{"id":104635,"date":"2018-11-21T06:00:21","date_gmt":"2018-11-21T14:00:21","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=104635"},"modified":"2020-02-17T22:39:43","modified_gmt":"2020-02-18T06:39:43","slug":"unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit\/","title":{"rendered":"\u65b0\u3057\u3044\u30ef\u30a4\u30f3\u3092\u53e4\u3044\u30dc\u30c8\u30eb\u3067: Fallout\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8\u3092\u4f7f\u7528\u3057\u305fFindMyName\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3067\u65b0\u305f\u306aAzorult\u306e\u4e9c\u7a2e\u3092\u767a\u898b"},"content":{"rendered":"

<\/a>\u6982\u8981<\/h2>\n

\u65e9\u304f\u30822016\u5e74<\/a>\u306b\u306f\u89b3\u6e2c\u3055\u308c\u3066\u3044\u305fAzorult\u306f\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u30d5\u30a1\u30df\u30ea\u3067\u3042\u308a\u3001\u30b9\u30d1\u30e0 \u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3092\u4ecb\u3057\u3066\u3001\u307e\u305f\u306fRIG\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8 \u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e2\u6b21\u30da\u30a4\u30ed\u30fc\u30c9\u3068\u3057\u3066\u3001\u60aa\u610f\u306e\u3042\u308b\u30de\u30af\u30ed\u30d9\u30fc\u30b9\u306e\u6587\u66f8\u3067\u914d\u4fe1\u3055\u308c\u3066\u304d\u307e\u3057\u305f\u30022018\u5e7410\u670820\u65e5\u3001\u5f0a\u793e\u306f\u3001\u65b0\u3057\u3044Azorult\u306e\u4e9c\u7a2e\u304c\u3001Fallout\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8\u3092\u4f7f\u7528\u3057\u305f\u65b0\u305f\u306a\u7d99\u7d9a\u4e2d\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3067\u30011\u6b21\u30da\u30a4\u30ed\u30fc\u30c9\u3068\u3057\u3066\u4f7f\u7528\u3055\u308c\u305f\u3053\u3068\u3092\u78ba\u8a8d\u3057\u307e\u3057\u305f\u3002\u5f0a\u793e\u306f\u3001\u3053\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3092\u300cFindMyName\u300d\u3068\u547d\u540d\u3057\u307e\u3057\u305f\u3002\u6700\u5f8c\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30da\u30fc\u30b8\u304c\u3059\u3079\u3066findmyname[.]pw\u3068\u3044\u3046\u30c9\u30e1\u30a4\u30f3\u306b\u884c\u304d\u7740\u304f\u305f\u3081\u3067\u3059\u3002\u3053\u306e\u3088\u3046\u306a\u65b0\u3057\u3044Azorult\u30b5\u30f3\u30d7\u30eb\u306e\u4e9c\u7a2e\u306f\u3001\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9\u88fd\u54c1\u3092\u56de\u907f\u3059\u308b\u305f\u3081\u3001API\u30d5\u30e9\u30c3\u30c7\u30a3\u30f3\u30b0\u3084\u5236\u5fa1\u30d5\u30ed\u30fc\u306e\u5e73\u5766\u5316\u306a\u3069\u3001\u9ad8\u5ea6\u306a\u96e3\u8aad\u5316\u6280\u6cd5\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u307e\u305f\u3001Azorult\u306f\u3055\u3089\u306a\u308b\u9032\u5316\u3092\u9042\u3052\u3066\u304a\u308a\u3001\u5f0a\u793e\u304c\u6355\u6349\u3057\u305f\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3088\u308a\u3082\u591a\u304f\u306e\u30d6\u30e9\u30a6\u30b6\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3001\u4eee\u60f3\u901a\u8ca8\u30a6\u30a9\u30ec\u30c3\u30c8\u306e\u6a5f\u5bc6\u60c5\u5831\u306e\u7a83\u53d6\u3092\u30b5\u30dd\u30fc\u30c8\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002<\/p>\n

