{"id":99619,"date":"2019-01-18T06:00:49","date_gmt":"2019-01-18T14:00:49","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=99619"},"modified":"2019-10-04T00:37:47","modified_gmt":"2019-10-04T07:37:47","slug":"darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/","title":{"rendered":"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03"},"content":{"rendered":"<div class=\"entry-content\">\n<p>2018\u5e74\u306e\u590f\u306b\u3001Unit 42\u306f\u3001\u79c1\u305f\u3061\u304cDarkHydrus\u3068\u540d\u4ed8\u3051\u305f\u653b\u6483\u8005\u306e\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u3001\u540c\u69d8\u306e\u6226\u7565\u3001\u30c4\u30fc\u30eb\u3001\u304a\u3088\u3073\u624b\u9806(TTP)\u3092\u4f7f\u7528\u3057\u305f\u4e2d\u6771\u3067\u306e\u4e00\u9023\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b<a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east\/\">\u30ec\u30dd\u30fc\u30c8<\/a>\u3092<a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government\">\u30ea\u30ea\u30fc\u30b9<\/a>\u3057\u307e\u3057\u305f\u3002\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30d9\u30f3\u30c0\u30fc\u307e\u305f\u306f\u30c6\u30af\u30ce\u30ed\u30b8 \u30d9\u30f3\u30c0\u30fc\u306e\u30c9\u30e1\u30a4\u30f3\u306e\u30bf\u30a4\u30d7\u30df\u30b9\u3092\u7121\u65ad\u3067\u767b\u9332\u3057(\u30bf\u30a4\u30dd\u30b9\u30af\u30ef\u30c3\u30c6\u30a3\u30f3\u30b0)\u3001\u30aa\u30fc\u30d7\u30f3\u30bd\u30fc\u30b9\u306e\u4fb5\u5165\u30c6\u30b9\u30c8 
\u30c4\u30fc\u30eb\u3092\u60aa\u7528\u3057\u3066\u3001\u5206\u6790\u56de\u907f\u30c6\u30af\u30cb\u30c3\u30af\u3068\u3057\u3066\u65b0\u3057\u3044\u30d5\u30a1\u30a4\u30eb \u30bf\u30a4\u30d7\u3092\u4f7f\u7528\u3059\u308b\u306a\u3069\u306e\u6226\u7565\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u306e\u304c\u89b3\u6e2c\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n<p>\u3053\u306e\u6700\u521d\u306e\u30ec\u30dd\u30fc\u30c8\u4ee5\u964d\u3001DarkHydrus\u306e\u65b0\u3057\u3044\u6d3b\u52d5\u306f\u89b3\u6e2c\u3055\u308c\u3066\u3044\u307e\u305b\u3093\u3067\u3057\u305f\u3002\u305d\u3057\u3066\u3001\u6700\u8fd1\u306b\u306a\u3063\u3066360TIC\u304c\u3001DarkHydrus\u306b\u3088\u308b\u3082\u306e\u3068\u601d\u308f\u308c\u308b\u914d\u5e03\u6587\u66f8\u306b\u95a2\u3059\u308b\u30c4\u30a4\u30fc\u30c8\u3068<a href=\"https:\/\/ti.360.net\/blog\/articles\/latest-target-attack-of-darkhydruns-group-against-middle-east-en\/\">\u7d9a\u304d\u306e\u8abf\u67fb\u7d50\u679c<\/a>\u3092\u516c\u958b\u3057\u307e\u3057\u305f\u3002\u79c1\u305f\u3061\u306f\u3001\u914d\u5e03\u6587\u66f8\u306e\u5206\u6790\u30d7\u30ed\u30bb\u30b9\u306b\u304a\u3044\u3066\u3001\u8ffd\u52a0\u306e\u95a2\u9023\u30b5\u30f3\u30d7\u30eb\u3092\u53ce\u96c6\u3057\u3001Google\u30c9\u30e9\u30a4\u30d6API\u306e\u4f7f\u7528\u3092\u306f\u3058\u3081\u3068\u3059\u308b\u30da\u30a4\u30ed\u30fc\u30c9\u306e\u8ffd\u52a0\u6a5f\u80fd\u3092\u660e\u3089\u304b\u306b\u3057\u3066\u3001DarkHydrus\u306b\u3088\u308b\u3082\u306e\u3067\u3042\u308b\u53ef\u80fd\u6027\u304c\u975e\u5e38\u306b\u9ad8\u3044\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3057\u305f\u3002\u5206\u6790\u7d50\u679c\u306fGoogle\u306b\u901a\u77e5\u6e08\u307f\u3067\u3059\u3002<\/p>\n<h2><span style=\"color: 
#000000;\">\u914d\u5e03\u6587\u66f8<\/span><\/h2>\n<p>\u79c1\u305f\u3061\u306f\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99acRogueRobin\u306e\u65b0\u3057\u3044\u4e9c\u7a2e\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308bDarkHydrus\u306e\u914d\u5e03\u6587\u66f8\u3092\u5408\u8a083\u3064\u53ce\u96c6\u3057\u307e\u3057\u305f\u3002\u3053\u308c\u30893\u3064\u306e\u6587\u66f8\u306f\u3001\u975e\u5e38\u306b\u3088\u304f\u4f3c\u3066\u304a\u308a\u3001\u3044\u305a\u308c\u3082\u30de\u30af\u30ed\u306b\u3088\u308a\u6709\u52b9\u5316\u3055\u308c\u308b\u3001.xlsm\u3068\u3044\u3046\u30d5\u30a1\u30a4\u30eb\u62e1\u5f35\u5b50\u306eExcel\u6587\u66f8\u3067\u3057\u305f\u3002\u56f31\u306b\u793a\u3059\u3088\u3046\u306b\u3001\u65e2\u77e5\u306e\u6587\u66f8\u306e\u3044\u305a\u308c\u306b\u3082\u3001\u30de\u30af\u30ed\u3092\u5b9f\u884c\u3059\u308b\u305f\u3081\u306b\u5fc5\u8981\u306a\u3001\u30b3\u30f3\u30c6\u30f3\u30c4\u306e\u6709\u52b9\u5316\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3059\u308b\u3088\u3046\u53d7\u4fe1\u8005\u306b\u6307\u793a\u3059\u308b\u30eb\u30a2\u30fc\u753b\u50cf\u3084\u30e1\u30c3\u30bb\u30fc\u30b8\u306f\u542b\u307e\u308c\u3066\u3044\u307e\u305b\u3093\u3002\u79c1\u305f\u3061\u306f\u914d\u5e03\u30e1\u30ab\u30cb\u30ba\u30e0\u306b\u3064\u3044\u3066\u306f\u78ba\u8a8d\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f\u304c\u3001\u30b3\u30f3\u30c6\u30f3\u30c4\u306e\u6709\u52b9\u5316\u30dc\u30bf\u30f3\u3092\u30af\u30ea\u30c3\u30af\u3059\u308b\u6307\u793a\u306f\u3001\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u96fb\u5b50\u30e1\u30fc\u30eb\u306e\u672c\u6587\u5185\u306a\u3069\u3001\u914d\u5e03\u6642\u306b\u63d0\u4f9b\u3055\u308c\u305f\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3082\u306e\u3068\u601d\u308f\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_96153\" aria-describedby=\"caption-attachment-96153\" style=\"width: 747px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure1.png\" 
rel=\"wpdevart_lightbox\"><img  class=\"wp-image-96153 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure1.png\" sizes=\"(max-width: 747px) 100vw, 747px\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure1.png 1338w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure1-300x92.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure1-768x235.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure1-1024x314.png 1024w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure1-874x268.png 874w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure1-370x113.png 370w\" alt=\"\u56f31 DarkHydrus\u306e\u914d\u5e03\u6587\u66f8\u306b\u306f\u30eb\u30a2\u30fc\u753b\u50cf\u3084\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u306a\u3044\" width=\"747\" height=\"229\" \/><\/a><figcaption id=\"caption-attachment-96153\" class=\"wp-caption-text\">\u56f31 DarkHydrus\u306e\u914d\u5e03\u6587\u66f8\u306b\u306f\u30eb\u30a2\u30fc\u753b\u50cf\u3084\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u306a\u3044<span style=\"text-align: center; font-size: 16px;\"> 
\u00a0\u00a0<\/span><\/figcaption><\/figure>\n<p>\u79c1\u305f\u3061\u306f\u3001\u914d\u5e03\u30e1\u30ab\u30cb\u30ba\u30e0\u4ee5\u5916\u306b\u3001\u3053\u308c\u3089\u306e\u914d\u5e03\u6587\u66f8\u304c\u653b\u6483\u306b\u4f7f\u7528\u3055\u308c\u305f\u6b63\u78ba\u306a\u6642\u523b\u306b\u3064\u3044\u3066\u3082\u78ba\u8a8d\u3067\u304d\u3066\u3044\u307e\u305b\u3093\u3002\u305f\u3060\u3057\u3001\u3053\u308c\u30893\u3064\u306e\u914d\u5e03\u6587\u66f8\u5185\u3067\u89b3\u6e2c\u3055\u308c\u305f\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u306b\u3088\u3063\u3066\u3001DarkHydrus\u306e\u653b\u6483\u8005\u304c\u305d\u308c\u3089\u3092\u3044\u3064\u4f5c\u6210\u3057\u305f\u304b\u304c\u308f\u304b\u308a\u307e\u3059\u3002\u4f5c\u6210\u6642\u523b\u306e\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u306f\u3001\u60aa\u610f\u306e\u3042\u308b\u6587\u66f8\u3067\u3088\u304f\u898b\u3089\u308c\u308b\u30c7\u30d5\u30a9\u30eb\u30c8\u6642\u523b\u306e2006-09-16 00:00:00Z\u3067\u3057\u305f\u304c\u3001\u6700\u7d42\u5909\u66f4\u6642\u523b\u304c\u307e\u3060\u78ba\u8a8d\u53ef\u80fd\u3067\u3001DarkHydrus\u304c\u3053\u308c\u3089\u306e\u6587\u66f8\u30922018\u5e7412\u6708\u30682019\u5e741\u6708\u306b\u4f5c\u6210\u3057\u305f\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u88681\u306f\u3001\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u3068\u305d\u308c\u306b\u95a2\u9023\u3059\u308b\u30b5\u30f3\u30d7\u30eb \u30cf\u30c3\u30b7\u30e5\u306e\u8a73\u7d30\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<table class=\"table table-bordered table-striped\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"width: 557px;\"><b>SHA256<\/b><\/td>\n<td style=\"width: 169px;\"><b>\u6700\u7d42\u5909\u66f4\u65e5\u6642<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 557px;\">e068c6536bf353abe249ad0464c58fb85d7de25223442dd220d64116dbf1e022<\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 169px;\">2018-12-15T05:14:32Z<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td 
style=\"width: 557px;\">4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8<\/td>\n<td style=\"width: 169px;\">2018-12-23T05:45:43Z<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 557px;\">513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8<\/p>\n<p>&nbsp;<\/td>\n<td style=\"width: 169px;\">2019-01-08T06:51:21Z<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: left;\"><i>\u88681 \u914d\u5e03\u6587\u66f8\u306e\u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7<\/i><\/p>\n<p>Workbook_Open\u30b5\u30d6\u30eb\u30fc\u30c1\u30f3\u306b\u3088\u308a\u3001\u30b3\u30f3\u30c6\u30f3\u30c4\u306e\u6709\u52b9\u5316\u30dc\u30bf\u30f3\u304c\u62bc\u3055\u308c\u308b\u3068\u3059\u3050\u306b\u30de\u30af\u30ed\u304c\u5b9f\u884c\u3055\u308c\u3001\u653b\u6483\u8005\u304c\u4f5c\u6210\u3057\u305fNew_Macro\u95a2\u6570\u304c\u547c\u3073\u51fa\u3055\u308c\u307e\u3059\u3002New_Macro\u95a2\u6570\u306f\u3001\u6700\u521d\u306b\u8907\u6570\u306e\u6587\u5b57\u5217\u3092\u9023\u7d50\u3057\u3066\u3001\u30d5\u30a1\u30a4\u30eb%TEMP%\\WINDOWSTEMP.ps1\u306b\u66f8\u304d\u8fbc\u307e\u308c\u308bPowerShell\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u3053\u306e\u95a2\u6570\u306f\u3001\u8907\u6570\u306e\u6587\u5b57\u5217\u3092\u9023\u7d50\u3057\u30662\u756a\u76ee\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u5185\u5bb9\u3092\u4f5c\u6210\u3057\u307e\u3059\u304c\u3001\u3053\u306e2\u756a\u76ee\u306e\u30d5\u30a1\u30a4\u30eb\u306f.sct\u30d5\u30a1\u30a4\u30eb\u3067\u3001\u30d5\u30a1\u30a4\u30eb%TEMP%\\12-B-366.txt\u306b\u66f8\u304d\u8fbc\u307e\u308c\u307e\u3059\u3002.sct\u30d5\u30a1\u30a4\u30eb\u306f\u3001\u591a\u304f\u306e\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u4f7f\u7528\u3055\u308c\u307e\u3059\u304c\u3001\u3053\u3053\u3067\u306fWindows\u30b9\u30af\u30ea\u30d7\u30c8 \u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8 
