{"id":106764,"date":"2017-02-27T15:00:56","date_gmt":"2017-02-27T23:00:56","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=106764"},"modified":"2020-04-26T17:57:08","modified_gmt":"2020-04-27T00:57:08","slug":"unit-42-title-gamaredon-group-toolset-evolution","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/","title":{"rendered":"Gamaredon\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u306e\u9032\u5316"},"content":{"rendered":"<h2>\u6982\u8981<\/h2>\n<p>\u5148\u65e5\u3001Palo Alto Networks\u306e\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u30c1\u30fc\u30e0Unit 42\u306e\u8105\u5a01\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u3001\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u304c\u7279\u5225\u4ed5\u69d8\u3067\u958b\u767a\u3055\u308c\u305f\u65b0\u578b\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u914d\u4fe1\u3057\u3066\u3044\u308b\u306e\u306b\u6c17\u4ed8\u304d\u307e\u3057\u305f\u3002\u79c1\u305f\u3061\u306f\u3053\u306e\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306bGamaredon\u30b0\u30eb\u30fc\u30d7\u3068\u540d\u4ed8\u3051\u307e\u3057\u305f\u304c\u3001\u79c1\u305f\u3061\u306e\u30ea\u30b5\u30fc\u30c1\u304b\u3089Gamaredon\u30b0\u30eb\u30fc\u30d7\u304c\u5c11\u306a\u304f\u3068\u30822013\u5e74\u4ee5\u964d\u6d3b\u52d5\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3057\u305f\u3002<\/p>\n<p>\u5f93\u6765\u3001Gamaredon\u30b0\u30eb\u30fc\u30d7\u306f\u5e02\u8ca9\u306e\u30c4\u30fc\u30eb\u306b\u5927\u304d\u304f\u983c\u3063\u3066\u3044\u307e\u3057\u305f\u304c\u3001\u79c1\u305f\u3061\u306e\u65b0\u305f\u306a\u30ea\u30b5\u30fc\u30c1\u306b\u3088\u308a\u3001Gamaredon\u30b0\u30eb\u30fc\u30d7\u304c\u7279\u5225\u4ed5\u69d8\u3067\u958b\u767a\u3055\u308c\u305f\u30de\u30eb\u30a6\u30a7\u30a2\u3078\u3068\u79fb\u884c\u3057\u305f\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3057\u305f\u3002\u3053\u306e\u79fb\u884c\u306fGamaredon\u30b0\u30eb\u30fc\u30d7\u304c\u81ea\u5206\u3
05f\u3061\u306e\u6280\u8853\u7684\u306a\u80fd\u529b\u3092\u5411\u4e0a\u3055\u305b\u305f\u3053\u3068\u3092\u793a\u3059\u3082\u306e\u3067\u3042\u308b\u3001\u3068\u79c1\u305f\u3061\u306f\u4fe1\u3058\u3066\u3044\u307e\u3059\u3002\u7279\u5225\u4ed5\u69d8\u3067\u958b\u767a\u3055\u308c\u305f\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u30d5\u30eb\u6a5f\u80fd\u3067\u3042\u308a\u3001\u4e0b\u8a18\u306e\u6a5f\u80fd\u3092\u5099\u3048\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u81ea\u7531\u306b\u9078\u3093\u3060\u8ffd\u52a0\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u5b9f\u884c\u3059\u308b\u30e1\u30ab\u30cb\u30ba\u30e0<\/li>\n<li>\u30b7\u30b9\u30c6\u30e0 \u30c9\u30e9\u30a4\u30d6\u3092\u30b9\u30ad\u30e3\u30f3\u3057\u3066\u7279\u5b9a\u306e\u30d5\u30a1\u30a4\u30eb \u30bf\u30a4\u30d7\u3092\u63a2\u3057\u51fa\u3059\u6a5f\u80fd<\/li>\n<li>\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092\u30ad\u30e3\u30d7\u30c1\u30e3\u3059\u308b\u6a5f\u80fd<\/li>\n<li>\u30e6\u30fc\u30b6\u30fc\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306b\u304a\u3044\u3066\u3001\u30b7\u30b9\u30c6\u30e0\u4e0a\u306e\u30b3\u30de\u30f3\u30c9\u3092\u30ea\u30e2\u30fc\u30c8\u304b\u3089\u5b9f\u884c\u3059\u308b\u6a5f\u80fd<\/li>\n<\/ul>\n<p>Gamaredon\u30b0\u30eb\u30fc\u30d7\u306f\u3001\u4e3b\u3068\u3057\u3066\u3001\u4fb5\u5bb3\u3092\u53d7\u3051\u305f\u30c9\u30e1\u30a4\u30f3\u3001\u30c0\u30a4\u30ca\u30df\u30c3\u30afDNS\u30d7\u30ed\u30d0\u30a4\u30c0\u3001\u30ed\u30b7\u30a2\u304a\u3088\u3073\u30a6\u30af\u30e9\u30a4\u30ca\u306e\u56fd\u5225\u30b3\u30fc\u30c9\u30c8\u30c3\u30d7\u30ec\u30d9\u30eb\u30c9\u30e1\u30a4\u30f3(ccTLD)\u3001\u30ed\u30b7\u30a2\u306e\u30db\u30b9\u30c6\u30a3\u30f3\u30b0 
\u30d7\u30ed\u30d0\u30a4\u30c0\u3092\u5229\u7528\u3057\u3066\u3001\u7279\u5225\u4ed5\u69d8\u3067\u4f5c\u6210\u3055\u308c\u305f\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u914d\u4fe1\u3057\u307e\u3059\u3002<\/p>\n<p>\u30de\u30eb\u30a6\u30a7\u30a2\u5bfe\u7b56\u6280\u8853\u306f\u3001\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u304c\u958b\u767a\u3057\u305f\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u691c\u51fa\u306b\u95a2\u3059\u308b\u5b9f\u7e3e\u304c\u4e4f\u3057\u3044\u306e\u3067\u3059\u304c\u3001\u305d\u308c\u306f\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30e2\u30b8\u30e5\u30fc\u30eb\u7684\u306a\u7279\u8cea\u306b\u3088\u308b\u3082\u306e\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3068\u79c1\u305f\u3061\u306f\u4fe1\u3058\u3066\u3044\u307e\u3059\u3002\u30e2\u30b8\u30e5\u30fc\u30eb\u7684\u306a\u7279\u8cea\u3068\u306f\u3001\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u3092\u591a\u7528\u3059\u308b\u3053\u3068\u3001\u304a\u3088\u3073\u6b63\u898f\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3084\u30c4\u30fc\u30eb(wget\u306a\u3069)\u3092\u60aa\u610f\u306e\u3042\u308b\u76ee\u7684\u3067\u60aa\u7528\u3059\u308b\u3053\u3068\u3092\u6307\u3057\u307e\u3059\u3002<\/p>\n<p>\u4ee5\u524d\u3001\u3042\u308b\u653b\u6483\u6d3b\u52d5\u306b\u95a2\u3057\u3066<a href=\"https:\/\/www.lookingglasscyber.com\/operation-armageddon-registration\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: section: 
\">LookingGlass\u304c\u30ec\u30dd\u30fc\u30c8\u3057\u305f<\/a>\u969b\u3001\u3053\u306e\u653b\u6483\u6d3b\u52d5\u306b\u201c\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3Armageddon\u201d\u3068\u540d\u4ed8\u3051\u307e\u3057\u305f\u304c\u3001\u3053\u308c\u306f\u30a6\u30af\u30e9\u30a4\u30ca\u306e\u8ecd\u304a\u3088\u3073\u56fd\u5bb6\u5b89\u5168\u4fdd\u969c\u30fb\u56fd\u9632\u4f1a\u8b70\u306b\u95a2\u4fc2\u306e\u3042\u308b\u500b\u4eba\u3092\u6a19\u7684\u306b\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u672c\u4ef6\u306e\u30b0\u30eb\u30fc\u30d7\u304c\u305d\u306e\u653b\u6483\u6d3b\u52d5\u306e\u80cc\u5f8c\u306b\u3044\u305f\u3068\u78ba\u4fe1\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u79c1\u305f\u3061\u306f\u672c\u4ef6\u306e\u30b0\u30eb\u30fc\u30d7\u306bGamaredon\u30b0\u30eb\u30fc\u30d7\u3068\u547d\u540d\u3057\u307e\u3057\u305f\u3002\u56e0\u307f\u306bGamaredon\u306f\u201cArmageddon\u201d\u306e\u30a2\u30ca\u30b0\u30e9\u30e0\u3067\u3059\u3002\u73fe\u6642\u70b9\u3067\u306f\u3001\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u304c\u914d\u4fe1\u3057\u3066\u3044\u308b\u65b0\u578b\u30da\u30a4\u30ed\u30fc\u30c9\u304c\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3Armageddon\u306e\u7d9a\u304d\u306a\u306e\u304b\u3001\u305d\u308c\u3068\u3082\u65b0\u305f\u306a\u653b\u6483\u6d3b\u52d5\u306a\u306e\u304b\u4e0d\u660e\u3067\u3059\u3002<\/p>\n<h2>Gamaredon: \u904e\u53bb\u304b\u3089\u73fe\u5728\u306b\u81f3\u308b\u30c4\u30fc\u30eb\u306e\u5206\u6790<\/h2>\n<p>\u3053\u306e\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u304c\u914d\u4fe1\u3057\u305f\u30b5\u30f3\u30d7\u30eb\u3067\u3001\u767a\u898b\u3055\u308c\u305f\u6700\u3082\u53e4\u3044\u3082\u306e(\u30b3\u30f3\u30d1\u30a4\u30eb\u6642\u523b\u3068\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9 \u30b5\u30d6\u30df\u30c3\u30c8\u6642\u523b\u306b\u57fa\u3065\u304f)\u306f\u3001<a href=\"https:\/\/www.symantec.com\/security_response\/writeup.jsp?docid=2015-042917-4812-99&amp;tabid=2\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" 
data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: section:gamaredon: \u904e\u53bb\u304b\u3089\u73fe\u5728\u306b\u81f3\u308b\u30c4\u30fc\u30eb\u306e\u5206\u6790\">Symantec<\/a>\u304a\u3088\u3073<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/troj_gamaredon.a\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: section:gamaredon: \u904e\u53bb\u304b\u3089\u73fe\u5728\u306b\u81f3\u308b\u30c4\u30fc\u30eb\u306e\u5206\u6790\">Trend Micro<\/a>\u304cGamaredon\u306b\u3064\u3044\u3066\u89e3\u8aac\u3057\u3066\u3044\u305f\u3082\u306e\u306b\u985e\u4f3c\u3057\u3066\u3044\u307e\u3059\u3002\u3057\u304b\u3057\u3001\u90fd\u5408\u306e\u60aa\u3044\u3053\u3068\u306b\u3001\u3053\u306e\u540c\u4e00\u6027\u3092\u793a\u3059\u6839\u62e0\u306f\u4e0d\u5341\u5206\u3067\u3059\u3002\u305d\u308c\u306f\u3001\u672c\u4ef6\u3067\u8105\u5a01\u306e\u653b\u6483\u8005\u304c\u4f7f\u3063\u3066\u3044\u308b\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u6700\u521d\u306e\u4e9c\u7a2e\u3092\u7279\u5b9a\u3057\u3066\u3044\u308b\u306e\u306b\u904e\u304e\u306a\u3044\u3088\u3046\u306b\u601d\u3048\u308b\u305f\u3081\u3067\u3059\u3002\u5f8c\u767a\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u4e9c\u7a2e\u306b\u95a2\u3057\u3066\u3001\u4e00\u90e8\u306e\u30b5\u30f3\u30d7\u30eb\u306b\u3082\u4e00\u822c\u7684\u3067\u4e0d\u5b89\u5b9a\u306a\u540d\u79f0\u306e<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/troj_resetter.bb\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: section:gamaredon: \u904e\u53bb\u304b\u3089\u73fe\u5728\u306b\u81f3\u308b\u30c4\u30fc\u30eb\u306e\u5206\u6790\">TROJ_RESETTER.BB<\/a>\u304a\u3088\u3073<a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/threat-encyclopedia\/malware\/troj_fraudrop.ex\" target=\"_blank\" rel=\"noopener 
noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: section:gamaredon: \u904e\u53bb\u304b\u3089\u73fe\u5728\u306b\u81f3\u308b\u30c4\u30fc\u30eb\u306e\u5206\u6790\">TROJ_FRAUDROP.EX<\/a>\u304c\u4ed8\u3051\u3089\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u5f53\u521d\u3001\u3053\u306e\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u304c\u6a19\u7684\u306b\u914d\u4fe1\u3057\u305f\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u3067\u4fdd\u8b77\u3055\u308c\u305f\u81ea\u5df1\u89e3\u51cd\u578bZip\u30a2\u30fc\u30ab\u30a4\u30d6(.SFX)\u30d5\u30a1\u30a4\u30eb\u3067\u69cb\u6210\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306eSFX\u306f\u3001\u89e3\u51cd\u6642\u306b\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c7\u30a3\u30b9\u30af\u306b\u66f8\u304d\u8fbc\u307f\u3001<a href=\"https:\/\/rmansys.ru\/remote-access\/\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: section:gamaredon: \u904e\u53bb\u304b\u3089\u73fe\u5728\u306b\u81f3\u308b\u30c4\u30fc\u30eb\u306e\u5206\u6790\">Remote Manipulator System (\u30ea\u30e2\u30fc\u30c8\u64cd\u4f5c\u30b7\u30b9\u30c6\u30e0)<\/a>(\u56f31)\u3068\u547c\u3070\u308c\u308b\u6b63\u898f\u306e\u30ea\u30e2\u30fc\u30c8\u7ba1\u7406\u30c4\u30fc\u30eb\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3057\u305f\u3002\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306f\u3001\u3053\u306eRemote Manipulator System\u3092\u60aa\u610f\u306e\u3042\u308b\u76ee\u7684\u3067\u60aa\u7528\u3057\u3088\u3046\u3068\u3057\u307e\u3057\u305f\u3002<\/p>\n<figure style=\"width: 610px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-01.png\" alt=\"\u56f31 Remote Manipulator System\u306e\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9\" width=\"610\" 
height=\"560\" \/><figcaption class=\"wp-caption-text\">\u56f31 Remote Manipulator System\u306e\u30a4\u30f3\u30bf\u30fc\u30d5\u30a7\u30a4\u30b9<\/figcaption><\/figure>\n<p>\u305d\u306e\u3088\u3046\u306a\u81ea\u5df1\u89e3\u51cd\u578b\u30a2\u30fc\u30ab\u30a4\u30d6\u306e1\u3064(ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc)\u304c\u30012014\u5e744\u6708\u9803\u3001\u521d\u3081\u3066\u767a\u898b\u3055\u308c\u307e\u3057\u305f\u3002\u305d\u308c\u304c\u81ea\u5df1\u89e3\u51cd\u7528\u306b\u4f7f\u3063\u305f\u30d1\u30b9\u30ef\u30fc\u30c9(\u30d1\u30b9\u30ef\u30fc\u30c9\u4fdd\u8b77\u3055\u308c\u305f\u591a\u6570\u306eSFX\u30da\u30a4\u30ed\u30fc\u30c9\u3067\u4f7f\u3044\u56de\u3057\u3055\u308c\u3066\u3044\u308b)\u306f\u201c1234567890__\u201d\u3067\u3059\u3002\u79c1\u305f\u3061\u304c\u3053\u306eSFX\u30d5\u30a1\u30a4\u30eb\u3092\u78ba\u8a8d\u3057\u305f\u969b\u3001\u3053\u308c\u306b\u542b\u307e\u308c\u3066\u3044\u305f\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u201c123.cmd\u201d\u3068\u3044\u3046\u540d\u524d\u306e\u30d0\u30c3\u30c1 \u30d5\u30a1\u30a4\u30eb\u304a\u3088\u3073\u201csetting.exe\u201d\u3068\u3044\u3046\u540d\u524d\u306e\u5225\u306eSFX\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e2\u756a\u76ee\u306eSFX\u306b\u306f\u3001Remote Manipulator System\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b.MSI\u30a4\u30f3\u30b9\u30c8\u30fc\u30e9\u30fc \u30d1\u30c3\u30b1\u30fc\u30b8\u3001\u304a\u3088\u3073\u3001\u3053\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u4f5c\u696d\u3092\u64cd\u4f5c\u3059\u308b\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u5f8c\u767a\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c7\u30a3\u30b9\u30af\u306b\u66f8\u304d\u8fbc\u3080\u307b\u304b\u3001wget\u30d0\u30a4\u30ca\u30ea\u3082\u66f8\u304d\u8fbc\u3082\u3046\u3068\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u30d0\u30c3\u30c1 