\u3053\u306e\u30d6\u30ed\u30b0\u3067\u306f\u3001FindMyName\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3001\u65b0\u3057\u3044Azorult\u30de\u30eb\u30a6\u30a7\u30a2\u3001\u305d\u3057\u3066\u4f7f\u7528\u3055\u308c\u305f\u96e3\u8aad\u5316\u6280\u6cd5\u306b\u3064\u3044\u3066\u8003\u5bdf\u3057\u307e\u3059\u3002<\/p>\n

<\/a>FindMyName\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e\u7b2c1\u6bb5\u968e<\/h3>\n

10\u670820\u65e5\u306f\u3001\u5f0a\u793e\u304cFindMyName\u3068\u547c\u3076\u65b0\u3057\u3044\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3092\u6700\u521d\u306b\u89b3\u6e2c\u3057\u305f\u65e5\u3067\u3059\u3002\u4ee5\u5f8c3\u65e5\u9593\u3067\u3001\u4ed8\u93321\u306b\u6319\u3052\u305f5\u3064\u306e\u7570\u306a\u308bURL\u30c1\u30a7\u30fc\u30f3\u304cFallout\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8\u306e\u914d\u4fe1\u306b\u7d50\u3073\u3064\u3044\u3066\u3044\u307e\u3057\u305f\u30025\u3064\u306e\u7570\u306a\u308bURL\u30c1\u30a7\u30fc\u30f3\u306e\u3059\u3079\u3066\u304c\u3001\u88ab\u5bb3\u7aef\u672b\u3092findmyname[.]pw\u3068\u3044\u30461\u3064\u306e\u30c9\u30e1\u30a4\u30f3\u306b\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n

FindMyName\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e\u7b2c1\u6bb5\u968e\u306b\u304a\u3051\u308b\u30b9\u30c6\u30c3\u30d7\u3092\u3001\u56f31\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n

<\/span><\/p>\n

\u56f31 \u653b\u6483\u306e\u7b2c1\u6bb5\u968e\u306e\u6982\u8981<\/em><\/span><\/p>\n

findmyname[.]pw\u306e5\u3064\u306e\u6700\u7d42\u30da\u30fc\u30b8\u306f\u7570\u306a\u308b\u3082\u306e\u306e\u3001\u305d\u308c\u3089\u306e\u4e2d\u8eab\u306f\u985e\u4f3c\u3057\u3066\u3044\u307e\u3059\u3002Fallout\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8\u306e\u30e9\u30f3\u30c7\u30a3\u30f3\u30b0 \u30da\u30fc\u30b8\u306e\u4f8b\u3092\u56f32\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n

<\/span><\/p>\n

\u56f32 \u96e3\u8aad\u5316\u3055\u308c\u305f\u30e9\u30f3\u30c7\u30a3\u30f3\u30b0 \u30da\u30fc\u30b8<\/em><\/span><\/p>\n

Fallout\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8\u306f\u3001span\u3001h3\u3001p\u306a\u3069\u3001\u3044\u304f\u3064\u304b\u306ehtml\u30bf\u30b0\u3092\u4f7f\u7528\u3057\u3001\u9ad8\u5ea6\u306b\u96e3\u8aad\u5316\u3057\u305f\u30bf\u30b0 \u30b3\u30f3\u30c6\u30f3\u30c4\u306b\u3088\u3063\u3066\u5b9f\u969b\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30b3\u30fc\u30c9\u3092\u96a0\u3057\u3066\u3044\u307e\u3059\u3002\u5fa9\u53f7\u5f8c\u306e\u5b9f\u969b\u306eVBScript\u30b3\u30fc\u30c9\u306f\u30018\u6708\u306b\u30d1\u30c3\u30c1\u304c\u9069\u7528\u3055\u308c\u305f\u3001IE VBScript\u306e\u8106\u5f31\u6027<\/a>(CVE-2018-8174)<\/a>\u3092\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3057\u307e\u3059\u3002<\/p>\n

