{"id":99271,"date":"2019-08-01T06:00:11","date_gmt":"2019-08-01T13:00:11","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=99271"},"modified":"2019-09-04T21:29:42","modified_gmt":"2019-09-05T04:29:42","slug":"rockein-the-netflow","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/","title":{"rendered":"NetFlow\u5185\u306eRocke\u63a2\u7d22"},"content":{"rendered":"<h2>\u30a8\u30b0\u30bc\u30af\u30c6\u30a3\u30d6\u30b5\u30de\u30ea\u30fc<\/h2>\n<p>Unit 42\u306f6\u30f6\u6708\u304b\u3051\u3066\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u3092\u884c\u3044\u307e\u3057\u305f\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3059\u3002\u8abf\u67fb\u304b\u3089\u5224\u660e\u3057\u305f\u5185\u5bb9\u3092\u307e\u3068\u3081\u305f\u3082\u306e\u306f<a title=\"\u8105\u5a01\u4e88\u6e2c: \u30af\u30e9\u30a6\u30c9\u3067\u306e\u30a8\u30f3\u30c8\u30ed\u30d4\u30fc\u5897\u5927\u306e\u30ea\u30b9\u30af\" href=\"https:\/\/www.paloaltonetworks.jp\/resources\/unit-42\/unit42-cloud-with-a-chance-of-entropy\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: 
text:\u30a8\u30b0\u30bc\u30af\u30c6\u30a3\u30d6\u30b5\u30de\u30ea\u30fc:\u6700\u8fd1\u306e\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8(\u65e5\u672c\u8a9e\u7248\u516c\u958b)\">\u6700\u8fd1\u306e\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8(\u65e5\u672c\u8a9e\u7248\u516c\u958b)<\/a>\u304b\u3089\u3054\u89a7\u3044\u305f\u3060\u3051\u307e\u3059\u3002\u3053\u306e\u8abf\u67fb\u30ec\u30dd\u30fc\u30c8\u3067\u306fRocke\u306b\u3064\u3044\u3066\u79c1\u305f\u3061\u304c\u884c\u3063\u305f\u8abf\u67fb\u306e\u7d50\u679c\u3092\u8a73\u3057\u304f\u8aac\u660e\u3057\u3066\u3044\u307e\u3059\u304c\u3001\u3053\u306e\u306a\u304b\u3067\u79c1\u305f\u3061\u306f\u300c\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306f\u307b\u3068\u3093\u3069\u90aa\u9b54\u3055\u308c\u308b\u3053\u3068\u306a\u304f\u3001\u307e\u305f\u691c\u51fa\u30ea\u30b9\u30af\u3092\u6291\u3048\u3064\u3064\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u300d\u3068\u7d50\u8ad6\u3065\u3051\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>2018\u5e7412\u6708\u304b\u30892019\u5e746\u670816\u65e5\u307e\u3067\u306eNetFlow\u30c7\u30fc\u30bf\u3092\u5206\u6790\u3059\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u3001\u8abf\u67fb\u3057\u305f\u30af\u30e9\u30a6\u30c9\u74b0\u5883\u306e28.1\uff05\u304c\u3001\u5c11\u306a\u304f\u3068\u30821\u3064\u306e\u65e2\u77e5\u306eRocke Command and 
Control\uff08C2\uff09\u30c9\u30e1\u30a4\u30f3\u3068\u306e\u5c11\u306a\u304f\u3068\u30821\u3064\u306e\u5b8c\u5168\u306b\u78ba\u7acb\u3055\u308c\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u63a5\u7d9a\u3092\u6301\u3063\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u7d44\u7e54\u306e\u3044\u304f\u3064\u304b\u306f\u3001\u307b\u307c\u6bce\u65e5\u306e\u63a5\u7d9a\u3092\u7dad\u6301\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u305d\u306e\u9593\u3001\u7d44\u7e54\u306e20\uff05\u304c1\u6642\u9593\u3054\u3068\u306e\u30cf\u30fc\u30c8\u30d3\u30fc\u30c8\u3092\u7dad\u6301\u3057\u3066\u304a\u308a\u3001\u3053\u308c\u306fRocke\u306e\u6226\u8853\u30fb\u30c6\u30af\u30cb\u30c3\u30af\u30fb\u624b\u9806\uff08TTP\uff09\u3068\u4e00\u81f4\u3059\u308b\u3082\u306e\u3067\u3057\u305f\u3002<\/p>\n<p>\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306f\u307e\u305f<a href=\"https:\/\/blog.netlab.360.com\/an-analysis-of-godlua-backdoor-en\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:\u30a8\u30b0\u30bc\u30af\u30c6\u30a3\u30d6\u30b5\u30de\u30ea\u30fc:godlua\">Godlua<\/a>\u3068\u547c\u3070\u308c\u308b\u65b0\u3057\u3044\u30c4\u30fc\u30eb\u3092\u30ea\u30ea\u30fc\u30b9\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u306e\u30c4\u30fc\u30eb\u306f\u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u3068\u3057\u3066\u6a5f\u80fd\u3059\u308b\u3082\u306e\u3067\u3001\u3053\u308c\u306b\u3088\u308a\u30b0\u30eb\u30fc\u30d7\u5185\u306e\u30a2\u30af\u30bf\u30fc\u304c\u8ffd\u52a0\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u51e6\u7406\u3092\u5b9f\u884c\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002\u8ffd\u52a0\u3055\u308c\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u51e6\u7406\u306b\u306f\u3001\u30b5\u30fc\u30d3\u30b9\u62d2\u5426\uff08DoS\uff09\u653b\u6483\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30d7\u30ed\u30ad\u30b7\u30012\u3064\u306e\u30b7\u30a7\u30eb\u6a5f\u80fd\u306a\u3069\u304c\u542b\u307e\u308c\u307e\u3059\u3002Unit 
42\u306f\u307e\u305f\u3001NetFlow\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u5185\u3067\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u8b58\u5225\u3059\u308b\u305f\u3081\u306e\u69d8\u3005\u306a\u30d1\u30bf\u30fc\u30f3\u3082\u767a\u898b\u3057\u307e\u3057\u305f\u3002\u3053\u308c\u306b\u3088\u308a\u3001Rocke\u306eTTP\u306b\u95a2\u3059\u308b\u72ec\u81ea\u306e\u6d1e\u5bdf\u3068\u3001\u9632\u5fa1\u5074\u304c\u691c\u51fa\u6a5f\u80fd\u3092\u958b\u767a\u3059\u308b\u65b9\u6cd5\u306b\u3064\u3044\u3066\u306e\u6d1e\u5bdf\u3092\u5f97\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002<\/p>\n<h3>Rocke\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3068\u306f<\/h3>\n<p>Iron\u30b0\u30eb\u30fc\u30d7\u3001SystemTen\u3001Kerberods\/Khugepageds\u3001ex-Rocke\u306a\u3069\u306e\u5225\u540d\u3067\u3082\u77e5\u3089\u308c\u308bRocke\u306e\u6d3b\u52d5\u304c<a href=\"https:\/\/blog.talosintelligence.com\/2018\/08\/rocke-champion-of-monero-miners.html\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3068\u306f:\u6700\u521d\u306b\u5831\u544a\u3055\u308c\u305f\u306e\u306f\">\u6700\u521d\u306b\u5831\u544a\u3055\u308c\u305f\u306e\u306f<\/a>2018\u5e748\u6708\u3067\u3057\u305f\u3002\u305d\u308c\u4ee5\u6765\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u305f\u3061\u306f\u30d6\u30ed\u30b0\u3067<a href=\"https:\/\/www.anomali.com\/blog\/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3068\u306f:\u540c\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308bgolang\u30d7\u30ed\u30b0\u30e9\u30df\u30f3\u30b0\u8a00\u8a9e\">\u540c\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308bGolang\u30d7\u30ed\u30b0\u30e9\u30df\u30f3\u30b0\u8a00\u8a9e<\/a>\u306e\u5229\u7528\u3084\u3001\u65b0\u3057\u3044\u30d0\u30c3\u30af\u30c9\u30a2\u3067\u3042\u308b<a 
href=\"https:\/\/blog.netlab.360.com\/an-analysis-of-godlua-backdoor-en\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3068\u306f:godlua\">Godlua<\/a>\u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u3066\u304d\u307e\u3057\u305f\u3002<a href=\"https:\/\/redcanary.com\/blog\/rocke-cryptominer\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3068\u306f:rocke\u306b\u3088\u308b\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092mitre att\uff06ck\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u306b\u30de\u30c3\u30d4\u30f3\u30b0\">Rocke\u306b\u3088\u308b\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092MITRE ATT\uff06CK\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u306b\u30de\u30c3\u30d4\u30f3\u30b0<\/a>\u3057\u305f\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u95a2\u9023\u306e\u30d6\u30ed\u30b0\u3082\u3042\u308a\u307e\u3059\u3002Unit 42\u306f\u307e\u305f\u3001\u540c\u30b0\u30eb\u30fc\u30d7\u306e<a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3068\u306f:xbash\">Xbash<\/a>\u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2\u30c4\u30fc\u30eb\u3068\u305d\u306e<a href=\"https:\/\/unit42.paloaltonetworks.com\/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: 