\u30d5\u30a1\u30a4\u30eb\u3068\u3057\u3066\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002\u6b21\u306b\u3053\u306e\u95a2\u6570\u306f\u3001\u7d44\u307f\u8fbc\u307fShell\u95a2\u6570\u3092\u4f7f\u7528\u3057\u3066\u3001\u6b21\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3001\u5b9f\u969b\u306b\u306f12-B-366.txt\u306b\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b.sct\u30d5\u30a1\u30a4\u30eb\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/p>\n<pre><code style=\"font-family: Menlo, Consolas, 'DejaVu Sans Mono', monospace; font-size: 80%; color: #aa0000;\">regsvr32.exe \/s \/n \/u \/i:%TEMP%\\12-B-366.txt scrobj.dll<\/code><\/pre>\n<p>\u6b63\u898f\u306eregsvr32.exe\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u4f7f\u7528\u3057\u305f.sct\u30d5\u30a1\u30a4\u30eb\u306e\u5b9f\u884c\u306f\u3001Casey Smith (<a href=\"https:\/\/twitter.com\/subTee\">@subtee<\/a>)\u304c\u6700\u521d\u306b\u767a\u898b\u3057\u305f\u3001AppLocker\u3092\u30d0\u30a4\u30d1\u30b9\u3059\u308b\u305f\u3081\u306e\u6280\u6cd5\u3068\u3057\u3066\u7528\u3044\u3089\u308c\u3066\u3044\u307e\u3057\u305f\u304c\u3001\u6700\u7d42\u7684\u306b\u306f<a 
href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/server\/regsvr32_command_delivery_server.rb\">Metasploit\u306e\u30e2\u30b8\u30e5\u30fc\u30eb<\/a>\u304c\u4f5c\u6210\u3055\u308c\u307e\u3057\u305f\u3002WINDOWSTEMP.ps1\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001base64\u3092\u4f7f\u7528\u3057\u3066\u57cb\u3081\u8fbc\u307f\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u3092\u30c7\u30b3\u30fc\u30c9\u3057\u3001System.IO.Compression.GzipStream\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3067\u305d\u308c\u3092\u89e3\u51cd\u3059\u308b\u30c9\u30ed\u30c3\u30d1\u3067\u3059\u3002\u3053\u306e\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u3001\u30c7\u30b3\u30fc\u30c9\u3055\u308c\u3066\u89e3\u51cd\u3055\u308c\u305f\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u3092%APPDATA%\\Microsoft\\Windows\\Templates\\WindowsTemplate.exe\u306b\u4fdd\u5b58\u3057\u3001%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk\u306bLNK\u306e\u30b7\u30e7\u30fc\u30c8\u30ab\u30c3\u30c8\u3092\u4f5c\u6210\u3057\u3066\u3001Windows\u3092\u8d77\u52d5\u3059\u308b\u305f\u3073\u306bWindowsTemplate.exe\u3092\u5b9f\u884c\u3057\u7d9a\u3051\u307e\u3059\u3002WindowsTemplate.exe\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u306f\u3001C#\u3067\u8a18\u8ff0\u3055\u308c\u305fRogueRobin\u306e\u65b0\u3057\u3044\u4e9c\u7a2e\u3067\u3059\u3002<\/p>\n<h2><span style=\"color: #000000;\">RogueRobin 
.NET\u30da\u30a4\u30ed\u30fc\u30c9<\/span><\/h2>\n<p>DarkHydrus\u306b\u95a2\u3059\u308b\u79c1\u305f\u3061\u306e\u4ee5\u524d\u306e\u30d6\u30ed\u30b0\u3067\u306f\u3001PowerShell\u3092\u30d9\u30fc\u30b9\u3068\u3057\u305f\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u5206\u6790\u3057\u3001RogueRobin\u3068\u540d\u4ed8\u3051\u307e\u3057\u305f\u3002\u4e00\u65b9\u3001.sct\u30d5\u30a1\u30a4\u30eb\u306eAppLocker\u30d0\u30a4\u30d1\u30b9\u6280\u6cd5\u3092\u4f7f\u7528\u3057\u305f\u914d\u5e03\u6587\u66f8\u3092\u5206\u6790\u3059\u308b\u3068\u3001C#\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u304c\u5143\u306eRogueRobin\u306e\u30da\u30a4\u30ed\u30fc\u30c9\u3068\u6a5f\u80fd\u7684\u306b\u4f3c\u3066\u3044\u308b\u3053\u3068\u306b\u6c17\u4ed8\u304d\u307e\u3057\u305f\u3002RogueRobin\u306ePowerShell\u3068C#\u306e\u4e9c\u7a2e\u306b\u985e\u4f3c\u6027\u304c\u3042\u308b\u3053\u3068\u304b\u3089\u3001DarkHydrus\u30b0\u30eb\u30fc\u30d7\u304c\u30b3\u30f3\u30d1\u30a4\u30eb\u3055\u308c\u305f\u4e9c\u7a2e\u306b\u30b3\u30fc\u30c9\u3092\u79fb\u690d\u3057\u305f\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3059\u3002<\/p>\n<p>RogueRobin\u306eC#\u306e\u4e9c\u7a2e\u306f\u3001\u305d\u306e\u4e9c\u7a2e\u304c\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u74b0\u5883\u3067\u5b9f\u884c\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u898b\u7834\u308b\u305f\u3081\u306b\u3001PowerShell\u306e\u4e9c\u7a2e\u3068\u540c\u3058\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u88682\u306b\u793a\u3059\u4e00\u9023\u306e\u30b3\u30de\u30f3\u30c9\u306b\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u4e0a\u3067\u5b9f\u884c\u3055\u308c\u308b\u4e00\u822c\u7684\u306a\u5206\u6790\u30c4\u30fc\u30eb\u306e\u30c1\u30a7\u30c3\u30af\u306e\u307b\u304b\u306b\u3001\u4eee\u60f3\u5316\u3055\u308c\u305f\u74b0\u5883\u3001\u30e1\u30e2\u30ea\u4e0d\u8db3\u3001\u30d7\u30ed\u30bb\u30c3\u30b5 
\u30ab\u30a6\u30f3\u30c8\u306e\u30c1\u30a7\u30c3\u30af\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u30c7\u30d0\u30c3\u30ac\u304c\u30d7\u30ed\u30bb\u30b9\u306b\u63a5\u7d9a\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3082\u30c1\u30a7\u30c3\u30af\u3057\u3001\u30c7\u30d0\u30c3\u30ac\u306e\u5b58\u5728\u3092\u691c\u51fa\u3059\u308b\u3068\u7d42\u4e86\u3057\u307e\u3059\u3002<\/p>\n<table class=\"table table-bordered table-striped\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"width: 335px;\"><b><br \/>\nPowerShell\u30b3\u30de\u30f3\u30c9<\/b><\/td>\n<td style=\"width: 385px;\"><b>\u8aac\u660e<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">'gwmi -query \"select * from win32_BIOS where SMBIOSBIOSVERSION LIKE '%VBOX%'\"<\/td>\n<td style=\"width: 385px;\">win32_BIOS WMI\u30af\u30e9\u30b9\u304b\u3089VirtualBox\u74b0\u5883\u306e\u691c\u51fa\u3092\u8a66\u307f\u308b\u30af\u30a8\u30ea<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">gwmi -query \"select * from win32_BIOS where SMBIOSBIOSVERSION LIKE '%bochs%'\"<\/td>\n<td style=\"width: 385px;\">win32_BIOS WMI\u30af\u30e9\u30b9\u304b\u3089Bochs\u74b0\u5883\u306e\u691c\u51fa\u3092\u8a66\u307f\u308b\u30af\u30a8\u30ea<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">gwmi -query \"select * from win32_BIOS where SMBIOSBIOSVERSION LIKE '%qemu%'\"<\/td>\n<td style=\"width: 385px;\">win32_BIOS WMI\u30af\u30e9\u30b9\u304b\u3089QEMU\u74b0\u5883\u306e\u691c\u51fa\u3092\u8a66\u307f\u308b\u30af\u30a8\u30ea<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">gwmi -query \"select * from win32_BIOS where SMBIOSBIOSVERSION LIKE '%VirtualBox%'\"<\/td>\n<td style=\"width: 385px;\">win32_BIOS WMI\u30af\u30e9\u30b9\u304b\u3089VirtualBox\u74b0\u5883\u306e\u691c\u51fa\u3092\u8a66\u307f\u308b\u30af\u30a8\u30ea<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">gwmi -query \"select * from win32_BIOS where SMBIOSBIOSVERSION LIKE 
'%VM%'\"<\/td>\n<td style=\"width: 385px;\">win32_BIOS WMI\u30af\u30e9\u30b9\u304b\u3089VMWare\u74b0\u5883\u306e\u691c\u51fa\u3092\u8a66\u307f\u308b\u30af\u30a8\u30ea<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">gwmi -query \"Select * from win32_BIOS where Manufacturer LIKE '%XEN%'\"<\/td>\n<td style=\"width: 385px;\">win32_BIOS WMI\u30af\u30e9\u30b9\u304b\u3089Xen\u74b0\u5883\u306e\u691c\u51fa\u3092\u8a66\u307f\u308b\u30af\u30a8\u30ea<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">gwmi win32_computersystem<\/td>\n<td style=\"width: 385px;\">\u3053\u306e\u30af\u30a8\u30ea\u306f\u3001\u6587\u5b57\u5217\"VMware\"\u306e\u30b7\u30b9\u30c6\u30e0\u60c5\u5831\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">gwmi -query \"Select TotalPhysicalMemory from Win32_ComputerSystem\"<\/td>\n<td style=\"width: 385px;\">\u3053\u306e\u30af\u30a8\u30ea\u306f\u3001\u7269\u7406\u30e1\u30e2\u30ea\u306e\u5408\u8a08\u304c2,900,000,000\u30d0\u30a4\u30c8\u672a\u6e80\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">gwmi -Class win32_Processor | select NumberOfCores<\/td>\n<td style=\"width: 385px;\">\u3053\u306e\u30af\u30a8\u30ea\u306f\u3001CPU\u30b3\u30a2\u6570\u304c1\u500b\u672a\u6e80\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 335px;\">Get-Process | select Company<\/td>\n<td style=\"width: 385px;\">\u5b9f\u884c\u4e2d\u306e\u30d7\u30ed\u30bb\u30b9\u306b\"Wireshark\"\u307e\u305f\u306f\"Sysinternals\"\u3068\u3044\u3046\u4f1a\u793e\u540d\u304c\u3042\u308b\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: left;\"><i>\u88682 
RogueRobin\u306eC#\u306e\u4e9c\u7a2e\u306b\u3088\u308b\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u56de\u907f\u30c1\u30a7\u30c3\u30af<\/i><\/p>\n<p>\u5143\u306e\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u540c\u69d8\u306b\u3001RogueRobin\u306eC#\u306e\u4e9c\u7a2e\u306f\u3001DNS\u30c8\u30f3\u30cd\u30ea\u30f3\u30b0\u3092\u4f7f\u7528\u3057\u3066\u3001\u3055\u307e\u3056\u307e\u306aDNS\u30af\u30a8\u30ea \u30bf\u30a4\u30d7\u3092\u4f7f\u7528\u3059\u308bC2\u30b5\u30fc\u30d0\u30fc\u3068\u901a\u4fe1\u3057\u307e\u3059\u3002\u3053\u306e\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9 \u30c1\u30a7\u30c3\u30af\u3068\u540c\u69d8\u306b\u3001DNS\u30af\u30a8\u30ea\u3092\u767a\u884c\u3059\u308b\u305f\u3073\u306b\u63a5\u7d9a\u3055\u308c\u3066\u3044\u308b\u30c7\u30d0\u30c3\u30ac\u3092\u30c1\u30a7\u30c3\u30af\u3057\u3001\u30c7\u30d0\u30c3\u30ac\u3092\u691c\u51fa\u3059\u308b\u3068\u3001DNS\u30af\u30a8\u30ea\u3092\u767a\u884c\u3057\u3066676f6f646c75636b.gogle[.]co\u3092\u89e3\u6c7a\u3057\u307e\u3059\u3002\u3053\u306e\u30c9\u30e1\u30a4\u30f3\u306f\u3001Google\u304c\u6240\u6709\u3057\u3066\u3044\u308b\u6b63\u898f\u306e\u3082\u306e\u3067\u3059\u3002\u3053\u306e\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3676f6f646c75636b\u306f\u300116\u9032\u6570\u3067\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u305f\u6587\u5b57\u5217\u3067\u3001\u30c7\u30b3\u30fc\u30c9\u3059\u308b\u3068goodluck\u306b\u306a\u308a\u307e\u3059\u3002\u3053\u306eDNS\u30af\u30a8\u30ea\u306f\u3001\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u304cC2\u6a5f\u80fd\u306b\u79fb\u52d5\u3059\u308b\u305f\u3081\u306e\u30d1\u30c3\u30c1\u3092\u521d\u671f\u30c7\u30d0\u30c3\u30b0 