\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001wget\u30d0\u30a4\u30ca\u30ea\u3092\u4f7f\u3063\u3066\u65b0\u305f\u306b\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u5b9f\u884c\u3057\u3088\u3046\u3068\u3057\u307e\u3057\u305f\u3002\u307e\u305f\u3001wget\u3092\u4f7f\u3063\u3066POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u30b3\u30de\u30f3\u30c9 \u30a2\u30f3\u30c9 \u30b3\u30f3\u30c8\u30ed\u30fc\u30eb(C2)\u30b5\u30fc\u30d0\u306b\u9001\u4fe1\u3057\u3088\u3046\u3068\u3057\u307e\u3057\u305f\u3002\u305d\u306e\u969b\u3001POST\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u306f\u4fb5\u5bb3\u3092\u53d7\u3051\u305f\u30b7\u30b9\u30c6\u30e0\u306b\u95a2\u3059\u308b\u60c5\u5831\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u3046\u3057\u305f\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u4e00\u90e8\u306b\u306f\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u304c\u5b9f\u884c\u3055\u308c\u305f\u969b\u306b\u958b\u304b\u308c\u308b\u304a\u3068\u308a\u306e\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u3053\u306e\u7a2e\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306b\u95a2\u3059\u308b3\u3064\u306e\u30b5\u30f3\u30d7\u30eb\u306b\u306f\u3001\u4ee5\u4e0b\u306e\u3082\u306e\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<ul>\n<li>a6a44ee854c846f31d15b0ca2d6001fb0bdddc85f17e2e56abb2fa9373e8cfe7<\/li>\n<li>b5199a302f053e5e9cb7e82cc1e502b5edbf04699c2839acb514592f2eeabb13<\/li>\n<li>3ef3a06605b462ea31b821eb76b1ea0fdf664e17d010c1d5e57284632f339d4b<\/li>\n<\/ul>\n<p>2014\u5e74\u3001\u79c1\u305f\u3061\u306f\u3053\u308c\u3089\u306e\u30b5\u30f3\u30d7\u30eb\u304cwget\u3092\u4f7f\u3063\u3066\u3044\u308b\u306e\u306b\u521d\u3081\u3066\u6c17\u4ed8\u304d\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u30b5\u30f3\u30d7\u30eb\u304c\u4f7f\u3063\u3066\u3044\u305f\u30d5\u30a1\u30a4\u30eb\u540d\u3068\u304a\u3068\u308a\u306e\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u306f\u3001\u500b\u4eba\u3092\u8a98\u3044\u8fbc\u3080\u306e\u306b\u3001\u30c6\u3
0fc\u30de\u3068\u3057\u3066\u3001\u30a6\u30af\u30e9\u30a4\u30ca\u5927\u7d71\u9818\u306e\u653f\u6a29\u3001\u30a6\u30af\u30e9\u30a4\u30ca\u56fd\u5bb6\u5b89\u5168\u4fdd\u969c\u30fb\u56fd\u9632\u4f1a\u8b70\u3001\u30a6\u30af\u30e9\u30a4\u30ca\u306b\u304a\u3051\u308b\u30c6\u30ed\u5bfe\u7b56\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3 \u30be\u30fc\u30f3\u3001\u304a\u3088\u3073\u30a6\u30af\u30e9\u30a4\u30ca\u306e\u611b\u56fd\u5fc3\u3092\u4f7f\u3063\u3066\u3044\u307e\u3057\u305f\u3002\u305d\u306e\u3088\u3046\u306a\u304a\u3068\u308a\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u306e1\u3064\u306b\u3042\u308b\u6587\u9762\u3092\u753b\u50cf\u5316\u3057\u3066\u3001\u4ee5\u4e0b\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n<figure style=\"width: 696px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-02.png\" alt=\"\u56f32 Gamaredon\u30b0\u30eb\u30fc\u30d7\u304c\u4f7f\u7528\u3057\u305f\u30a6\u30af\u30e9\u30a4\u30ca\u306e\u304a\u3068\u308a\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\" width=\"696\" height=\"670\" \/><figcaption class=\"wp-caption-text\">\u56f32 Gamaredon\u30b0\u30eb\u30fc\u30d7\u304c\u4f7f\u7528\u3057\u305f\u30a6\u30af\u30e9\u30a4\u30ca\u306e\u304a\u3068\u308a\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8<\/figcaption><\/figure>\n<p>\u4ed6\u306b\u89b3\u5bdf\u3055\u308c\u305f\u30da\u30a4\u30ed\u30fc\u30c9\u3082\u3001\u3084\u306f\u308a\u3001SFX\u30d5\u30a1\u30a4\u30eb\u3092\u4f7f\u3063\u3066\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u3068\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3092\u914d\u4fe1\u3057\u3088\u3046\u3068\u3057\u307e\u3057\u305f\u304c\u3001\u3053\u306e\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306fVNC\u30d7\u30ed\u30c8\u30b3\u30eb\u3092\u4f7f\u3063\u3066\u30ea\u30e2\u30fc\u30c8 
\u30a2\u30af\u30bb\u30b9\u3092\u53ef\u80fd\u306b\u3059\u308b\u3082\u306e\u3067\u3057\u305f\u3002\u3053\u308c\u3089\u306eVNC\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306f\u3001SFX\u30d5\u30a1\u30a4\u30eb\u306e\u4e2d\u306b\u542b\u307e\u308c\u3066\u3044\u308b\u304b\u3001\u3042\u308b\u3044\u306f\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u306b\u3088\u3063\u3066\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u307e\u3057\u305f\u3002\u79c1\u305f\u3061\u306f\u3001VNC\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3092\u63d0\u4f9b\u3057\u3066\u3044\u305fURL(\u4eca\u3067\u306f\u9589\u9396)\u30921\u3064\u767a\u898b\u3057\u307e\u3057\u305f\u304c\u3001\u3053\u306eVNC\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3092\u30de\u30eb\u30a6\u30a7\u30a2\u304c\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3001\u5b9f\u884c\u3057\u3088\u3046\u3068\u3057\u307e\u3057\u305f\u3002\u79c1\u305f\u3061\u304c\u767a\u898b\u3057\u305fURL\u306fhxxp:\/\/prestigeclub.frantov.com[.]ua\/press-center\/press\/chrome-xvnc-v5517.exe\u3067\u3057\u305f\u3002<\/p>\n<p>\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001\u5f15\u304d\u7d9a\u304d\u3001VNC\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u30b3\u30de\u30f3\u30c9 \u30a2\u30f3\u30c9 \u30b3\u30f3\u30c8\u30ed\u30fc\u30eb(C2)\u30b5\u30fc\u30d0\u306b\u63a5\u7d9a\u3055\u305b\u3066\u3001\u4fb5\u5bb3\u3092\u53d7\u3051\u305f\u30b7\u30b9\u30c6\u30e0\u3092\u30b5\u30fc\u30d0\u304c\u5236\u5fa1\u3067\u304d\u308b\u3088\u3046\u306b\u3057\u3088\u3046\u3068\u3057\u307e\u3057\u305f\u3002\u4fb5\u5bb3\u3092\u53d7\u3051\u305f\u30b7\u30b9\u30c6\u30e0\u4e0a\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u305fVNC\u3092\u79c1\u305f\u3061\u304c\u78ba\u8a8d\u3057\u305f\u969b\u3001\u3044\u305a\u308c\u306b\u3082\u540c\u3058\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb\u3001RC4\u30ad\u30fc 
\u30d5\u30a1\u30a4\u30eb\u3001\u304a\u3088\u3073\u30d1\u30b9\u30ef\u30fc\u30c9\u304c\u4f7f\u308f\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u305d\u306e\u3088\u3046\u306a\u30b5\u30f3\u30d7\u30eb\u306e1\u3064\u3001cfb8216be1a50aa3d425072942ff70f92102d4f4b155ab2cf1e7059244b99d31\u306f\u30012015\u5e741\u6708\u9803\u3001\u521d\u3081\u3066\u59ff\u3092\u73fe\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u4f7f\u308f\u308c\u3066\u3044\u305f\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001\u78ba\u5b9f\u306bVNC\u63a5\u7d9a\u304c\u5229\u7528\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u3082\u306e\u3067\u3057\u305f\u3002<\/p>\n<p><img  class=\"alignleft lozad\"  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-03.png\" \/><\/p>\n<p>VNC\u3092\u4f7f\u3063\u3066\u3044\u308b\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u3059\u3079\u3066\u306b\u308f\u305f\u308bVNC\u8a2d\u5b9a\u30d5\u30a1\u30a4\u30eb(UltraVNC.ini)\u306e\u4e2d\u3067\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u308b\u30d1\u30b9\u306f\u3001\u201cY:\\\u041f\u0420\u041e\u0411\u0410\\\u0421\u043e\u0437\u0434\u0430\u043d\u0438\u0435 \u0442\u0440\u043e\u044f\u043d\u043e\u0432\\\u0441\u043e\u0437\u0434\u0430\u043d\u0438\u0435 RMS\\vnc\u201d\u3067\u3059\u3002\u3053\u308c\u306f\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u5316\u3055\u308c\u305f\u30ad\u30ea\u30eb\u6587\u5b57\u306e\u30d5\u30a1\u30a4\u30eb \u30d1\u30b9\u3092\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u304c\u4f7f\u3063\u3066\u3044\u308b\u552f\u4e00\u306e\u5834\u6240\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u306e\u591a\u304f\u3082\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u5316\u3055\u308c\u305f\u30d1\u30b9\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u3002\u4f8b\u3048\u3070\u3001\u201c\u0413\u043b\u0430\u0432\u043d\u043e\u0435 
\u043c\u0435\u043d\u044e\\\u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b\\\u0410\u0432\u0442\u043e\u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0430\u201d\u306a\u3069\u304c\u3042\u308a\u307e\u3059\u3002\u591a\u304f\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306b\u306f\u3001\u30c0\u30a4\u30a2\u30ed\u30b0 \u30dc\u30c3\u30af\u30b9\u3092\u30e6\u30fc\u30b6\u30fc\u306b\u63d0\u793a\u3057\u3066\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u8d77\u52d5\u3092\u4fc3\u3059VBS\u30b9\u30af\u30ea\u30d7\u30c8\u3082\u3001\u3084\u306f\u308a\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u305d\u3053\u306b\u306f\u3053\u3046\u66f8\u3044\u3066\u3042\u308a\u307e\u3059\u3002\u201c\u041e\u0448\u0438\u0431\u043a\u0430 \u043f\u0440\u0438 \u0438\u043d\u0438\u0446\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f (0xc0000005).\u041f\u043e\u0432\u0442\u043e\u0440\u0438\u0442\u044c \u043f\u043e\u043f\u044b\u0442\u043a\u0443 \u043e\u0442\u043a\u0440\u044b\u0442\u0438\u044f \u0444\u0430\u0439\u043b\u0430?\u201d(\u30ed\u30b7\u30a2\u8a9e\u304b\u3089\u306e\u7ffb\u8a33: \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u521d\u671f\u5316\u306b\u5931\u6557(0xc0000005)\u3002\u30d5\u30a1\u30a4\u30eb\u3092\u3082\u3046\u4e00\u5ea6\u30aa\u30fc\u30d7\u30f3\u3057\u307e\u3059\u304b\u3002)<\/p>\n<p>\u4e00\u90e8\u306eSFX\u30d5\u30a1\u30a4\u30eb\u306b\u3082\u3001<a href=\"https:\/\/mikelab.kiev.ua\/index.php?page=PROGRAMS\/chkflsh\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: section:gamaredon: 
\u904e\u53bb\u304b\u3089\u73fe\u5728\u306b\u81f3\u308b\u30c4\u30fc\u30eb\u306e\u5206\u6790\">ChkFlsh.exe<\/a>\u00a0(8c9d690e765c7656152ad980edd2200b81d2afceef882ed81287fe212249f845)\u3068\u547c\u3070\u308c\u308b\u3001\u5225\u306e\u6b63\u898f\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306f\u30a6\u30af\u30e9\u30a4\u30ca\u306e\u30d7\u30ed\u30b0\u30e9\u30de\u30fc\u306b\u3088\u3063\u3066\u66f8\u304b\u308c\u305f\u3082\u306e\u3067\u3042\u308a\u3001USB\u30d5\u30e9\u30c3\u30b7\u30e5 \u30c9\u30e9\u30a4\u30d6\u306e\u30d1\u30d5\u30a9\u30fc\u30de\u30f3\u30b9\u3092\u78ba\u8a8d\u3059\u308b\u306e\u306b\u4f7f\u308f\u308c\u307e\u3059\u3002\u653b\u6483\u8005\u306b\u3068\u3063\u3066\u306e\u3053\u308c\u306e\u4fa1\u5024\u306f\u4e0d\u660e\u3067\u3059\u304c\u30011\u3064\u306e\u53ef\u80fd\u6027\u3068\u3057\u3066\u3001\u4f55\u3089\u304b\u306e\u65b9\u6cd5\u3067USB\u30c7\u30d0\u30a4\u30b9\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u76d7\u3080\u3001\u307e\u305f\u306f\u76e3\u8996\u3059\u308b\u306e\u306b\u3053\u308c\u3092\u5229\u7528\u3059\u308b\u3001\u3068\u3044\u3046\u3053\u3068\u304c\u6319\u3052\u3089\u308c\u307e\u3059\u3002\u79c1\u305f\u3061\u306e\u30ea\u30b5\u30fc\u30c1\u306b\u304a\u3044\u3066\u3001\u3053\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304cVNC\u30d7\u30ed\u30b0\u30e9\u30e0\u3068\u5171\u306b\u5185\u90e8\u306b\u5b58\u5728\u3059\u308bSFX\u30d5\u30a1\u30a4\u30eb\u3082\u3042\u308c\u3070\u3001VNC\u30d7\u30ed\u30b0\u30e9\u30e0\u304c\u5185\u90e8\u306b\u542b\u307e\u308c\u3066\u3044\u306a\u3044SFX\u30d5\u30a1\u30a4\u30eb\u3082\u3042\u308b\u3053\u3068\u304c\u5206\u304b\u308a\u307e\u3057\u305f\u3002<\/p>\n<h2>\u7279\u5225\u4ed5\u69d8\u306e\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8<\/h2>\n<p>\u78ba\u8a8d\u6e08\u307f\u306e\u3054\u304f\u6700\u8fd1\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u4eca\u3082\u30d0\u30c3\u30c1 
\u30b9\u30af\u30ea\u30d7\u30c8\u3068SFX\u30d5\u30a1\u30a4\u30eb\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u304c\u3001Gamaredon\u30b0\u30eb\u30fc\u30d7\u306fwget\u3001Remote Manipulator System\u3001VNC\u304a\u3088\u3073ChkFlsh.exe\u306e\u3088\u3046\u306a\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304b\u3089\u96e2\u308c\u3066\u3057\u307e\u3044\u307e\u3057\u305f\u3002wget\u306e\u4ee3\u308f\u308a\u306b\u3001\u653b\u6483\u8005\u306f\u7279\u5225\u4ed5\u69d8\u3067\u958b\u767a\u3055\u308c\u305f\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3092\u4f7f\u3044\u3001Remote Manipulator System\u307e\u305f\u306fVNC\u306e\u4ee3\u308f\u308a\u306b\u3001\u7279\u5225\u4ed5\u69d8\u3067\u958b\u767a\u3055\u308c\u305f\u30ea\u30e2\u30fc\u30c8 \u30a2\u30af\u30bb\u30b9 \u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>2015\u5e746\u6708\u3001\u591a\u304f\u306e\u65b0\u578b\u30b5\u30f3\u30d7\u30eb\u304c\u4f7f\u3063\u3066\u3044\u305f\u7279\u5225\u4ed5\u69d8\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u304c\u521d\u3081\u3066\u30cd\u30c3\u30c8\u4e0a\u3067\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002\u305d\u3057\u3066\u3001\u3053\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u306f\u201cLocalSMS.dll\u201d\u3068\u3044\u3046\u540d\u524d\u306eSFX\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u306e\u4e2d\u306b\u542b\u307e\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u3088\u304f\u3042\u308a\u3001adobe.update-service[.]net 