text:rocke\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3068\u306f:\u30af\u30e9\u30a6\u30c9\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u56de\u907f\u3068\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u306e\u30c6\u30af\u30cb\u30c3\u30af\">\u30af\u30e9\u30a6\u30c9\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u56de\u907f\u3068\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u306e\u30c6\u30af\u30cb\u30c3\u30af<\/a>\u306b\u3064\u3044\u3066\u306e\u30d6\u30ed\u30b0\u3092\u516c\u958b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>Rocke\u306f\u5f53\u521d\u3001\u6a5f\u80fd\u7684\u306b<a href=\"https:\/\/www.wired.com\/story\/petya-ransomware-ukraine\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3068\u306f:notpetya\">NotPetya<\/a>\u3068\u985e\u4f3c\u3057\u305f\u30c7\u30fc\u30bf\u7834\u58ca\u578b\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3042\u308bLinux\u7279\u5316\u578b\u30c4\u30fc\u30ebXbash\u3092\u4f7f\u7528\u3092\u3057\u3066\u3044\u305f\u3053\u3068\u304b\u3089\u3001\u30e9\u30f3\u30b5\u30e0\u30a6\u30a7\u30a2 \u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u3068\u95a2\u9023\u3065\u3051\u3089\u308c\u3066\u3044\u307e\u3057\u305f 
\u3002NotPetya\u306f\u3001EternalBlue\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3092\u4f7f\u7528\u3057\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7d4c\u7531\u3067\u62e1\u6563\u3059\u308b\u30de\u30eb\u30a6\u30a7\u30a2\u3067\u3001Xbash\u3082\u7d44\u7e54\u306e\u30d1\u30c3\u30c1\u672a\u9069\u7528\u306e\u8106\u5f31\u6027\u3084\u5f31\u3044\u30d1\u30b9\u30ef\u30fc\u30c9\u306e\u4f7f\u7528\u3092\u60aa\u7528\u3057\u305f\u6a2a\u5c55\u958b\u3092\u884c\u3044\u307e\u3057\u305f\u304c\u3001\u305d\u306e\u52b9\u679c\u306f\u3055\u307b\u3069\u9ad8\u304f\u306a\u304b\u3063\u305f\u3088\u3046\u3067\u3059\u3002\u307e\u305fRocke\u306f\u7d44\u7e54\u3092\u4fb5\u5bb3\u5f8c\u3001\u88ab\u5bb3\u8005\u306b\u640d\u5931\u30c7\u30fc\u30bf\u5fa9\u5143\u306e\u305f\u3081\u306e0.2\u30d3\u30c3\u30c8\u30b3\u30a4\u30f3\u30010.15\u30d3\u30c3\u30c8\u30b3\u30a4\u30f3\u3001\u307e\u305f\u306f0.02\u30d3\u30c3\u30c8\u30b3\u30a4\u30f3\uff08BTC\uff09\u306e\u652f\u6255\u3044\u3092\u8981\u6c42\u3057\u307e\u3057\u305f\u304c\u3001Xbash\u306f\u8eab\u4ee3\u91d1\u306e\u8981\u6c42\u4ee5\u524d\u306b\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u30c6\u30fc\u30d6\u30eb\u3092\u524a\u9664\u3057\u3066\u3044\u308b\u3053\u3068\u304b\u3089\u3001\u30c7\u30fc\u30bf\u306f\u5fa9\u5143\u4e0d\u80fd\u3067\u3057\u305f\u3002Unit 42\u304c\u30ec\u30dd\u30fc\u30c8\u3057\u305f\u6642\u70b9\u3067\u306eRocke\u306eBTC\u30a6\u30a9\u30ec\u30c3\u30c8\u306f\u3001\u500b\u5225\u306e48\u4ef6\u306e\u9001\u91d1\u306b\u3088\u308b0.964 BTC\uff08\u4eca\u65e5\u306e\u7c73\u56fd\u30c9\u30eb\u4fa1\u683c\u306710,130\u30c9\u30eb\u3001\u65e5\u672c\u5186\u3067\u304a\u3088\u305d100\u4e07\u5186\u306b\u76f8\u5f53\uff09\u3060\u3051\u3067\u3057\u305f\u3002<\/p>\n<h3>Rocke\u306e\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0 \u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3<\/h3>\n<p>Xbash\u30de\u30eb\u30a6\u30a7\u30a2\u540c\u69d8\u3001Rocke\u30b0\u30eb\u30fc\u30d7\u6700\u521d\u306e\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0 
\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306fPython\u3067\u66f8\u304b\u308c\u3066\u304a\u308a\u3001\u7b2c1\u6bb5\u968e\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u30b3\u30fc\u30c9\u30ea\u30dd\u30b8\u30c8\u30ea\u3068\u3057\u3066Pastebin\u306a\u3044\u3057GitHub\u3092\u4f7f\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u30022019\u5e743\u670812\u65e5\u6642\u70b9\u3067\u3001Rocke\u306e\u30a2\u30af\u30bf\u30fc\u306f\u3053\u306e\u307b\u304b\u306b<a href=\"https:\/\/www.anomali.com\/blog\/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u306e\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0 \u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3:golang\">Golang<\/a>\u3082\u4f7f\u3044\u306f\u3058\u3081\u307e\u3057\u305f\u3002\u7b2c1\u6bb5\u968e\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001\u88ab\u5bb3\u8005\u306e\u30b7\u30b9\u30c6\u30e0\u306b\u5bfe\u3057\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fRocke\u306e\u30c9\u30e1\u30a4\u30f3\/IP\u30a2\u30c9\u30ec\u30b9\u3078\u306e\u63a5\u7d9a\u3092\u6307\u793a\u3057\u3001\u3053\u308c\u304c\u7b2c2\u6bb5\u968e\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3092\u30c8\u30ea\u30ac\u30fc\u3057\u307e\u3059\u3002<\/p>\n<p>Unit 
42\u306f\u3001\u6700\u521d\u306e\u5831\u544a\u4ee5\u964d\u3001\u3069\u3046\u3084\u3089\u6c7a\u307e\u3063\u305f12\u6bb5\u968e\u306e\u624b\u9806\u306b\u5f93\u3063\u3066Rocke\u304c\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3092\u5b9f\u884c\u3057\u3066\u3044\u308b\u69d8\u5b50\u304c\u3042\u308b\u3053\u3068\u3092\u89b3\u6e2c\u3057\u307e\u3057\u305f\u3002<\/p>\n<ol>\n<li>\u30a2\u30af\u30bf\u30fc\u304c\u7b2c1\u6bb5\u968e\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u30b5\u30fc\u30c9\u30d1\u30fc\u30c6\u30a3\u306e\u30b5\u30a4\u30c8\uff08Pastebin\u3001GitHub\u306a\u3069\uff09\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b<\/li>\n<li>\u88ab\u5bb3\u8005\u304cPastebin\/GitHub\u306b\u79fb\u52d5\u3059\u308b\u3088\u3046\u4ed5\u5411\u3051\u308b\uff08\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u306a\u3069\uff09<\/li>\n<li>\u65e2\u77e5\u306e\u8106\u5f31\u6027\uff08Oracle WebLogic\u3001Adobe ColdFusion\u3001Apache Struts\u306a\u3069\uff09\u3092\u60aa\u7528\u3059\u308b<\/li>\n<li>\u88ab\u5bb3\u8005\u304c\u30d0\u30c3\u30af\u30c9\u30a2\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\uff08\u30b7\u30a7\u30eb\u30b9\u30af\u30ea\u30d7\u30c8\u3001JavaScript\u306e\u30d0\u30c3\u30af\u30c9\u30a2\u306a\u3069\uff09<\/li>\n<li>\u88ab\u5bb3\u8005\u304cPython\u304bGolang\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u4ecb\u3057\u7b2c1\u6bb5\u968e\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u5b9f\u884c\u3057C2\u30b5\u30fc\u30d0\u30fc\u306b\u63a5\u7d9a\u3059\u308b<\/li>\n<li>\u7b2c2\u6bb5\u968e\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3067\u3042\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3057\u3001\u30b7\u30b9\u30c6\u30e0\u306e\u7ba1\u7406\u8005\u30a2\u30af\u30bb\u30b9\u6a29\u9650\u3092\u53d6\u5f97\u3059\u308b<\/li>\n<li>cron\u30b8\u30e7\u30d6 
\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u3066\u6c38\u7d9a\u6027\u3092\u78ba\u7acb\u3059\u308b<\/li>\n<li>\u3059\u3067\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u3066\u3044\u308b\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0 \u30d7\u30ed\u30bb\u30b9\u3092\u63a2\u3057\u3066kill\u3059\u308b<\/li>\n<li>\u305d\u308c\u4ee5\u964d\u306e\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u30d7\u30ed\u30bb\u30b9\u3092\u30d6\u30ed\u30c3\u30af\u3059\u308b\u305f\u3081\u306biptables\u306b\u30eb\u30fc\u30eb\u3092\u8ffd\u52a0\u3059\u308b<\/li>\n<li>\u30a8\u30fc\u30b8\u30a7\u30f3\u30c8\u30d9\u30fc\u30b9\u306e\u30af\u30e9\u30a6\u30c9\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56\u30c4\u30fc\u30eb\uff08Tencent Cloud\u3001Alibaba Cloud\u306a\u3069\uff09\u3092\u30a2\u30f3\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b<\/li>\n<li>Monero\u306e\u30de\u30a4\u30cb\u30f3\u30b0\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b<\/li>\n<li>\"libprocesshider\"\u3092\u4f7f\u3063\u3066Linux\u306eps\u304b\u3089XMRig\u30de\u30a4\u30cb\u30f3\u30b0 