\u30c1\u30a7\u30c3\u30af\u306b\u9069\u7528\u6e08\u307f\u306e\u5834\u5408\u306b\u306e\u307f\u30c8\u30ea\u30ac\u3055\u308c\u308b\u305f\u3081\u3001\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u3078\u306e\u30e1\u30e2\u3068\u3057\u3066\u5b58\u5728\u3059\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3067\u3059\u304c\u3001\u5206\u6790\u56de\u907f\u624b\u6bb5\u3068\u3057\u3066\u5b58\u5728\u3057\u3066\u3044\u308b\u53ef\u80fd\u6027\u3082\u3042\u308a\u307e\u3059\u3002\u56f32\u306f\u3001\u63a5\u7d9a\u3055\u308c\u3066\u3044\u308b\u30c7\u30d0\u30c3\u30ac\u3092\u691c\u51fa\u3057\u3066\u5bfe\u5fdc\u3059\u308bDNS\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u767a\u884c\u3059\u308b\u30b3\u30fc\u30c9\u3067\u3059\u3002<\/p>\n<figure id=\"attachment_96154\" aria-describedby=\"caption-attachment-96154\" style=\"width: 670px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure2.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-96154 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure2.png\" sizes=\"(max-width: 670px) 100vw, 670px\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure2.png 670w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure2-300x82.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure2-370x102.png 370w\" alt=\"\u56f32 \u30c7\u30d0\u30c3\u30ac\u304c\u691c\u51fa\u3055\u308c\u308b\u3068DNS\u30af\u30a8\u30ea\u3092gogle.co\u306b\u767a\u884c\u3059\u308b\u30b3\u30fc\u30c9\" width=\"670\" height=\"184\" \/><\/a><figcaption id=\"caption-attachment-96154\" class=\"wp-caption-text\">\u56f32 
\u30c7\u30d0\u30c3\u30ac\u304c\u691c\u51fa\u3055\u308c\u308b\u3068DNS\u30af\u30a8\u30ea\u3092gogle.co\u306b\u767a\u884c\u3059\u308b\u30b3\u30fc\u30c9<\/figcaption><\/figure>\n<p>RogueRobin\u306b\u3088\u3063\u3066\u767a\u884c\u3055\u308c\u305fDNS\u30ea\u30af\u30a8\u30b9\u30c8\u306f\u3059\u3079\u3066\u3001\u7d44\u307f\u8fbc\u307f\u306enslookup.exe\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3092\u4f7f\u7528\u3057\u3066C2\u30b5\u30fc\u30d0\u30fc\u3068\u901a\u4fe1\u3057\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3055\u307e\u3056\u307e\u306a\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3066\u3001DNS\u5fdc\u7b54\u304b\u3089\u30c7\u30fc\u30bf\u3092\u62bd\u51fa\u3057\u307e\u3059\u3002\u307e\u305a\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u6b21\u306e\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3066\u3001C2\u30b5\u30fc\u30d0\u30fc\u304cC2\u901a\u4fe1\u3092\u30ad\u30e3\u30f3\u30bb\u30eb\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u8abf\u3079\u307e\u3059\u3002<\/p>\n<pre><code style=\"font-family: Menlo, Consolas, 'DejaVu Sans Mono', monospace; font-size: 80%; color: #aa0000;\">216.58.192.174|2a00:1450:4001:81a::200e|2200::|download.microsoft.com|ntservicepack.microsoft.com|windowsupdate.microsoft.com|update.microsoft.com<\/code><\/pre>\n<p>\u307e\u305f\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99acRogueRobin\u306f\u3001\u88683\u306e\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3066\u3001DNS\u5fdc\u7b54\u304b\u3089\u60c5\u5831\u3092\u62bd\u51fa\u3059\u308b\u306e\u306b\u9069\u5207\u306a\u30c7\u30fc\u30bf\u304c\u305d\u306e\u5fdc\u7b54\u306b\u542b\u307e\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/p>\n<table class=\"table table-bordered table-striped\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"width: 614px;\"><b><br \/>\n\u6b63\u898f\u8868\u73fe<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 
614px;\">([^r-v\\\\s])[r-v]([\\\\w\\\\d+\\\\\/=]+)-\\\\w+.(&lt;domainList[0]&gt;|&lt;domainList[1]&gt;|&lt;domainList[n]&gt;)<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 614px;\">Address:\\\\s+(([a-fA-F0-9]{0,4}:{1,4}[\\\\w|:]+){1,8})<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 614px;\">Address:\\\\s+(([a-fA-F0-9]{0,4}:{1,2}){1,8})<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 614px;\">([^r-v\\\\s]+)[r-v]([\\\\w\\\\d+\\\\\/=]+).(&lt;domainList[0]&gt;|&lt;domainList[1]&gt;|&lt;domainList[n]&gt;)<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 614px;\">(\\\\w+).(&lt;domainList[0]&gt;|&lt;domainList[1]&gt;|&lt;domainList[n]&gt;)<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 614px;\">Address:\\\\s+(\\\\d+.\\\\d+.\\\\d+.\\\\d+)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: left;\"><i>\u88683 RogueRobin\u3067\u4f7f\u7528\u3055\u308c\u308b\u6b63\u898f\u8868\u73fe<\/i><\/p>\n<p>PowerShell\u30d0\u30fc\u30b8\u30e7\u30f3\u3068\u540c\u69d8\u306b\u3001C#\u306e\u4e9c\u7a2e\u306fDNS\u30af\u30a8\u30ea\u3092\u767a\u884c\u3057\u3066\u3001\u3069\u306e\u30af\u30a8\u30ea \u30bf\u30a4\u30d7\u304cC2\u30b5\u30fc\u30d0\u30fc\u3068\u6b63\u5e38\u306b\u901a\u4fe1\u3067\u304d\u308b\u304b\u3092\u8abf\u3079\u307e\u3059\u3002\u56f33\u306f\u3001DNS\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u767a\u884c\u3057\u3066\u3001TXT\u3001SOA\u3001MX\u3001CNAME\u3001SRV\u3001A\u304a\u3088\u3073AAAA\u306e\u30af\u30a8\u30ea \u30bf\u30a4\u30d7\u3092\u4f7f\u7528\u3059\u308bC2\u30c9\u30e1\u30a4\u30f3\u306e\u30ab\u30b9\u30bf\u30e0\u4f5c\u6210\u3055\u308c\u305f\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u3092\u89e3\u6c7a\u3059\u308bRogueRobin\u30da\u30a4\u30ed\u30fc\u30c9\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_96155\" aria-describedby=\"caption-attachment-96155\" style=\"width: 470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure3.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-96155 size-full lozad\"  
data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure3.png\" sizes=\"(max-width: 470px) 100vw, 470px\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure3.png 470w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure3-300x188.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure3-370x231.png 370w\" alt=\"\u56f33 \u3055\u307e\u3056\u307e\u306aDNS\u30af\u30a8\u30ea \u30bf\u30a4\u30d7\u3092\u30c6\u30b9\u30c8\u3059\u308bRogueRobin\" width=\"470\" height=\"294\" \/><\/a><figcaption id=\"caption-attachment-96155\" class=\"wp-caption-text\">\u56f33 \u3055\u307e\u3056\u307e\u306aDNS\u30af\u30a8\u30ea \u30bf\u30a4\u30d7\u3092\u30c6\u30b9\u30c8\u3059\u308bRogueRobin<\/figcaption><\/figure>\n<p>aqhpc.akdns[.]live\u306a\u3069\u306e\u30c6\u30b9\u30c8 \u30af\u30a8\u30ea\u306e\u30c9\u30e1\u30a4\u30f3\u306b\u306f\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u30d7\u30ed\u30bb\u30b9ID\u306e\u6841\u3092\u88684\u306e\u6587\u5b57\u306b\u7f6e\u304d\u63db\u3048\u3066(\u305f\u3068\u3048\u3070\u3001PID 908\u306fqhp)\u3001\u3053\u308c\u3089\u306e\u6587\u5b57\u3092\u9759\u7684\u306a\u6587\u5b57a\u3068c\u3067\u56f2\u3080\u3053\u3068\u306b\u3088\u3063\u3066\u751f\u6210\u3055\u308c\u308b\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u304c\u3042\u308a\u307e\u3059\u3002C2\u30b5\u30fc\u30d0\u30fc\u306f\u3001\u3069\u306e\u30af\u30a8\u30ea \u30bf\u30a4\u30d7\u306b\u3082\u5fdc\u7b54\u3057\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u304c\u5909\u6570\u306b\u4fdd\u5b58\u3057\u3066\u305d\u306e\u5f8c\u306eDNS\u30ea\u30af\u30a8\u30b9\u30c8\u3067\u4f7f\u7528\u3059\u308b\u4e00\u610f\u306eID\u5024\u3092\u63d0\u4f9b\u3067\u304d\u307e\u3059\u3002<\/p>\n<table class=\"table table-bordered table-striped\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"width: 104px;\"><b>\u6587\u5b57 <\/b><\/td>\n<td style=\"width: 
78px;\"><b>\u6841<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">h<\/td>\n<td style=\"width: 78px;\">0<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">i<\/td>\n<td style=\"width: 78px;\">1<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">j<\/td>\n<td style=\"width: 78px;\">2<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">k<\/td>\n<td style=\"width: 78px;\">3<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">l<\/td>\n<td style=\"width: 78px;\">4<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">m<\/td>\n<td style=\"width: 78px;\">5<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">n<\/td>\n<td style=\"width: 78px;\">6<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">o<\/td>\n<td style=\"width: 78px;\">7<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">p<\/td>\n<td style=\"width: 78px;\">8<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 104px;\">q<\/td>\n<td style=\"width: 78px;\">9<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: left;\"><i>\u88684 RogueRobin\u3067\u4f7f\u7528\u3055\u308c\u308b\u6587\u5b57\u306e\u7f6e\u304d\u63db\u3048<\/i><\/p>\n<p>\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u305d\u306e\u5f8c\u306eDNS\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f7f\u7528\u3057\u3066C2\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u30b8\u30e7\u30d6\u3092\u53d6\u5f97\u3057\u3001\u3053\u308c\u3092\u30b3\u30de\u30f3\u30c9\u3068\u3057\u3066\u51e6\u7406\u3057\u307e\u3059\u3002\u30b8\u30e7\u30d6\u3092\u53d6\u5f97\u3059\u308b\u305f\u3081\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u6b21\u306e\u69cb\u9020\u3092\u6301\u3064\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u3092\u69cb\u7bc9\u3057\u3001DNS\u30af\u30a8\u30ea\u3092C2\u30b5\u30fc\u30d0\u30fc\u306b\u767a\u884c\u3057\u307e\u3059\u3002<\/p>\n<p>c&lt;\u4e00\u610f\u306eID&gt;&lt;3\u6841\u306b\u3059\u308b\u305f\u3081\u306b'0'\u304c\u30d1\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u305f\u30b8\u30e7\u30d6ID&gt;&lt;\u30b7\u30fc\u30b1\u30f3\u30b9\u756a\u53f7&gt;c<\/p>\n<p>\u751f\u6210\u3055\u308c\u305f\u30b5\u30d6\u30c9\u30e1\u30a4\u3
0f3\u306f\u6b21\u306b\u3001\u6570\u5b57\u3092\u6587\u5b57\u306b\u7f6e\u63db(\u88684\u306e\u9006\u65b9\u5411)\u3059\u308b\u6a5f\u80fd\u304c\u9069\u7528\u3055\u308c\u3001\u4e8b\u5b9f\u4e0a\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u306e\u3059\u3079\u3066\u306e\u6841\u304c\u6587\u5b57\u306b\u5909\u63db\u3055\u308c\u307e\u3059\u3002\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u88683\u306e\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3066\u3053\u306e\u30af\u30a8\u30ea\u306e\u5fdc\u7b54\u3092\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u30ad\u30e3\u30f3\u30bb\u30eb\u3067\u306f\u306a\u3044\u5fdc\u7b54\u3092\u53d7\u4fe1\u3059\u308b\u3068\u3001DNS\u5fdc\u7b54\u304b\u3089\u30c7\u30fc\u30bf\u3092\u62bd\u51fa\u3057\u3001\u3053\u308c\u3092\u30b3\u30de\u30f3\u30c9\u3068\u898b\u306a\u3057\u307e\u3059\u3002\u88685\u306f\u3001RogueRobin\u306eC#\u306e\u4e9c\u7a2e\u304c\u51e6\u7406\u3067\u304d\u308b\u30b3\u30de\u30f3\u30c9\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306f\u65e2\u306b\u5206\u6790\u6e08\u307f\u306ePowerShell\u306e\u4e9c\u7a2e\u3068\u975e\u5e38\u306b\u3088\u304f\u4f3c\u3066\u3044\u307e\u3059\u3002<\/p>\n<table class=\"table table-bordered table-striped\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"width: 131px;\"><b>\u6b63\u898f\u8868\u73fe <\/b><\/td>\n<td style=\"width: 492px;\"><b>\u00a0\u8aac\u660e<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^kill<\/td>\n<td style=\"width: 492px;\">\u6307\u5b9a\u3055\u308c\u305f\u30b9\u30ec\u30c3\u30c9\u540d\u306b\u57fa\u3065\u3044\u3066\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3067\u5b9f\u884c\u3055\u308c\u3066\u3044\u308b\u30b9\u30ec\u30c3\u30c9\u3092\u5f37\u5236\u7d42\u4e86\u3057\u307e\u3059<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^\\$fileDownload<\/td>\n<td style=\"width: 