(\u30b5\u30f3\u30d7\u30eb\u5185\u3067\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u5316\u6e08\u307f)\u306b\u5bfe\u3059\u308b\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f5c\u6210\u3057\u307e\u3059\u304c\u3001\u8a73\u3057\u3044\u8aac\u660e\u306b\u3064\u3044\u3066\u306f\u4ed8\u9332A\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p>2016\u5e742\u6708\u3001SFX\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u306b\u542b\u307e\u308c\u3066\u3044\u308b\u5225\u306e\u7279\u5225\u4ed5\u69d8\u306e\u30c4\u30fc\u30eb\u304c\u30cd\u30c3\u30c8\u4e0a\u3067\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u306eSFX\u30d5\u30a1\u30a4\u30eb(3773ddd462b01f9272656f3150f2c3de19e77199cf5fac1f44287d11593614f9)\u306b\u306f\u3001\u201cPteranodon\u201d\u3068\u79c1\u305f\u3061\u304c\u547c\u3093\u3067\u3044\u308b\u65b0\u578b\u306e\u30c8\u30ed\u30a4\u306e\u6728\u99ac(598c55b89e819b23eac34547ad02e5cd59e1b8fcb23b5063a251d8e8fae8b824)\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002Pteranodon\u306f\u7279\u5225\u4f7f\u7528\u306e\u30d0\u30c3\u30af\u30c9\u30a2\u3067\u4ee5\u4e0b\u306e\u30bf\u30b9\u30af\u3092\u884c\u3046\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u8a2d\u5b9a\u53ef\u80fd\u306a\u9593\u9694\u3067\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092\u30ad\u30e3\u30d7\u30c1\u30e3\u3057\u3001\u3053\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092\u653b\u6483\u8005\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b<\/li>\n<li>\u8ffd\u52a0\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u5b9f\u884c\u3059\u308b<\/li>\n<li>\u30b7\u30b9\u30c6\u30e0\u4e0a\u3067\u4efb\u610f\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b<\/li>\n<\/ul>\n<p>Pteranodon\u306e\u6700\u521d\u671f\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306f\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u5316\u3055\u308c\u305fURL\u3092\u30b3\u30de\u30f3\u30c9 \u30a2\u30f3\u30c9 
\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u7528\u306b\u4f7f\u3063\u3066\u3044\u307e\u3059\u3002POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u201cmsrestore[.]ru\/post.php\u201d\u306b\u9001\u4fe1\u3057\u307e\u3059\u304c\u3001\u305d\u306e\u969b\u3001\u9759\u7684\u306a\u30de\u30eb\u30c1\u30d1\u30fc\u30c8\u5883\u754c\u3068\u3057\u3066\u6b21\u3092\u4f7f\u3044\u307e\u3059\u3002<\/p>\n<p>\u2014\u2014\u2014\u2014870978B0uNd4Ry_$<\/p>\n<p>\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u306e\u30c4\u30fc\u30eb\u3082\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u5316\u3055\u308c\u305f\u30c9\u30e1\u30a4\u30f3\u304a\u3088\u3073\u30de\u30eb\u30c1\u30d1\u30fc\u30c8\u5883\u754c\u3092\u4f7f\u3044\u307e\u3059\u3002\u985e\u4f3c\u306epdb\u6587\u5b57\u5217\u3082\u3001\u65b0\u65e7\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u5171\u6709\u3057\u3066\u3044\u307e\u3059\u3002\u4ed6\u306ePteranodon\u30b5\u30f3\u30d7\u30eb\u306f\u3001<a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.Pteranodon\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: 
section:\u7279\u5225\u4ed5\u69d8\u306e\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\">Pteranodon<\/a>\u30bf\u30b0\u3092\u4f7f\u3046\u3053\u3068\u3067AutoFocus\u306b\u3066\u767a\u898b\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u3054\u304f\u6700\u8fd1\u306ePteranodon\u306e\u4e9c\u7a2e\u306b\u95a2\u3059\u308b\u5206\u6790\u306f\u3001\u4ed8\u9332A\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p>\u4eca\u307e\u3067\u306e\u3068\u3053\u308d\u3001\u65b0\u3057\u3044\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u306b\u95a2\u3059\u308b\u914d\u4fe1\u7d4c\u8def\u30921\u3064\u7279\u5b9a\u3059\u308b\u3053\u3068\u3057\u304b\u3067\u304d\u3066\u3044\u307e\u305b\u3093\u30022016\u5e7412\u6708\u306b\u59cb\u3081\u3066\u78ba\u8a8d\u3055\u308c\u305fJavaScript\u30d5\u30a1\u30a4\u30eb(f2355a66af99db5f856ebfcfeb2b9e67e5e83fff9b04cdc09ac0fabb4af556bd)\u306f\u3001\u30ea\u30bd\u30fc\u30b9\u3092hxxp:\/\/samotsvety.com[.]ua\/files\/index.pht (\u30b9\u30c6\u30fc\u30b8\u30f3\u30b0 \u30da\u30a4\u30ed\u30fc\u30c9\u7528\u306b\u4f7f\u308f\u308c\u305f\u3001\u4fb5\u5bb3\u3092\u53d7\u3051\u305f\u30b5\u30a4\u30c8\u306e\u53ef\u80fd\u6027\u304c\u9ad8\u3044)\u304b\u3089\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u5f93\u6765\u3001Gamaredon\u306e2\u3064\u306e\u7279\u5225\u4ed5\u69d8\u30c4\u30fc\u30eb\u3092\u542b\u3093\u3060SFX\u30d5\u30a1\u30a4\u30eb(b2fb7d2977f42698ea92d1576fdd4da7ad7bb34f52a63e4066f158a4b1ffb875)\u3067\u3057\u305f\u3002<\/p>\n<p>\u95a2\u9023\u30b5\u30f3\u30d7\u30eb(e24715900aa5c9de807b0c8f6ba8015683af26c42c66f94bee38e50a34e034c4)\u306f\u3001\u540c\u3058\u7279\u7570\u306a\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u3092\u4f7f\u3063\u3066\u3044\u307e\u3057\u305f\u3002\u307e\u305f\u3001\u5206\u6790\u7528\u30c4\u30fc\u30eb\u4e00\u63c3\u3044\u3092\u5f93\u6765\u3088\u308a\u3082\u591a\u6570\u542b\u3093\u3067\u3044\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb\u306e\u5143\u306e\u540d\u524d\u306f\u201cAdapterTroubleshooter.exe\u201d\u3067\u3042\u308
a\u3001\u4e0b\u56f3\u306e\u3088\u3046\u306b\u3001OpenVPN\u304c\u4f7f\u7528\u3057\u3066\u3044\u308b\u30a2\u30a4\u30b3\u30f3\u306b\u985e\u4f3c\u306e\u30a2\u30a4\u30b3\u30f3\u3092\u4f7f\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><img  class=\"aligncenter lozad\"  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-04.png\" \/><\/p>\n<p>AutoFocus\u5185\u306b\u304a\u3051\u308b\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u6d3b\u52d5\u3092\u8abf\u67fb\u3059\u308b\u3068\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u304c\u81ea\u5df1\u89e3\u51cd\u578b\u306e\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3067\u3042\u308b\u3053\u3068\u304c\u3001\u3059\u3050\u306b\u5206\u304b\u308a\u307e\u3057\u305f\u3002<\/p>\n<figure style=\"width: 876px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-05.png\" alt=\"\u56f33 AutoFocus\u3067\u793a\u3055\u308c\u308b\u3001\u81ea\u5df1\u89e3\u51cd\u578b\u306e\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u6319\u52d5\" width=\"876\" height=\"174\" \/><figcaption class=\"wp-caption-text\">\u56f33 AutoFocus\u3067\u793a\u3055\u308c\u308b\u3001\u81ea\u5df1\u89e3\u51cd\u578b\u306e\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u6319\u52d5<\/figcaption><\/figure>\n<p>\u30b5\u30f3\u30d7\u30eb\u30927zip\u3067virtual machine (\u4eee\u60f3\u30de\u30b7\u30f3 - 
VM)\u5185\u3067\u958b\u304f\u3053\u3068\u3067\u3001\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u5185\u5bb9\u3092\u8abf\u67fb\u3067\u304d\u307e\u3059\u3002\u4e0b\u306e\u8868\u306b\u3001SHA256\u5024\u3001\u30d5\u30a1\u30a4\u30eb\u540d\u3001\u30b3\u30f3\u30d1\u30a4\u30eb\u6642\u523b\u3001\u304a\u3088\u3073SFX\u30d5\u30a1\u30a4\u30eb\u306e\u5185\u5bb9\u306b\u95a2\u3059\u308bpdb\u30d1\u30b9\u304c\u307e\u3068\u3081\u3066\u3042\u308a\u307e\u3059\u3002<\/p>\n<table border=\"0\" width=\"100%\" cellspacing=\"4\" cellpadding=\"4\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"374\"><b>SHA256<\/b><\/td>\n<td valign=\"top\" width=\"155\"><b>\u30d5\u30a1\u30a4\u30eb\u540d<\/b><\/td>\n<td valign=\"top\" width=\"174\"><b>\u30b3\u30f3\u30d1\u30a4\u30eb\u6642\u523b<\/b><\/td>\n<td valign=\"top\" width=\"246\"><b>PDB\u30d1\u30b9<\/b><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"374\">400f53a89d08d47f608e1288d9873bf8d421fc7cd642c5e821674f38e07a1501<\/td>\n<td valign=\"top\" width=\"155\">LocalSMS.dll<\/td>\n<td valign=\"top\" width=\"174\">Wed Apr 29 08:10:30 2015<\/td>\n<td valign=\"top\" width=\"246\">c:\\users\\viber\\documents\\visual studio 2013\\projects\\contextmenu\\release\\contextmenu.pdb<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"374\">d01df47b6187631c9a93bdad1298439ab1a1c5529b3319f3614b6ec2455e5726<\/td>\n<td valign=\"top\" width=\"155\">MpClients.dll<\/td>\n<td valign=\"top\" width=\"174\">Thu Sep 08 05:01:00 2016<\/td>\n<td valign=\"top\" width=\"246\">c:\\users\\user\\documents\\visual studio 2015\\projects\\updaterv1\\release\\updaterv1.pdb<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"374\">f2296bcb6be68dfb330baec2091fb11a42a51928ba057164213580e6ff0e1126<\/td>\n<td valign=\"top\" width=\"155\">OfficeUpdate.dll<\/td>\n<td valign=\"top\" width=\"174\">Wed Dec 07 09:25:57 2016<\/td>\n<td valign=\"top\" width=\"246\">\u2013<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"374\">2ded2f3b5b5b6155ce818893c67887cbfa8b539be6c983e314ccf2177552da20<\/td>\n<td 
valign=\"top\" width=\"155\">SmartArtGraphicsLog.lnk<\/td>\n<td valign=\"top\" width=\"174\">\u2013<\/td>\n<td valign=\"top\" width=\"246\">\u2013<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"374\">46a39da996b01e26ddd71d51c9704de2aa641cd3443f6fe0e5c485f1cd9fa65d<\/td>\n<td valign=\"top\" width=\"155\">UsrClass.lnk<\/td>\n<td valign=\"top\" width=\"174\">\u2013<\/td>\n<td valign=\"top\" width=\"246\">\u2013<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"374\">a972ad0ddc00d5c04d9fe26f1748e12008efdd6524c9d2ea4e6c2d3e42d82b7b<\/td>\n<td valign=\"top\" width=\"155\">condirs.cmd<\/td>\n<td valign=\"top\" width=\"174\">\u2013<\/td>\n<td valign=\"top\" width=\"246\">\u2013<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"374\">37c78ee7826d63bb9219de594ed6693f18da5db60e3cbc86795bd10b296f12ac<\/td>\n<td valign=\"top\" width=\"155\">winrestore.dll<\/td>\n<td valign=\"top\" width=\"174\">Mon Jan 09 03:12:39 2017<\/td>\n<td valign=\"top\" width=\"246\">c:\\develop\\ready\\winrestore \u2013 proxy\\release\\winrestore.pdb<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"374\">90ba0f95896736b799f8651ef0600d4fa85c6c3e056e54eab5bb216327912edd<\/td>\n<td valign=\"top\" width=\"155\">wmphost.exe<\/td>\n<td valign=\"top\" width=\"174\">Thu Dec 01 08:23:32 2016<\/td>\n<td valign=\"top\" width=\"246\">c:\\develop\\ready\\mouse-move\\mouse-move\\release\\mouse-move.pdb<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u30b5\u30f3\u30d7\u30eb\u306e\u30d6\u30fc\u30c8\u30b9\u30c8\u30e9\u30c3\u30d7\u306e\u30ed\u30b8\u30c3\u30af\u306f\u3001\u201ccondirs.cmd\u201d\u306e\u5185\u5bb9\u306b\u4f9d\u62e0\u3057\u3066\u3044\u307e\u3059\u3002\u7c21\u5358\u306b\u8a00\u3048\u3070\u3001\u201ccondirs.cmd\u201d\u5185\u306e\u30ed\u30b8\u30c3\u30af\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<p>1.\u201c%LOCALAPPDATA%\\Microsoft\\Windows\\\u201d\u304c\u5b58\u5728\u3059\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b<br 
\/>\n2.\u30b5\u30f3\u30d7\u30eb\u306e\u5b9f\u884c\u306e\u90aa\u9b54\u306b\u306a\u308b\u53ef\u80fd\u6027\u306e\u3042\u308b\u30d7\u30ed\u30bb\u30b9\u3001\u30d5\u30a1\u30a4\u30eb\u3001\u304a\u3088\u3073\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u5316\u3055\u308c\u305f\u30bf\u30b9\u30af\u3092kill\u3057\u524a\u9664\u3059\u308b<br \/>\n3.\u201cwinrestore.dll\u201d\u3092\u201c%LOCALAPPDATA%\\Microsoft\\Windows\\UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5win}.dll\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b<br \/>\n4.\u201cOfficeUpdate.dll\u201d\u3092\u201c%LOCALAPPDATA%\\Microsoft\\Windows\\UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5off}.dll\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b<br \/>\n5.\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 \u30b7\u30b9\u30c6\u30e0\u304cWindows XP\u306a\u306e\u304bWindows 7\u306a\u306e\u304b\u3001\u5224\u5b9a\u3059\u308b<br \/>\n6.\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 \u30b7\u30b9\u30c6\u30e0\u304cWindows XP\u306e\u5834\u5408\u3001<\/p>\n<p>a. \u30d5\u30a1\u30a4\u30eb\u306e\u30b3\u30d4\u30fc\u5148\u3068\u306a\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u201c%WINDIR%\\Setup\\State\\Office\u201d\u3068\u3057\u3066\u8a2d\u5b9a\u3059\u308b<br \/>\nb. \u201cUsrClass.lnk\u201d\u3092\u201c%USERPROFILE%\\\u0413\u043b\u0430\u0432\u043d\u043e\u0435 \u043c\u0435\u043d\u044e\\\u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b\\\u0410\u0432\u0442\u043e\u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0430\\\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b<br \/>\nc. \u201cSmartArtGraphicsLog.lnk\u201d\u3092\u201c%USERPROFILE%\\\u0413\u043b\u0430\u0432\u043d\u043e\u0435 \u043c\u0435\u043d\u044e\\\u041f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u044b\\\u0410\u0432\u0442\u043e\u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0430\\\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b<\/p>\n<p>7.\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 \u30b7\u30b9\u30c6\u30e0\u304cWindows 7\u306e\u5834\u5408\u3001<\/p>\n<p>a. 