\u30d7\u30ed\u30bb\u30b9\u3092\u30eb\u30fc\u30c8\u30ad\u30c3\u30c8\u5316(\u96a0\u853d)\u3059\u308b<\/li>\n<\/ol>\n<h3>Rocke\u306e\u30a4\u30f3\u30d5\u30e9<\/h3>\n<p>\u672c\u7a3f\u57f7\u7b46\u6642\u70b9\u3067\u306f\u30018\u3064\u306e\u30c9\u30e1\u30a4\u30f3\u304c\u3001\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fIP\u30a2\u30c9\u30ec\u30b9\u3001URL\u30a2\u30c9\u30ec\u30b9\u3001\u307e\u305f\u306f\u30c9\u30e1\u30a4\u30f3\u767b\u9332\u6642\u306e\u3064\u306a\u304c\u308a\uff08WHOIS\u767b\u9332\u8005\u306eE\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9\u306a\u3069\uff09\u3092\u901a\u3058\u3066Rocke\u306eC2\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3068\u7d10\u4ed8\u3051\u3089\u308c\u3066\u3044\u307e\u3059\u3002\u6b21\u8868\u306f\u305d\u308c\u3089\u306e\u30c9\u30e1\u30a4\u30f3\u304cRocke\u30b0\u30eb\u30fc\u30d7\u306e\u30a4\u30f3\u30d5\u30e9\u3068\u3069\u306e\u3088\u3046\u306b\u95a2\u4fc2\u3057\u3066\u3044\u308b\u304b\u3092\u793a\u3057\u305f\u3082\u306e\u3067\u3059\uff08\u88681\u53c2\u7167\uff09\u3002<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>\u30c9\u30e1\u30a4\u30f3<\/strong><\/td>\n<td><strong>Rocke\u3068\u306e\u3064\u306a\u304c\u308a<\/strong><\/td>\n<td><strong>\u91cd\u8907\u304c\u898b\u3089\u308c\u305f\u5024<\/strong><\/td>\n<td><strong>\u89e3\u6c7a\u5148IP\u30a2\u30c9\u30ec\u30b9<\/strong><\/td>\n<\/tr>\n<tr>\n<td>sowcar[.]com<\/td>\n<td>\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fIOC<\/td>\n<td>4592248@gmail[.]com<\/td>\n<td>23.234.4[.]15123.234.4[.]153<\/p>\n<p>27.221.28[.]231<\/p>\n<p>27.221.54[.]252<\/p>\n<p>36.103.236[.]221<\/p>\n<p>36.103.247[.]121<\/p>\n<p>36.248.26[.]205<\/p>\n<p>42.202.141[.]230<\/p>\n<p>42.236.125[.]84<\/p>\n<p>42.56.76[.]104<\/p>\n<p>43.242.166[.]88<\/p>\n<p>59.83.204[.]14<\/p>\n<p>60.167.222[.]122<\/p>\n<p>61.140.13[.]251<\/p>\n<p>104.31.68[.]79<\/p>\n<p>104.31.69[.]79<\/p>\n<p>113.142.51[.]219<\/p>\n<p>113.200.16[.]234<\/p>\n<p>116.211.184[.]212<\/p>\n<p>118.213.118[.]94<\/p>\n<p>118.25.145[.]24<\/p>\n<p>122.246.6[.]183<\/p>\
n<p>125.74.45[.]101<\/p>\n<p>150.138.184[.]119<\/p>\n<p>182.118.11[.]126<\/p>\n<p>182.118.11[.]193<\/p>\n<p>182.247.250[.]251<\/p>\n<p>182.247.254[.]83<\/p>\n<p>183.224.33[.]79<\/p>\n<p>211.91.160[.]159<\/p>\n<p>211.91.160[.]238<\/p>\n<p>218.75.176[.]126<\/p>\n<p>219.147.231[.]79<\/p>\n<p>221.204.60[.]69<\/td>\n<\/tr>\n<tr>\n<td>thyrsi[.]com<\/td>\n<td>WHOIS \u767b\u9332<\/td>\n<td>4592248@gmail[.]com<\/td>\n<td>23.234.4[.]15123.234.4[.]153<\/p>\n<p>103.52.216[.]35<\/p>\n<p>104.27.138[.]223<\/p>\n<p>104.27.139[.]223<\/p>\n<p>205.185.122[.]229<\/p>\n<p>209.141.41[.]204<\/td>\n<\/tr>\n<tr>\n<td>w2wz[.]cn<\/td>\n<td>WHOIS \u767b\u9332<\/td>\n<td>4592248@gmail[.]com<\/td>\n<td>36.103.236[.]22136.103.247[.]121<\/p>\n<p>42.202.141[.]230<\/p>\n<p>58.215.145[.]137<\/p>\n<p>58.216.107[.]77<\/p>\n<p>58.218.208[.]13<\/p>\n<p>60.167.222[.]122<\/p>\n<p>61.140.13[.]251<\/p>\n<p>113.142.51[.]219<\/p>\n<p>113.96.98[.]113<\/p>\n<p>116.211.184[.]212<\/p>\n<p>118.213.118[.]94<\/p>\n<p>118.25.145[.]241<\/p>\n<p>121.207.229[.]203<\/p>\n<p>122.246.20[.]201<\/p>\n<p>125.74.45[.]101<\/p>\n<p>140.249.61[.]134<\/p>\n<p>150.138.184[.]119<\/p>\n<p>182.118.11[.]193<\/p>\n<p>182.247.250[.]251<\/p>\n<p>218.75.176[.]126<\/p>\n<p>219.147.231[.]79<\/p>\n<p>222.186.49[.]224<\/td>\n<\/tr>\n<tr>\n<td>baocangwh[.]cn<\/td>\n<td>WHOIS \u767b\u9332<\/td>\n<td>4592248@qq[.]com<\/td>\n<td>103.52.216[.]35104.18.38[.]253<\/p>\n<p>104.18.39[.]253<\/p>\n<p>104.31.92[.]26<\/p>\n<p>104.31.93[.]26<\/p>\n<p>119.28.48[.]240<\/p>\n<p>205.185.122[.]229<\/td>\n<\/tr>\n<tr>\n<td>z9ls[.]com<\/td>\n<td>WHOIS 
\u767b\u9332<\/td>\n<td>4592248@qq[.]com<\/td>\n<td>103.52.216[.]35104.27.134[.]168<\/p>\n<p>104.27.135[.]168<\/p>\n<p>104.31.80[.]164<\/p>\n<p>104.31.81[.]164<\/p>\n<p>172.64.104[.]10<\/p>\n<p>172.64.105[.]10<\/p>\n<p>205.185.122[.]229<\/td>\n<\/tr>\n<tr>\n<td>gwjyhs[.]com<\/td>\n<td>\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30c9\u30e1\u30a4\u30f3<\/td>\n<td>gwjyhs[.]com<\/td>\n<td>103.52.216[.]35104.27.138[.]191<\/p>\n<p>104.27.139[.]191<\/p>\n<p>205.185.122[.]229<\/td>\n<\/tr>\n<tr>\n<td>heheda[.]tk<\/td>\n<td>\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fIP\u30a2\u30c9\u30ec\u30b9\u307e\u305f\u306f\u30c9\u30e1\u30a4\u30f3<\/td>\n<td>104.238.151.101c.heheda[.]tk<\/p>\n<p>d.heheda[.]tk<\/p>\n<p>dd.heheda[.]tk<\/td>\n<td>104.18.58[.]79104.18.59[.]79<\/p>\n<p>104.238.151[.]101<\/p>\n<p>195.20.40[.]95<\/p>\n<p>198.204.231[.]250<\/td>\n<\/tr>\n<tr>\n<td>cloudappconfig[.]com<\/td>\n<td>\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fIP\u30a2\u30c9\u30ec\u30b9\u307e\u305f\u306f\u30c9\u30e1\u30a4\u30f3<\/td>\n<td>104.238.151.101c.cloudappconfig[.]com<\/p>\n<p>img0.cloudappconfig[.]com<\/p>\n<p>Img1.cloudappconfig[.]com<\/p>\n<p>img2.cloudappconfig[.]com<\/td>\n<td>43.224.225[.]22067.21.64[.]34<\/p>\n<p>104.238.151[.]101<\/p>\n<p>198.204.231[.]250<\/td>\n<\/tr>\n<tr>\n<td>systemten[.]org<\/td>\n<td>\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30c9\u30e1\u30a4\u30f3<\/td>\n<td>systemten[.]org<\/td>\n<td>104.248.53[.]213104.31.92[.]233<\/p>\n<p>104.31.93[.]233<\/p>\n<p>134.209.104[.]20<\/p>\n<p>165.22.156[.]147<\/p>\n<p>185.193.125[.]146<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>\u88681 \u65e2\u77e5\u306eRocke\u30c9\u30e1\u30a4\u30f3<\/em><\/p>\n<h4><a 
id=\"post-99064-_cd8e1a8h2f47\"><\/a>Rocke\u306e\u65b0\u305f\u306a\u653b\u6483\u30d9\u30af\u30bf\u30fc<\/h4>\n<p>\u524d\u9805\u3067\u4e00\u89a7\u5316\u3057\u305fTTP\u3067\u306f\u3001Rocke\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306b\u304a\u3051\u308b\u6f5c\u5728\u7684\u306a\u7b2c3\u6bb5\u968e\u306f\u8003\u616e\u3057\u3066\u3044\u307e\u305b\u3093\u3002<a href=\"https:\/\/blog.netlab.360.com\/an-analysis-of-godlua-backdoor-en\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u306e\u65b0\u305f\u306a\u653b\u6483\u30d9\u30af\u30bf\u30fc:godlua \u30d0\u30c3\u30af\u30c9\u30a2\u306e\u5206\u6790\">Godlua \u30d0\u30c3\u30af\u30c9\u30a2\u306e\u5206\u6790<\/a>\u5831\u544a\u304c\u51fa\u308b\u524d\u307e\u3067\u3001Rocke\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u4fb5\u5bb3\u5148\u306e\u30af\u30e9\u30a6\u30c9\u30b7\u30b9\u30c6\u30e0\u4e0a\u3067\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u4e0a\u306e\u7279\u5b9a\u6a5f\u80fd\u3092\u5b9f\u884c\u3057\u3066\u3044\u305f\u69d8\u5b50\u304c\u3042\u308a\u307e\u3057\u305f\u3002Godlua\u306e\u5831\u544a\u3067\u3082\u3053\u3046\u3057\u305fRocke\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u624b\u9806\u540c\u69d8\u306eTTP\u3092\u542b\u3080\u30de\u30eb\u30a6\u30a7\u30a2 \u30b5\u30f3\u30d7\u30eb\u3092\u5f15\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u3055\u3089\u306b\u8abf\u67fb\u3057\u305f\u7d50\u679c\u3001Unit 42\u306f\u3001TTP\u304c\u4e00\u81f4\u3059\u308b\u3060\u3051\u3067\u306a\u304f\u3001\u4ee5\u524d\u306b\u5831\u544a\u3055\u308c\u305fRocke\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u5024\u3068\u3064\u306a\u304c\u308b\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30c9\u30e1\u30a4\u30f3\u3001URL\u3001\u304a\u3088\u3073IP\u30a2\u30c9\u30ec\u30b9\u304c\u3042\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u3064\u306a\u304c\u308a\u306f\u3001<a 
href=\"https:\/\/www.reddit.com\/r\/LinuxMalware\/comments\/bfaea2\/fun_in_dissecting_lsd_packer_elf_golang_miner\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u306e\u65b0\u305f\u306a\u653b\u6483\u30d9\u30af\u30bf\u30fc:reddit \u306e r\/linuxmalware \u30b5\u30d6\u30ec\u30c7\u30a3\u30c3\u30c8\uff08\u30b5\u30d6\u30d5\u30a9\u30fc\u30e9\u30e0\uff09\u306b\u63b2\u8f09\u3055\u308c\u305f\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u8abf\u67fb\">reddit \u306e r\/LinuxMalware \u30b5\u30d6\u30ec\u30c7\u30a3\u30c3\u30c8\uff08\u30b5\u30d6\u30d5\u30a9\u30fc\u30e9\u30e0\uff09\u306b\u63b2\u8f09\u3055\u308c\u305f\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8\u8abf\u67fb<\/a>\u3068<a href=\"https:\/\/gist.github.com\/unixfreaxjp\/d38a08ae7f41dc7ca5e9b16caa607cbe\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u306e\u65b0\u305f\u306a\u653b\u6483\u30d9\u30af\u30bf\u30fc:github\">GitHub<\/a>\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3055\u308c\u305f\u30de\u30eb\u30a6\u30a7\u30a2 \u30b5\u30f3\u30d7\u30eb\u306e\u30e1\u30bf\u30c7\u30fc\u30bf\u3092\u542b\u3080\u8abf\u67fb\u7d50\u679c\u304b\u3089\u78ba\u8a8d\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3057\u305f\u3002\u3053\u306eReddit\u306e\u6295\u7a3f\u8005\u306f\u3001\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u4e0a\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u524a\u6e1b\u3092\u76ee\u7684\u3068\u3057\u305f\u30db\u30ef\u30a4\u30c8\u30cf\u30c3\u30c8\u7d44\u7e54\u306e\u975e\u55b6\u5229\u56e3\u4f53MalwareMustDie\u306e\u904b\u55b6\u8005\u3067\u3059\u3002Unit 