492px;\">DNS\u30c8\u30f3\u30cd\u30eb\u3092\u4ecb\u3057\u3066C2\u30b5\u30fc\u30d0\u30fc\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u307e\u3059<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^\\$importModule<\/td>\n<td style=\"width: 492px;\">\u63d0\u4f9b\u3055\u308c\u305fPowerShell\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3001'modules'\u3068\u3044\u3046\u30ea\u30b9\u30c8\u306b\u8ffd\u52a0\u3057\u307e\u3059<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^\\$x_mode<\/td>\n<td style=\"width: 492px;\">\u4ee3\u66ff\u30e2\u30fc\u30c9\u3067\u3042\u308b'x_mode'\u3092\u30aa\u30f3\u306b\u3057\u3066\u3001\u4ee3\u66ffC2\u30c1\u30e3\u30cd\u30eb\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u524d\u306b\"OFF\"\u304c\u4ed8\u3044\u3066\u3044\u308b\u5834\u5408\u306f\u3001'x_mode'\u3092\u30aa\u30d5\u306b\u3057\u307e\u3059\u3002\u305d\u308c\u4ee5\u5916\u306e\u5834\u5408\u3001\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u3001\u3053\u306e\u4ee3\u66ffC2\u6a5f\u80fd\u3092\u4f7f\u7528\u3059\u308b\u305f\u3081\u306e\u6539\u884c\u533a\u5207\u308a\u306e\u8a2d\u5b9a\u3092\u8ffd\u52a0\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^\\$ClearModules<\/td>\n<td style=\"width: 492px;\">\u524d\u306b\u5b9f\u884c\u3057\u305f'modules'\u30ea\u30b9\u30c8\u3092\u30af\u30ea\u30a2\u3057\u307e\u3059<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^\\$fileUpload<\/td>\n<td style=\"width: 492px;\">\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306b\u306f\u3001\u65b0\u898f\u30d5\u30a1\u30a4\u30eb\u3092\u30b7\u30b9\u30c6\u30e0\u306b\u4fdd\u5b58\u3059\u308b\u305f\u3081\u306e\u30d1\u30b9\u3068\u3057\u3066\u4f7f\u7528\u3055\u308c\u308b\u6587\u5b57\u5217\u304c\u7d9a\u304d\u307e\u3059\u3002\u6b21\u306b\u3053\u306e\u30b3\u30de\u30f3\u30c9\u306f\u3001C2\u30b5\u30fc\u30d0\u30fc\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3001\u30c7\u30fc\u30bf\u3092\u53d6\u5f97\u3057\u3066\u3053\u306e\u30d5\u30a1\u30a4\u30eb 
\u30d1\u30b9\u306b\u4fdd\u5b58\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^testmode<\/td>\n<td style=\"width: 492px;\">\u30c6\u30b9\u30c8\u6a5f\u80fd\u3092\u5b9f\u884c\u3057\u3066\u3001C2\u3068\u6b63\u5e38\u306b\u901a\u4fe1\u3067\u304d\u308bDNS\u30af\u30a8\u30ea \u30bf\u30a4\u30d7\u3092\u8abf\u3079\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^showconfig<\/td>\n<td style=\"width: 492px;\">C2\u30c9\u30e1\u30a4\u30f3\u3084\u4f7f\u7528\u53ef\u80fd\u306aDNS\u30af\u30a8\u30ea \u30bf\u30a4\u30d7\u306e\u30ea\u30b9\u30c8\u306a\u3069\u306e\u3001\u30b5\u30f3\u30d7\u30eb\u306e\u8a2d\u5b9a\u3092\u542b\u3080\u7e26\u7dda(\"|\")\u3067\u533a\u5207\u3089\u308c\u305f\u6587\u5b57\u5217\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^changeConfig<\/td>\n<td style=\"width: 492px;\">\u30d1\u30a4\u30d7(\u7e26\u7dda\"|\")\u3067\u533a\u5207\u3089\u308c\u305f\u6587\u5b57\u5217\u3092\u4f7f\u7528\u3057\u3066\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u8a2d\u5b9a\u5185\u3067C2\u306e\u5024\u3092\u8a2d\u5b9a\u3067\u304d\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002\u6587\u5b57\u5217\u306e\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u306f\"&lt;\u30c9\u30e1\u30a4\u30f3\u306e\u30ea\u30b9\u30c8&gt;|&lt;\u6700\u5c0f\u30af\u30a8\u30ea \u30b5\u30a4\u30ba&gt;|&lt;\u6700\u5927\u30af\u30a8\u30ea \u30b5\u30a4\u30ba&gt;|&lt;hasGarbage&gt;|&lt;sleepPerRequest&gt;|&lt;\u6700\u5927\u30ea\u30af\u30a8\u30b9\u30c8&gt;|&lt;\u30af\u30a8\u30ea \u30bf\u30a4\u30d7&gt;|&lt;hibridMode&gt;|&lt;\u73fe\u5728\u306e\u30af\u30a8\u30ea \u30e2\u30fc\u30c9&gt;\"\u3067\u3059<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^slp<\/td>\n<td style=\"width: 492px;\">\u30b9\u30ea\u30fc\u30d7\u5024\u3068\u30b8\u30c3\u30bf\u5024\u3092\u8a2d\u5b9a\u3057\u307e\u3059<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 131px;\">^exit<\/td>\n<td style=\"width: 
492px;\">\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u7d42\u4e86\u3057\u307e\u3059<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: left;\"><i>\u88685 RogueRobin\u306eC#\u306e\u4e9c\u7a2e\u5185\u3067\u4f7f\u7528\u53ef\u80fd\u306a\u30b3\u30de\u30f3\u30c9<\/i><\/p>\n<h2><span style=\"color: #000000;\">C2\u306eGoogle\u30c9\u30e9\u30a4\u30d6\u306e\u4f7f\u7528<\/span><\/h2>\n<p>RogueRobin\u306e\u4ee5\u524d\u306ePowerShell\u306e\u4e9c\u7a2e\u3067\u306f\u4f7f\u7528\u3067\u304d\u306a\u304b\u3063\u305f\u3082\u306e\u306e\u3001\u65b0\u3057\u3044C#\u306e\u4e9c\u7a2e\u3067\u4f7f\u7528\u3067\u304d\u308b\u306e\u304cx_mode\u3067\u3059\u3002\u3053\u308c\u306f\u3001\u4ee3\u66ff\u30b3\u30de\u30f3\u30c9\u3092\u6709\u52b9\u306b\u3057\u3066\u3001Google\u30c9\u30e9\u30a4\u30d6API\u3092\u4f7f\u7528\u3059\u308b\u30c1\u30e3\u30cd\u30eb\u3092\u5236\u5fa1\u3059\u308b\u3001\u975e\u5e38\u306b\u8208\u5473\u6df1\u3044\u30b3\u30de\u30f3\u30c9\u3067\u3059\u3002x_mode\u30b3\u30de\u30f3\u30c9\u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u306f\u7121\u52b9\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u304c\u3001DNS\u30c8\u30f3\u30cd\u30ea\u30f3\u30b0 \u30c1\u30e3\u30cd\u30eb\u304b\u3089\u53d7\u4fe1\u3057\u305f\u30b3\u30de\u30f3\u30c9\u3067\u6709\u52b9\u306b\u3059\u308b\u3068\u3001RogueRobin\u306f\u3001Google\u30c9\u30e9\u30a4\u30d6API\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f7f\u7528\u3057\u3066\u4e00\u610f\u306eID\u3092\u53d7\u4fe1\u3057\u3001\u30b8\u30e7\u30d6\u3092\u53d6\u5f97\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>x_mode\u3067\u306f\u3001RogueRobin\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u3092Google\u30c9\u30e9\u30a4\u30d6 
\u30a2\u30ab\u30a6\u30f3\u30c8\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u3001\u30d5\u30a1\u30a4\u30eb\u306e\u5909\u66f4\u6642\u523b\u3092\u7d99\u7d9a\u7684\u306b\u30c1\u30a7\u30c3\u30af\u3057\u3066\u3001\u653b\u6483\u8005\u304c\u5909\u66f4\u3092\u52a0\u3048\u305f\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\u653b\u6483\u8005\u306f\u6700\u521d\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u304c\u4eca\u5f8c\u306e\u901a\u4fe1\u306b\u4f7f\u7528\u3059\u308b\u4e00\u610f\u306eID\u3092\u542b\u3081\u308b\u3088\u3046\u306b\u30d5\u30a1\u30a4\u30eb\u3092\u5909\u66f4\u3057\u307e\u3059\u3002\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u653b\u6483\u8005\u306b\u3088\u308b\u305d\u306e\u5f8c\u306e\u3059\u3079\u3066\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u5909\u66f4\u3092\u30b8\u30e7\u30d6\u3068\u898b\u306a\u3057\u3001\u305d\u306e\u30b8\u30e7\u30d6\u3092\u30b3\u30de\u30f3\u30c9\u3068\u3057\u3066\u898b\u306a\u3057\u3066\u3001\u88685\u306b\u793a\u3059\u540c\u3058\u30b3\u30de\u30f3\u30c9 \u30cf\u30f3\u30c9\u30e9\u3067\u51e6\u7406\u3057\u307e\u3059\u3002<\/p>\n<p>Google\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3059\u308b\u305f\u3081\u306b\u3001DNS\u30c8\u30f3\u30cd\u30ea\u30f3\u30b0\u3092\u4f7f\u7528\u3057\u3066C2\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u53d7\u3051\u53d6\u3063\u305fx_mode\u30b3\u30de\u30f3\u30c9\u306e\u5f8c\u306b\u3001Google\u30c9\u30e9\u30a4\u30d6 \u30a2\u30ab\u30a6\u30f3\u30c8\u3068\u306e\u3084\u308a\u53d6\u308a\u306b\u5fc5\u8981\u306a\u6539\u884c\u533a\u5207\u308a\u306e\u8a2d\u5b9a\u306e\u30ea\u30b9\u30c8\u304c\u8ffd\u52a0\u3055\u308c\u307e\u3059\u3002\u56f34\u306b\u3001x_mode\u30b3\u30de\u30f3\u30c9\u3092\u51e6\u7406\u3059\u308bRogueRobin\u306e\u30b3\u30fc\u30c9\u3092\u793a\u3057\u307e\u3059\u3002\u3053\u306e\u30b3\u30fc\u30c9\u306f\u5177\u4f53\u7684\u306b\u306f\u3001\u6539\u884c\u3067\u30b3\u30de\u30f3\u30c9 
\u30c7\u30fc\u30bf\u3092\u5206\u5272\u3057\u3001\u751f\u6210\u3055\u308c\u305f\u914d\u5217\u3092\u4f7f\u7528\u3057\u3066\u3001x_mode\u306e\u8a2d\u5b9a\u3068\u3057\u3066\u4f7f\u7528\u3055\u308c\u308b\u5909\u6570\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_96156\" aria-describedby=\"caption-attachment-96156\" style=\"width: 468px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure4.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-96156 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure4.png\" sizes=\"(max-width: 468px) 100vw, 468px\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure4.png 427w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure4-300x249.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure4-370x308.png 370w\" alt=\"\u56f34 x_mode\u30b3\u30de\u30f3\u30c9\u3068\u6539\u884c\u533a\u5207\u308a\u306e\u8a2d\u5b9a\" width=\"468\" height=\"389\" \/><\/a><figcaption id=\"caption-attachment-96156\" class=\"wp-caption-text\">\u56f34 x_mode\u30b3\u30de\u30f3\u30c9\u3068\u6539\u884c\u533a\u5207\u308a\u306e\u8a2d\u5b9a<\/figcaption><\/figure>\n<p>\u56f34\u306b\u793a\u3059\u3088\u3046\u306b\u3001\u8a2d\u5b9a\u306f\u88686\u306b\u793a\u3059\u5909\u6570\u306b\u683c\u7d0d\u3055\u308c\u3001\u3053\u308c\u3089\u3092\u4f7f\u7528\u3057\u3066\u653b\u6483\u8005\u304c\u5236\u5fa1\u3059\u308bGoogle\u30a2\u30ab\u30a6\u30f3\u30c8\u306b\u5bfe\u3057\u3066\u8a8d\u8a3c\u3092\u5b9f\u884c\u3057\u305f\u5f8c\u3001Google\u30c9\u30e9\u30a4\u30d6\u304b\u3089\u30d5\u30a1\u30a4\u30eb\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u304a\u3088\u3073\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002<\/p>\n<table class=\"table table-bordered table-striped\" border=\"0\" cellspacing=\"0\" 
cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"width: 119px;\"><b>\u5909\u6570\u540d<\/b><\/td>\n<td style=\"width: 448px;\"><b>\u8aac\u660e<\/b><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119px;\">gdu<\/td>\n<td style=\"width: 448px;\">\u30d5\u30a1\u30a4\u30eb\u3092Google\u30c9\u30e9\u30a4\u30d6 \u30a2\u30ab\u30a6\u30f3\u30c8\u306b\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3059\u308b\u305f\u3081\u306eGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119px;\">gduu<\/td>\n<td style=\"width: 448px;\">\u30d5\u30a1\u30a4\u30eb\u3092Google\u30c9\u30e9\u30a4\u30d6 \u30a2\u30ab\u30a6\u30f3\u30c8\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u305f\u3081\u306eGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119px;\">gdue<\/td>\n<td style=\"width: 448px;\">Google\u30c9\u30e9\u30a4\u30d6 \u30a2\u30ab\u30a6\u30f3\u30c8\u3067\u30d5\u30a1\u30a4\u30eb\u3092\u66f4\u65b0\u3059\u308b\u305f\u3081\u306eGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119px;\">gdo2t<\/td>\n<td style=\"width: 448px;\">OAUTH access_token\u306e\u53d6\u5f97\u306b\u4f7f\u7528\u3055\u308c\u308bGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119px;\">client_id<\/td>\n<td style=\"width: 448px;\">OAUTH\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306eclient_id<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119px;\">cs<\/td>\n<td style=\"width: 448px;\">OAUTH\u306eclient_secret<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 119px;\">r_t<\/td>\n<td style=\"width: 448px;\">OAUTH\u306erefresh_token<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: left;\"><i>\u88686 Google\u30c9\u30e9\u30a4\u30d6\u3092C2\u3068\u3057\u3066\u4f7f\u7528\u3059\u308b\u305f\u3081\u306b\u5fc5\u8981\u306a\u8a2d\u5b9a\u3092\u683c\u7d0d\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u308b\u5909\u6570<\/i><\/p>\n<p>OAUTH\u30a2\u30af\u30bb\u30b9 
\u30c8\u30fc\u30af\u30f3\u3092\u53d6\u5f97\u3057\u3066\u3001\u653b\u6483\u8005\u304c\u63d0\u4f9b\u3057\u305fGoogle\u30a2\u30ab\u30a6\u30f3\u30c8\u306b\u5bfe\u3057\u3066\u8a8d\u8a3c\u3092\u5b9f\u884c\u3059\u308b\u305f\u3081\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306fHTTP\u30d8\u30c3\u30c0\u30fc\u304a\u3088\u3073POST\u30c7\u30fc\u30bf\u306b\u8ffd\u52a0\u3055\u308c\u305fgrant_type\u3001client_id\u3001client_secret\u3001\u304a\u3088\u3073refresh_token\u30d5\u30a3\u30fc\u30eb\u30c9\u3092\u4f7f\u7528\u3057\u3066\u3001gdo2t\u5909\u6570\u306b\u683c\u7d0d\u3055\u308c\u3066\u3044\u308bURL\u306bHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u9001\u4fe1\u3057\u307e\u3059\u3002\u56f35\u306b\u793a\u3059\u3088\u3046\u306b\u3001\u3053\u308c\u3089\u306e\u30d5\u30a3\u30fc\u30eb\u30c9\u306e\u5024\u306f\u3001x_mode\u30b3\u30de\u30f3\u30c9\u306e\u767a\u884c\u6642\u306b\u6700\u521d\u306b\u8a2d\u5b9a\u3055\u308c\u305f\u5909\u6570\u306b\u8a2d\u5b9a\u3055\u308c\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_96157\" aria-describedby=\"caption-attachment-96157\" style=\"width: 746px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure5.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-96157 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure5.png\" sizes=\"(max-width: 746px) 100vw, 746px\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure5.png 746w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure5-300x84.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure5-370x104.png 370w\" alt=\"\u56f35 OAUTH\u30a2\u30af\u30bb\u30b9 \u30c8\u30fc\u30af\u30f3\u3092\u53d6\u5f97\u3059\u308b\u305f\u3081\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\" width=\"746\" height=\"209\" \/><\/a><figcaption 
id=\"caption-attachment-96157\" class=\"wp-caption-text\">\u56f35 OAUTH\u30a2\u30af\u30bb\u30b9 \u30c8\u30fc\u30af\u30f3\u3092\u53d6\u5f97\u3059\u308b\u305f\u3081\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8<\/figcaption><\/figure>\n<p>\u6b21\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u4ee5\u4e0b\u306e\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3066\u3001HTTP\u5fdc\u7b54\u304b\u3089\u30a2\u30af\u30bb\u30b9 \u30c8\u30fc\u30af\u30f3\u3092\u53d6\u5f97\u3057\u307e\u3059(\u56f35\u3092\u53c2\u7167)\u3002<\/p>\n<p>\\\"access_token\\\":(.*)<\/p>\n<p>\u6709\u52b9\u306a\u30a2\u30af\u30bb\u30b9 \u30c8\u30fc\u30af\u30f3\u3067\u8a8d\u8a3c\u3055\u308c\u308b\u3068\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306fGoogle\u30c9\u30e9\u30a4\u30d6 \u30a2\u30ab\u30a6\u30f3\u30c8\u3078\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3092\u8a66\u307f\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb\u3092\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3059\u308b\u305f\u3081\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u307e\u305agduu\u306b\u683c\u7d0d\u3055\u308c\u3066\u3044\u308bURL\u3078\u306eHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f5c\u6210\u3057\u3001\u4ee5\u4e0b\u306eJSON\u30c7\u30fc\u30bf\u3092Google\u30c9\u30e9\u30a4\u30d6 \u30a2\u30ab\u30a6\u30f3\u30c8\u306b\u9001\u4fe1\u3057\u307e\u3059\u3002<\/p>\n<p>{ \"name\" :\"&lt;process ID of Trojan&gt;.txt\" 
}<\/p>\n<p>Google\u30c9\u30e9\u30a4\u30d6\u306f\u3001\u30d8\u30c3\u30c0\u30fc\u306bLocation\u30d5\u30a3\u30fc\u30eb\u30c9\u3092\u542b\u3080HTTP\u5fdc\u7b54\u3067\u3053\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5fdc\u7b54\u3057\u307e\u3059\u3002\u3053\u306e\u30d5\u30a3\u30fc\u30eb\u30c9\u306b\u306f\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u304c&lt;\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u30d7\u30ed\u30bb\u30b9ID&gt;.txt\u30d5\u30a1\u30a4\u30eb\u306e\u30b3\u30f3\u30c6\u30f3\u30c4\u306e\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u306b\u4f7f\u7528\u3059\u308bURL\u304c\u542b\u307e\u308c\u307e\u3059\u3002\u3053\u308c\u306f&lt;\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u30d7\u30ed\u30bb\u30b9ID&gt;.&lt;C2\u30c9\u30e1\u30a4\u30f3&gt;\u3068\u3044\u3046\u69cb\u9020\u3067\u3001\u30d7\u30ed\u30bb\u30b9ID\u306f\u88684\u3068\u540c\u3058\u6587\u5b57\u7f6e\u63db\u95a2\u6570\u3067\u30a8\u30f3\u30b3\u30fc\u30c9\u3055\u308c\u307e\u3059\u3002\u6b21\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u4ee5\u4e0b\u306e\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3066\u3001\u30b3\u30f3\u30c6\u30f3\u30c4 \u30a2\u30c3\u30d7\u30ed\u30fc\u30c9 
\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5bfe\u3059\u308bHTTP\u5fdc\u7b54\u306e\u30d5\u30a1\u30a4\u30ebID\u5024\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/p>\n<p>\\\"id\\\":(.*)<\/p>\n<p>\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3053\u306e\u30d5\u30a1\u30a4\u30ebID\u5024\u3092\u4f7f\u7528\u3057\u3066&lt;\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u30d7\u30ed\u30bb\u30b9ID&gt;.txt\u30d5\u30a1\u30a4\u30eb\u306e\u5909\u66f4\u6642\u9593\u306b\u5bfe\u3059\u308b\u5909\u66f4\u3092\u30c1\u30a7\u30c3\u30af\u3059\u308b\u3053\u3068\u3067\u3001\u653b\u6483\u8005\u306b\u3088\u308a\u30d5\u30a1\u30a4\u30eb\u306b\u52a0\u3048\u3089\u308c\u305f\u5909\u66f4\u3092\u76e3\u8996\u3057\u307e\u3059\u3002\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u6b21\u306e\u3088\u3046\u306a\u69cb\u9020\u306eURL\u306b\u5bfe\u3059\u308bHTTP\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f5c\u6210\u3057\u3066\u3001\u30d5\u30a1\u30a4\u30eb\u306e\u5909\u66f4\u6642\u9593\u3092\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002<\/p>\n<p>&lt;'gdu'\u306eGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL&gt; + &lt;\u30d5\u30a1\u30a4\u30ebID&gt; + 
\"?supportTeamDrives=true&amp;fields=modifiedTime\"<\/p>\n<p>\u6b21\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u4ee5\u4e0b\u306e\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3066\u3001HTTP\u5fdc\u7b54\u304b\u3089\u30d5\u30a1\u30a4\u30eb\u306e\u5909\u66f4\u6642\u9593\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002\u3053\u308c\u306f\u3001modification_time\u3068\u3044\u3046\u540d\u524d\u306e\u5909\u6570\u306b\u4fdd\u5b58\u3055\u308c\u307e\u3059\u3002<\/p>\n<p>\\\"modifiedTime\\\":(.*)<\/p>\n<p>\u6b21\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f2\u3064\u76ee\u306e\u30d5\u30a1\u30a4\u30eb\u3092Google\u30c9\u30e9\u30a4\u30d6\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3057\u305f\u6700\u521d\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u653b\u6483\u8005\u304c\u5909\u66f4\u3059\u308b\u306e\u3092\u5f85\u6a5f\u3059\u308b\u9593\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u304c\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u7d99\u7d9a\u7684\u306b\u66f8\u304d\u8fbc\u3081\u308b\u3088\u3046\u306b\u3059\u308b\u305f\u3081\u3067\u3059\u3002\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001&lt;\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u30d7\u30ed\u30bb\u30b9ID&gt;\u3092&lt;\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u30d7\u30ed\u30bb\u30b9ID&gt;-U.txt\u3068\u3044\u3046\u540d\u524d\u306eGoogle\u30c9\u30e9\u30a4\u30d6 
\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306b\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b2\u3064\u76ee\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002\u901a\u4fe1\u30eb\u30fc\u30d7\u306e\u7e70\u308a\u8fd4\u3057\u3054\u3068\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u6700\u521d\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u5909\u66f4\u6642\u9593\u304c\u5909\u66f4\u3055\u308c\u3066\u3044\u308b\u304b\u3069\u3046\u304b\u3092\u78ba\u8a8d\u3057\u3001\u66f4\u65b0\u3055\u308c\u3066\u3044\u306a\u3044\u5834\u5408\u306f\u3001\u6b21\u306e\u3088\u3046\u306a\u69cb\u9020\u306eURL\u306b\u5bfe\u3059\u308bHTTP POST\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f5c\u6210\u3057\u3001\u6587\u5b57\u5217b&lt;\u4e00\u610f\u306eID&gt;c&lt;5\u3064\u306e\u30e9\u30f3\u30c0\u30e0\u306a\u82f1\u5c0f\u6587\u5b57&gt;.&lt;C2\u30c9\u30e1\u30a4\u30f3&gt;\u3092\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u3093\u30672\u3064\u76ee\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u66f4\u65b0\u3057\u307e\u3059\u3002<\/p>\n<p>&lt;Google Drive URL in 'gdue'&gt; + &lt;second file identifier&gt; + \"?supportsTeamDrive=true&amp;uploadType=resumable&amp;fields=kind,id,name,mimeType,parents\"<\/p>\n<p>\u3042\u308bRogueRobin\u30b5\u30f3\u30d7\u30eb(SHA256: 