\u30d5\u30a1\u30a4\u30eb\u306e\u30b3\u30d4\u30fc\u5148\u3068\u306a\u308b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u201c%APPDATA%\\Microsoft\\Office\u201d\u3068\u3057\u3066\u8a2d\u5b9a\u3059\u308b<br \/>\nb. \u201cUsrClass.lnk\u201d\u3092\u201c%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b<br \/>\nc. \u201cSmartArtGraphicsLog.lnk\u201d\u3092\u201c%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b<\/p>\n<figure style=\"width: 618px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-06.png\" alt=\"\u56f34 \u201ccondirs.cmd\u201d\u5185\u306eWindows XP\u304a\u3088\u3073Windows 7 \u306e\u30ed\u30b8\u30c3\u30af\" width=\"618\" height=\"341\" \/><figcaption class=\"wp-caption-text\">\u56f34 \u201ccondirs.cmd\u201d\u5185\u306eWindows XP\u304a\u3088\u3073Windows 7 \u306e\u30ed\u30b8\u30c3\u30af<\/figcaption><\/figure>\n<p>8.\u201cwinrestore.dll\u201d\u3092\u3001\u30b9\u30c6\u30c3\u30d76\u307e\u305f\u306f7a\u3067\u8a2d\u5b9a\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u201cMSO1234.win\u201d\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u540d\u3067\u30b3\u30d4\u30fc\u3059\u308b<\/p>\n<p>9. \u201cLocalSMS.dll\u201d\u3092\u3001\u30b9\u30c6\u30c3\u30d76\u307e\u305f\u306f7a\u3067\u8a2d\u5b9a\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u201cMSO1567.dls\u201d\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u540d\u3067\u30b3\u30d4\u30fc\u3059\u308b<\/p>\n<p>10. \u201cOfficeUpdate.dll\u201d\u3092\u3001\u30b9\u30c6\u30c3\u30d76\u307e\u305f\u306f7a\u3067\u8a2d\u5b9a\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u201cMSO5678.usb\u201d\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u540d\u3067\u30b3\u30d4\u30fc\u3059\u308b<\/p>\n<p>11. 
\u201cMpClients.dll\u201d\u3092\u3001\u30b9\u30c6\u30c3\u30d76\u307e\u305f\u306f7a\u3067\u8a2d\u5b9a\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u201cMSO8734.obn\u201d\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u540d\u3067\u30b3\u30d4\u30fc\u3059\u308b<\/p>\n<p>12.\u201cMSO1234.win\u201d\u5185\u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3055\u308c\u305f\u95a2\u6570\u201cupdater\u201d\u3092\u3001rundll32.exe\u306b\u3088\u308a\u5b9f\u884c\u3059\u308b<\/p>\n<p>13.\u201cMSO1567.dls\u201d\u5185\u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3055\u308c\u305f\u95a2\u6570\u201cEntryPoint\u201d\u3092\u3001rundll32.exe\u306b\u3088\u308a\u5b9f\u884c\u3059\u308b<\/p>\n<p>\u3053\u3053\u3067\u6ce8\u610f\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u306e\u306f\u3001\u201cUsrClass.lnk\u201d\u304c\u201c%WINDIR%\\system32\\rundll32.exe UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5win}.dll,updater\u201d\u3078\u306e\u30ea\u30f3\u30af\u3067\u3042\u308b\u3053\u3068\u3001\u304a\u3088\u3073\u201cSmartArtGraphicsLog.lnk\u201d\u304c\u201cC:\\WINDOWS\\system32\\rundll32.exe UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5off}.dll,StartBackup\u201d\u3078\u306e\u30ea\u30f3\u30af\u3067\u3042\u308b\u3053\u3068\u3067\u3059\u3002\u3053\u308c\u3089\u306f\u3001\u201cwinrestore.dll\u201d\u304a\u3088\u3073\u201cOfficeUpdate.dll\u201d\u306e\u3001\u305d\u308c\u305e\u308c\u30b9\u30c6\u30c3\u30d73\u30684\u3067\u30b3\u30d4\u30fc\u5148\u3068\u306a\u3063\u305f\u4f4d\u7f6e\u3067\u3059\u3002<\/p>\n<p>\u201ccondirs.cmd\u201d\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001\u6b21\u306b\u3001\u5f15\u304d\u7d9a\u304d\u4ee5\u4e0b\u306e\u51e6\u7406\u3092\u884c\u3044\u307e\u3059\u3002<\/p>\n<p>1.\u4ee5\u4e0b\u306e\u30bf\u30b9\u30af\u3092\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u3057\u307e\u3059\u3002<\/p>\n<p>a. \u30bf\u30b9\u30af\u540d\u201cUpdatesWinRes\u201d\u3001\u3053\u308c\u306f\u201cMSO1234.win,updater\u201d\u3092\u8d77\u52d5\u3059\u308b<br \/>\nb. 
\u30bf\u30b9\u30af\u540d\u201cUpdatesWinDLL\u201d\u3001\u3053\u308c\u306f\u201cMSO1567.dls,EntryPoint\u201d\u3092\u8d77\u52d5\u3059\u308b<br \/>\nc. \u30bf\u30b9\u30af\u540d\u201cUpdatesWinUSBOOK\u201d\u3001\u3053\u308c\u306f\u201cMSO5678.usb,StartBackup\u201d\u3092\u8d77\u52d5\u3059\u308b<br \/>\nd. \u30bf\u30b9\u30af\u540d\u201cUpdatesWinOBN\u201d\u3001\u3053\u308c\u306f\u201cMSO8734.obn,bitDefender\u201d\u3092\u8d77\u52d5\u3059\u308b<\/p>\n<p>2.\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u201c%Temp%\\reports\\ProfileSkype\\\u201d\u304c\u5b58\u5728\u3059\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b<\/p>\n<p>3.\u201cskype.exe\u201d\u3068\u3044\u3046\u540d\u306e\u30d7\u30ed\u30bb\u30b9\u3092kill\u3059\u308b<\/p>\n<p>4.\u201c%AppData%\\Skype\u201d\u306e\u5185\u5bb9\u3092\u201c%Temp%\\reports\\ProfileSkype\\\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b<\/p>\n<p>5.\u201c%Temp%\\reports\\%COMPUTERNAME\\\u201d\u306e\u4e0b\u306b\u6b21\u306e\u540d\u524d\u3067\u30b5\u30d6\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3092\u4f5c\u6210\u3059\u308b: Z W P S V Q N M L K I J F H E G\u304a\u3088\u3073D (\u3053\u308c\u3089\u306f\u30c9\u30e9\u30a4\u30d6 \u30ec\u30bf\u30fc\u3067\u3042\u308b)<\/p>\n<p>6.\u4e0a\u8a18\u30c9\u30e9\u30a4\u30d6 \u30ec\u30bf\u30fc\u306b\u7531\u6765\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u3067\u62e1\u5f35\u5b50\u304c\u201cdoc\u201d\u3001\u201cdocx\u201d\u3001\u201cxls\u201d\u3001\u201cxlsx\u201d\u3001\u201crtf\u201d\u3001\u201codt\u201d\u304a\u3088\u3073\u201ctxt\u201d\u306e\u3082\u306e\u3092\u3001\u3059\u3079\u3066\u201c%TEMP%\\reports\\%COMPUTERNAME%\\%%d\\\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b\u3002\u305f\u3060\u3057\u3001%%d\u306f\u30c9\u30e9\u30a4\u30d6 
\u30ec\u30bf\u30fc\u3067\u3042\u308b\u3002<\/p>\n<p>7.\u4e0a\u8a18\u62e1\u5f35\u5b50\u306e\u5168\u30d5\u30a1\u30a4\u30eb\u3092\u3001\u5168\u30e6\u30fc\u30b6\u30fc\u306e\u201cDesktop\u201d\u3001\u201cDocuments\u201d\u304a\u3088\u3073\u201cDownloads\u201d\u30d5\u30a9\u30eb\u30c0\u30fc\u304b\u3089\u3001\u305d\u308c\u305e\u308c\u201c%TEMP%\\reports\\%COMPUTERNAME%\\Desktop\\\u201d\u3001\u201c%TEMP%\\reports\\%COMPUTERNAME%\\Documents\\\u201d\u304a\u3088\u3073\u201c%TEMP%\\reports\\%COMPUTERNAME%\\Downloads\\\u201d\u306b\u30b3\u30d4\u30fc\u3059\u308b<\/p>\n<figure style=\"width: 955px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-07.png\" alt=\"\u56f35 \u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3092\u76d7\u307f\u51fa\u3059\u201ccondirs.cmd\u201d\u306e\u5185\u90e8\u30ed\u30b8\u30c3\u30af\" width=\"955\" height=\"721\" \/><figcaption class=\"wp-caption-text\">\u56f35 \u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u3092\u76d7\u307f\u51fa\u3059\u201ccondirs.cmd\u201d\u306e\u5185\u90e8\u30ed\u30b8\u30c3\u30af<\/figcaption><\/figure>\n<p>8.\u201cMSO5678.usb\u201d\u5185\u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3055\u308c\u305f\u95a2\u6570\u201cStartBackup\u201d\u3092\u3001rundll32.exe\u306b\u3088\u308a\u5b9f\u884c\u3059\u308b<\/p>\n<p>9.\u201cMSO8734.obn\u201d\u5185\u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3055\u308c\u305f\u95a2\u6570\u201cbitDefender\u201d\u3092\u3001rundll32.exe\u306b\u3088\u308a\u5b9f\u884c\u3059\u308b<\/p>\n<p>10.\u4e00\u6642\u30d5\u30a1\u30a4\u30eb\u3092\u30af\u30ea\u30fc\u30f3\u30a2\u30c3\u30d7\u3057\u3001\u30b9\u30ea\u30fc\u30d7\u3057\u3001\u81ea\u8eab\u3092\u524a\u9664\u3059\u308b<\/p>\n<p>\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u304c\u4f5c\u696d\u3092\u5b8c\u4e86\u3059\u308b\u3068\u3001\u4e00\u9023\u306e\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u304c\u30b7\u30b9\u30c6\u30e0\u4e0a\u306b\u5c0e\u5165\u3055\u308c\u3001\u3053\u308c\u3089\u306e\
u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u306b\u3088\u308a\u3001\u653b\u6483\u8005\u306f\u30d5\u30a1\u30a4\u30eb\u306e\u76d7\u307f\u51fa\u3057\u3001\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u306e\u30ad\u30e3\u30d7\u30c1\u30e3\u3001\u304a\u3088\u3073\u691c\u51fa\u306e\u56de\u907f\u3092\u884c\u3046\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u500b\u3005\u306e\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u306b\u95a2\u3059\u308b\u8a73\u7d30\u306a\u5206\u6790\u306b\u3064\u3044\u3066\u306f\u3001\u4ed8\u9332A\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<h2>\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u9593\u306e\u30c8\u30ec\u30f3\u30c9<\/h2>\n<p>\u4fb5\u5bb3\u3055\u308c\u305f\u30b7\u30b9\u30c6\u30e0\u306e\u5236\u5fa1\u306b\u4f7f\u7528\u3055\u308c\u308b\u30da\u30a4\u30ed\u30fc\u30c9\u304c\u6642\u9593\u306e\u7d4c\u904e\u3068\u3068\u3082\u306b\u9032\u5316\u3059\u308b\u306b\u3064\u308c\u3001\u30b5\u30f3\u30d7\u30eb\u9593\u3067\u591a\u304f\u306e\u985e\u4f3c\u70b9\u304c\u898b\u3089\u308c\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3057\u305f\u3002\u3053\u306e\u30d6\u30ed\u30b0\u3067\u306f\u3001\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u3063\u3066\u5206\u6563\u3055\u308c\u308b\u30b5\u30f3\u30d7\u30eb\u306e\u3059\u3079\u3066\u304c\u8aac\u660e\u3055\u308c\u3066\u3044\u306a\u3044\u3068\u306f\u3044\u3048\u3001\u65e2\u77e5\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u30cf\u30c3\u30b7\u30e5\u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u4fb5\u5bb3\u306e\u75d5\u8de1\u30bb\u30af\u30b7\u30e7\u30f3\u306b\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u95a2\u9023\u3059\u308b\u30b5\u30f3\u30d7\u30eb\u306b\u95a2\u3059\u308b\u8208\u5473\u6df1\u3044\u52d5\u4f5c\u306f\u6b21\u306e\u3068\u304a\u308a\u3067\u3059\u3002<\/p>\n<ul>\n<li>\u30d0\u30c3\u30c1 
\u30b9\u30af\u30ea\u30d7\u30c8\u306e\u591a\u304f\u306b\u306f\u3001\u4e00\u822c\u7684\u306a\u82f1\u5358\u8a9e\u306e\u30b9\u30da\u30eb\u30df\u30b9\u304c\u542b\u307e\u308c\u307e\u3059\u3002\u305d\u306e\u3088\u3046\u306a\u4f8b\u306e1\u3064\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u540d\u300ccmd\u300d\u3067\u3059\u3002\u5225\u306e\u4f8b\u300cdomen\u300d\u306f\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u306e\u5909\u6570\u540d\u3067\u3001\u3053\u308c\u306f\u300c\u30c9\u30e1\u30a4\u30f3\u300d\u3092\u610f\u5473\u3059\u308b\u540d\u524d\u306e\u3088\u3046\u3067\u3059\u3002<\/li>\n<li>\u3059\u3079\u3066\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u307b\u3068\u3093\u3069\u306e\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001\u30b9\u30ea\u30fc\u30d7\u306e\u624b\u6bb5\u3068\u3057\u3066localhost\u3092ping\u3057\u307e\u3059\u3002<\/li>\n<li>\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u306e\u591a\u304f\u306f\u300ccmd\u300d\u3068\u3044\u3046\u540d\u524d\u3067\u3001\u4e00\u90e8\u306b\u306f\u300cTrons_ups\u300d\u3068\u300cTreams\u300d\u3068\u3044\u3046\u6587\u5b57\u5217\u304c\u542b\u307e\u308c\u307e\u3059\u3002<\/li>\n<li>\u30d0\u30c3\u30c1 \u30b9\u30af\u30ea\u30d7\u30c8\u306e\u591a\u304f\u306f\u3001\u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 \u30b7\u30b9\u30c6\u30e0\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u7279\u5b9a\u3059\u308b\u3068\u304d\u3068\u540c\u3058\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u4ee5\u524d\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u591a\u304f\u306f\u3001wget\u3001UltraVNC\u3001ChkFlash\u306a\u3069\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u30e6\u30fc\u30c6\u30a3\u30ea\u30c6\u30a3\u306f\u3001\u6700\u65b0\u30b5\u30f3\u30d7\u30eb\u306e\u30ab\u30b9\u30bf\u30e0 
\u30c4\u30fc\u30eb\u306b\u7f6e\u304d\u63db\u3048\u3089\u308c\u307e\u3057\u305f\u3002<\/li>\n<li>VNC\u3092\u63a1\u7528\u3059\u308b\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u540c\u3058\u8a2d\u5b9a\u3068\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/li>\n<\/ul>\n<p>\u307e\u305f\u3001\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u304c\u4f7f\u7528\u3059\u308b\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306f\u3001\u904e\u53bb3\u5e74\u9593\u307b\u3068\u3093\u3069\u5909\u5316\u3057\u3066\u3044\u307e\u305b\u3093\u3002\u30b5\u30f3\u30d7\u30eb\u306e\u591a\u304f\u306f\u3001\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u901a\u4fe1\u7528\u306b\u540c\u3058\u30c9\u30e1\u30a4\u30f3\u3092\u518d\u4f7f\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3055\u3089\u306b\u3001\u30ab\u30b9\u30bf\u30e0\u958b\u767a\u30c4\u30fc\u30eb\u306e\u591a\u304f\u306f\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30ed\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<p>\u30d5\u30a1\u30a4\u30eb\u540d\u3067\u4f7f\u7528\u3055\u308c\u308bMoniker\u3001\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u3055\u308c\u305fDLL\u95a2\u6570\u3001\u30c9\u30e1\u30a4\u30f3\u3001\u30b9\u30af\u30ea\u30d7\u30c8\u5185\u306e\u5909\u6570\u540d\u306f\u3001\u30c6\u30fc\u30de\u304c\u3042\u3063\u3066\u4e00\u8cab\u6027\u306e\u3042\u308b\u3082\u306e\u3067\u3059\u3002AutoFocus\u5185\u306eSFX\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u306e1\u3064\u3067\u305d\u306e\u5146\u5019\u304b\u3089\u5272\u308a\u51fa\u3059\u3068\u3001\u3053\u308c\u3089\u306e\u77db\u76fe\u306e\u91cd\u8907\u304b\u3089\u8ffd\u52a0\u30b5\u30f3\u30d7\u30eb\u3092\u7c21\u5358\u306b\u8b58\u5225\u3067\u304d\u307e\u3059\u3002\u307b\u3068\u3093\u3069\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u540c\u69d8\u306e\u65b9\u6cd5\u3067\u63d0\u4f9b\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3064\u307e\u308a\u3001SFX\u304c\u30ea\u30bd\u30fc\u30b9\u3092\u524a\u9664\u3057\u