<\/span><\/p>\n

\u56f33 Fallout\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8\u306b\u304a\u3051\u308bCVE-2018-8174\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30b3\u30fc\u30c9\u306e\u30b9\u30cb\u30da\u30c3\u30c8<\/em><\/span><\/p>\n

\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u6210\u529f\u3059\u308b\u3068\u3001\u3053\u306eFallout\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8\u306f\u300c.tmp\u300d\u30d5\u30a1\u30a4\u30eb\u3092%Temp%\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3001CreateProcess\u3092\u547c\u3073\u51fa\u3057\u3066\u3001\u305d\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u8a73\u3057\u3044\u5206\u6790\u306b\u3088\u3063\u3066\u3001\u300c.tmp\u300d\u30d5\u30a1\u30a4\u30eb\u304cAzorult\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u6700\u65b0\u306e\u4e9c\u7a2e\u3067\u3042\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002Fallout\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8 \u30ad\u30c3\u30c8\u306e1\u6b21\u30da\u30a4\u30ed\u30fc\u30c9\u3068\u3057\u3066Azorult\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u65b0\u3057\u3044\u4e9c\u7a2e\u304c\u4f7f\u7528\u3055\u308c\u308b\u306e\u3092\u78ba\u8a8d\u3057\u305f\u306e\u306f\u3053\u308c\u304c\u521d\u3081\u3066\u3067\u3057\u305f\u3002<\/p>\n

<\/a>FindMyName\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e\u7b2c2\u6bb5\u968e<\/h3>\n

\u3053\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u306f\u3001\u5f0a\u793e\u304c\u6355\u6349\u3057\u305fAzorult\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u6700\u65b0\u306e\u4e9c\u7a2e\u306e\u5206\u6790\u306b\u91cd\u70b9\u3092\u7f6e\u304d\u307e\u3059\u3002<\/p>\n

<\/a>\u30de\u30eb\u30a6\u30a7\u30a2\u5206\u6790\u306e\u6982\u8981<\/h4>\n

Azorult\u30de\u30eb\u30a6\u30a7\u30a2 \u30d5\u30a1\u30df\u30ea\u306f\u3001\u5730\u4e0b\u30d5\u30a9\u30fc\u30e9\u30e0\u3067\u8ca9\u58f2\u3055\u308c\u3066\u3044\u308b\u55b6\u5229\u76ee\u7684\u306e\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3067\u3059\u3002\u5f0a\u793e\u306f\u3001\u6700\u8fd1\u306eFindMyName\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u30673\u3064\u306e\u65b0\u3057\u3044Azorult\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u4e9c\u7a2e\u3092\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002\u305d\u308c\u3089\u3092\u89b3\u6e2c\u3057\u305f\u6642\u70b9\u3067\u306f\u30013\u3064\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u3046\u30612\u3064\u306f\u3001\u307e\u3060\u5b9f\u969b\u306e\u611f\u67d3\u3092\u78ba\u8a8d\u3067\u304d\u3066\u3044\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u5f0a\u793e\u304c\u6355\u6349\u3057\u3001\u5206\u6790\u3057\u305f\u65b0\u3057\u3044Azorult\u30b5\u30f3\u30d7\u30eb\u306e1\u3064\u306b\u306f\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u60aa\u610f\u306e\u3042\u308b\u6a5f\u80fd\u304c\u3042\u308a\u307e\u3057\u305f(\u3053\u306e\u3088\u3046\u306a\u6a5f\u80fd\u306e\u4e00\u90e8\u306f\u3001\u6b21\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u8a73\u3057\u304f\u8aac\u660e\u3057\u307e\u3059)\u3002<\/p>\n