42\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u3001Reddit\u30b9\u30ec\u30c3\u30c9\u306b\u30ea\u30b9\u30c8\u3055\u308c\u3066\u3044\u308b4\u3064\u306e\u30d0\u30a4\u30ca\u30ea\u3092\u5206\u6790\u3057\u3001Reddit\u306e\u30b9\u30ec\u30c3\u30c9\u306b\u8a18\u8f09\u3055\u308c\u305f\u30b5\u30f3\u30d7\u30eb\u306b\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fRocke\u30c9\u30e1\u30a4\u30f3\u306esystemten[.]or\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u307e\u3057\u305f\u3002\u30b5\u30f3\u30d7\u30eb\u306b\u306f\u3001\u65e2\u77e5\u306eRocke\u306e<a href=\"https:\/\/www.anomali.com\/blog\/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:rocke\u306e\u65b0\u305f\u306a\u653b\u6483\u30d9\u30af\u30bf\u30fc:\u30ec\u30dd\u30fc\u30c8\">\u30ec\u30dd\u30fc\u30c8<\/a>\u3068\u91cd\u8907\u3059\u308b\u3001\u6b21\u306ePastebin URL\u3078\u306e\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u30ea\u30f3\u30af\u3082\u542b\u307e\u308c\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<ul>\n<li>hxxps:\/\/pastebin[.]com\/raw\/HWBVXK6H<\/li>\n<li>hxxps:\/\/pastebin[.]com\/raw\/60T3uCcb<\/li>\n<li>hxxps:\/\/pastebin[.]com\/raw\/rPB8eDpu<\/li>\n<li>hxxps:\/\/pastebin[.]com\/raw\/wR3ETdbi<\/li>\n<li>hxxps:\/\/pastebin[.]com\/raw\/Va86JYqw<\/li>\n<li>hxxps:\/\/pastebin[.]com\/raw\/Va86JYqw<\/li>\n<\/ul>\n<p>Godlua\u30d6\u30ed\u30b0\u304b\u3089\u3082\u78ba\u8a8d\u3067\u304d\u308b\u3068\u304a\u308a\u3001IP\u30a2\u30c9\u30ec\u30b9104.238.151[.]101\u3068URL\u00a0d.heheda[.]tk\u3001\u00a0c.heheda[.]tk\u3001dd.heheda[.]tk\u306f\u3001\u30ec\u30dd\u30fc\u30c8\u306e\u8abf\u67fb\u7d50\u679c\u3067\u3082\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u3066\u3044\u308b\u3053\u3068\u304c\u308f\u304b\u3063\u3066\u3044\u307e\u3059\u3002Rocke\u30b0\u30eb\u30fc\u30d7\u306b\u95a2\u9023\u3057\u3066Reddit\u306b\u6295\u7a3f\u3055\u308c\u305f\u30a4\u30f3\u30b7\u30c7\u30f3\u30c8 
\u30ec\u30b9\u30dd\u30f3\u30b9 \u30b9\u30ec\u30c3\u30c9\u304b\u3089\u306f\u3001heheda[.]tk\u306e3\u3064\u306e\u30c9\u30e1\u30a4\u30f3\u306bC2\u63a5\u7d9a\u304c\u884c\u308f\u308c\u3066\u3044\u308b\u3053\u3068\u3082\u308f\u304b\u308a\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u30c9\u30e1\u30a4\u30f3\u306fIP\u30a2\u30c9\u30ec\u30b9104.238.151[.]101\u306b\u89e3\u6c7a\u3055\u308c\u308b\u3082\u306e\u3067\u3001\u3053\u308c\u3082Godlua\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u3067\u5f15\u7528\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u30b5\u30f3\u30d7\u30eb\u306b\u306f\u65e2\u77e5\u306eRocke\u30c9\u30e1\u30a4\u30f3sowcar[.]com\u3001z9ls[.]com\u3001baocangwh[.]cn\u3001gwjyhs[.]com\u3001w2wz[.]cn\u306e\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u5024\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u7279\u5b9a\u3055\u308c\u305f\u4fb5\u5bb3\u306e\u6307\u6a19\uff08IoC\uff09\u304c\u65e2\u77e5\u306eRocke\u30c9\u30e1\u30a4\u30f3\u3068Godlua\u304a\u3088\u3073Reddit\u30b9\u30ec\u30c3\u30c9\u306eIoC\u30ec\u30dd\u30fc\u30c8\u304b\u3089\u53d6\u5f97\u3057\u305fIoC\u3068\u3092\u3069\u306e\u3088\u3046\u306b\u7d50\u3073\u4ed8\u3051\u3066\u3044\u308b\u304b\u306b\u3064\u3044\u3066\u306f\u3001\u56f31\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/p>\n<p><img width=\"1534\" height=\"848\"  class=\"wp-image-99066 aligncenter lozad\"  data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46.png\" sizes=\"(max-width: 1534px) 100vw, 1534px\" srcset=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46.png 1534w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46-300x166.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46-768x425.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46-1024x566.png 1024w, 
https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46-900x498.png 900w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46-370x205.png 370w\" \/><em>\u56f3 1 Godlua\u306e\u30ec\u30dd\u30fc\u30c8\u3001Reddit\u306e\u30b9\u30ec\u30c3\u30c9\u3067\u306e\u5831\u544a\u5185\u5bb9\u3068Rocke\u306e\u30c9\u30e1\u30a4\u30f3\u3068\u306e\u3064\u306a\u304c\u308a<\/em><\/p>\n<p>Godlua\u30de\u30eb\u30a6\u30a7\u30a2 \u30b5\u30f3\u30d7\u30eb\u304c\u8208\u5473\u6df1\u3044\u306e\u306f\u3001Rocke\u304cDoS\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u3082\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u30ad\u30c3\u30c8\u306b\u8ffd\u52a0\u3057\u305f\u8a3c\u62e0\u304c\u898b\u3089\u308c\u308b\u70b9\u3067\u3059\u3002\u540c\u30ec\u30dd\u30fc\u30c8\u306f\u3001Rocke\u304c\u7b2c3\u6bb5\u968e\u306e\u30de\u30eb\u30a6\u30a7\u30a2 \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u8ffd\u52a0\u3059\u308b\u3053\u3068\u306b\u3088\u308a\u30013\u756a\u76ee\u306eC2\u30ea\u30af\u30a8\u30b9\u30c8\u3092c.heheda[.]tk\u306a\u3044\u3057c.cloudappconfig[.]com\u306b\u5bfe\u3057\u3066\u5b9f\u884c\u3057\u3001\u305d\u3053\u304b\u3089Godlua\u3068\u547c\u3070\u308c\u308bLUA\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u3068\u3044\u3046\u8a3c\u62e0\u3092\u63d0\u4f9b\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306b\u3088\u308a\u3001Rocke\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3 
playbook appears to have gained modular functionality. In addition to the DoS capability, the Godlua malware adds the following new functions:<\/p>\n<ul>\n<li>HANDSHAKE<\/li>\n<li>HEARTBEAT<\/li>\n<li>LUA<\/li>\n<li>SHELL<\/li>\n<li>UPGRADE<\/li>\n<li>QUIT<\/li>\n<li>SHELL2<\/li>\n<li>PROXY<\/li>\n<\/ul>\n<p>The Godlua report also provides evidence that Rocke added LUA switching functionality. According to the same report, the actor appears to have carried out a DoS attack against the domain www.liuxiaobei[.]com. At the time of writing, that domain does not resolve to any known system. What role the remaining functions of the third-stage malware play is currently unknown. However, the presence of options such as \"Shell\", \"Shell2\", \"Upgrade\" and \"Proxy\" indicates that this malware is the forerunner of a modular system agent, one that could in future flexibly carry out cyber operations beyond cryptocurrency mining and data destruction.<\/p>\n<h4><a id=\"post-99064-_gkp7vdc44u2b\"><\/a>Hunting for Rocke in NetFlow<\/h4>\n<p>Unit 42 researchers found that 28.1% of the cloud environments investigated had at least one active communication session with a known Rocke C2 domain (as of this writing). These communication sessions occurred almost daily at multiple organizations from at least December 2018 up to the time of writing. This identification was made possible by capturing NetFlow traffic at the organization and cloud edge.<\/p>\n<p>Unit 