305f\u5f8c\u3001\u30d0\u30c3\u30c1\u3084VBS\u30b9\u30af\u30ea\u30d7\u30c8\u3067\u30b9\u30c6\u30fc\u30b8\u30f3\u30b0\u3068\u30ed\u30fc\u30c9\u304c\u884c\u308f\u308c\u307e\u3059\u3002IPv4\u30a2\u30c9\u30ec\u30b9\u9593\u306eSSL\u8a3c\u660e\u66f8\u3001\u30c9\u30e1\u30a4\u30f3\u540d\u306e\u9593\u306eIPv4\u30a2\u30c9\u30ec\u30b9\u306e\u518d\u4f7f\u7528\u306f\u3001\u4ee5\u4e0b\u306e\u3068\u304a\u308a\u3001\u3053\u306e\u6d3b\u52d5\u306b\u95a2\u4fc2\u3059\u308b\u30a8\u30f3\u30c6\u30a3\u30c6\u30a3\u3092\u8868\u793a\u3059\u308b\u969b\u306b\u660e\u78ba\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p><img  class=\"aligncenter lozad\"  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-08.png\" \/><\/p>\n<p>\u6700\u3082\u65b0\u3057\u3044\u30b5\u30f3\u30d7\u30eb\u306e1\u3064(\u4ed8\u9332A\u3067\u5206\u6790)\u306b\u91cd\u70b9\u3092\u7f6e\u304f\u3068\u3001\u30d5\u30a1\u30a4\u30eb\u540d\u3068SFX\u30b3\u30f3\u30c6\u30f3\u30c4 \u30d5\u30a1\u30a4\u30eb\u304c\u518d\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u660e\u3089\u304b\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<figure style=\"width: 750px\" class=\"wp-caption aligncenter\"><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-09.png\" alt=\"\u56f36 Gamaredon Group\u304c\u4f7f\u7528\u3059\u308b\u30b5\u30f3\u30d7\u30eb\u3068\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u9593\u306e\u95a2\u4fc2\u306e\u6982\u8981\" width=\"750\" height=\"402\" \/><figcaption class=\"wp-caption-text\">\u56f36 Gamaredon Group\u304c\u4f7f\u7528\u3059\u308b\u30b5\u30f3\u30d7\u30eb\u3068\u30cd\u30c3\u30c8\u30ef\u30fc\u30af 
\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u9593\u306e\u95a2\u4fc2\u306e\u6982\u8981<\/figcaption><\/figure>\n<h2>\u6700\u5f8c\u306b<\/h2>\n<p>\u7279\u5b9a\u3055\u308c\u305f\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u3067\u306f\u3001\u4e00\u822c\u7684\u3067\u9650\u5b9a\u3055\u308c\u305f\u3001\u77db\u76fe\u3059\u308b\u3053\u3068\u306e\u591a\u3044VirusTotal\u304c\u691c\u51fa\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u3092\u4f7f\u7528\u3059\u308b\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306f\u3001\u5c11\u306a\u304f\u3068\u30822014\u5e74\u304b\u3089\u30a2\u30af\u30c6\u30a3\u30d6\u3067\u3042\u308a\u3001\u30a6\u30af\u30e9\u30a4\u30ca\u653f\u5e9c\u306e\u6d3b\u52d5\u306b\u95a2\u4e0e\u3057\u3066\u3044\u308b\u500b\u4eba\u3092\u6a19\u7684\u3068\u3057\u3066\u304d\u307e\u3057\u305f\u3002\u4e00\u90e8\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001Gamaredon\u306a\u3069\u306e\u8907\u6570\u306e\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9 \u30d9\u30f3\u30c0\u30fc\u3067\u691c\u51fa\u3055\u308c\u308b\u914d\u4fe1\u30e1\u30ab\u30cb\u30ba\u30e0\u3068\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u3092\u5171\u6709\u3057\u307e\u3059\u3002\u305f\u3060\u3057\u3001\u3088\u308a\u65b0\u3057\u3044\u5909\u7a2e\u3067\u306f\u3001\u3088\u308a\u9ad8\u5ea6\u306a\u7121\u540d\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u914d\u4fe1\u3057\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u3001WildFire\u5b9f\u884c\u30ec\u30dd\u30fc\u30c8\u3092\u63a2\u7d22\u3057\u3001\u30bf\u30b0\u4ed8\u3051\u3055\u308c\u3066\u3044\u306a\u3044\u30b5\u30f3\u30d7\u30eb\u306e\u30a2\u30fc\u30c1\u30d5\u30a1\u30af\u30c8\u3092\u7279\u5b9a\u3059\u308b\u305f\u3081\u306b\u3001AutoFocus\u3092\u4f7f\u7528\u3057\u3066\u3001\u3053\u308c\u307e\u3067\u306b\u691c\u51fa\u3055\u308c\u3066\u3044\u306a\u3044\u30de\u30eb\u30a6\u30a7\u30a2 
\u30d5\u30a1\u30df\u30ea\u30fc\u3001\u52d5\u4f5c\u3001\u304a\u3088\u3073\u6d3b\u52d5\u3092\u7279\u5b9a\u3057\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u30d6\u30ed\u30b0\u306b\u306f\u3001AutoFocus\u3092\u4f7f\u7528\u3057\u3066\u4e0a\u8a18\u30d7\u30ed\u30bb\u30b9\u306e\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u3092\u7279\u5b9a\u3057\u307e\u3059\u3002\u30a2\u30e9\u30fc\u30c8\u306b\u3088\u308b\u512a\u5148\u9806\u4f4d\u4ed8\u3051\u3092\u5f85\u6a5f\u3059\u308b\u306e\u3067\u306f\u306a\u304f\u3001\u60aa\u610f\u306e\u3042\u308b\u6d3b\u52d5\u3068\u30d5\u30a1\u30a4\u30eb\u3092\u7a4d\u6975\u7684\u306b\u63a2\u7d22\u3059\u308b\u3053\u3068\u3067\u3001\u65b0\u3057\u3044\u8105\u5a01\u304c\u793e\u5185\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3084\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u306b\u4fb5\u5165\u3059\u308b\u524d\u306b\u3001\u4fdd\u8b77\u3092\u8b58\u5225\u3057\u3066\u69cb\u7bc9\u3067\u304d\u307e\u3059\u3002\u3053\u306e\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306e\u8a73\u7d30\u306f\u3001AutoFocus\u30bf\u30b0\u00a0<a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.GamaredonGroup\" target=\"_blank\" rel=\"noopener noreferrer\" data-page-track=\"true\" data-page-track-value=\"company:unit-42-the-gamaredon-group-toolset-evolution: section:\u6700\u5f8c\u306b\">GamaredonGroup<\/a>.\u3092\u3054\u89a7\u304f\u3060\u3055\u3044\u3002<\/p>\n<p>Palo Alto 
Networks\u306e\u304a\u5ba2\u69d8\u306f\u3001\u6b21\u306e\u65b9\u6cd5\u3067\u8105\u5a01\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>WildFire\u306f\u3001\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306b\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u60aa\u610f\u304c\u3042\u308b\u3082\u306e\u3068\u3057\u3066\u7279\u5b9a\u3057\u307e\u3059\u3002<\/li>\n<li>Traps\u306f\u3001\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u3067\u8aac\u660e\u3055\u308c\u3066\u3044\u308b\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u5b9f\u884c\u3092\u963b\u6b62\u3057\u307e\u3059\u3002<\/li>\n<li>\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u3067\u4f7f\u7528\u3059\u308bC2\u30c9\u30e1\u30a4\u30f3\u306f\u3001\u8105\u5a01\u9632\u5fa1\u3092\u901a\u3058\u3066\u30d6\u30ed\u30c3\u30af\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/li>\n<\/ul>\n<p>\u3053\u306e\u8abf\u67fb\u306b\u304a\u3051\u308b\u652f\u63f4\u3068\u305d\u306e\u9b45\u529b\u7684\u306a\u5bb9\u8c8c\u306b\u5bfe\u3057\u3001Tom Lancaster\u306b\u6df1\u304f\u611f\u8b1d\u3057\u307e\u3059\u3002<\/p>\n<h2>\u4ed8\u9332A: \u30ab\u30b9\u30bf\u30e0 \u30a4\u30f3\u30d7\u30e9\u30f3\u30c8\u5206\u6790<\/h2>\n<h3>USBStealer: MSO5678.usb \/ 
OfficeUpdate.dll<\/h3>\n<p>\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u305d\u306e\u5185\u90e8\u540d\u300cUSBgrabber.dll\u300d\u3067\u3082\u985e\u63a8\u3067\u304d\u308b\u3088\u3046\u306b\u3001USB\u30d5\u30a1\u30a4\u30eb\u643e\u53d6\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3059\u3002\u305f\u3060\u3057\u3001\u305d\u306e\u5b9f\u88c5\u306f\u305a\u3055\u3093\u306a\u305f\u3081\u3001\u30b7\u30b9\u30c6\u30e0\u4e0a\u3067\u65b0\u305f\u306b\u63a5\u7d9a\u3055\u308c\u305f\u8ad6\u7406\u30dc\u30ea\u30e5\u30fc\u30e0\u306b\u304a\u3051\u308b\u30d5\u30a1\u30a4\u30eb\u643e\u53d6\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u3067WM_COMMAND\u3068WM_DEVICECHANGE\u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u76e3\u8996\u3059\u308b\u3082\u306e\u3001USB\u30c9\u30e9\u30a4\u30d6\u304c\u63a5\u7d9a\u3055\u308c\u305f\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3067\u304d\u306a\u3044\u305f\u3081\u306b\u767a\u751f\u3057\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u306f\u3001\u201c__Wsnusb73__\u201d\u304a\u3088\u3073\u201c__Wsnusbtt73__\u201d\u3068\u3044\u30462\u3064\u306e\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u6b21\u306b\u3001\u30ed\u30fc\u30ab\u30eb \u30e6\u30fc\u30b6\u30fc\u306e\u4e00\u6642\u30d1\u30b9\u306b\u3001\u6b21\u306e\u30d5\u30a9\u30eb\u30c0\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\u201cC:\\Users\\\\AppData\\Local\\Temp\\reports\u201d<\/p>\n<p>\u3053\u306e\u30d5\u30a9\u30eb\u30c0\u306f\u3001\u65b0\u305f\u306b\u63a5\u7d9a\u3055\u308c\u305f\u8ad6\u7406\u30c9\u30e9\u30a4\u30d6\u304b\u3089\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u30b3\u30d4\u30fc\u3057\u3001C2\u30b5\u30fc\u30d0\u30fc\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u305f\u3081\u306e\u4e00\u6642\u7684\u306a\u5834\u6240\u3068\u3057\u3066\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u3001HTTP 
POST\u30e1\u30bd\u30c3\u30c9\u3092\u901a\u3058\u3066\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u305fC2\u30b5\u30fc\u30d0\u201c195.62.52.93\u201d\u306b1\u3064\u305a\u3064\u8ee2\u9001\u3055\u308c\u307e\u3059\u3002\u6b21\u306e\u8981\u6c42\u304c\u4f7f\u7528\u3055\u308c\u307e\u3059\u304c\u3001\u88ab\u5bb3\u8005\u3001\u8ee2\u9001\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u3001\u304a\u3088\u3073\u30bd\u30fc\u30b9 \u30c9\u30e9\u30a4\u30d6\u306b\u95a2\u3059\u308b\u60c5\u5831\u3082\u542b\u307e\u308c\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-10.png\" \/><\/p>\n<p>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u306f\u3001\u30ed\u30fc\u30ab\u30eb \u30e6\u30fc\u30b6\u30fc\u306e\u4e00\u6642\u30d5\u30a9\u30eb\u30c0\u306bSQLite\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u201casha.dat\u201d\u3082\u4f5c\u6210\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u30d5\u30a1\u30a4\u30eb\u540d\u306eMD5\u30cf\u30c3\u30b7\u30e5\u3092\u8a08\u7b97\u3057\u3066\u3001\u30d5\u30a1\u30a4\u30eb\u306e\u9577\u3055\u3092\u8ffd\u52a0\u3059\u308b\u3053\u3068\u3067\u3001\u76d7\u96e3\u306b\u3042\u3063\u305f\u30d5\u30a1\u30a4\u30eb\u3092\u8ffd\u8de1\u3057\u307e\u3059\u3002\u3064\u307e\u308a\u3001\u30c9\u30e9\u30a4\u30d6\u304b\u3089\u5143\u306e\u30d5\u30a1\u30a4\u30eb \u30d1\u30b9\u306eUnicode\u6587\u5b57\u5217\u3092\u4f5c\u6210\u3057\u3001\u30d5\u30a1\u30a4\u30eb \u30b5\u30a4\u30ba\u3092\u30d0\u30a4\u30c8\u5358\u4f4d\u3067\u9023\u7d50\u3057\u307e\u3059\u3002\u6700\u5f8c\u306b\u3001API\u95a2\u6570MD5Init()\u3001MD5Update()\u3001MD5Final()\u3092\u4f7f\u7528\u3057\u3066\u30cf\u30c3\u30b7\u30e5\u3092\u8a08\u7b97\u3057\u3001\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u306b\u4fdd\u5b58\u3057\u307e\u3059\u3002<\/p>\n<figure style=\"width: 750px\" class=\"wp-caption aligncenter\"><img  
data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-11.png\" alt=\"\u56f37 \u30de\u30eb\u30a6\u30a7\u30a2\u306b\u3088\u3063\u3066\u4f5c\u6210\u3055\u308c\u305f\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u306e\u69cb\u9020\" width=\"750\" height=\"189\" \/><figcaption class=\"wp-caption-text\">\u56f37 \u30de\u30eb\u30a6\u30a7\u30a2\u306b\u3088\u3063\u3066\u4f5c\u6210\u3055\u308c\u305f\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u306e\u69cb\u9020<\/figcaption><\/figure>\n<p>\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u306b\u8ffd\u52a0\u3055\u308c\u308b\u306e\u306f\u3001\u6b21\u306e\u62e1\u5f35\u5b50\u3092\u6301\u305f\u306a\u3044\u30d5\u30a1\u30a4\u30eb\u306e\u30cf\u30c3\u30b7\u30e5\u306e\u307f\u3067\u3059\u3002<\/p>\n<ul>\n<li>DLL<\/li>\n<li>BIN<\/li>\n<li>CAB<\/li>\n<li>EXE<\/li>\n<li>ISO<\/li>\n<\/ul>\n<h2>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc: MSO1567.dls \/ LocalSMS.dll<\/h2>\n<p>\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u672c\u8cea\u7684\u306b\u3001C2\u30b5\u30fc\u30d0\u306b\u63a5\u7d9a\u3057\u3066\u30e6\u30fc\u30b6\u30fc \u30c7\u30fc\u30bf\u3092\u9001\u4fe1\u3059\u308b\u305f\u3081\u306e\u5358\u7d14\u306a\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3067\u3059\u3002\u307e\u305f\u3001\u305d\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u3068\u3057\u3066\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3092\u53d6\u5f97\u3057\u3001\u5b9f\u884c\u3057\u307e\u3059\u3002C++\u3067\u4f5c\u6210\u3055\u308c\u3066\u3044\u308bDLL\u306f\u3001\u3059\u3079\u3066\u306e\u6a5f\u80fd\u3092\u542b\u3093\u3067\u304a\u308a\u3001\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u95a2\u6570\u201cEntryPoint\u201d\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u30b3\u30f3\u30d1\u30a4\u30e9\u307e\u305f\u306f\u30ea\u30f3\u30ab\u30fc\u306e\u6700\u9069\u5316\u306a\u3057\u3067\u30b3\u30f3\u30d1\u30a4\u30eb\u3055\u308c\u305f\u3082\u306e\u3067\u3042\u308b\u305f\u3081\u3001\u30d5\u30a1\u30a4\u30eb 