    \n
  1. API\u30d5\u30e9\u30c3\u30c7\u30a3\u30f3\u30b0\u306b\u3088\u3063\u3066\u3001\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9 \u30a8\u30df\u30e5\u30ec\u30fc\u30bf\u3092\u56de\u907f\u3002<\/li>\n
  2. \u5236\u5fa1\u30d5\u30ed\u30fc\u306e\u5e73\u5766\u5316\u6280\u6cd5\u306b\u3088\u3063\u3066\u3001\u30ea\u30d0\u30fc\u30b9 \u30a8\u30f3\u30b8\u30cb\u30a2\u30ea\u30f3\u30b0\u5206\u6790\u3092\u59a8\u5bb3\u3002<\/li>\n
  3. \u30d7\u30ed\u30bb\u30b9\u306e\u7a7a\u6d1e\u5316\u6280\u6cd5\u3092\u4f7f\u7528\u3057\u3066\u3001\u65b0\u3057\u3044\u30de\u30eb\u30a6\u30a7\u30a2 \u30a4\u30e1\u30fc\u30b8\u3092\u4f5c\u6210\u3002<\/li>\n
  4. \u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3088\u308a\u3082\u591a\u304f\u306e\u30d6\u30e9\u30a6\u30b6\u3067\u3001\u8cc7\u683c\u60c5\u5831\u3001cookie\u3001\u5c65\u6b74\u3001\u30aa\u30fc\u30c8\u30d5\u30a3\u30eb\u7528\u306e\u60c5\u5831\u3092\u7a83\u53d6\u3002<\/li>\n
  5. \u4ee5\u524d\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3088\u308a\u3082\u591a\u304f\u306e\u4eee\u60f3\u901a\u8ca8\u30a6\u30a9\u30ec\u30c3\u30c8\u3092\u7a83\u53d6\u3002<\/li>\n
  6. \u5fc5\u8981\u306b\u5fdc\u3058\u3001Skype\u3001Telegram\u3001Steam\u3001FTP\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3001\u96fb\u5b50\u30e1\u30fc\u30eb \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306e\u8cc7\u683c\u60c5\u5831\u304a\u3088\u3073\u30c1\u30e3\u30c3\u30c8\u5c65\u6b74\u3092\u7a83\u53d6\u3002<\/li>\n
  7. \u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u6e08\u307f\u30d7\u30ed\u30b0\u30e9\u30e0\u3001\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3001\u30de\u30b7\u30f3\u60c5\u5831\u3001\u30e6\u30fc\u30b6\u30fc\u540d\u3001OS\u30d0\u30fc\u30b8\u30e7\u30f3\u3001\u5b9f\u884c\u4e2d\u30d7\u30ed\u30bb\u30b9\u3092\u4ecb\u3057\u3001\u88ab\u5bb3\u7aef\u672b\u306e\u60c5\u5831\u3092\u53ce\u96c6\u3002<\/li>\n
  8. \u30e6\u30fc\u30b6\u30fc\u306e\u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u304b\u3089\u30d5\u30a1\u30a4\u30eb\u3092\u53ce\u96c6\u3002<\/li>\n
  9. \u30a2\u30f3\u30c1\u30d5\u30a9\u30ec\u30f3\u30b8\u30c3\u30af \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3001\u3059\u3079\u3066\u306e\u30c9\u30ed\u30c3\u30d7\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u3092\u6d88\u53bb\u3002<\/li>\n
  10. C2\u901a\u4fe1\u306b\u3088\u3063\u3066\u958b\u59cb\u3055\u308c\u305f\u7279\u5b9a\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u5b9f\u884c\u3002<\/li>\n<\/ol>\n

    <\/a>API\u30d5\u30e9\u30c3\u30c7\u30a3\u30f3\u30b0\u304a\u3088\u3073\u5236\u5fa1\u30d5\u30ed\u30fc\u306e\u5e73\u5766\u5316\u306b\u3088\u308b\u96e3\u8aad\u5316<\/h4>\n