42 researchers discovered the Rocke communications by analyzing the patterns of Rocke's TTPs, taking the IP addresses in use during a specific period together with the known Rocke domains that resolved to them, and querying network traffic for those resolved IP addresses and for 104.238.151[.]101, a hard-coded IP address associated with Rocke.<\/p>\n<p>A hard-coded IP address is strong evidence that communications originating inside an organization's network are related to known malicious network traffic. As of this writing, a reverse lookup of 104.238.151[.]101 is known to return the following URLs from January 1, 2019 onward:<\/p>\n<ul>\n<li>c.cloudappconfig[.]com<\/li>\n<li>d.cloudappconfig[.]com<\/li>\n<li>f.cloudappconfig[.]com<\/li>\n<li>img0.cloudappconfig[.]com<\/li>\n<li>img2.cloudappconfig[.]com<\/li>\n<li>v.cloudappconfig[.]com<\/li>\n<li>c.heheda[.]tk<\/li>\n<li>d.heheda[.]tk<\/li>\n<li>dd.heheda[.]tk<\/li>\n<\/ul>\n<p>These URLs match those reported in both the Godlua and the Reddit reports, so every connection to this IP address should be regarded as malicious. Unit 42 researchers identified 411 unique connections from four monitored organizations. Each of those organizations made eight or more fully established network connections to the IP address 104.238.151[.]101. The connections from each organization persisted only for a very short time. The longest delta between the first and the last connection was five days, observed in Organization 1; the shortest delta was one hour, for a single connection observed in Organization 4 (see Table 2).<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Organization<\/strong><\/td>\n<td><strong>Destination IP<\/strong><\/td>\n<td><strong>Total connections<\/strong><\/td>\n<td><strong>First seen<\/strong><\/td>\n<td><strong>Last seen<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>104.238.151[.]101<\/td>\n<td>76<\/td>\n<td>4\/12\/19 3:00 
AM<\/td>\n<td>4\/17\/19 8:00 AM<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>104.238.151[.]101<\/td>\n<td>160<\/td>\n<td>4\/13\/19 7:00 AM<\/td>\n<td>4\/15\/19 3:00 PM<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>104.238.151[.]101<\/td>\n<td>167<\/td>\n<td>4\/13\/19 7:00 AM<\/td>\n<td>4\/16\/19 10:00 AM<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>104.238.151[.]101<\/td>\n<td>8<\/td>\n<td>5\/10\/19 9:00 PM<\/td>\n<td>5\/10\/19 9:00 PM<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 2. Connections from the organizations to the hard-coded IP address 104.238.151[.]101<\/em><\/p>\n<p>Pivoting from 104.238.151[.]101, these four organizations were found to be connecting to other known Rocke domains as well. Organization 1 connected to three Rocke domains between April 12 and May 31, 2019, with 290 unique sessions. Organization 4 connected to seven Rocke domains between March 20 and May 15, 2019, with 8,231 unique sessions. As Table 3 shows, during the same period in which their connections to the hard-coded IP address 104.238.151[.]101 were observed, these four organizations were connecting to one or more of the seven known Rocke domains. This strongly suggests that the domains heheda[.]tk and cloudappconfig[.]com are tied to Rocke, and that Rocke's third-stage malware was already available at that time.<\/p>\n<table>\n<tbody>\n<tr>\n<td><strong>Organization<\/strong><\/td>\n<td><strong>Destination Domain<\/strong><\/td>\n<td><strong>Destination IP<\/strong><\/td>\n<td><strong>Total connections<\/strong><\/td>\n<td><strong>First seen<\/strong><\/td>\n<td><strong>Last seen<\/strong><\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td><strong>heheda[.]tk | cloudappconfig[.]com<\/strong><\/td>\n<td><strong>104.238.151[.]101<\/strong><\/td>\n<td>76<\/td>\n<td>4\/12\/19 3:00 AM<\/td>\n<td>4\/17\/19 8:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>sowcar[.]com<\/td>\n<td>125.74.45[.]101<\/td>\n<td>4<\/td>\n<td>4\/12\/19 2:00 PM<\/td>\n<td>4\/12\/19 2:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>27.221.54[.]252<\/td>\n<td>2<\/td>\n<td>4\/13\/19 4:00 AM<\/td>\n<td>4\/13\/19 4:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>systemten[.]org<\/td>\n<td>104.248.53[.]213<\/td>\n<td>202<\/td>\n<td>4\/10\/19 12:00 PM<\/td>\n<td>5\/31\/19 6:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>w2wz[.]cn<\/td>\n<td>113.96.98[.]113<\/td>\n<td>2<\/td>\n<td>4\/12\/19 2:00 PM<\/td>\n<td>4\/12\/19 2:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>125.74.45[.]101<\/td>\n<td>4<\/td>\n<td>4\/12\/19 2:00 PM<\/td>\n<td>4\/12\/19 2:00 
PM<\/td>\n<\/tr>\n<tr>\n<td><strong><em>Total for Organization 1<\/em><\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<td><strong><em>290<\/em><\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>baocanwh[.]cn<\/td>\n<td>104.31.92[.]26<\/td>\n<td>8<\/td>\n<td>4\/25\/19 3:00 AM<\/td>\n<td>4\/25\/19 3:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>heheda[.]tk<\/td>\n<td>104.18.58[.]79<\/td>\n<td>26<\/td>\n<td>4\/14\/19 6:00 AM<\/td>\n<td>4\/15\/19 3:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>heheda[.]tk<\/td>\n<td>104.18.59[.]79<\/td>\n<td>22<\/td>\n<td>4\/14\/19 6:00 AM<\/td>\n<td>4\/15\/19 2:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><strong>heheda[.]tk | cloudappconfig[.]com<\/strong><\/td>\n<td><strong>104.238.151[.]101<\/strong><\/td>\n<td>160<\/td>\n<td>4\/13\/19 7:00 AM<\/td>\n<td>4\/15\/19 2:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>sowcar[.]com<\/td>\n<td>104.31.68[.]79<\/td>\n<td>77<\/td>\n<td>3\/20\/19 11:00 PM<\/td>\n<td>4\/3\/19 4:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.31.69[.]79<\/td>\n<td>70<\/td>\n<td>3\/20\/19 7:00 AM<\/td>\n<td>4\/10\/19 9:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>125.74.45[.]101<\/td>\n<td>6<\/td>\n<td>4\/12\/19 1:00 PM<\/td>\n<td>4\/12\/19 2:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>27.221.54[.]252<\/td>\n<td>6<\/td>\n<td>4\/13\/19 4:00 AM<\/td>\n<td>4\/13\/19 4:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>systemten[.]org<\/td>\n<td>104.248.53[.]213<\/td>\n<td>92<\/td>\n<td>4\/11\/19 5:00 PM<\/td>\n<td>4\/15\/19 3:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>w2wz[.]cn<\/td>\n<td>113.96.98[.]113<\/td>\n<td>9<\/td>\n<td>4\/12\/19 2:00 PM<\/td>\n<td>4\/12\/19 6:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>122.246.20[.]201<\/td>\n<td>8<\/td>\n<td>4\/22\/19 7:00 AM<\/td>\n<td>4\/22\/19 8:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>125.74.45[.]101<\/td>\n<td>6<\/td>\n<td>4\/12\/19 1:00 PM<\/td>\n<td>4\/12\/19 2:00 
PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>z9ls[.]com<\/td>\n<td>104.31.80[.]164<\/td>\n<td>2<\/td>\n<td>4\/14\/19 11:00 AM<\/td>\n<td>4\/14\/19 11:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.31.81[.]164<\/td>\n<td>4<\/td>\n<td>4\/15\/19 3:00 AM<\/td>\n<td>4\/15\/19 1:00 PM<\/td>\n<\/tr>\n<tr>\n<td><strong><em>Total for Organization 2<\/em><\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<td><strong><em>496<\/em><\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>heheda[.]tk<\/td>\n<td>104.18.58[.]79<\/td>\n<td>14<\/td>\n<td>4\/14\/19 11:00 AM<\/td>\n<td>4\/16\/19 10:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>heheda[.]tk<\/td>\n<td>104.18.59[.]79<\/td>\n<td>14<\/td>\n<td>4\/14\/19 11:00 AM<\/td>\n<td>4\/16\/19 10:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><strong>heheda[.]tk | cloudappconfig[.]com<\/strong><\/td>\n<td><strong>104.238.151[.]101<\/strong><\/td>\n<td>167<\/td>\n<td>4\/13\/19 7:00 AM<\/td>\n<td>4\/16\/19 10:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>sowcar[.]com<\/td>\n<td>104.31.68[.]79<\/td>\n<td>2<\/td>\n<td>4\/10\/19 9:00 AM<\/td>\n<td>4\/10\/19 9:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>systemten[.]org<\/td>\n<td>104.248.53[.]213<\/td>\n<td>214<\/td>\n<td>4\/10\/19 9:00 AM<\/td>\n<td>4\/19\/19 9:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>z9ls[.]com<\/td>\n<td>104.31.80[.]164<\/td>\n<td>106<\/td>\n<td>4\/14\/19 9:00 AM<\/td>\n<td>4\/18\/19 3:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.31.81[.]164<\/td>\n<td>108<\/td>\n<td>4\/14\/19 9:00 AM<\/td>\n<td>4\/18\/19 3:00 AM<\/td>\n<\/tr>\n<tr>\n<td><strong><em>Total for Organization 3<\/em><\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<td><strong><em>625<\/em><\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>baocanwh[.]cn<\/td>\n<td>104.18.38[.]253<\/td>\n<td>136<\/td>\n<td>4\/26\/19 9:00 PM<\/td>\n<td>4\/27\/19 3:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.18.39[.]253<\/td>\n<td>152<\/td>\n<td>4\/26\/19 10:00 
