ace01be4bfe3fb7c3<\/li>\n<li>4b0203492a95257707a86992e84b5085ce9e11810a26920dbb085005081e32d3<\/li>\n<li>a05805bcec72fb76b997c456e0fd6c4b219fdc51cad70d4a58c16b0b0e2d9ba1<\/li>\n<li>4e953ea82b0406a5b95e31554628ad6821b1d91e9ada0d26179977f227cf01ad<\/li>\n
<li>6272ed2a9b69509ac16162158729762d30f9ca06146a1828ae17afedd5c243ef<\/li>\n<li>440504899b7af6f352cfaad6cdef1642c66927ecce0cf2f7e65d563a78be1b29<\/li>\n<\/ul>\n<h3><strong>Carp Downloader samples<\/strong><\/h3>\n<ul>\n<li>9a2491d803407b8696d6b797f8b90d728a8db3583bf4c2977cbeef8be0eb7249<\/li>\n<li>7220e659d59491db50661c54762b49bf6976acbeb723b5d59abde48301c86228<\/li>\n<li>c2d944a939bdc810d603149c0685f0bcb55a84d1f3a6ea33e9debe893fd0a8dd<\/li>\n<li>d562f01384b1d215758227fb2c165ed633fe9997096613fed8ce3bdf8963e4fd<\/li>\n<li>fdee357557a69d3dfa629d0cbd585d9c5dadc526dfb424af56c8edcc7a67d556<\/li>\n<li>0716f3f9cb0dead0c1f156a07adfeb3e0d72e4ea4af7b67238fae3e1ae670f90<\/li>\n<li>2016766acaeb1b89415fb6ef03f6ee815b8fe76b8955a6a41d2bbb28dfa74c28<\/li>\n<li>d7996ac876fa0ece281e49e7955dfbbf4ef1239b1ee63a0e21d6c4ed4b7c6559<\/li>\n<li>96067fc9b137ceecab2ff29ac56ff6897a7c73657ace7c40d70b7c1ebaaccf39<\/li>\n<li>ea581e8e625a3748da9663414182d1b99f9c5ddb0b9db2fbf1059a28c69cc10c<\/li>\n<li>a2dfe3a5a1e999af7f1920d28e05d8b0ce66c6e8b2947177878862ce1f870b17<\/li>\n<li>5665527ce54ed1a79ddb8e3c10499ac0b7af5c79a8cf5a37448baccbf6dba09f<\/li>\n<li>b4632dcf0b23467970ee7e0844e7c8a931dc3a0f549c0aa5e40e41c1b5b31fdc<\/li>\n<li>6ecd376cdc182bf157e59d500da6092891e6cd9a61305214e462d6e990e6e834<\/li>\n<li>0fabc65c316e8d84493d07cd39bfdd59481af9f9a7ebc9103693f1788438a438<\/li>\n<li>a52ba498d304906d6c060e8c56ad7db50e1af0a781616c0aa35447c50c28bae9<\/li>\n<li>5025aa0fc6d4ac6daa2d9a6452263dcc20d6906149fc0995d458ed38e7e57b61<\/li>\n<li>1181f97071d8f96f9cdfb0f39b697204413cc0a715aa4935fe8964209289b331<\/li>\n<li>d5d885734969641f43c64edf9788837df0d3452413a7ef835f8910d56c60c91c<\/li>\n<li>0438becfd66d728778f47d734d2f0bc4d1462d945cf4b6dde9fbf627eb0bb02d<\/li>\n<li>84e705341a48c8c6552a7d3dd97b7cd968d2a9bc281a70c287df70813f5dca52<\/li>\n<li>ae1a6c4f917772100e3a5dc1fab7de4a277876a6e626da114baf8179b13b0031<\/li>\n<li>e49e61da52430011f1a22084a601cc08005865fe9a76abf503a4a9d2e11a5450<\/li>\n
<li>192b204dbc702d3762c953544975b61db8347a7739c6d8884bb4594bd816bf91<\/li>\n<li>571b58ba655463705f45d2541f0fde049c83389a69552f98e41ece734a59f8d4<\/li>\n<li>10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f<\/li>\n<li>8bea55d2e35a2281ed71a59f1feb4c1cf6af1c053a94781c033a94d8e4c853e5<\/li>\n<li>057965e8b6638f0264d89872e80366b23255f1a0a30fd4efb7884c71b4104235<\/li>\n<\/ul>\n<h3><strong>Cardinal RAT infrastructure (samples observed since mid-2017 only)<\/strong><\/h3>\n<ul>\n<li>s.dropinbox[.]host<\/li>\n<li>secure.dropinbox[.]pw<\/li>\n<li>s.spotmacro[.]online<\/li>\n<li>secure.spotoption[.]pw<\/li>\n<li>190.10.8[.]238<\/li>\n<li>affiliatecollective[.]club<\/li>\n<\/ul>\n<h3><strong>EVILNUM infrastructure<\/strong><\/h3>\n<ul>\n<li>hxxps:\/\/raw.githubusercontent[.]com\/venomisherenow\/wearevenom\/master\/README.md<\/li>\n<li>hxxps:\/\/raw.githubusercontent[.]com\/idontwantcofee\/ihavepoop\/master\/README.md<\/li>\n<li>hxxps:\/\/raw.githubusercontent[.]com\/yoshimaster8\/whatcha\/master\/readne<\/li>\n<li>hxxps:\/\/raw.githubusercontent[.]com\/grobagala\/pizza\/master\/readne<\/li>\n<li>hxxps:\/\/gitlab[.]com\/githubuser\/testing\/commits\/master<\/li>\n<li>hxxps:\/\/raw.githubusercontent[.]com\/sarutubi\/Luckyluke\/master\/README.md<\/li>\n<li>hxxps:\/\/raw.githubusercontent[.]com\/hititdolly\/justcallmeangel\/master\/README.md<\/li>\n<li>hxxps:\/\/www.codeplex[.]com\/site\/users\/view\/saidjaosdjo<\/li>\n<li>hxxps:\/\/raw.githubusercontent[.]com\/iuasbduias\/auhidshas\/master\/README.md<\/li>\n<li>hxxps:\/\/www.digitalpoint[.]com\/members\/bitbox123.922831\/<\/li>\n<\/ul>\n<ul>\n<li>139.28.37[.]0<\/li>\n<li>127.194.87[.]192\u00a0# likely attacker testing<\/li>\n<li>127.194.73[.]243\u00a0# likely attacker 
testing<\/li>\n<li>wikipeldia[.]org<\/li>\n<li>185.247.211[.]198<\/li>\n<li>185.20.187[.]4<\/li>\n<li>193.22.96[.]98<\/li>\n<li>193.22.98[.]182<\/li>\n<li>193.22.99[.]168<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u6982\u8981 2017\u5e74\u3001\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u8abf\u67fb\u30c1\u30fc\u30e0Unit 42\u306fCardinal RAT\u3068\u547c\u3070\u308c\u308b\u5c11\u6570\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u3064\u3044\u3066\u5831\u544a\u3057\u3001\u5206\u6790\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306f\u305d\u308c\u307e\u30672\u5e74\u4ee5\u4e0a\u691c\u51fa<\/p>\n","protected":false},"author":59,"featured_media":101455,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4324,4434,1974,4428],"tags":[6749,6751,6753,6754,4793,6309],"product_categories":[4346,4442,4444,4448],"coauthors":[605,933],"class_list":["post-101446","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybercrime","category-cybercrime-ja","category-malware-ja","category-threat-research-ja","tag-cardinalrat-ja","tag-carpdownloader-ja","tag-evilnum-ja","tag-fintech","tag-javascript-malware-ja","tag-targeted-attacks-ja","product_categories-advanced-threat-prevention","product_categories-advanced-threat-prevention-ja","product_categories-advanced-wildfire-ja","product_categories-cortex-xdr-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Cardinal RAT\u304c\u518d\u3073\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u3092\u6a19\u7684\u306b<\/title>\n<meta name=\"description\" 