    \u6700\u521d\u306eAzorult\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001Microsoft Visual C++ 7.0\u3067\u4f5c\u6210\u3055\u308c\u307e\u3057\u305f\u3002\u7b2c\u4e00\u306b\u3001Azorult\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001\u5236\u5fa1\u30d5\u30ed\u30fc\u306e\u5e73\u5766\u5316<\/a>\u306b\u3088\u308b\u96e3\u8aad\u5316\u3092\u4f7f\u7528\u3057\u3066\u3001\u30ea\u30d0\u30fc\u30b9 \u30a8\u30f3\u30b8\u30cb\u30a2\u30ea\u30f3\u30b0\u5206\u6790\u3092\u59a8\u5bb3\u3057\u307e\u3059(\u56f34\u53c2\u7167)\u3002\u7b2c\u4e8c\u306b\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001API\u30d5\u30e9\u30c3\u30c7\u30a3\u30f3\u30b0\u6280\u6cd5\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3057\u305f(\u56f35\u53c2\u7167)\u3002API\u30d5\u30e9\u30c3\u30c7\u30a3\u30f3\u30b0\u306f\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9 \u30a8\u30df\u30e5\u30ec\u30fc\u30bf\u3092\u56de\u907f\u3059\u308b\u305f\u3081\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u6280\u6cd5\u3067\u3059\uff61\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9 \u30a8\u30df\u30e5\u30ec\u30fc\u30bf\u306f\uff64\u30d1\u30d5\u30a9\u30fc\u30de\u30f3\u30b9\u4e0a\u306e\u652f\u969c\u304c\u751f\u3058\u306a\u3044\u3088\u3046\uff64\u30db\u30b9\u30c8 \u30de\u30b7\u30f3\u3067\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3092\u30a8\u30df\u30e5\u30ec\u30fc\u30c8\u3059\u308b\u3055\u3044\uff64\u4e00\u5b9a\u6642\u9593\u5185\u3067\u30a8\u30df\u30e5\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u7d42\u4e86\u3059\u308b\u30bf\u30a4\u30de\u30fc\u3092\u8a2d\u5b9a\u3057\u307e\u3059\uff61\u3053\u3053\u3067\uff64\u6570\u767e\u56de\u306b\u304a\u3088\u3076\u95a2\u6570\u51e6\u7406\u306e\u30a8\u30df\u30e5\u30ec\u30fc\u30c8\u3092\u884c\u308f\u305b\u308b\u3068\uff64\u30bf\u30a4\u30e0 \u30a2\u30a6\u30c8\u304c\u767a\u751f\u3057\uff64\u30d5\u30a1\u30a4\u30eb\u304c\u7121\u5bb3\u3068\u3057\u3066\u30de\u30fc\u30ad\u30f3\u30b0\u3055\u308c\u3066\u3057\u307e\u3044\u307e\u3059\u3002<\/p>\n

    <\/span><\/p>\n

    \u56f34 \u5236\u5fa1\u30d5\u30ed\u30fc\u306e\u5e73\u5766\u5316<\/em><\/span><\/p>\n

    <\/span><\/p>\n

    \u56f35 API\u30d5\u30e9\u30c3\u30c7\u30a3\u30f3\u30b0<\/em><\/span><\/p>\n

    <\/a>\u30d7\u30ed\u30bb\u30b9\u306e\u7a7a\u6d1e\u5316<\/h4>\n

    Azorult\u306f\u3001\u30d7\u30ed\u30bb\u30b9\u306e\u7a7a\u6d1e\u5316\u6280\u6cd5\u3092\u4f7f\u7528\u3057\u3001\u65b0\u3057\u3044\u30de\u30eb\u30a6\u30a7\u30a2 \u30a4\u30e1\u30fc\u30b8\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u307e\u305a\uff64\u30e1\u30e2\u30ea\u5185\u3067\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u5fa9\u53f7\u3057\u307e\u3059\u3002\u6b21\u306b\u81ea\u8eab\u306e\u4e00\u6642\u505c\u6b62\u3057\u305f\u30d7\u30ed\u30bb\u30b9\u3092\u65b0\u3057\u304f\u4f5c\u6210\u3057\uff64\u305d\u306e\u306e\u3061\u306b\u5fa9\u53f7\u3057\u305f\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u65b0\u3057\u3044\u30d7\u30ed\u30bb\u30b9\u306b\u633f\u5165\u3057\u307e\u3059\u3002\u6700\u5f8c\u306b\u65b0\u3057\u3044\u30d7\u30ed\u30bb\u30b9\u5b9f\u884c\u3092\u518d\u958b\u3057\u3001\u60aa\u610f\u306e\u3042\u308b\u632f\u308b\u821e\u3044\u3092\u884c\u3044\u307e\u3059\u3002\u30b5\u30f3\u30d7\u30eb\u5b9f\u884c\u306e\u6982\u8981\u3092\u56f36\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n