PM<\/td>\n<td>4\/28\/19 3:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.31.92[.]26<\/td>\n<td>184<\/td>\n<td>4\/22\/19 9:00 AM<\/td>\n<td>4\/26\/19 6:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.31.93[.]26<\/td>\n<td>170<\/td>\n<td>4\/22\/19 9:00 AM<\/td>\n<td>4\/26\/19 6:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>119.28.48[.]240<\/td>\n<td>176<\/td>\n<td>4\/27\/19 1:00 PM<\/td>\n<td>4\/28\/19 10:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>gwjyhs[.]com<\/td>\n<td>104.27.138[.]191<\/td>\n<td>256<\/td>\n<td>4\/28\/19 11:00 AM<\/td>\n<td>5\/9\/19 10:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.27.139[.]191<\/td>\n<td>256<\/td>\n<td>4\/28\/19 10:00 AM<\/td>\n<td>5\/12\/19 5:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><strong>heheda[.]tk | cloudappconfig[.]com<\/strong><\/td>\n<td><strong>104.238.151[.]101<\/strong><\/td>\n<td>8<\/td>\n<td>5\/10\/19 9:00 PM<\/td>\n<td>5\/10\/19 9:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>sowcar[.]com<\/td>\n<td>104.31.68[.]79<\/td>\n<td>437<\/td>\n<td>3\/20\/19 7:00 AM<\/td>\n<td>4\/10\/19 2:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.31.69[.]79<\/td>\n<td>441<\/td>\n<td>3\/20\/19 2:00 PM<\/td>\n<td>4\/10\/19 2:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>27.221.54[.]252<\/td>\n<td>8<\/td>\n<td>4\/13\/19 4:00 AM<\/td>\n<td>4\/13\/19 4:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>systemten[.]org<\/td>\n<td>104.31.93[.]233<\/td>\n<td>4<\/td>\n<td>4\/5\/19 2:00 AM<\/td>\n<td>4\/5\/19 3:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.31.92[.]233<\/td>\n<td>4<\/td>\n<td>4\/5\/19 2:00 AM<\/td>\n<td>4\/5\/19 3:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.248.53[.]213<\/td>\n<td>4761<\/td>\n<td>4\/3\/19 4:00 AM<\/td>\n<td>5\/15\/19 1:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>thyrsi[.]com<\/td>\n<td>103.52.216[.]35<\/td>\n<td>178<\/td>\n<td>4\/27\/19 8:00 AM<\/td>\n<td>5\/10\/19 1:00 
PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>w2wz[.]cn<\/td>\n<td>118.25.145[.]241<\/td>\n<td>12<\/td>\n<td>4\/13\/19 5:00 AM<\/td>\n<td>4\/13\/19 9:00 AM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td>z9ls[.]com<\/td>\n<td>104.31.80[.]164<\/td>\n<td>522<\/td>\n<td>4\/13\/19 9:00 AM<\/td>\n<td>4\/21\/19 2:00 PM<\/td>\n<\/tr>\n<tr>\n<td><\/td>\n<td><\/td>\n<td>104.31.81[.]164<\/td>\n<td>526<\/td>\n<td>4\/13\/19 6:00 AM<\/td>\n<td>4\/21\/19 2:00 PM<\/td>\n<\/tr>\n<tr>\n<td><strong><em>Total for Organization 4<\/em><\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<td><strong><em>8231<\/em><\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td><strong>Grand total<\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<td><strong>9642<\/strong><\/td>\n<td><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em>Table 3. Connections to all Rocke domains compared with connections to the IP address 104.238.151[.]101<\/em><\/p>\n<p>Unit 42 researchers then pivoted one step further from these findings and identified every visible connection from every monitored organization to every known Rocke domain. They found that 28.1% of the cloud environments had at least one fully established network connection to a known Rocke domain. The earliest observed connection was made on December 4, 2018, and connections continued until at least June 10, 2019; during that period there were 146 unique connections to the domains sowcar[.]com and w2wz[.]cn.<\/p>\n<h4><a id=\"post-99064-_x0is9lwv6iyt\"><\/a>Rocke's network traffic pattern<\/h4>\n<p>Finally, Unit 42 researchers tested whether the first-stage payload downloaded from Pastebin could be identified by correlating it against the NetFlow data. In total, 50 organizations were found to have network connections to Pastebin. Eight of these 50 organizations had made network connections to Pastebin within the same hour window as their connections to Rocke domains. Because NetFlow traffic can be broken down only to one-hour granularity, and because no full packet captures exist with which to confirm the nature of those network connections, the exact time at which each organization was compromised cannot be determined. However, the hour windows in which these network connections occurred can serve as an indicator of the key time windows to investigate further, should full packet captures be available.<\/p>\n<p>Looking at how Rocke network traffic appears in the NetFlow data, a clear pattern emerges (see Figure 2). A connection to Pastebin is established first, followed by a connection to a Rocke domain. As Figure 2 shows, this pattern repeats every hour. This is another indicator of the beaconing function, and of the presence, of a third-stage Rocke payload already installed on the cloud system. Figure 2 further shows a characteristic pattern in which the source system connects to Pastebin, then to the known Rocke domains z9ls[.]com and systemten[.]org, and connects to the hard-coded IP address 104.238.151[.]101 within the same hour window. This pattern points to the beaconing, or heartbeat-type, activity that the third-stage malware carries as one of its functions.<\/p>\n<p><img width=\"326\" height=\"546\"  class=\"wp-image-99068 aligncenter lozad\"  data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-47.png\" sizes=\"(max-width: 326px) 100vw, 326px\" srcset=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-47.png 326w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-47-179x300.png 179w\" \/><em>Figure 2. The characteristic Rocke NetFlow pattern<\/em><\/p>\n<h4><a 
id=\"post-99064-_55qkcj5n1lmf\"><\/a>\u56de\u907f\u30fb\u7de9\u548c\u7b56<\/h4>\n<p>\u30af\u30e9\u30a6\u30c9\u74b0\u5883\u5185\u3067\u306eRocke\u306e\u6d3b\u52d5\u3092\u6291\u3048\u308b\u306b\u306f\u6b21\u306e\u5bfe\u7b56\u3092\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u3059\u3079\u3066\u306e\u30af\u30e9\u30a6\u30c9 \u30b7\u30b9\u30c6\u30e0\u306e\u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u306b\u3064\u3044\u3066\u6700\u65b0\u30d1\u30c3\u30c1\u3092\u9069\u7528\u3057\u3001\u30d0\u30fc\u30b8\u30e7\u30f3\u3092\u66f4\u65b0\u3057\u307e\u3059\u3002<\/li>\n<li>\u3059\u3079\u3066\u306e\u30af\u30e9\u30a6\u30c9 \u30b7\u30b9\u30c6\u30e0\u306b\u6700\u65b0\u30d1\u30c3\u30c1\u304c\u9069\u7528\u3055\u308c\u3001\u66f4\u65b0\u6e08\u307f\u306e\u30af\u30e9\u30a6\u30c9 \u30c6\u30f3\u30d7\u30ec\u30fc\u30c8\u3092\u4f7f\u7528\u3067\u304d\u308b\u3088\u3046\u306a\u904b\u7528\u30b5\u30a4\u30af\u30eb\u3092\u7d44\u307f\u307e\u3059\u3002<\/li>\n<li>\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u3001\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3001\u30e6\u30fc\u30b6\u30fc\u306e\u3075\u308b\u307e\u3044\u306b\u3064\u3044\u3066\u306e\u30c1\u30a7\u30c3\u30af\u6a5f\u80fd\u3092\u6301\u3064\u30af\u30e9\u30a6\u30c9\u76e3\u8996\u88fd\u54c1\u3092\u8cfc\u5165\u30fb\u69cb\u6210\u3057\u307e\u3059\u3002<\/li>\n<li>\u30af\u30e9\u30a6\u30c9 \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u69cb\u6210\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30dd\u30ea\u30b7\u30fc\u3001\u30b0\u30eb\u30fc\u30d7\u3092\u30ec\u30d3\u30e5\u30fc\u3057\u3001\u305d\u308c\u3089\u304c\u73fe\u5728\u306e\u30b3\u30f3\u30d7\u30e9\u30a4\u30a2\u30f3\u30b9\u8981\u4ef6\u3092\u6e80\u305f\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/li>\n<li>\u30af\u30e9\u30a6\u30c9 