\u30b5\u30a4\u30ba\u304c\u5927\u304d\u304f\u3001PDB\u30d1\u30b9\u6587\u5b57\u5217\u304c\u6b8b\u3063\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u6700\u521d\u306b\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u30ed\u30fc\u30ab\u30eb \u30e6\u30fc\u30b6\u30fc\u306e\u4e00\u6642\u30d1\u30b9(\u201cC:\\Users\\\\AppData\\Local\\Temp\\\u201d)\u3001\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u540d(\u201cWIN-MLABCSUOVJB\u201d\u306a\u3069)\u3001\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2 \u30d7\u30ed\u30d5\u30a1\u30a4\u30ebGUID (\u201c{826ee360-7139-11de-8d20-808e6f6e6263}\u201d\u306a\u3069)\u3001\u304a\u3088\u3073C:\\\u30c9\u30e9\u30a4\u30d6\u306e\u30dc\u30ea\u30e5\u30fc\u30e0 \u30b7\u30ea\u30a2\u30eb\u756a\u53f7(\u201c1956047236\u201d)\u3092\u691c\u51fa\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u6b21\u306e\u30cf\u30fc\u30c9\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u305f\u6587\u5b57\u5217\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002<\/p>\n<p>http:\/\/adobe.update-service[.]net\/index.php?comp=<\/p>\n<p>C2\u30b5\u30fc\u30d0\u306b\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306b\u3001\u88ab\u5bb3\u8005\u60c5\u5831\u3092\u542b\u3093\u3060URL\u6587\u5b57\u5217\u3092\u4f5c\u6210\u3059\u308b\u306b\u306f:<\/p>\n<ul>\n<li>http:\/\/adobe.update-service[.]net\/index.php?comp=WIN-MLABCSUOVJB&amp;id=WIN-MLABCSUOVJB_{826ee360-7139-11de-8d20-808e6f6e6263}1956047236<\/li>\n<\/ul>\n<p>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u306e\u4fdd\u5b58\u5148\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u4f5c\u6210\u3059\u308b\u305f\u3081\u306b\u300110\u6587\u5b57\u306e\u30e9\u30f3\u30c0\u30e0\u6587\u5b57\u5217\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u305f\u3060\u3057\u3001\u5b9f\u88c5\u30a8\u30e9\u30fc\u304c\u539f\u56e0\u3067\u3001\u5e38\u306b\u201cfrAQBc8Wsa\u201d\u3068\u3044\u3046\u540c\u3058\u6587\u5b57\u5217\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u306e\u6587\u5b57\u5217\u306f\u3001\u691c\u51fa\u3055\u308c\u305f\u30ed\u30fc\u30ab\u30eb 
\u30e6\u30fc\u30b6\u30fc\u306e\u4e00\u6642\u30d1\u30b9\u304b\u3089\u6b21\u306e\u30d5\u30a1\u30a4\u30eb \u30d1\u30b9\u306b\u9023\u7d50\u3055\u308c\u307e\u3059\u3002<\/p>\n<ul>\n<li>C:\\Users\\\\AppData\\Local\\Temp\\frAQBc8Wsa<\/li>\n<\/ul>\n<p>\u305d\u306e\u5f8c\u3001API\u95a2\u6570URLDownloadToFileA()\u3092\u4f7f\u7528\u3057\u3066\u3001\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c7\u30a3\u30b9\u30af\u306b\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3001CreateProcess()\u3092\u4ecb\u3057\u3066\u5b9f\u884c\u3057\u307e\u3059\u3002\u6700\u5f8c\u306b\u300160\u79d2\u9593\u30b9\u30ea\u30fc\u30d7\u3057\u305f\u5f8c\u3067\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u505c\u6b62\u3057\u3001DLL\u3092\u7d42\u4e86\u3055\u305b\u307e\u3059\u3002<\/p>\n<h2>\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc: MSO8734.obn \/ MpClients.dll<\/h2>\n<p>\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u3001LocalSMS.dll\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3092\u5c11\u3057\u9ad8\u5ea6\u5316\u3057\u305f\u3082\u306e\u3067\u3059\u3002\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c7\u30a3\u30b9\u30af\u306b\u76f4\u63a5\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u4ee3\u308f\u308a\u306b\u3001\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u3001C2\u30b5\u30fc\u30d0\u304b\u3089\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9 
\u30b3\u30de\u30f3\u30c9\u3092\u8981\u6c42\u3057\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u3001\u5b9f\u969b\u306b\u4f7f\u7528\u3055\u308c\u308b\u30da\u30a4\u30ed\u30fc\u30c9URL\u304c\u542b\u307e\u308c\u307e\u3059\u3002\u3064\u307e\u308a\u3001Winsock\u95a2\u6570\u306b\u57fa\u3065\u3044\u305f\u57fa\u672c\u7684\u306a\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u5b9f\u88c5\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u3053\u306eDLL\u306e\u3059\u3079\u3066\u306e\u6a5f\u80fd\u306f\u3001\u201cbitDefender\u201d\u3068\u3044\u3046\u540d\u524d\u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u95a2\u6570\u306b\u7d44\u307f\u8fbc\u307e\u308c\u307e\u3059\u3002<\/p>\n<p>\u3053\u308c\u306f\u3001\u30bd\u30b1\u30c3\u30c8\u3092\u4f5c\u6210\u3057\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u305fC2\u30b5\u30fc\u30d0\u201cwin-restore.ru\u201d\u306e\u30a2\u30c9\u30ec\u30b9\u3092gethostbyname()\u3092\u4ecb\u3057\u3066\u30ea\u30af\u30a8\u30b9\u30c8\u3057\u3066\u3001\u305d\u308c\u306b\u63a5\u7d9a\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001C:\\\u30c9\u30e9\u30a4\u30d6\u306e\u30dc\u30ea\u30e5\u30fc\u30e0 \u30b7\u30ea\u30a2\u30eb\u756a\u53f7\u3001\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u540d\u3001\u30cf\u30fc\u30c9\u30a6\u30a7\u30a2 \u30d7\u30ed\u30d5\u30a1\u30a4\u30ebGUID\u3082\u53ce\u96c6\u3057\u307e\u3059\u3002\u3053\u306e\u60c5\u5831\u306b\u57fa\u3065\u3044\u3066\u3001\u5f8c\u7d9a\u306esend()\u95a2\u6570\u547c\u3073\u51fa\u3057\u3067\u4f7f\u7528\u3055\u308c\u308b\u6b21\u306e\u6587\u5b57\u5217\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<p>\u201cGET \/css.php?id=WIN-MLABCSUOVJB_{826ee360-7139-11de-8d20-808e6f6e6263}1956047236 HTTP\/1.1<br \/>\nHost: win-restore.ru<br \/>\nConnection: close\u201d<\/p>\n<p>\u305d\u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u306f\u3001recv()\u3092\u4ecb\u3057\u3066\u30e1\u30e2\u30ea 
\u30d0\u30c3\u30d5\u30a1\u306b\u4fdd\u5b58\u3055\u308c\u3001\u6587\u5b57\u5217\u201curltoload={\u201c\u306e\u30b9\u30ad\u30e3\u30f3\u304c\u884c\u308f\u308c\u307e\u3059\u3002\u305d\u306e\u540d\u524d\u304c\u793a\u3059\u3068\u304a\u308a\u3001\u53d7\u4fe1\u3057\u305f\u30c7\u30fc\u30bf\u306b\u306f\u3001\u5b9f\u969b\u306eURL\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u304c\u6ce2\u304b\u3063\u3053\u3067\u56f2\u307e\u308c\u3066\u683c\u7d0d\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u6587\u5b57\u5217\u304b\u3089URL\u304c\u30d7\u30eb \u30a2\u30a6\u30c8\u3055\u308c\u3001API\u95a2\u6570URLDownloadToFile()\u306e\u5165\u529b\u3068\u3057\u3066\u518d\u5ea6\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u3053\u3053\u3067\u3082\u3001\u30c7\u30a3\u30b9\u30af\u306b\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u683c\u7d0d\u3057\u3066\u5b9f\u884c\u3059\u308b\u305f\u3081\u306b\u3001\u6b21\u306e\u540c\u3058\u30d5\u30a1\u30a4\u30eb \u30d1\u30b9\u304c\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<br \/>\n\u201cC:\\Users\\\\AppData\\Local\\Temp\\frAQBc8Wsa\u201d<\/p>\n<h2>Pteranodon: MSO1234.win \/ winrestore.dll<\/h2>\n<p>Pteranodon\u306f\u30d0\u30c3\u30af\u30c9\u30a2\u3067\u3042\u308a\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306b\u4f5c\u6210\u3055\u308c\u305f\u69cb\u6210\u30d5\u30a1\u30a4\u30eb\u306b\u57fa\u3065\u3044\u3066\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3082\u53d6\u5f97\u3067\u304d\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u306a\u3044\u72b6\u614b\u3067\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092C2\u30b5\u30fc\u30d0\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002\u3053\u306eDLL\u306e\u3059\u3079\u3066\u306e\u6a5f\u80fd\u306f\u3001\u201cupdater\u201d\u3068\u3044\u3046\u540d\u524d\u306e\u30a8\u30af\u30b9\u30dd\u30fc\u30c8\u95a2\u6570\u306b\u7d44\u307f\u8fbc\u307e\u308c\u307e\u3059\u3002<\/p>\n<p>\u6700\u521d\u306b\u3001\u30ed\u30fc\u30ab\u30eb 
\u30e6\u30fc\u30b6\u30fc\u306e%APPDATA%\u30d5\u30a9\u30eb\u30c0\u3092\u691c\u51fa\u3057\u3001\u6b21\u306e\u30d5\u30a1\u30a4\u30eb \u30d1\u30b9\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<p>\u201cC:\\Users\\\\AppData\\Roaming\\Microsoft\\desktop.ini\u201d<\/p>\n<p>\u305d\u306e\u5f8c\u3001\u30d5\u30a1\u30a4\u30eb\u304c\u3059\u3067\u306b\u5b58\u5728\u3059\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u3001\u305d\u306e\u5834\u5408\u306f\u5b9f\u884c\u3092\u7d99\u7d9a\u3057\u307e\u3059\u3002\u5b58\u5728\u3057\u306a\u3044\u5834\u5408\u306f\u3001\u30a2\u30f3\u30c1\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9 \u30c6\u30af\u30cb\u30c3\u30af\u3068\u3057\u3066\u306e\u30de\u30a6\u30b9\u64cd\u4f5c\u304c\u306a\u3044\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3059\u308b\u30eb\u30fc\u30c1\u30f3\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u30de\u30a6\u30b9\u64cd\u4f5c\u304c\u306a\u3044\u5834\u5408\u306f\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u7121\u9650\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u3066\u3001\u30de\u30a6\u30b9\u64cd\u4f5c\u3092\u63a2\u3057\u307e\u3059\u3002<\/p>\n<p>\u201cdesktop.ini\u201d\u30d5\u30a1\u30a4\u30eb\u304c\u5b58\u5728\u3057\u306a\u3044\u5834\u5408\u306f\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u305d\u308c\u3092\u4f5c\u6210\u3057\u3001\u6b21\u306e\u60c5\u5831\u3092\u8ffd\u52a0\u3057\u307e\u3059\u3002<\/p>\n<p>\u201d interval={60} msfolder={10} 
status={0}\u201d<\/p>\n<p>\u3053\u306e\u60c5\u5831\u306f\u3001\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092\u4f5c\u6210\u3059\u308b\u305f\u3081\u306e\u69cb\u6210\u30c7\u30fc\u30bf\u3068\u3057\u3066\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u3055\u3089\u306b\u3001C2\u30b5\u30fc\u30d0\u304b\u3089\u691c\u51fa\u3067\u304d\u308b\u305d\u306e\u4ed6\u306e\u30b3\u30de\u30f3\u30c9\u3082\u3042\u308a\u307e\u3059\u3002\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3067\u304d\u307e\u3059\u3002<\/p>\n<p><b>exec=<\/b>{<\/p>\n<p>\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u3001\u6ce2\u304b\u3063\u3053\u3067\u56f2\u307e\u308c\u305fURL\u304b\u3089\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u4e00\u6642\u30d5\u30a9\u30eb\u30c0\u306b\u30e9\u30f3\u30c0\u30e0 \u30d5\u30a1\u30a4\u30eb \u30d1\u30b9\u3092\u4f5c\u6210\u3057\u3001URLDownloadToFile()\u304a\u3088\u3073CreateProcess()\u3092\u547c\u3073\u51fa\u3057\u3066\u3001\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u6b21\u306b\u300130\u79d2\u9593\u5f85\u6a5f\u3057\u305f\u5f8c\u3001\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u7d42\u4e86\u3057\u307e\u3059\u3002<\/p>\n<p><b>interval={<\/b><\/p>\n<p>\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u30012\u3064\u4ee5\u4e0a\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092\u4f5c\u6210\u3059\u308b\u9593\u306b\u3001\u305d\u306e\u9593\u9694\u3092\u79d2\u6570\u3067\u5b9a\u7fa9\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><b>msfolder={<\/b><\/p>\n<p>\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u3001\u4f5c\u6210\u3059\u308b\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u306e\u6570\u3092\u5b9a\u7fa9\u3057\u307e\u3059\u3002<\/p>\n<p><b>command={ \/ 
command_c={<\/b><\/p>\n<p>\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u3001\u6ce2\u304b\u3063\u3053\u3067\u56f2\u307e\u308c\u305f\u6587\u5b57\u5217\u3068\u3057\u3066\u5b58\u5728\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u306e\u5b9f\u884c\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u201cc\u201d\u306e\u4e9c\u7a2e\u306f\u3001ShellExecute()\u3092\u5b9f\u884c\u3059\u308b\u3053\u3068\u3067\u3001Windows\u30c4\u30fc\u30eb\u306ecmd.exe\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<p><b>status={<\/b><\/p>\n<p>\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306b\u306f\u30d5\u30e9\u30b0\u304c\u542b\u307e\u308c\u3066\u304a\u308a\u3001\u3053\u308c\u306b\u3088\u308a\u3001\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3092(\u201c1\u201d)\u307e\u305f\u306f(\u201c0\u201d)\u306b\u3059\u308b\u304b\u3069\u3046\u304b\u3092\u5b9a\u7fa9\u3067\u304d\u307e\u3059\u3002<\/p>\n<p>\u6b21\u306b\u3001\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u201casassin1dj\u201d\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3066\u3001\u30b7\u30b9\u30c6\u30e0\u304c\u3059\u3067\u306b\u611f\u67d3\u3057\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u3001\u305d\u3046\u3067\u306a\u3044\u5834\u5408\u306f\u305d\u308c\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-12.png\" \/><\/p>\n<p><b><i>\u56f38 