f1b2bc0831\u2026)\u3067\u3001\u4f5c\u6210\u8005\u306fx_mode\u30b3\u30de\u30f3\u30c9\u3092\u767a\u884c\u3059\u308b\u3068\u304d\u306b\u3001\u653b\u6483\u8005\u304c\u63d0\u4f9b\u3057\u305fGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL\u3092\u4f7f\u7528\u305b\u305a\u3001\u66ff\u308f\u308a\u306b\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL\u3092\u7d44\u307f\u8fbc\u307f\u307e\u3057\u305f(\u56f36\u3092\u53c2\u7167)\u3002\u3053\u308c\u306f\u3001\u6211\u3005\u304c\u78ba\u8a8d\u3057\u305f\u4e2d\u3067\u3001RogueRobin\u306b\u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL\u304c\u7d44\u307f\u8fbc\u307e\u308c\u305f\u552f\u4e00\u306e\u4e8b\u4f8b\u3067\u3042\u308a\u3001\u4f5c\u6210\u8005\u306f\u30c6\u30b9\u30c8\u4e2d\u306b\u3053\u308c\u3092\u898b\u843d\u3068\u3057\u305f\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_96158\" aria-describedby=\"caption-attachment-96158\" style=\"width: 856px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure6.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-96158 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure6.png\" sizes=\"(max-width: 856px) 100vw, 856px\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure6.png 856w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure6-300x52.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure6-768x133.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure6-370x64.png 370w\" alt=\"\u56f36 \u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL\u304c\u4f7f\u7528\u3055\u308c\u305fRogueRobin\u306e\u30b5\u30f3\u30d7\u30eb\" width=\"856\" 
height=\"148\" \/><\/a><figcaption id=\"caption-attachment-96158\" class=\"wp-caption-text\">\u56f36 \u30cf\u30fc\u30c9\u30b3\u30fc\u30c9\u3055\u308c\u305fGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL\u304c\u4f7f\u7528\u3055\u308c\u305fRogueRobin\u306e\u30b5\u30f3\u30d7\u30eb<\/figcaption><\/figure>\n<p>\u6700\u521d\u306e\u30d5\u30a1\u30a4\u30eb\u306emodification_time\u304c\u5909\u66f4\u3055\u308c\u308b\u3068\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306fGoogle\u30c9\u30e9\u30a4\u30d6\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3055\u308c\u305f\u6700\u521d\u306e\u30d5\u30a1\u30a4\u30eb\u304b\u3089\u30b3\u30f3\u30c6\u30f3\u30c4\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u6b21\u306e\u3088\u3046\u306a\u69cb\u9020\u306eURL\u306b\u5bfe\u3059\u308bHTTP\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f5c\u6210\u3057\u3066\u3001\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u30b3\u30f3\u30c6\u30f3\u30c4\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002<\/p>\n<p>&lt;Google Drive URL in 'gdu'&gt; + &lt;first file identifier&gt; + \"?alt=media\"<\/p>\n<p>\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30d5\u30a1\u30a4\u30eb\u306e\u30b3\u30f3\u30c6\u30f3\u30c4\u3092\u4f7f\u7528\u3057\u3066\u3001modification_time\u5909\u6570\u3092\u73fe\u5728\u306e\u5909\u66f4\u6642\u9593\u306b\u8a2d\u5b9a\u3057\u3001\u653b\u6483\u8005\u304c\u30d5\u30a1\u30a4\u30eb\u306b\u66f4\u306a\u308b\u5909\u66f4\u3092\u52a0\u3048\u305f\u3068\u304d\u306b\u308f\u304b\u308b\u3088\u3046\u306b\u3057\u307e\u3059\u3002\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u305f\u30c7\u30fc\u30bf\u3092\u3001TXT\u30af\u30a8\u30ea \u30e2\u30fc\u30c9\u3092\u4f7f\u7528\u3057\u3001DNS\u30c8\u30f3\u30cd\u30ea\u30f3\u30b0 
\u30d7\u30ed\u30c8\u30b3\u30eb\u3092\u4ecb\u3057\u3066\u53d6\u5f97\u3055\u308c\u305f\u3082\u306e\u3068\u898b\u306a\u3057\u3066\u3001\u4e00\u610f\u306eID\u306e\u5834\u5408\u3068\u540c\u3058\u65b9\u6cd5\u3067\u51e6\u7406\u3057\u307e\u3059\u3002\u5177\u4f53\u7684\u306b\u306f\u3001\u4ee5\u4e0b\u306e\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3066\u30c7\u30fc\u30bf\u3092\u691c\u7d22\u3057\u3066\u51e6\u7406\u3057\u307e\u3059\u3002<\/p>\n<p>\\\"(\\\\w+).(&lt;domainList[0]&gt;|&lt;domainList[1]&gt;|&lt;domainList[n]&gt;).\\\"<\/p>\n<p>\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001Google\u30c9\u30e9\u30a4\u30d6\u4e0a\u306e\u30d5\u30a1\u30a4\u30eb\u304b\u3089\u53d6\u5f97\u3057\u305f\u4e00\u610f\u306eID\u5024\u3092\u4f7f\u7528\u3057\u3001Google\u30c9\u30e9\u30a4\u30d6\u901a\u4fe1\u30c1\u30e3\u30cd\u30eb\u3092\u4f7f\u7528\u3057\u3066\u30b8\u30e7\u30d6\u3092\u53d6\u5f97\u3057\u3088\u3046\u3068\u3057\u307e\u3059\u3002Google\u30c9\u30e9\u30a4\u30d6 \u30a2\u30ab\u30a6\u30f3\u30c8\u304b\u3089\u30b8\u30e7\u30d6\u3092\u53d6\u5f97\u3059\u308b\u305f\u3081\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u307e\u305a\u4ee5\u4e0b\u306e\u3088\u3046\u306a\u69cb\u9020\u306e\u6587\u5b57\u5217\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u5185\u306e\u5404\u8981\u7d20\u306f\u3001\u88684\u306e\u6587\u5b57\u7f6e\u63db\u306e\u6570\u5024\u306b\u3088\u3063\u3066\u6c7a\u307e\u308a\u307e\u3059\u3002<\/p>\n<p>c&lt;\u4e00\u610f\u306eID&gt;&lt;3\u6841\u306b\u3059\u308b\u305f\u3081\u306b'0'\u304c\u30d1\u30c7\u30a3\u30f3\u30b0\u3055\u308c\u305f\u30b8\u30e7\u30d6ID&gt;&lt;\u30b7\u30fc\u30b1\u30f3\u30b9\u756a\u53f7&gt;c.&lt;C2\u30c9\u30e1\u30a4\u30f3&gt;<\/p>\n<p>\u6b21\u306b\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u524d\u306b\u4e00\u610f\u306eID\u3092\u53d6\u5f97\u3057\u305f\u3068\u304d\u3068\u540c\u3058\u65b9\u6cd5\u3067\u3001Google\u30c9\u30e9\u30a4\u30d6\u306b\u5bfe\u3059\u308bOAUTH\u30a2\u30af\u30bb\u30b9 
\u30c8\u30fc\u30af\u30f3\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3053\u306e\u30a2\u30af\u30bb\u30b9 \u30c8\u30fc\u30af\u30f3\u3092\u4f7f\u7528\u3057\u3066\u3001\u4e0a\u306e\u6587\u5b57\u5217\u3092Google\u30c9\u30e9\u30a4\u30d6\u306b\u30a2\u30c3\u30d7\u30ed\u30fc\u30c9\u3055\u308c\u305f\u6700\u521d\u306e\u30d5\u30a1\u30a4\u30eb&lt;\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306e\u30d7\u30ed\u30bb\u30b9ID&gt;.txt\u306b\u66f8\u304d\u8fbc\u307f\u307e\u3059\u3002\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u66f8\u304d\u8fbc\u3093\u3060\u5f8c\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u3053\u306e\u30d5\u30a1\u30a4\u30eb\u306e\u5909\u66f4\u6642\u9593\u306b\u5bfe\u3059\u308b\u5909\u66f4\u3092\u7d99\u7d9a\u7684\u306b\u30c1\u30a7\u30c3\u30af\u3059\u308b\u30eb\u30fc\u30d7\u306b\u5165\u308a\u3001\u653b\u6483\u8005\u304c\u30d5\u30a1\u30a4\u30eb\u306b\u5909\u66f4\u3092\u52a0\u3048\u308b\u306e\u3092\u52b9\u7387\u7684\u306b\u5f85\u6a5f\u3057\u307e\u3059\u3002\u653b\u6483\u8005\u304c\u30d5\u30a1\u30a4\u30eb\u3092\u5909\u66f4\u3057\u3066modification_time\u304c\u5909\u66f4\u3055\u308c\u308b\u3068\u3001\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u4ee5\u4e0b\u306e\u69cb\u9020\u306eURL\u306b\u5bfe\u3059\u308bHTTP\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u4f5c\u6210\u3057\u3066\u3001\u30d5\u30a1\u30a4\u30eb\u304b\u3089\u30b3\u30f3\u30c6\u30f3\u30c4\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u307e\u3059\u3002<\/p>\n<p>&lt;'gdu'\u306eGoogle\u30c9\u30e9\u30a4\u30d6\u306eURL&gt; + &lt;'f_id'\u306e\u30d5\u30a1\u30a4\u30ebID&gt; + \"?alt=media\"<\/p>\n<p>\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u30d5\u30a1\u30a4\u30eb\u5185\u306e\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3055\u308c\u305f\u30c7\u30fc\u30bf\u3092\u3001TXT\u30af\u30a8\u30ea \u30e2\u30fc\u30c9\u3092\u4f7f\u7528\u3057\u3066DNS\u30c8\u30f3\u30cd\u30ea\u30f3\u30b0 
\u30c1\u30e3\u30cd\u30eb\u304b\u3089\u53d7\u3051\u53d6\u3063\u305f\u30c7\u30fc\u30bf\u304b\u3089\u30b8\u30e7\u30d6\u3092\u53d6\u5f97\u3059\u308b\u5834\u5408\u3068\u540c\u3058\u65b9\u6cd5\u3067\u51e6\u7406\u3057\u307e\u3059\u3002\u5177\u4f53\u7684\u306b\u306f\u3001\u4ee5\u4e0b\u306e\u6b63\u898f\u8868\u73fe\u3092\u4f7f\u7528\u3057\u3001\u30c7\u30fc\u30bf\u3092\u691c\u7d22\u3057\u3066\u51e6\u7406\u3057\u307e\u3059\u3002<\/p>\n<p>([^r-v\\\\s]+)[r-v]([\\\\w\\\\d+\\\\\/=]+).(&lt;domainList[0]&gt;|&lt;domainList[1]&gt;|&lt;domainList[n]&gt;)<\/p>\n<p>\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u306f\u3001\u4e00\u81f4\u3059\u308b\u30c7\u30fc\u30bf\u3001\u5177\u4f53\u7684\u306b\u306f\u30bb\u30d1\u30ec\u30fc\u30bf\u4e0a\u306e\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3(\u3059\u306a\u308f\u3061r\u3068v\u306e\u9593\u306e\u6587\u5b57)\u3092\u5206\u5272\u3057\u3001\u3088\u308a\u591a\u304f\u306e\u30c7\u30fc\u30bf\u304c\u5fc5\u8981\u306a\u5834\u5408\u306f\u3001\u30bb\u30d1\u30ec\u30fc\u30bf\u306e\u524d\u306b\u3042\u308b\u30c7\u30fc\u30bf\u3092\u4f7f\u7528\u3057\u3066\u30b7\u30fc\u30b1\u30f3\u30b9\u756a\u53f7\u3084\u30d6\u30fc\u30eb\u5024(0\u307e\u305f\u306f1)\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002\u30bb\u30d1\u30ec\u30fc\u30bf\u306e\u5f8c\u306b\u3042\u308b\u30c7\u30fc\u30bf\u306f\u3001\u88685\u306b\u793a\u3059\u30b3\u30de\u30f3\u30c9 \u30cf\u30f3\u30c9\u30e9\u306b\u5f93\u3046\u6587\u5b57\u5217\u3068\u3057\u3066\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<h2><span style=\"color: #000000;\">\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3<\/span><\/h2>\n<p><a href=\"https:\/\/twitter.com\/360TIC\/status\/1083289987339042817\">360TIC<\/a>\u306b\u3088\u308a\u30ea\u30ea\u30fc\u30b9\u3055\u308c\u305f513813af15\u2026\u306b\u95a2\u9023\u3059\u308bC2\u30c9\u30e1\u30a4\u30f3\u306e\u521d\u671f\u306e\u30ea\u30b9\u30c8\u306f\u3001\u6709\u540d\u306a\u30c6\u30af\u30ce\u30ed\u30b8 \u30d9\u30f3\u30c0\u30fc\u3084\u30b5\u30fc\u30d3\u30b9 
\u30d7\u30ed\u30d0\u30a4\u30c0\u30fc\u306e\u540d\u524d\u3068\u898b\u9593\u9055\u3048\u3066\u3057\u307e\u3044\u305d\u3046\u306a\u30c9\u30e1\u30a4\u30f3\u540d\u3092\u4f7f\u7528\u3057\u3066\u304a\u308a\u3001DarkHydrus\u306e\u4ee5\u524d\u306e\u6d3b\u52d5\u3068\u30c6\u30fc\u30de\u304c\u975e\u5e38\u306b\u3088\u304f\u4f3c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30ea\u30b9\u30c8\u306f\u3001DarkHydrus\u306b\u3082\u30ea\u30f3\u30af\u3057\u3066\u3044\u308b\u3088\u304f\u4f3c\u305f\u30c9\u30e1\u30a4\u30f3\u540d\u3092\u63d0\u4f9b\u3059\u308b\u3001ClearSky Security\u306e\u4e00\u9023\u306e\u30c4\u30a4\u30fc\u30c8\u306b\u3088\u3063\u3066\u3055\u3089\u306b\u62e1\u5f35\u3055\u308c\u307e\u3057\u305f(<a href=\"https:\/\/twitter.com\/ClearskySec\/status\/1083381871411646464\">\u3053\u3061\u3089<\/a>\u3068<a href=\"https:\/\/twitter.com\/ClearskySec\/status\/1083381924574449664\">\u3053\u3061\u3089<\/a>\u3068<a href=\"https:\/\/twitter.com\/ClearskySec\/status\/1083776585474457600\">\u3053\u3061\u3089<\/a>)\u3002\u3053\u308c\u3089\u306e\u30c9\u30e1\u30a4\u30f3\u3068DarkHydrus\u3068\u306e\u95a2\u9023\u3092\u7406\u89e3\u3057\u3084\u3059\u3044\u3088\u3046\u306b\u3001\u30c9\u30e1\u30a4\u30f3\u306e\u30ea\u30b9\u30c8\u9593\u3092\u8996\u899a\u7684\u306b\u30de\u30c3\u30d4\u30f3\u30b0\u3057\u307e\u3057\u305f(\u56f37\u53c2\u7167)\u3002\u3053\u306e\u56f3\u306f\u3001DarkHydrus\u30b0\u30eb\u30fc\u30d7\u304c\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u3067\u4e00\u8cab\u3057\u305f\u547d\u540d\u30b9\u30ad\u30fc\u30de\u3068\u69cb\u9020\u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002DarkHydrus\u30b0\u30eb\u30fc\u30d7\u306f\u591a\u6570\u306e\u30c9\u30e1\u30a4\u30f3\u3092\u767b\u9332\u3057\u3001\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u3092\u8a2d\u5b9a\u3057\u3066\u3001C2\u30c9\u30e1\u30a4\u30f3\u306e\u30d7\u30e9\u30a4\u30de\u30eaDNS\u3068\u3057\u3066\u4f7f\u7528\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure 