    <\/span><\/p>\n

    \u56f36 \u30b5\u30f3\u30d7\u30eb\u306e\u30d7\u30ed\u30bb\u30b9\u7a7a\u6d1e\u5316<\/em><\/span><\/p>\n

    <\/a>C2\u901a\u4fe1<\/h3>\n

    \u30d7\u30ed\u30bb\u30b9\u304b\u3089\u30c0\u30f3\u30d7\u3055\u308c\u305f\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u30d5\u30a1\u30a4\u30eb\u306f\u3001Delphi\u3067\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u30b5\u30f3\u30d7\u30eb\u306f\u5b9f\u884c\u6642\u306b\u3001\u5373\u5ea7\u306bC2\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3057\u3066\u3055\u3089\u306a\u308b\u6307\u793a\u3092\u53d7\u3051\u307e\u3059\u3002\u4fb5\u5165\u9632\u5fa1\u30b7\u30b9\u30c6\u30e0(IPS)\u3092\u56de\u907f\u3059\u308b\u305f\u3081\u3001C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306f\u96e3\u8aad\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u3002C2\u306b\u9001\u308a\u8fd4\u3055\u308c\u308b\u30c7\u30fc\u30bf\u306b\u306f\u3001\u88ab\u5bb3\u306b\u3042\u3063\u305f\u500b\u3005\u306e\u30de\u30b7\u30f3\u56fa\u6709\u306e\u88ab\u5bb3\u7aef\u672bID\u304c\u542b\u307e\u308c\u3066\u304a\u308a\u3001\u30de\u30b7\u30f3\u306eGUID\u3001Windows\u88fd\u54c1\u540d\u3001\u30e6\u30fc\u30b6\u30fc\u540d\u3001\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u540d\u304c\u30cf\u30c3\u30b7\u30e5 \u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3067\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001C2\u30a2\u30c9\u30ec\u30b9\u3092\u5fa9\u53f7\u3057\u3001\u6697\u53f7\u5316\u3055\u308c\u305f\u88ab\u5bb3\u7aef\u672b\u306eID\u3067\u3001POST\u30ea\u30af\u30a8\u30b9\u30c8\u309251[.]15[.]196[.]30\/1\/index.php\u306b\u9001\u4fe1\u3057\u307e\u3059\u3002C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u56f37\u306b\u793a\u3057\u307e\u3059\u3002\u30cf\u30c3\u30b7\u30e5 \u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u3068\u6697\u53f7\u5316\u306b\u95a2\u3059\u308b\u8a73\u3057\u3044\u4f8b\u306f\u3001\u4ed8\u93321\u306b\u6319\u3052\u3089\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n