\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u306e\u30c1\u30a7\u30c3\u30af\u3068\u4f5c\u6210\u30eb\u30fc\u30c1\u30f3<\/i><\/b><\/p>\n<p>\u6b21\u306b\u3001\u3059\u3067\u306b\u5b58\u5728\u3057\u306a\u3044\u5834\u5408\u306f\u3001\u6b21\u306e\u30d5\u30a9\u30eb\u30c0\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/p>\n<p>\u201cC:\\Users\\\\AppData\\Roaming\\Microsoft\\store\u201d<\/p>\n<p>\u305d\u306e\u5f8c\u3001\u201cdesktop.ini\u201d\u306e\u69cb\u6210\u30c7\u30fc\u30bf\u306b\u5f93\u3063\u3066\u300124\u30d3\u30c3\u30c8\u306e\u30ab\u30e9\u30fc\u6df1\u5ea6JPEG\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8(\u62e1\u5f35\u5b50\u306a\u3057)\u3092\u5e38\u306b\u683c\u7d0d\u30d5\u30a9\u30eb\u30c0\u306b\u4f5c\u6210\u3057\u307e\u3059\u3002\u305d\u306e\u969b\u306b\u306f\u3001GDI32\u95a2\u6570\u3068gdiplus API\u95a2\u6570\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u306f\u3001\u6b21\u306e\u540d\u524d\u30b9\u30ad\u30fc\u30e0\u304c\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>_<\/p>\n<p>\u6700\u5f8c\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u304c\u4f5c\u6210\u3055\u308c\u305f\u5f8c\u3001\u201cstore\u201d\u30d5\u30a9\u30eb\u30c0\u306e\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u3092C2\u30b5\u30fc\u30d0\u201cwin-restore[.]ru\u201d\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u30d5\u30a9\u30eb\u30c0\u306b\u5b58\u5728\u3059\u308b\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u524a\u9664\u3055\u308c\u305f\u5f8c\u3001\u65b0\u3057\u3044\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u4f5c\u6210\u30b5\u30a4\u30af\u30eb\u304c\u958b\u59cb\u3055\u308c\u307e\u3059\u3002\u3069\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3055\u308c\u305f\u304b\u3092\u78ba\u8a8d\u3059\u308b\u65b9\u6cd5\u306f\u306a\u3044\u3053\u3068\u306b\u6ce8\u610f\u3057\u3066\u304f\u3060\u3055\u3044\u3002\u30d5\u30a1\u30a4\u30eb\u306fPOST 
HTTP\u30e1\u30bd\u30c3\u30c9\u3092\u4ecb\u3057\u3066\u3001\u30b9\u30af\u30ea\u30d7\u30c8\u201cvvd.php\u201d\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u305f\u3081\u3001\u88ab\u5bb3\u8005\u3060\u3051\u3067\u306a\u304fJPEG\u30d5\u30a1\u30a4\u30eb\u306e\u30c7\u30fc\u30bf\u3092\u542b\u3080\u3001\u6b21\u306eHTTP\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><img  data-src=\"https:\/\/www.paloaltonetworks.jp\/content\/dam\/pan\/ja_JP\/Images\/blog\/2017\/81715\/gamaredon-group-toolset-evolution-13.png\" \/><\/p>\n<p>\u6700\u5f8c\u306b\u3001C2\u30b5\u30fc\u30d0\u306b\u65b0\u3057\u3044\u30b3\u30de\u30f3\u30c9\u60c5\u5831\u304c\u3042\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u3001\u305d\u308c\u306b\u5fdc\u3058\u3066\u201cdesktop.ini\u201d\u30d5\u30a1\u30a4\u30eb\u3092\u66f4\u65b0\u3057\u307e\u3059\u3002\u6a5f\u80fd\u3001\u30b3\u30f3\u30d1\u30a4\u30eb \u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u3001\u30d0\u30a4\u30ca\u30ea\u306e\u9055\u3044\u304b\u3089\u9451\u307f\u308b\u3068\u3001\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3001598c55b89e819b23eac34547ad02e5cd59e1b8fcb23b5063a251d8e8fae8b824\u306e\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u7248\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3068\u3044\u3048\u307e\u3059\u3002<\/p>\n<p>wmphost.exe<\/p>\n<p>\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u30de\u30a6\u30b9\u52d5\u4f5c\u304c\u691c\u51fa\u3055\u308c\u308b\u307e\u3067\u7121\u9650\u30eb\u30fc\u30d7\u3092\u5b9f\u884c\u3057\u3066\u304b\u3089\u3001\u7d42\u4e86\u3057\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u30de\u30a6\u30b9\u52d5\u4f5c\u3092\u30b7\u30df\u30e5\u30ec\u30fc\u30c8\u3057\u306a\u3044\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u306e\u56de\u907f\u306b\u4f7f\u7528\u3067\u304d\u307e\u3059\u3002\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u5185\u90e8\u3067\u5b9f\u884c\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u691c\u51fa\u3
059\u308b\u306b\u306f\u3001\u5225\u306e\u30d5\u30a1\u30a4\u30eb\u3067\u5b9f\u884c\u30d7\u30ed\u30bb\u30b9\u306e\u30ea\u30b9\u30c8\u3092\u30b9\u30ad\u30e3\u30f3\u3057\u3066\u3001\u201cwmphost.exe\u201d\u304c\u5b58\u5728\u3059\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<h2>\u4ed8\u9332B: \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u4fb5\u5bb3\u306e\u5146\u5019<\/h2>\n<p><b>\u30c9\u30e1\u30a4\u30f3\u540d<\/b><\/p>\n<p>admin-ru[.]ru<br \/>\nadobe.update-service[.]net<br \/>\napploadapp.webhop[.]me<br \/>\nbrokbridge[.]com<br \/>\ncat.gotdns[.]ch<br \/>\ncheck-update[.]ru<br \/>\nchildrights.in[.]ua<br \/>\nconhost.myftp[.]org<br \/>\ndocdownload.ddns[.]net<br \/>\ndownloads.email-attachments[.]ru<br \/>\ndownloads.file-attachments[.]ru<br \/>\ndyndownload.serveirc[.]com<br \/>\ne.muravej[.]ua<br \/>\nemail-attachments[.]ru<br \/>\nfile-attachments[.]ru<br \/>\nfreefiles.myftp[.]biz<br \/>\ngetmyfile.webhop[.]me<br \/>\ngooglefiles.serveftp[.]com<br \/>\ngrom56.ddns[.]net<br \/>\ngrom90.ddns[.]net<br \/>\nhrome-update[.]ru<br \/>\nhrome-updater[.]ru<br \/>\nloaderskypetm.webhop[.]me<br \/>\nloadsoulip.serveftp[.]com<br \/>\nmail.file-attachments[.]ru<br \/>\nmails.redirectme[.]net<br \/>\nmars-ru[.]ru<br \/>\nmsrestore[.]ru<br \/>\noficialsite.webhop[.]me<br \/>\nparkingdoma.webhop[.]me<br \/>\npoligjong.webhop[.]me<br \/>\npolistar.ddns[.]net<br \/>\nproxy-spread[.]ru<br \/>\nrms.admin-ru[.]ru<br \/>\nsamotsvety.com[.]ua<br \/>\nskypeemocache[.]ru<br \/>\nskypeupdate[.]ru<br \/>\nspbpool.ddns[.]net<br \/>\nspread-service[.]ru<br \/>\nspread-ss[.]ru<br \/>\nspread-updates[.]ru<br \/>\nstor.tainfo.com[.]ua<br \/>\ntortilla.sytes[.]net<br \/>\nukrnet.serveftp[.]com<br \/>\nukrway.galaktion[.]ru<br \/>\numachka[.]ua<br \/>\nupdate-service[.]net<br \/>\nupdatesp.ddns[.]net<br \/>\nupdateviber.sytes[.]net<br \/>\nwebclidie.webhop[.]me<br \/>\nwin-restore[.]ru<br \/>\nwinloaded.sytes[.]net<br \/>\nwinupdateloader[.]ru<br 
\/>\nwww.file-attachments[.]ru<br \/>\nwww.win-restore[.]ru<br \/>\nyfperoliz.webhop[.]me<\/p>\n<p><b>URL:<\/b><\/p>\n<p>http:\/\/childrights.in[.]ua\/public\/manager\/img\/scrdll.ini<br \/>\nhttp:\/\/prestigeclub.frantov[.]com.ua\/press-center\/press\/chrome-xvnc-v5517.exe<br \/>\nhttp:\/\/umachka[.]ua\/screen\/dk.tmp<br \/>\nhttp:\/\/umachka[.]ua\/screen\/screen.tmp<br \/>\nhttp:\/\/viberload.ddns[.]net\/viber.nls<\/p>\n<h4>\u30cf\u30c3\u30b7\u30e5:<\/h4>\n<h3><b>\u30ab\u30b9\u30bf\u30e0\u958b\u767a\u30c4\u30fc\u30eb\u3092\u4f7f\u7528\u3059\u308b\u30b5\u30f3\u30d7\u30eb:<\/b><\/h3>\n<p>002aff376ec452ec35ae2930dfbb51bd40229c258611d19b86863c3b0d156705<br \/>\n08e69f21c3c60a4a9b78f580c3a55d4cfb74729705b5b7d01c1aecfd58fc49e6<br \/>\n0c47cf984afe87a14d0d4c94557864ed19b4cb52783e49ce96ebf9c2f8b52d27<br \/>\n0dc1010c3d3766158e2347d10fc78d9223c6e0e3a44aa8a76622aeff7d429ab9<br \/>\n0f745512940e0efd8f09c6d862571cba2b98fac9a9f7cf30dedcc08ace43a494<br \/>\n145dab86a43835bb37734c16756d6d64d8e5ac6b87c491c57385e27b564136b8<br \/>\n222e85e6d07bdc3a2141cdd582d3f2ed4b1ce5285731cc3f54e6202a13737f8d<br \/>\n2f2b26f2f7d164ea1f529edbc3cb8a1063b39121dad4dd19d8ee4bbbaf25ed37<br \/>\n3242183b1f0176a2e3cfb6bfef96b9d55c5a59ea9614dbde4ef89979336b5a5d<br \/>\n3773ddd462b01f9272656f3150f2c3de19e77199cf5fac1f44287d11593614f9<br \/>\n37c78ee7826d63bb9219de594ed6693f18da5db60e3cbc86795bd10b296f12ac<br \/>\n3e5b1116b2dfd99652a001968a05fc962974931a0596153ab0dea8e4a9982f89<br \/>\n400f53a89d08d47f608e1288d9873bf8d421fc7cd642c5e821674f38e07a1501<br \/>\n598c55b89e819b23eac34547ad02e5cd59e1b8fcb23b5063a251d8e8fae8b824<br \/>\n5b22ace98b57ed19d815c49983c96a3c6ff0b2701e8167d4422c6990982abcf9<br \/>\n5ec8b7ca4461720bd69fb49b3f6cae637d8ac3bbd675da938bc5a84e9b73b395<br \/>\n840b3d4cc95dbf311f792a9f50137056deb66bfdbb55eb9f54ff381a0df65656<br \/>\n90ba0f95896736b799f8651ef0600d4fa85c6c3e056e54eab5bb216327912edd<br \/>\n97ebd7bfad63b36b4572132f6ece359ff9991f269048c0b145411699bfe3dc34<br 
\/>\n9a1fd88970da3809f45cef00360d1e54ea11a70035c277c130404a67371e142d<br \/>\n9cb64d3242d2b591bd2ff13b1aadef2e6b4bf9147f4a0926613b7c9343feb312<br \/>\na46508ec9e48c256261b2d1914532a36ac7da093253320135d77581051751b75<br \/>\na7e27ff0695a4bdf58c584f48664acd3a385ccebf3a542fdd6d7383f414aa83a<br \/>\na804beddd22bb76ea207a9607ed5c888f2f640cbd9ed9a32942fcd0b8a25c4d5<br \/>\nae5ab2e887a9b46ea7819b7ebbb8163028e66882c97e75b0698dc3a69a69d7da<br \/>\nb2fb7d2977f42698ea92d1576fdd4da7ad7bb34f52a63e4066f158a4b1ffb875<br \/>\nb9434e5a14159c49af2d1a5a11d570f195797d6b17aa560c3dde4a5b3486bf2a<br \/>\nbe2be662cc821a924d5641422dd1116e99188c6923da092ca3f0f8f862bd2d2d<br \/>\nd01df47b6187631c9a93bdad1298439ab1a1c5529b3319f3614b6ec2455e5726<br \/>\nd1ba365e93ff0a4f3a2cb1d657568e583e3fbd7dbb1c2c52e28f16480324e3bb<br \/>\nddfc6bb4819527b2424d6e1a84f04b67adad79401e39efbffba5b7d727e732f0<br \/>\ndf434f54802a6814628f30cae335c302bae7085c4e8314d71a41a47d9c410c39<br \/>\ne24715900aa5c9de807b0c8f6ba8015683af26c42c66f94bee38e50a34e034c4<br \/>\nf2296bcb6be68dfb330baec2091fb11a42a51928ba057164213580e6ff0e1126<b><\/b><\/p>\n<p><b>\u30d0\u30f3\u30c9\u30eb\u3055\u308c\u305f\u5546\u7528\u30c4\u30fc\u30eb\u3092\u4f7f\u7528\u3059\u308b\u30b5\u30f3\u30d7\u30eb:<\/b><\/p>\n<p>026be8a873560f1496c6961f6e36c312bdda01beacb17c4b744f35ee1923d061<br \/>\n03c943f5cba11b09b9c3afa0705d4a027e5a9d81b299711740cc5aedfe4b4aa1<br \/>\n03e5e99cc8280de4663c4b65bfd26782d4975258808a63a4b20bc068008df7f5<br \/>\n059e40ba91b2b2d827c200476fcbd0fad0d43ab198d0c206c996777d27e6de65<br \/>\n0669e61e51cf43daa431d52b5461c90bdce1b1bee03b087e4406c30264dcb9a4<br \/>\n068b9a9194efacc16cf142814e79b7041b6ab3d671a95bb508dbd30061c324aa<br \/>\n0b4a90b823a581311c4acb59f35e32f81f70ca16a2538f54f4dbe03db93350df<br \/>\n0b5316d723d1ebbec9aba0c9ff6761050305d644c3eeb5291b4e2c4de9e5fa15<br \/>\n0b8d59312699739b6e6cb7aeb0f22a2eaebbb0fd898a97ef9b83e8d8e9ce67a0<br \/>\n0dd13d2d0edbcf9d1825c2bfc165876ada2e4d04e2981a0003cb6503fad2287b<br 
\/>\n0ddb7867e31f3f30cd1cfe74393f8ac5bbdc61538278de9219a49345f0d3af7f<br \/>\n13fed3accac4f38f28e606b110a3b7924d9c7a1a911f8c0613d0bb791e715267<br \/>\n151cf4c83722ba171ae42640e5e13af67ca06ee0a06a74afa53931acf6ac1506<br \/>\n17006d77cc1459aa3d70e4e9377edb2547a7446647aa9872c9dd9ad860ed7e39<br \/>\n1ec7e595677038145991c6d84dc7808602142f258c1f90e9486cca0fe531d74f<br \/>\n208dc592111a8221a9c633efc120b890585f9a67ed340cbb5ec9db4cd5e164e4<br \/>\n2124adbee89f2c1cb65896bed26e7ffa8bf0fcbdfeb99a9e751fea9cca7a896b<br \/>\n22e97292671ada8deef4329eb115c52f6f1bc598bcf01a3961f1c35a2230a013<br \/>\n259a78122ef51ae503059143bf36941fc6090be83213d196ba3051ba36a0b2a1<br \/>\n26564c23530dd14e0042e074f4178a5b2ad6fc8f51f10138fc39941a6303bff9<br \/>\n29453fa1772b6d7d33842d6abbe0cb55c4a4b66a00f43284c8724d7c16749a7d<br \/>\n2a072d9ce63a94d2530cf9f18a232c6a09f6c7bdff9dbe27faceef53604145ea<br \/>\n2c02d3d3fadd76f9d21f5c093459ddc0045c94f17679269eb7a2990a1a88cb42<br \/>\n2d55000bb5cb9e3e1f137810c2e1eb899f68c40e4a6f6307f226c7b8af208abd<br \/>\n2ded2f3b5b5b6155ce818893c67887cbfa8b539be6c983e314ccf2177552da20<br \/>\n2e89436b355550ceb361fac1b03b78b71eda11d25f26223ac5c8c34ed8972a05<br \/>\n32b0e6394b110860371da5541946a6dcc85358a3951eddc86fdaf5794527c150<br \/>\n33934fcfae5760316b3f40e013cbb03d8086f8c30f9a4ba9bed3f9486a530796<br \/>\n34d86602882e86f8aaaeb7513126c8579a4489f2be31c279188e2f2ca8a0e141<br \/>\n390162dae62a0347e35cf5dad093cfc2f7d4ded62fba9d2df7af6133feb41ee0<br \/>\n3ef8602579c6b145fbaafc8970b4c9a6e7bebd11eb5e37eecaa67b4572c6038b<br \/>\n420acd7e8598fe994b59bf5d30f89e1c11b36cbef464a4786694cf9eada8dd4c<br \/>\n42b4c39179f76ea9eb5835b55a3cf4d8dbb29d42ee0622ad2e89ca48d01e8988<br \/>\n42eed03907c9dfa0e566fbe5968cdb5a1b7b5e18521f7327185ed2208c6c29b4<br \/>\n46a39da996b01e26ddd71d51c9704de2aa641cd3443f6fe0e5c485f1cd9fa65d<br \/>\n47d929c69bfd8d8efb9c280eabec2f73d4bddf1c3c30120c3fb6334623469888<br \/>\n505ef8cbc1271ce32f0c473468d75a1aba5073c37b2e6b49293ddc9efcb4ac96<br 
\/>\n5230453eeb98c5a183129ed8b918b429e96020887302ba30941c408108a1ab84<br \/>\n5363220b532d7da378b338e839a501ae5c006cc03c8b2d3627c480d64deb1221<br \/>\n558f33d478091993e5b5921604f8c3873efc87f551fddf61612b5c64d5b610f6<br \/>\n55c76f4f93f9e155fbb6a28447f97c1ccda0081061dc3cb9973d42c1686964b7<br \/>\n56c8246819f7de5cba91001793831441d4ce998ccb8237cb96c9f52e88ea384b<br \/>\n59bddb5ccdc1c37c838c8a3d96a865a28c75b5807415fd931eaff0af931d1820<br \/>\n5ac627f8964d3b9cad69f21e3b8f27305f1f68f49e4f4fae2c73949a04b32692<br \/>\n5ccc76ae1cdf668ba7f89c6cbd0bad44f148cbee736320ead237262ba170ffba<br \/>\n5cd4401c1dae9b9ecd75c96ab29dc64ce40bef3acc6faf7c001ff98ebd3b3413<br \/>\n5cd72eaf555813f1ee187def594584f5cfc6a5e83086f35e281327b5210adffb<br \/>\n5f8293eda9fb40684caddf576eba6c81f3a06911ca9e4ecf84ede3b2891cff5e<br \/>\n6c258151c593268c13c252d8f275192a6f7a74d5de5754f2cf20fb94be7ee6ea<br \/>\n0458e168baa4fa5942892065925ac82b12245551b539d54c2884b3a21c2699d8<br \/>\n877f1de209eb9d8b2a20a76f8773d12e5a1fcde4148868c7b73added392f62f6<br \/>\n29c728a169c5d18298e77db161dd5d2f6396ceca9ee7849b63ff8a8bc11f911e<br \/>\n98e092b7bfc3bbdaeb82e05de14ba5835c6ac626c17de9eef2049796a031dd10<br \/>\n27e08fb90ada2fd8ce6b6149786edd3b814dd0324257ebd919ed66ada0334b21<br \/>\n9f651ae6ea538238748614a7f86fe2b0f76e881d6c38da581f284e4b6f79b0ca<br \/>\nf47115ea58615781e56dcac673c19edf7ce00defd7ada709ae97b0708d3eac1e<br \/>\nb80719854f8744ba62e9f0e774c09e2e2ed79dd37f9f94ba3ed05ec8507d55e6<br \/>\n467f04914a1e6093bdaf5c28884bf95ec738234033b3292d289a0799de196d49<br \/>\n5c47d18b3f0e0274c6a66b2eab27d47c73a0105c263d41c6473aba9a28d0a4ba<br \/>\n01c5729ac1ae3928053c085fd616323a3715863ab3d7e9b8106c09e24df34183<br \/>\n5b6a691cf8faf238b27861941a1b667d889889cc9711a3e561403d6a6ed292c9<br \/>\ne2688f72cc7ae836be19e765e39318873554ee194a09945eb3f3805d04f256ca<br \/>\n9f0228e3d1577ffb2533584c2b1d87ebee0c0d490f981e61d18bb27ab02e52cb<br \/>\n2617f9301869304b88d8a3a4f7b2eab6b0edf264cc1a28b99f5685959242ec39<br 