\u30b3\u30f3\u30c6\u30ca\u306e\u8106\u5f31\u6027\u30b9\u30ad\u30e3\u30ca\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/li>\n<li>\u30c9\u30e1\u30a4\u30f3\u3084IP\u30d6\u30e9\u30c3\u30af\u30ea\u30b9\u30c8\u306e\u6307\u6a19\u3092\u63d0\u4f9b\u3057\u3066\u304f\u308c\u308b\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u95a2\u9023\u306e\u30d5\u30a3\u30fc\u30c9\u3092\u3059\u3079\u3066\u66f4\u65b0\u3057\u307e\u3059\u3002<\/li>\n<li>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u88fd\u54c1\u3067\u5bfe\u7b56\u3092\u884c\u3046\u5834\u5408\u306f\u3001MineMeld\u306b\u3088\u308b\u8105\u5a01\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u30d5\u30a3\u30fc\u30c9\u3092\u8cfc\u5165\u30fb\u8cfc\u8aad\u3059\u308b\u304b\u3001\u6b21\u4e16\u4ee3\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u88fd\u54c1\u3067\u306f\u65e2\u77e5\u306eRocke\u30c9\u30e1\u30a4\u30f3\u3001IP\u30a2\u30c9\u30ec\u30b9\u3078\u306e\u63a5\u7d9a\u3092\u30d6\u30ed\u30c3\u30af\u3059\u308b\u3088\u3046\u306b\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/li>\n<li>\u65e2\u77e5\u306e\u60aa\u610f\u306e\u3042\u308b\u30c9\u30e1\u30a4\u30f3\u30fbIP\u30a2\u30c9\u30ec\u30b9\u3078\u306e\u63a5\u7d9a\u304c\u306a\u3044\u304b\u3069\u3046\u304b\u3001\u30af\u30e9\u30a6\u30c9 \u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u8abf\u67fb\u3057\u307e\u3059\u3002<\/li>\n<li>\u7d44\u7e54\u306e\u30af\u30e9\u30a6\u30c9\u74b0\u5883\u304b\u3089\u5916\u90e8\u306b\u51fa\u3066\u3044\u304f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af \u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u8abf\u3079\u3001\u30d3\u30fc\u30b3\u30f3\u578b\u306e\u3082\u306e\u304c\u306a\u3044\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<h3><a id=\"post-99064-_xptsusmoxflp\"><\/a>\u7d50\u8ad6<\/h3>\n<p>Rocke\u306f\u4e3b\u306b\u30d1\u30d6\u30ea\u30c3\u30af\u306a\u30af\u30e9\u30a6\u30c9 
\u30a4\u30f3\u30d5\u30e9\u3092\u5bfe\u8c61\u3068\u3057\u3066\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u3092\u884c\u3046\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3059\u3002\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u30c4\u30fc\u30eb\u306f\u9032\u5316\u3057\u3064\u3065\u3051\u3066\u304a\u308a\u30012016\u5e74\u30842017\u5e74\u306b\u516c\u958b\u3055\u308c\u305f\u8106\u5f31\u6027\u3092\u4f7f\u3063\u3066\u3001\u69cb\u6210\u304c\u4e0d\u9069\u5207\u306a\u30af\u30e9\u30a6\u30c9 \u30a4\u30f3\u30d5\u30e9\u3092\u60aa\u7528\u3057\u3066\u3044\u307e\u3059\u3002\u540c\u30b0\u30eb\u30fc\u30d7\u306f\u3072\u3068\u3068\u304a\u308a\u306e\u8abf\u67fb\u3067\u306f\u898b\u3064\u304b\u3089\u306a\u3044\u3088\u3046\u306a\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u4f7f\u7528\u3057\u3001\u30af\u30e9\u30a6\u30c9 \u30b7\u30b9\u30c6\u30e0\u306e\u7ba1\u7406\u30a2\u30af\u30bb\u30b9\u3092\u53d6\u5f97\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\u4fb5\u5bb3\u3055\u308c\u305f\u30b7\u30b9\u30c6\u30e0\u306f\u305d\u306e\u5f8cRocke\u306e\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305f\u65e2\u77e5\u306eIP\u30a2\u30c9\u30ec\u30b9\u306a\u3044\u3057Rocke\u6240\u6709\u306e\u30c9\u30e1\u30a4\u30f3\u306b\u5bfe\u3057\u3001\u4e88\u6e2c\u3068\u691c\u51fa\u304c\u53ef\u80fd\u306a\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u6d3b\u52d5\u3092\u958b\u59cb\u3057\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001\u6b21\u306e\u65b9\u6cd5\u3067\u3053\u306e\u8105\u5a01\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u672c\u7a3f\u3067\u8aac\u660e\u3057\u305f\u3059\u3079\u3066\u306eC2\u30c9\u30e1\u30a4\u30f3\u306fPAN-DB\u306eURL 
Filtering\u306b\u3088\u308a\u60aa\u610f\u306e\u3042\u308b\u3082\u306e\u3068\u3057\u3066\u9069\u5207\u306b\u5206\u985e\u3055\u308c\u307e\u3059\u3002<\/li>\n<li>web\u30b7\u30a7\u30eb\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3055\u308c\u305f\u3059\u3079\u3066\u306e\u9055\u6cd5\u306a\u30c4\u30fc\u30eb\u306f\u3001WildFire\u3068Traps\u306b\u3088\u3063\u3066\u60aa\u610f\u306e\u3042\u308b\u3082\u306e\u3068\u3057\u3066\u8b58\u5225\u3055\u308c\u307e\u3059\u3002<\/li>\n<li>ELF\u5f62\u5f0f\u3001PE\u5f62\u5f0f\u306e\u30de\u30eb\u30a6\u30a7\u30a2 \u30b7\u30b0\u30cd\u30c1\u30e3\u306f\u3001\u30a2\u30f3\u30c1\u30a6\u30a4\u30eb\u30b9\u6a5f\u80fd\u3092\u901a\u3058\u3066\u63d0\u4f9b\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/li>\n<\/ul>\n<p>AutoFocus\u3092\u304a\u4f7f\u3044\u306e\u304a\u5ba2\u69d8\u306f\u3001\u5f53\u8a72\u30b0\u30eb\u30fc\u30d7\u3092\u6b21\u306e\u30bf\u30b0\u3067\u3055\u3089\u306b\u8a73\u3057\u304f\u8abf\u67fb\u3067\u304d\u307e\u3059\u3002<\/p>\n<ul>\n<li><a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.IronCybercrimeGroup\">IronCybercrimeGroup<\/a><\/li>\n<li><a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.Xbash\">Xbash<\/a><\/li>\n<li><a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.Kerberods\">Kerberods<\/a><\/li>\n<li><a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.Godlua\">Godlua<\/a><\/li>\n<\/ul>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306f\u672c\u7a3f\u3067\u898b\u3064\u304b\u3063\u305f\u30d5\u30a1\u30a4\u30eb\u30b5\u30f3\u30d7\u30eb\u3084\u4fb5\u5bb3\u306e\u5146\u5019\u306a\u3069\u3092\u3075\u304f\u3080\u8abf\u67fb\u7d50\u679c\u3092Cyber Threat Alliance(CTA \u30b5\u30a4\u30d0\u30fc\u8105\u5a01\u30a2\u30e9\u30a4\u30a2\u30f3\u30b9)\u306e\u30e1\u30f3\u30d0\u30fc\u3068\u5171\u6709\u3057\u307e\u3057\u305f\u3002CTA 
\u306e\u30e1\u30f3\u30d0\u30fc\u306f\u3053\u306e\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u3092\u4f7f\u7528\u3057\u3066\u3001\u304a\u5ba2\u69d8\u306b\u4fdd\u8b77\u3092\u8fc5\u901f\u306b\u63d0\u4f9b\u3057\u3001\u60aa\u610f\u306e\u3042\u308b\u30b5\u30a4\u30d0\u30fc\u653b\u6483\u8005\u3092\u4f53\u7cfb\u7684\u306b\u963b\u5bb3\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002Cyber Threat Alliance\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001\u6b21\u306eWeb\u30b5\u30a4\u30c8\u3092\u3054\u89a7\u304f\u3060\u3055\u3044:\u00a0<a href=\"https:\/\/www.cyberthreatalliance.org\/\" data-page-track=\"true\" data-page-track-value=\"company:rockein-the-netflow: text:\u7d50\u8ad6:www.cyberthreatalliance.org\">www.cyberthreatalliance.org<\/a><\/p>\n<h4><a id=\"post-99064-_qv5u3h2ntgjw\"><\/a>IOC<\/h4>\n<h4><a id=\"post-99064-_4nbv9w1ahf5v\"><\/a>\u30c9\u30e1\u30a4\u30f3<\/h4>\n<ul style=\"list-style-type: disc;\">\n<li>sowcar[.]com<\/li>\n<li>thyrsi[.]com<\/li>\n<li>w2wz[.]cn<\/li>\n<li>baocangwh[.]cn<\/li>\n<li>z9ls[.]com<\/li>\n<li>gwjyhs[.]com<\/li>\n<li>heheda[.]tk<\/li>\n<li>cloudappconfig[.]com<\/li>\n<li>systemten[.]org<\/li>\n<\/ul>\n<h4><a id=\"post-99064-_lig5az0924n\"><\/a>IP \u30a2\u30c9\u30ec\u30b9<\/h4>\n<ul>\n<li>43.224.225[.]220<\/li>\n<li>67.21.64[.]34<\/li>\n<li>103.52.216[.]35<\/li>\n<li>104.248.53[.]213<\/li>\n<li>104.238.151[.]101<\/li>\n<li>198.204.231[.]250<\/li>\n<li>205.185.122[.]229<\/li>\n<\/ul>\n<h4><a id=\"post-99064-_udmcg6jp9wrl\"><\/a>\u30cf\u30c3\u30b7\u30e5\u5024<\/h4>\n<ul>\n<li>1608899ff3bd9983df375fd836464500f160f6305fcc35cfb64abbe94643c962<\/li>\n<li>28f92f36883b69e281882f19fec1d89190e913a4e301bfc5d80242b74fcba6fe<\/li>\n<li>a84283095e0c400c3c4fe61283eca6c13dd0a6157a57adf95ae1dcec491ec519<\/li>\n<li>6797018a6f29ce3d447bd3503372f78f9513d4648e5cd3ab5ab194a50c72b9c4<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u30a8\u30b0\u30bc\u30af\u30c6\u30a3\u30d6\u30b5\u30de\u30ea\u30fc Unit 
42\u306f6\u30f6\u6708\u304b\u3051\u3066\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u3092\u884c\u3044\u307e\u3057\u305f\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067<\/p>\n","protected":false},"author":317,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4326,4436,4434,4428],"tags":[6598,6331,5705],"product_categories":[],"coauthors":[1394],"class_list":["post-99271","post","type-post","status-publish","format-standard","hentry","category-cloud-cybersecurity-research","category-cloud-cybersecurity-research-ja","category-cybercrime-ja","category-threat-research-ja","tag-cloud-malware-agent","tag-netflow-ja","tag-rocke-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>NetFlow\u5185\u306eRocke\u63a2\u7d22<\/title>\n<meta name=\"description\" 