    <\/span><\/p>\n

    \u56f37 C2\u30ea\u30af\u30a8\u30b9\u30c8<\/em><\/span><\/p>\n

    \u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001C2\u5fdc\u7b54\u3092\u5fa9\u53f7\u3057\u3001\u691c\u8a3c\u3057\u307e\u3059\u3002\u5fa9\u53f7\u3055\u308c\u305fC2\u30b3\u30f3\u30c6\u30f3\u30c4\u306b\u306f3\u3064\u306e\u90e8\u5206\u304c\u3042\u308a\u307e\u3057\u305f\u3002<n><\/n>\u30bf\u30b0\u3067\u56f2\u307e\u308c\u305f\u90e8\u5206\u306b\u306f\u300148\u500b\u306e\u6b63\u898fDLL\u304c\u542b\u307e\u308c\u3001\u3053\u308c\u3089\u306f\u4ee5\u5f8c\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u8aac\u660e\u3059\u308b\u60c5\u5831\u7a83\u53d6\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<d><\/d>\u30bf\u30b0\u3067\u56f2\u307e\u308c\u305f\u90e8\u5206\u306b\u306f\u3001\u60c5\u5831\u7a83\u53d6\u7528\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u60c5\u5831\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u5177\u4f53\u7684\u306b\u306f\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3 \u30d1\u30b9\u3001\u95a2\u9023\u30ec\u30b8\u30b9\u30c8\u30ea\u3001\u8cc7\u683c\u60c5\u5831\u30d5\u30a1\u30a4\u30eb\u540d\u3067\u3059\u3002<c><\/c>\u30bf\u30b0\u3067\u56f2\u307e\u308c\u305f\u90e8\u5206\u306b\u306f\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306eC2\u69cb\u6210\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002C2\u69cb\u6210\u3092\u56f38\u306b\u793a\u3057\u307e\u3059\u3002pcap\u5206\u6790\u306b\u3088\u3063\u3066\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u4ee5\u4e0b\u306e\u6587\u5b57\u304c\u30c1\u30a7\u30c3\u30af\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002<\/p>\n

      \n
    1. \u300c+\u300d: \u7279\u5b9a\u306e\u60aa\u610f\u306e\u3042\u308b\u6a5f\u80fd\u3092\u6709\u52b9\u5316\u3057\u307e\u3059\u3002<\/li>\n
    2. \u300c-\u300d: \u7279\u5b9a\u306e\u60aa\u610f\u306e\u3042\u308b\u6a5f\u80fd\u3092\u7121\u52b9\u5316\u3057\u307e\u3059\u3002<\/li>\n
    3. \u300cI\u300d: \u30db\u30b9\u30c8IP\u60c5\u5831\u3092\u53ce\u96c6\u3057\u307e\u3059\u3002<\/li>\n
    4. \u300cL\u300d: \u30ea\u30e2\u30fc\u30c8 \u30b5\u30fc\u30d0\u30fc\u304b\u3089\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3057\u307e\u3059\u3002<\/li>\n<\/ol>\n

      <\/span><\/p>\n

      \u56f38 C2\u69cb\u6210<\/em><\/span><\/p>\n

      C2\u3067\u6307\u5b9a\u3055\u308c\u305f\u60aa\u610f\u306e\u3042\u308b\u6a5f\u80fd:<\/p>\n

        \n
      1. \u30d6\u30e9\u30a6\u30b6 \u30d1\u30b9\u30ef\u30fc\u30c9\u8cc7\u683c\u60c5\u5831\u306e\u7a83\u53d6\u3002<\/li>\n
      2. \u30d6\u30e9\u30a6\u30b6\u306ecookie\u3001\u30aa\u30fc\u30c8\u30d5\u30a3\u30eb\u8cc7\u683c\u60c5\u5831\u306e\u7a83\u53d6\u3002FTP\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u3084\u96fb\u5b50\u30e1\u30fc\u30eb \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304b\u3089\u306e\u8cc7\u683c\u60c5\u5831\u306e\u7a83\u53d6\u3002<\/li>\n
      3. \u30d6\u30e9\u30a6\u30b6\u5c65\u6b74\u306e\u7a83\u53d6\u3002<\/li>\n
      4. \u30d3\u30c3\u30c8\u30b3\u30a4\u30f3 \u30a6\u30a9\u30ec\u30c3\u30c8\u306e\u7a83\u53d6\u3002<\/li>\n
      5. Skype\u306e\u30c1\u30e3\u30c3\u30c8 \u30e1\u30c3\u30bb\u30fc\u30b8main.db\u306e\u7a83\u53d6\u3002<\/li>\n
      6. Telegram\u306e\u8cc7\u683c\u60c5\u5831\u306e\u7a83\u53d6\u3002<\/li>\n
      7. Steam\u306e\u8cc7\u683c\u60c5\u5831(ssfn)\u304a\u3088\u3073\u30b2\u30fc\u30e0 \u30e1\u30bf\u30c7\u30fc\u30bf(.vdf)\u306e\u7a83\u53d6\u3002<\/li>\n
      8. \u6700\u7d42\u7684\u306b\u653b\u6483\u8005\u306b\u9001\u3089\u308c\u308b\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u306e\u53d6\u5f97\u3002<\/li>\n
      9. \u4e00\u6642\u30de\u30eb\u30a6\u30a7\u30a2 \u30d5\u30a1\u30a4\u30eb\u306e\u6d88\u53bb\u3002<\/li>\n
      10. \u30c7\u30b9\u30af\u30c8\u30c3\u30d7\u304b\u3089\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u53ce\u96c6\u3002<\/li>\n
      11. GET\u30ea\u30af\u30a8\u30b9\u30c8\u3092ip-api[.]com\/json\u306b\u9001\u4fe1\u3059\u308b\u3053\u3068\u306b\u3088\u308b\u30db\u30b9\u30c8IP\u60c5\u5831\u306e\u53d6\u5f97\u3002<\/li>\n
      12. C2\u3067\u6307\u5b9a\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3068\u5b9f\u884c\u3002<\/li>\n<\/ol>\n