id=\"attachment_96159\" aria-describedby=\"caption-attachment-96159\" style=\"width: 796px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure7.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-96159 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure7.png\" sizes=\"(max-width: 796px) 100vw, 796px\" srcset=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure7.png 2640w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure7-300x256.png 300w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure7-768x655.png 768w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure7-1024x874.png 1024w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure7-874x746.png 874w, https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/01\/darkhydrus_figure7-370x316.png 370w\" alt=\"\u56f37 DarkHydrus\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306e\u76f8\u95a2\u56f3\" width=\"796\" height=\"679\" \/><\/a><figcaption id=\"caption-attachment-96159\" class=\"wp-caption-text\">\u56f37 
DarkHydrus\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306e\u76f8\u95a2\u56f3<\/figcaption><\/figure>\n<p>\u3053\u306e\u30ad\u30e3\u30f3\u30da\u30fc\u30f3\u306e\u305f\u3081\u306b\u3001C2\u7528\u306b\u5c0e\u5165\u3055\u308c\u305f\u7279\u5b9a\u306e\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u3092\u4f7f\u7528\u3057\u3066\u3001\u653b\u6483\u8005\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u3092\u30af\u30e9\u30b9\u30bf\u5316\u3067\u304d\u307e\u3059\u3002\u56f37\u3067\u306f\u3001\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u30923\u3064\u306e\u30b0\u30eb\u30fc\u30d7\u306b\u660e\u78ba\u306b\u30af\u30e9\u30b9\u30bf\u5316\u3057\u3066\u3044\u307e\u3059\u30022\u3064\u306e\u30af\u30e9\u30b9\u30bf\u306b\u95a2\u9023\u3059\u308b\u30e9\u30a4\u30d6 \u30da\u30a4\u30ed\u30fc\u30c9\u3092\u53d6\u308a\u51fa\u3059\u3053\u3068\u304c\u3067\u304d\u307e\u3057\u305f\u30023\u3064\u76ee\u306e\u30af\u30e9\u30b9\u30bf\u306fClearSky Security\u3068\u3082\u5171\u6709\u3055\u308c\u3066\u3044\u307e\u3057\u305f\u304c\u3001\u30e9\u30a4\u30d6 \u30da\u30a4\u30ed\u30fc\u30c9\u3092ClearSky Security\u3068\u95a2\u9023\u4ed8\u3051\u308b\u3053\u3068\u306f\u3067\u304d\u307e\u305b\u3093\u3067\u3057\u305f\u30023\u3064\u76ee\u306e\u30af\u30e9\u30b9\u30bf\u306f\u4ed6\u306e2\u3064\u306e\u30af\u30e9\u30b9\u30bf\u3068\u76f4\u63a5\u95a2\u4fc2\u304c\u3042\u308b\u3088\u3046\u306b\u306f\u898b\u3048\u307e\u305b\u3093\u304c\u3001\u3053\u306e\u30af\u30e9\u30b9\u30bf\u306f\u3001\u30c9\u30e1\u30a4\u30f3\u3068\u30ab\u30b9\u30bf\u30e0 
\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u306e\u69cb\u9020\u3092\u901a\u3058\u3066\u4ed6\u306e2\u3064\u306e\u30af\u30e9\u30b9\u30bf\u3068\u95a2\u9023\u3057\u3066\u3044\u308b\u53ef\u80fd\u6027\u304c\u6975\u3081\u3066\u9ad8\u3044\u3068\u8a00\u3048\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u30c9\u30e1\u30a4\u30f3\u540d\u81ea\u4f53\u304c\u975e\u5e38\u306b\u4f3c\u3066\u304a\u308a\u3001\u3044\u304f\u3064\u304b\u306e\u4f8b\u3067\u306f\u307e\u3063\u305f\u304f\u540c\u3058\u3067\u3001\u30c8\u30c3\u30d7 \u30ec\u30d9\u30eb \u30c9\u30e1\u30a4\u30f3\u304c\u7570\u306a\u3063\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u53d6\u308a\u51fa\u3057\u305f\u30da\u30a4\u30ed\u30fc\u30c9\u306b\u95a2\u9023\u4ed8\u3051\u308b\u3053\u3068\u304c\u3067\u304d\u305f2\u3064\u306e\u30cd\u30fc\u30e0 \u30b5\u30fc\u30d0\u30fc\u306e\u30bb\u30c3\u30c8\u306f\u3001tbs1\/tbs2.microsoftonline.services\u3068tvs1\/tvs2.trafficmanager.live\u3067\u3059\u3002C2\u30c9\u30e1\u30a4\u30f3\u3068\u305d\u306e\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u306e\u5206\u5e03\u3092\u88687\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n<table class=\"table table-bordered table-striped\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"11%\"><b>\u30b5\u30f3\u30d7\u30eb<\/b><\/td>\n<td width=\"88%\">f1b2bc0831445903c0d51b390b1987597009cc0fade009e07d792e8d455f6db0<br \/>\n5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><b>DNS<\/b><\/td>\n<td width=\"88%\">tbs1\/tbs2.microsoftonline.services<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><b>\u30c9\u30e1\u30a4\u30f3<\/b><\/td>\n<td width=\"88%\">0ffice365[.]agency<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td width=\"88%\">0ffice365[.]life<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td width=\"88%\">0ffice365[.]services<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td width=\"88%\">0nedrive[.]agency<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td 
width=\"88%\">corewindows[.]agency<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td width=\"88%\">microsoftonline[.]agency<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td width=\"88%\">onedrive[.]agency<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td width=\"88%\">sharepoint[.]agency<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td width=\"88%\">skydrive[.]agency<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><\/td>\n<td width=\"88%\">skydrive[.]services<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><b>\u30b5\u30f3\u30d7\u30eb<\/b><\/td>\n<td width=\"88%\">eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><b>DNS<\/b><\/td>\n<td width=\"88%\">tvs1\/tvs2.trafficmanager.live<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><b>\u30c9\u30e1\u30a4\u30f3<\/b><\/td>\n<td width=\"88%\">akamaiedge[.]live<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><b>\u00a0<\/b><\/td>\n<td width=\"88%\">akamaized[.]live<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><b>\u00a0<\/b><\/td>\n<td width=\"88%\">akdns[.]live<\/td>\n<\/tr>\n<tr>\n<td width=\"11%\"><b>\u00a0<\/b><\/td>\n<td width=\"88%\">edgekey[.]live<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: left;\"><i>\u88687: 
\u30b5\u30f3\u30d7\u30eb\u3068\u30c9\u30e1\u30a4\u30f3\u306e\u95a2\u9023<\/i><\/p>\n<p>\u30c9\u30e1\u30a4\u30f3\u306e3\u3064\u76ee\u306e\u30af\u30e9\u30b9\u30bf\u306b\u306f6\u3064\u306e\u7570\u306a\u308b\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u304c\u95a2\u9023\u4ed8\u3051\u3089\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u4ed6\u306e2\u3064\u306e\u30af\u30e9\u30b9\u30bf\u3068\u306f\u7570\u306a\u308a\u3001\u3059\u3079\u3066\u4e92\u3044\u306b\u76f4\u63a5\u7d50\u3073\u4ed8\u3051\u3089\u308c\u3066\u3044\u307e\u3059\u3002\u5404\u30c9\u30e1\u30a4\u30f3\u306f6\u3064\u306e\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u3092\u9806\u306b\u5229\u7528\u3057\u3066\u3044\u308b\u3088\u3046\u306b\u898b\u3048\u307e\u3059\u304c\u3001\u5947\u5999\u306a\u3053\u3068\u306b\u3001\u8907\u6570\u306e\u30c9\u30e1\u30a4\u30f3\u304c\u5229\u7528\u3057\u3066\u3044\u305f\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u306e1\u3064\u306f\u73fe\u5728\u767b\u9332\u3055\u308c\u3066\u3044\u306a\u3044\u3088\u3046\u3067\u3059\u3002IP\u89e3\u6c7a\u306e\u5c65\u6b74\u3092\u8abf\u3079\u308b\u3068\u3001\u30a2\u30af\u30c6\u30a3\u30d6\u306a\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u9593\u3067\u5171\u901a\u306eIP 
107.175.75[.]123\u304c\u5b58\u5728\u3059\u308b\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002\u3053\u306eIP\u306f\u975e\u5e38\u306b\u8208\u5473\u6df1\u3044IP\u3067\u3059\u3002\u3053\u306eIP\u306e\u30c9\u30e1\u30a4\u30f3\u89e3\u6c7a\u5c65\u6b74\u306b\u3088\u308b\u3068\u3001\u904e\u53bb\u306b\u3082\u30c9\u30e1\u30a4\u30f3hotmai1l[.]com\u306b\u89e3\u6c7a\u3055\u308c\u3066\u3044\u305f\u3053\u3068\u304c\u308f\u304b\u308a\u307e\u3057\u305f\u3002\u3053\u308c\u306f\u3001DarkHydrus\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u3068\u306e\u95a2\u9023\u6027\u304c\u975e\u5e38\u306b\u9ad8\u3044\u3053\u3068\u304c\u904e\u53bb\u306b\u7279\u5b9a\u3055\u308c\u305f\u30c9\u30e1\u30a4\u30f3\u3067\u3059\u3002\u3055\u3089\u306b\u3001\u3053\u306eIP\u306f\u3001\u6211\u3005\u304cDarkHydrus\u3068\u95a2\u9023\u4ed8\u3051\u305f\u5225\u306eIP 107.175.150[.]113 (\u88ab\u5bb3\u7d44\u7e54\u306e\u540d\u524d\u3092\u542b\u3080\u30c9\u30e1\u30a4\u30f3\u540d\u306b\u89e3\u6c7a\u3055\u308c\u308b)\u3068\u540c\u3058\u30b5\u30fc\u30d3\u30b9 \u30d7\u30ed\u30d0\u30a4\u30c0\u30fc\u304a\u3088\u3073\u30af\u30e9\u30b9B\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7bc4\u56f2\u306b\u5c5e\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<h2><span style=\"color: #000000;\">\u7d50\u8ad6<\/span><\/h2>\n<p>DarkHydrus\u30b0\u30eb\u30fc\u30d7\u306f\u6d3b\u52d5\u3092\u7d99\u7d9a\u3057\u3066\u304a\u308a\u3001\u6226\u7565\u306b\u306f\u65b0\u305f\u306a\u30c6\u30af\u30cb\u30c3\u30af\u304c\u52a0\u308f\u3063\u3066\u3044\u307e\u3059\u3002DarkHydrus\u306e\u6700\u65b0\u306e\u914d\u4fe1\u6587\u66f8\u306b\u3088\u308b\u3068\u3001\u3053\u306e\u30b0\u30eb\u30fc\u30d7\u304cAppLocker\u30d0\u30a4\u30d1\u30b9\u306a\u3069\u30aa\u30fc\u30d7\u30f3\u30bd\u30fc\u30b9\u306e\u4fb5\u5165\u30c6\u30b9\u30c8 