content=\"\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u5831\u544a\u3067\u3059\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3001\u8a73\u7d30\u306a\u8abf\u67fb\u7d50\u679c\u306f\u30ea\u30f3\u30af\u3057\u305f\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8\u304b\u3089\u3054\u89a7\u3044\u305f\u3060\u3051\u307e\u3059\u3002\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NetFlow\u5185\u3067\u653b\u6483\u30b0\u30eb\u30fc\u30d7Rocke\u3092\u63a2\u7d22\u3059\u308b\" \/>\n<meta property=\"og:description\" content=\"\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u5831\u544a\u3067\u3059\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3001\u8a73\u7d30\u306a\u8abf\u67fb\u7d50\u679c\u306f\u30ea\u30f3\u30af\u3057\u305f\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8\u304b\u3089\u3054\u89a7\u3044\u305f\u3060\u3051\u307e\u3059\u3002\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" 
\/>\n<meta property=\"article:published_time\" content=\"2019-08-01T13:00:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-09-05T04:29:42+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46.png\" \/>\n<meta name=\"author\" content=\"Nathaniel Quist\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"NetFlow\u5185\u3067\u653b\u6483\u30b0\u30eb\u30fc\u30d7Rocke\u3092\u63a2\u7d22\u3059\u308b\" \/>\n<meta name=\"twitter:description\" content=\"\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u5831\u544a\u3067\u3059\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3001\u8a73\u7d30\u306a\u8abf\u67fb\u7d50\u679c\u306f\u30ea\u30f3\u30af\u3057\u305f\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8\u304b\u3089\u3054\u89a7\u3044\u305f\u3060\u3051\u307e\u3059\u3002\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"NetFlow\u5185\u306eRocke\u63a2\u7d22","description":"\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u5831\u544a\u3067\u3059\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3001\u8a73\u7d30\u306a\u8abf\u67fb\u7d50\u679c\u306f\u30ea\u30f3\u30af\u3057\u305f\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8\u304b\u3089\u3054\u89a7\u3044\u305f\u3060\u3051\u307e\u3059\u3002","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/","og_locale":"ja_JP","og_type":"article","og_title":"NetFlow\u5185\u3067\u653b\u6483\u30b0\u30eb\u30fc\u30d7Rocke\u3092\u63a2\u7d22\u3059\u308b","og_description":"\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u5831\u544a\u3067\u3059\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3001\u8a73\u7d30\u306a\u8abf\u67fb\u7d50\u679c\u306f\u30ea\u30f3\u30af\u3057\u305f\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8\u304b\u3089\u3054\u89a7\u3044\u305f\u3060\u3051\u307e\u3059\u3002","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/","og_site_name":"Unit 
42","article_published_time":"2019-08-01T13:00:11+00:00","article_modified_time":"2019-09-05T04:29:42+00:00","og_image":[{"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46.png","type":"","width":"","height":""}],"author":"Nathaniel Quist","twitter_card":"summary_large_image","twitter_title":"NetFlow\u5185\u3067\u653b\u6483\u30b0\u30eb\u30fc\u30d7Rocke\u3092\u63a2\u7d22\u3059\u308b","twitter_description":"\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u5831\u544a\u3067\u3059\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3001\u8a73\u7d30\u306a\u8abf\u67fb\u7d50\u679c\u306f\u30ea\u30f3\u30af\u3057\u305f\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8\u304b\u3089\u3054\u89a7\u3044\u305f\u3060\u3051\u307e\u3059\u3002","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/"},"author":{"name":"Nathaniel Quist","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/6f4153adb969c91f103a21af22c5d1de"},"headline":"NetFlow\u5185\u306eRocke\u63a2\u7d22","datePublished":"2019-08-01T13:00:11+00:00","dateModified":"2019-09-05T04:29:42+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/"},"wordCount":678,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46.png","keywords":["Cloud Malware 
Agent","NetFlow","Rocke"],"articleSection":["Cloud Cybersecurity Research","\u30af\u30e9\u30a6\u30c9 \u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30ea\u30b5\u30fc\u30c1","\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/","name":"NetFlow\u5185\u306eRocke\u63a2\u7d22","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46.png","datePublished":"2019-08-01T13:00:11+00:00","dateModified":"2019-09-05T04:29:42+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/6f4153adb969c91f103a21af22c5d1de"},"description":"\u4e2d\u56fd\u3092\u62e0\u70b9\u3068\u3059\u308b\u30b5\u30a4\u30d0\u30fc\u72af\u7f6a\u30b0\u30eb\u30fc\u30d7Rocke\u306e\u8abf\u67fb\u5831\u544a\u3067\u3059\u3002Rocke\u306f\u30af\u30e9\u30a6\u30c9\u3092\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u3066\u6697\u53f7\u901a\u8ca8\u30de\u30a4\u30cb\u30f3\u30b0\u51e6\u7406\u3092\u884c\u3063\u3066\u3044\u308b\u6700\u3082\u60aa\u540d\u9ad8\u3044\u8105\u5a01\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3067\u3001\u8a73\u7d30\u306a\u8abf\u67fb\u7d50\u679c\u306f\u30ea\u30f3\u30af\u3057\u305f\u30af\u30e9\u30a6\u30c9\u8105\u5a01\u30ec\u30dd\u30fc\u30c8\u304b\u3089\u3054\u89a7\u3044\u305f\u3060\u3051\u307e\u3059\u3002","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/#breadcrumb"},"i
nLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/#primaryimage","url":"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46.png","contentUrl":"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2019\/07\/word-image-46.png"},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/rockein-the-netflow\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"NetFlow\u5185\u306eRocke\u63a2\u7d22"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/6f4153adb969c91f103a21af22c5d1de","name":"Nathaniel Quist","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/e1c6c4d2290a309ae8265f45775289cd","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/Nathaniel-Quist_Headshot-Insights-300x300.png","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/Nathaniel-Quist_Headshot-Insights-300x300.png","caption":"Nathaniel Quist"},"description":"Nathaniel Quist is the Manager of the Cloud Threat Intelligence Team for Cortex Cloud, where he collaborates with the Cortex and Unit 42 researchers to 
track threat actors targeting cloud platforms and services. He holds a Master of Science in Information Security Engineering from The SANS Institute and has authored several publications for Palo Alto Networks' Unit 42, Prisma Cloud, and the SANS InfoSec Reading Room. Outside of cloud threats, he enjoys puzzles, blockchain, and ranching.","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/nathaniel-quist\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/99271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/317"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=99271"}],"version-history":[{"count":6,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/99271\/revisions"}],"predecessor-version":[{"id":99318,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/99271\/revisions\/99318"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=99271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=99271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=99271"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=99271"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=99271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}