        \u56f39\u306f\u3001Firefox\u304a\u3088\u3073Thunderbird\u304b\u3089\u6a5f\u5bc6\u60c5\u5831\u3092\u7a83\u53d6\u3059\u308b\u305f\u3081\u306eC2\u69cb\u6210\u306e\u4f8b\u3067\u3059\u3002<\/p>\n

        <\/span><\/p>\n

        \u56f39 \u60c5\u5831\u7a83\u53d6\u7528\u306eC2\u69cb\u6210<\/em><\/span><\/p>\n

        C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u6982\u8981\u3092\u56f310\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n

        <\/span><\/p>\n

        \u56f310 C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u306e\u6982\u8981<\/em><\/span><\/p>\n

        <\/a>\u60c5\u5831\u7a83\u53d6<\/h3>\n

        \u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001Chrome\u3001Firefox\u3001Qihoo 360\u306a\u3069\u300132\u306e\u30d6\u30e9\u30a6\u30b6\u304b\u3089\u8cc7\u683c\u60c5\u5831\u304a\u3088\u3073\u30e6\u30fc\u30b6\u30fc \u30c7\u30fc\u30bf\u3092\u7a83\u53d6\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u30d6\u30e9\u30a6\u30b6\u306e\u5168\u30ea\u30b9\u30c8\u306f\u4ed8\u93322\u306b\u3042\u308a\u307e\u3059\u3002\u30d6\u30e9\u30a6\u30b6\u304b\u3089\u8cc7\u683c\u60c5\u5831\u3092\u7a83\u53d6\u3059\u308b\u305f\u3081\u3001\u30b5\u30f3\u30d7\u30eb\u306fC2\u306e\u5fdc\u7b54\u304b\u308948\u500b\u306e\u6b63\u898fDLL\u30d5\u30a1\u30a4\u30eb\u3092 %AppData%\\Local\\Temp\\2fda \u30d5\u30a9\u30eb\u30c0\u306b\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u3044\u307e\u3057\u305f(\u56f311\u53c2\u7167)\u3002<\/p>\n

        <\/span><\/p>\n

        \u56f311 \u5408\u6cd5\u306adll\u30d5\u30a1\u30a4\u30eb<\/em><\/span><\/p>\n

        \u3053\u306e\u52d5\u4f5c\u306e\u76ee\u7684\u306f\u3001nss3.dll\u3092\u30ed\u30fc\u30c9\u3057\u3066\u3001\u4ee5\u4e0b\u306e\u95a2\u6570\u3092\u30ed\u30fc\u30c9\u3059\u308b\u3053\u3068\u3067\u3059\u3002<\/p>\n