\/>\nf3107a5a00f36e12be7cc2e37c35903ef855b8043492af374ea918385821443c<br \/>\n63fcfab8e9b97d9aec3d6f243003ea3e2bf955523f08e6f1c0d1e28c839ee3d5<br \/>\n05cbe01b1125897e0e982c587a10a72f4df795b844a4a2c4cec44aee7f30ce94<br \/>\n5a7da102c11960b9651650143a4a08ae4ce97d68dff999961f1ffc792531afeb<br \/>\ndf6112e6bad4125b80b8829c13a2ca523bb82cf303cf531389d8795e7512c7e6<br \/>\ncfb8216be1a50aa3d425072942ff70f92102d4f4b155ab2cf1e7059244b99d31<br \/>\ne79dbcc8b60da280e53d9cf818eee1de34251e0551b9947bb2b79a31b131417e<br \/>\na73eac15797130c381b5b4a65c3fb1cfc723b1586a1882c981211787bba285a6<br \/>\n3ef3a06605b462ea31b821eb76b1ea0fdf664e17d010c1d5e57284632f339d4b<br \/>\nf2355a66af99db5f856ebfcfeb2b9e67e5e83fff9b04cdc09ac0fabb4af556bd<br \/>\nca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc<br \/>\n550ee89d5df17f90ba7689d957cd067dcdbe3d957c5369ea28d925e02ccc8ce6<br \/>\nf77d7940c51c2a1eab849dbd77e59c683ebf7820799ef349e7da2583e1aa11ae<br \/>\n2c5d55619d2f56dc5824a4845334e7804d6d306daac1c23bec6f078f30f1c825<br \/>\n7231177a115656041ba4e5b3cf0bf7a547b074f03592351484267e25cda7c899<br \/>\nd5405f99cec0166857274b6c02a7ef52b36274fedb805a17d2089fd24ed133cf<br \/>\n81921b6a7eba39a3f73895a57892ed3a46ab6365ac97d550ca3b9bff46c7a1c2<br \/>\n1eef9f8d7d3099b87be7ac25121f9d2ccacfb5ccf02b508fb2036b6e059c525f<br \/>\n5255061c3600df1a94b376fca40f3ccb69d1cb6dd42aa744b20a643c7292d20c<br \/>\nb5199a302f053e5e9cb7e82cc1e502b5edbf04699c2839acb514592f2eeabb13<br \/>\n5fb7f6f953be3b65d88bd86d1391ebc9f88fc10b0ef23541463ebf5b157f695c<br \/>\n6016cf9898d74e2e9030be7c987964d817ba28ad2253d1da54c81a1bf49db836<br \/>\n621e55421dffae981e3e933c65626314d5610c7c08f76f83a3d07f0ec6c36e2d<br \/>\n6ccc24971073d24d90c4cbaf83dfbae2969cbf527e319c7ee9a4babcbe88e456<br \/>\n6f8da9180eebe02ba35317cb8aee5c8df6ac29795af70eb9430c3588d457aad6<br \/>\n71c5b899a5187baeb8f605ca39ca56bf05a63025a8f9f84c45590d8345e5d349<br \/>\n725b7d92ed66be160f2e04395008a65c72814d5ddf842d9778396f6c6679d85e<br 
\/>\n72d4b780a90ede7ea152f5da0973965cab31d2813fa8c2fe0e1cb611f5ca257e<br \/>\n73670d06851f588c7df44dc478f49883406697c48c618438e0f249b7a916552e<br \/>\n74e017853fbc85ee77ca7476cd25423815602aaaa02b29e0003c95c9551b8890<br \/>\n75d2367dc79d9f8aed165729df90ed5d28fefe267778dbe4d3d74aafa75d66e0<br \/>\n7a5a1c6ea0c2f017df9f06975c93a356cac20b19031fcde96136fa5881e5ef3a<br \/>\n7adb049e0b49312aea904c70e16d0e7f03d01aae4bf8ac867e8219ced4e6e057<br \/>\n7bfa85bec239b6c4419b2d57149c5960263c80e493f888d03ceaaa3f945b1b25<br \/>\n7f324b658f587b3b27921ebeba5ac25aebd669b33e6801fa9581de8c2eb0df2e<br \/>\n7fee970748eb83045e36911dafdaee0d4069ebe72c059cc7de3d65539012c2e9<br \/>\n823793a37d748ffe708864c16c853c67a5db812712481da1d24790b455163940<br \/>\n8512aabfa0175684bdbb77481d6b272b63dbc4249b04a44e1003b7d8fdea0a89<br \/>\n86c81f03cf7d8f8af38c2559dbf506cccdc25579f3b29fb574f823a67f99a0a3<br \/>\n88ae7e60b9dd57fc6b2d667ce33fb29c0f75d37eb7c837ccf56cb7994386d5ef<br \/>\n8b50e3ca06a22d0be6a71232b320137c776f80ac3f2c81b7440b43854b8a3bf0<br \/>\n8bd40e7fe6bbd4d5810db2c142186bb58da445a132fb6f9ff01c46947a532244<br \/>\n8c9d690e765c7656152ad980edd2200b81d2afceef882ed81287fe212249f845<br \/>\n8d38726d674279705fe06b4b45bbbaef10756c547d560cea6998e23dba09f80c<br \/>\n8db47439685edc683765abb5e6d7d0d05479bf9ee164992db9e8ce97fe43ee2f<br \/>\n95de2e16f1b05d1b45b1d182c1503568c2e5fd4a81ac52fe1bc9e881d1a272b1<br \/>\n95e3204228341852b7c97f357f799e7ec9688abe1262436b569e56397f1fd864<br \/>\n98caf00760d772598386eb8d4f26caf92fb891915ac08da6bf830be5e45278d3<br \/>\n99c9440a84cdc428ce140de901452eb334faec49f1f6258acdde1ddcbb34376e<br \/>\n9a8776e4ae38cf529bab28947b31ade84301262b7996dc37ec47afa4fb4cf6e1<br \/>\n9beb1d2a03ff2d4c15913de0f87b72074155b44df791bd967dac8155e97a0e06<br \/>\n9c8d518fbbc8cbb25fa309f5396efa5749e57a3b0158779404c8d3e92baf6596<br \/>\na064a28e5e7409a96bba93fc57f44cadc3492bb0f49792c89c973e30b0f5d498<br \/>\na194b47043356fa365d98a5f7c582b6f87fac90acf0f469ed3651cfe2fd7b2c9<br 
\/>\na21dfb8e8b7c8dfbeeb4d72e6ef1f22c667b8968b3a3b1dcce99f44faab05903<br \/>\na2e0fe2d385dabcdfb024100216d259ddd1fa9907e982d297846fd29b8d4d415<br \/>\na48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599<br \/>\na595da9a2fa58d4f8be0bfbcf7f4c950435ff5289dd1ccf2c65eec73a0afe97f<br \/>\na972ad0ddc00d5c04d9fe26f1748e12008efdd6524c9d2ea4e6c2d3e42d82b7b<br \/>\naa860d405746401ae4155485326fdeb39718832c77c73540d48f4fbb8e596215<br \/>\nab6832a4432b4bdaec0706f7b00a369c48175eac9abc3e537032b1f5d26a993b<br \/>\nada2f0703614b3447d427827777af5d4ee9ffe9179498970326926751a4f8d65<br \/>\nb16d317c11228bd3573126a0e1bc0bbf35d84a4a1f47dfb06b70634a21fd9823<br \/>\nb3665548cc0f2fce3593fb7139f49588faa1d327b6d23feb564ca4194053ae8a<br \/>\nb5578c48a11533871ae91e6d5632aafc25d3976c0626d62abab306663566d024<br \/>\nb67a6f87fc3fd7c5c3666acac5918c8c08a53ab6a966f4d1daf38105a566ede1<br \/>\nb6abc8ab631dcf52e028ab26dbe3bb94022d69193c0acc8642cbd6329cbb23ef<br \/>\nb7e117eb342b0d450095805073326989c792bf5ccbbdcd5f4a9ace50e517412e<br \/>\nbb14abc9b0798c7756a6ed887308a3e6210cc08a5149dc1360fdd1f5bca27cca<br \/>\nbdadb319f071f02462d107380102b669e407bb2a0b20e77a9a8a5726b4cbbc4b<br \/>\nbf2383cfbee4cbb0bda2614839454ab1724c9bbfff8b4b48e0f48579ae220c10<br \/>\nbf52b44168de1855d83186163a2d5f29e488ddafdfd5447e211aec4a769cf74a<br \/>\nc0d5cf7a0035deda5646aaf520b3ff632aa6be76ddbc88f38ddc11e77ffb40b4<br \/>\nc1a82a788df7418712664138c0fdb05232036a27ab0998479d60c656998849f1<br \/>\nc63a523834ab59ab5621a0acb156a9b901befe806044642fe5fec8a0ba545e70<br \/>\nd05d3f3582e13eaf5f39d7143ca1a4b1367cc5267bf9958a15e27cf53e059518<br \/>\nd0e456cff03c2483ded9a0f8c1b99f9fefb6ba47dcaf949dae27abe940ee20e6<br \/>\nd8a01f69840c07ace6ae33e2f76e832c22d4513c07e252b6730b6de51c2e4385<br \/>\ndada74663e3e29ee26bfd03a888f0bda9fc81e148511fa98f73f8e8a915933cc<br \/>\ndb3ffcbf136e0268ec66f28b30fa8ba350f74e02e8e737e61cc6ef8d8258027e<br \/>\ndd26b85b6568595b1d2bbc47ce47d071ede75665fbd779d637b74663ead5539e<br 
\/>\ndf9038660164623a827a8119d4cb3d71d0a5288b12bdfdd32c72769bf90a9ea0<br \/>\ndfed16e9184a86e6fcd17a98f127410840d058db667e9975b43add100c33122e<br \/>\ne0063d2524a89159cf5da12661225fbb27725bbd72acd9497b7207ecf2f3aeb6<br \/>\ne00c55ddda9cbb82fb47924fafdf40c3394dc1127d9901c71a69ef3ef664b817<br \/>\ne14a51d69211948163ab20b0cc68adf410bb821f2890f55d2d202c745f4ec1b8<br \/>\ne2e3f243bbcad666852e64202d35f6dd88c58f5d24435d92975697b0efa8a775<br \/>\ne37e25739e8bc4620d9d37d8f6b400cd82c85b89d206436ba35930ed96db6eb0<br \/>\ne55b5ede808b6d491f18737d6a1cf34b5178f02e9ea01d7cff31a449888dbd73<br \/>\ned28d9207acac2afff817eaa56d1599422e23946dffa4f8bade376d52a6af7d4<br \/>\neda0853e814ee31a66c3b42af45cd66019ffd61eac30e97bd34c27d79253a1bb<br \/>\nf1b3e58d060803b0ff6008386bab47fb8099ac75ee74f385ac34340a28bf716e<br \/>\nf2091f71227180d74ba1ba4607635e623553b1826314dca91cb31839eb00c4ea<br \/>\nf214d55ccb5db5edbaafe7d40b240c79f04c70d441adee01ef438f776eb37037<br \/>\nf571ddc894915dee136cf24731ff3d79fe4f811b112d122a34a128628cb43c4a<br \/>\nf7676d2a28992a382475af2ae0abca4794e1397ef3327f30f7d4cbdbc2ca0a68<br \/>\nf8e20894c8c18d79e80b431008aa8bef46cc10a355a4934f9cc40ffd637b8890<br \/>\nfa1bf7565352099b74624c8beeff6620411e1efe00e54f8b4190f69e243d5811<br \/>\nfa784f69265ebe5e150cf5956a40d86335d1a5edc57fffcc7ce6eedc591c2751<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. 
We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.<\/p>\n","protected":false},"author":23,"featured_media":103240,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4322,1974,4431],"tags":[5309,6391,7450,5315],"product_categories":[],"coauthors":[1025],"class_list":["post-106764","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-actor-groups","category-malware-ja","category-threat-actor-groups-ja","tag-gamaredon-ja","tag-threat-research-ja","tag-toolset","tag-trident-ursa-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Gamaredon\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u306e\u9032\u5316<\/title>\n<meta name=\"description\" content=\"Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Gamaredon\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u306e\u9032\u5316\" \/>\n<meta property=\"og:description\" content=\"Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. 
We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2017-02-27T23:00:56+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-04-27T00:57:08+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"650\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Unit 42\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Gamaredon\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u306e\u9032\u5316","description":"Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/","og_locale":"ja_JP","og_type":"article","og_title":"Gamaredon\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u306e\u9032\u5316","og_description":"Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. 
We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/","og_site_name":"Unit 42","article_published_time":"2017-02-27T23:00:56+00:00","article_modified_time":"2020-04-27T00:57:08+00:00","og_image":[{"width":650,"height":300,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","type":"image\/jpeg"}],"author":"Unit 42","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/"},"author":{"name":"Unit 42","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"headline":"Gamaredon\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u306e\u9032\u5316","datePublished":"2017-02-27T23:00:56+00:00","dateModified":"2020-04-27T00:57:08+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/"},"wordCount":14025,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","keywords":["Gamaredon","threat research","Toolset","Trident Ursa"],"articleSection":["Threat Actor Groups","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30a2\u30af\u30bf\u30fc 
\u30b0\u30eb\u30fc\u30d7"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/","name":"Gamaredon\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u306e\u9032\u5316","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","datePublished":"2017-02-27T23:00:56+00:00","dateModified":"2020-04-27T00:57:08+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"description":"Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. 
We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","width":650,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit-42-title-gamaredon-group-toolset-evolution\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"Gamaredon\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u306e\u9032\u5316"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63","name":"Unit 
42","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Unit 42"},"url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/unit42\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106764","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=106764"}],"version-history":[{"count":4,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106764\/revisions"}],"predecessor-version":[{"id":106773,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106764\/revisions\/106773"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/103240"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=106764"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=106764"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=106764"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=106764"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloal
tonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=106764"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}