content=\"\u6982\u8981 2017\u5e74\u3001\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u8abf\u67fb\u30c1\u30fc\u30e0Unit 42\u306fCardinal\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cardinal RAT\u304c\u518d\u3073\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u3092\u6a19\u7684\u306b\" \/>\n<meta property=\"og:description\" content=\"\u6982\u8981 2017\u5e74\u3001\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u8abf\u67fb\u30c1\u30fc\u30e0Unit 42\u306fCardinal\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2019-03-19T19:00:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-11-26T08:06:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Post-Image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"819\" \/>\n\t<meta property=\"og:image:height\" content=\"352\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Tom Lancaster, Josh Grunzweig\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Cardinal RAT\u304c\u518d\u3073\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u3092\u6a19\u7684\u306b","description":"\u6982\u8981 2017\u5e74\u3001\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u8abf\u67fb\u30c1\u30fc\u30e0Unit 42\u306fCardinal","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/","og_locale":"ja_JP","og_type":"article","og_title":"Cardinal RAT\u304c\u518d\u3073\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u3092\u6a19\u7684\u306b","og_description":"\u6982\u8981 2017\u5e74\u3001\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u8abf\u67fb\u30c1\u30fc\u30e0Unit 42\u306fCardinal","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/","og_site_name":"Unit 42","article_published_time":"2019-03-19T19:00:20+00:00","article_modified_time":"2019-11-26T08:06:45+00:00","og_image":[{"width":819,"height":352,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Post-Image.png","type":"image\/png"}],"author":"Tom Lancaster, Josh Grunzweig","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/"},"author":{"name":"Tom 
Lancaster","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/8d7a7081b5f70c6533689b6f17a2de5b"},"headline":"Cardinal RAT\u304c\u518d\u3073\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u3092\u6a19\u7684\u306b","datePublished":"2019-03-19T19:00:20+00:00","dateModified":"2019-11-26T08:06:45+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/"},"wordCount":2052,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Post-Image.png","keywords":["CardinalRAT","CarpDownloader","EVILNUM","FinTech","JavaScript Malware","Targeted Attacks"],"articleSection":["Cybercrime","\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/","name":"Cardinal 
RAT\u304c\u518d\u3073\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u3092\u6a19\u7684\u306b","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Post-Image.png","datePublished":"2019-03-19T19:00:20+00:00","dateModified":"2019-11-26T08:06:45+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/8d7a7081b5f70c6533689b6f17a2de5b"},"description":"\u6982\u8981 2017\u5e74\u3001\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u8abf\u67fb\u30c1\u30fc\u30e0Unit 42\u306fCardinal","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Post-Image.png","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Post-Image.png","width":819,"height":352},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/cardinal-rat-sins-again-targets-israeli-fin-tech-firms\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"C
ardinal RAT\u304c\u518d\u3073\u30a4\u30b9\u30e9\u30a8\u30eb\u306e\u30d5\u30a3\u30f3\u30c6\u30c3\u30af\u4f01\u696d\u3092\u6a19\u7684\u306b"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/8d7a7081b5f70c6533689b6f17a2de5b","name":"Tom Lancaster","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Tom 
Lancaster"},"url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/tom-lancaster\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/101446","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/59"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=101446"}],"version-history":[{"count":3,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/101446\/revisions"}],"predecessor-version":[{"id":101458,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/101446\/revisions\/101458"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/101455"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=101446"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=101446"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=101446"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=101446"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=101446"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}