\u30c6\u30af\u30cb\u30c3\u30af\u3092\u60aa\u7528\u3057\u3066\u3044\u308b\u3053\u3068\u304c\u5224\u660e\u3057\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u914d\u4fe1\u6587\u66f8\u306b\u3088\u3063\u3066\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3055\u308c\u305f\u30da\u30a4\u30ed\u30fc\u30c9\u306f\u3001DarkHydrus\u306e\u653b\u6483\u8005\u304c\u4ee5\u524d\u306ePowerShell\u30d9\u30fc\u30b9\u306eRogueRobin\u30b3\u30fc\u30c9\u3092\u5b9f\u884c\u30d5\u30a1\u30a4\u30eb\u306e\u4e9c\u7a2e\u306b\u79fb\u690d\u3057\u305f\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u306f\u3001OilRig\u306a\u3069\u306e\u4e2d\u6771\u3067\u6d3b\u52d5\u3059\u308b\u4ed6\u306e\u653b\u6483\u8005\u306e\u30b0\u30eb\u30fc\u30d7\u3067\u3088\u304f\u898b\u3089\u308c\u308b\u632f\u308b\u821e\u3044\u3067\u3059\u3002\u6700\u5f8c\u306b\u3001RogueRobin\u306e\u65b0\u3057\u3044\u4e9c\u7a2e\u306f\u3001C2\u30c1\u30e3\u30cd\u30eb\u306bGoogle\u30c9\u30e9\u30a4\u30d6 \u30af\u30e9\u30a6\u30c9 \u30b5\u30fc\u30d3\u30b9\u3092\u4f7f\u7528\u3067\u304d\u307e\u3059\u3002\u3053\u308c\u306f\u3001DarkHydrus\u304c\u30a4\u30f3\u30d5\u30e9\u30b9\u30c8\u30e9\u30af\u30c1\u30e3\u306e\u305f\u3081\u306b\u6b63\u898f\u306e\u30af\u30e9\u30a6\u30c9 
\u30b5\u30fc\u30d3\u30b9\u3092\u60aa\u7528\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001\u4ee5\u4e0b\u306b\u3088\u3063\u3066\u65e2\u306b\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u3053\u306e\u30ec\u30dd\u30fc\u30c8\u306e\u3059\u3079\u3066\u306e\u30b5\u30f3\u30d7\u30eb\u306fWildFire\u5185\u3067\u60aa\u610f\u304c\u3042\u308b\u3068\u5224\u65ad\u3055\u308c\u307e\u3059<\/li>\n<li>\u30c9\u30e1\u30a4\u30f3\u306f\u60aa\u610f\u304c\u3042\u308b\u3082\u306e\u3068\u3057\u3066\u5206\u985e\u3055\u308c\u3066\u3044\u307e\u3059<\/li>\n<li>\u6b21\u306e\u3088\u3046\u306a\u3001\u8ffd\u52a0\u306e\u30b3\u30f3\u30c6\u30ad\u30b9\u30c8\u306e\u305f\u3081\u306eAutofocus\u30bf\u30b0\u3092\u4f7f\u7528\u3067\u304d\u307e\u3059\u3002<a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.DarkHydrus\">DarkHydrus<\/a>\u304a\u3088\u3073<a href=\"https:\/\/autofocus.paloaltonetworks.com\/#\/tag\/Unit42.RogueRobin\">RogueRobin<\/a><\/li>\n<\/ul>\n<h2><span style=\"color: #000000;\">IOC<\/span><\/h2>\n<h3><span style=\"color: #000000;\">\u914d\u4fe1\u6587\u66f8SHA256<\/span><\/h3>\n<p>513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8<\/p>\n<p>e068c6536bf353abe249ad0464c58fb85d7de25223442dd220d64116dbf1e022<\/p>\n<p>4e40f80114e5bd44a762f6066a3e56ccdc0d01ab2a18397ea12e0bc5508215b8<\/p>\n<h3><span style=\"color: #000000;\">RogueRobin SHA256<\/span><\/h3>\n<p>eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97<\/p>\n<p>f1b2bc0831445903c0d51b390b1987597009cc0fade009e07d792e8d455f6db0<\/p>\n<p>5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c<\/p>\n<h3><span style=\"color: #000000;\">RogueRobin 
C2s<\/span><\/h3>\n<p>akdns[.]live<\/p>\n<p>akamaiedge[.]live<\/p>\n<p>edgekey[.]live<\/p>\n<p>akamaized[.]live<\/p>\n<p>0ffice365[.]agency<\/p>\n<p>0nedrive[.]agency<\/p>\n<p>corewindows[.]agency<\/p>\n<p>microsoftonline[.]agency<\/p>\n<p>onedrive[.]agency<\/p>\n<p>sharepoint[.]agency<\/p>\n<p>skydrive[.]agency<\/p>\n<p>0ffice365[.]life<\/p>\n<p>0ffice365[.]services<\/p>\n<p>skydrive[.]services<\/p>\n<p>skydrive[.]agency<\/p>\n<h3><span style=\"color: #000000;\">\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc<\/span><\/h3>\n<p>tvs1.trafficmanager[.]live<\/p>\n<p>tvs2.trafficmanager[.]live<\/p>\n<p>tbs1.microsoftonline[.]services<\/p>\n<p>tbs2.microsoftonline[.]services<\/p>\n<p>brit.ns.cloudfronts[.]services<\/p>\n<p>dns.cloudfronts[.]services<\/p>\n<p>ns2.akadns[.]services<\/p>\n<p>britns.akadns[.]services<\/p>\n<p>britns.akadns[.]live<\/p>\n<p>ns2.akadns[.]live<\/p>\n<h3><span style=\"color: #000000;\">\u95a2\u9023\u30c9\u30e1\u30a4\u30f3<\/span><\/h3>\n<p>iecvlist-microsoft[.]live<\/p>\n<p>data-microsoft[.]services<\/p>\n<p>asimov-win-microsoft[.]services<\/p>\n<p>onecs-live[.]services<\/p>\n<p>akamaiedge[.]services<\/p>\n<p>phicdn[.]world<\/p>\n<p>azureedge[.]today<\/p>\n<p>nsatc[.]agency<\/p>\n<p>Akamai[.]agency<\/p>\n<p>t-msedge[.]world<\/p>\n<p>&nbsp;<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The DarkHydrus group has begun using a new version of the RogueRobin backdoor. This version is written in C# and in addition to using DNS Tunneling for command and control, can also use Google Drive. 
<\/p>\n","protected":false},"author":22,"featured_media":99566,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4322,1974,4431,4428],"tags":[6451,4521,6805,6251,6806],"product_categories":[4340,4444],"coauthors":[935,934],"class_list":["post-99619","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-actor-groups","category-malware-ja","category-threat-actor-groups-ja","category-threat-research-ja","tag-darkhydrus-ja","tag-dns-tunneling-ja","tag-google-drive-ja","tag-middle-east-ja","tag-roguerobin","product_categories-advanced-wildfire","product_categories-advanced-wildfire-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03<\/title>\n<meta name=\"description\" content=\"2018\u5e74\u590f\u306b\u5831\u544a\u3057\u305fDarkHydrus\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u4e2d\u6771\u3067\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u306e\u7d9a\u7de8\u3067\u3059\u3002\u6700\u8fd1360TIC\u304c\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u95a2\u4e0e\u304c\u7591\u308f\u308c\u308b\u653b\u6483\u3092\u8abf\u67fb\u3057\u7d50\u679c\u3092\u516c\u958b\u3057\u307e\u3057\u305f\u3002Unit42\u3082\u8ffd\u52a0\u3067\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u653b\u6483\u306b\u3064\u3044\u3066\u95a2\u9023\u30b5\u30f3\u30d7\u30eb\u3092\u53ce\u96c6\u3057\u65b0\u305f\u306b\u8ffd\u52a0\u3055\u308c\u305f\u6a5f\u80fd\u3092\u660e\u3089\u304b\u306b\u3057\u3066\u3044\u307e\u3059\u3002\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link 
rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03\" \/>\n<meta property=\"og:description\" content=\"2018\u5e74\u590f\u306b\u5831\u544a\u3057\u305fDarkHydrus\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u4e2d\u6771\u3067\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u306e\u7d9a\u7de8\u3067\u3059\u3002\u6700\u8fd1360TIC\u304c\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u95a2\u4e0e\u304c\u7591\u308f\u308c\u308b\u653b\u6483\u3092\u8abf\u67fb\u3057\u7d50\u679c\u3092\u516c\u958b\u3057\u307e\u3057\u305f\u3002Unit42\u3082\u8ffd\u52a0\u3067\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u653b\u6483\u306b\u3064\u3044\u3066\u95a2\u9023\u30b5\u30f3\u30d7\u30eb\u3092\u53ce\u96c6\u3057\u65b0\u305f\u306b\u8ffd\u52a0\u3055\u308c\u305f\u6a5f\u80fd\u3092\u660e\u3089\u304b\u306b\u3057\u3066\u3044\u307e\u3059\u3002\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2019-01-18T14:00:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-10-04T07:37:47+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/10\/unit42-blog-600x300.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"600\" \/>\n\t<meta property=\"og:image:height\" content=\"300\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Robert 
Falcone, Bryan Lee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03\" \/>\n<meta name=\"twitter:description\" content=\"2018\u5e74\u590f\u306b\u5831\u544a\u3057\u305fDarkHydrus\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u4e2d\u6771\u3067\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u306e\u7d9a\u7de8\u3067\u3059\u3002\u6700\u8fd1360TIC\u304c\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u95a2\u4e0e\u304c\u7591\u308f\u308c\u308b\u653b\u6483\u3092\u8abf\u67fb\u3057\u7d50\u679c\u3092\u516c\u958b\u3057\u307e\u3057\u305f\u3002Unit42\u3082\u8ffd\u52a0\u3067\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u653b\u6483\u306b\u3064\u3044\u3066\u95a2\u9023\u30b5\u30f3\u30d7\u30eb\u3092\u53ce\u96c6\u3057\u65b0\u305f\u306b\u8ffd\u52a0\u3055\u308c\u305f\u6a5f\u80fd\u3092\u660e\u3089\u304b\u306b\u3057\u3066\u3044\u307e\u3059\u3002\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03","description":"2018\u5e74\u590f\u306b\u5831\u544a\u3057\u305fDarkHydrus\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u4e2d\u6771\u3067\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u306e\u7d9a\u7de8\u3067\u3059\u3002\u6700\u8fd1360TIC\u304c\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u95a2\u4e0e\u304c\u7591\u308f\u308c\u308b\u653b\u6483\u3092\u8abf\u67fb\u3057\u7d50\u679c\u3092\u516c\u958b\u3057\u307e\u3057\u305f\u3002Unit42\u3082\u8ffd\u52a0\u3067\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u653b\u6483\u306b\u3064\u3044\u3066\u95a2\u9023\u30b5\u30f3\u30d7\u30eb\u3092\u53ce\u96c6\u3057\u65b0\u305f\u306b\u8ffd\u52a0\u3055\u308c\u305f\u6a5f\u80fd\u3092\u660e\u3089\u304b\u306b\u3057\u3066\u3044\u307e\u3059\u3002","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/","og_locale":"ja_JP","og_type":"article","og_title":"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03","og_description":"2018\u5e74\u590f\u306b\u5831\u544a\u3057\u305fDarkHydrus\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u4e2d\u6771\u3067\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u306e\u7d9a\u7de8\u3067\u3059\u3002\u6700\u8fd1360TIC\u304c\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u95a2\u4e0e\u304c\u7591\u308f\u308c\u308b\u653b\u6483\u3092\u8abf\u67fb\u3057\u7d50\u679c\u3092\u516c\u958b\u3057\u307e\u3057\u305f\u3002Unit42\u3082\u8ffd\u52a0\u3067\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u653b\u6483\u3
06b\u3064\u3044\u3066\u95a2\u9023\u30b5\u30f3\u30d7\u30eb\u3092\u53ce\u96c6\u3057\u65b0\u305f\u306b\u8ffd\u52a0\u3055\u308c\u305f\u6a5f\u80fd\u3092\u660e\u3089\u304b\u306b\u3057\u3066\u3044\u307e\u3059\u3002","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/","og_site_name":"Unit 42","article_published_time":"2019-01-18T14:00:49+00:00","article_modified_time":"2019-10-04T07:37:47+00:00","og_image":[{"width":600,"height":300,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/10\/unit42-blog-600x300.jpg","type":"image\/jpeg"}],"author":"Robert Falcone, Bryan Lee","twitter_card":"summary_large_image","twitter_title":"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03","twitter_description":"2018\u5e74\u590f\u306b\u5831\u544a\u3057\u305fDarkHydrus\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u4e2d\u6771\u3067\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u306e\u7d9a\u7de8\u3067\u3059\u3002\u6700\u8fd1360TIC\u304c\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u95a2\u4e0e\u304c\u7591\u308f\u308c\u308b\u653b\u6483\u3092\u8abf\u67fb\u3057\u7d50\u679c\u3092\u516c\u958b\u3057\u307e\u3057\u305f\u3002Unit42\u3082\u8ffd\u52a0\u3067\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u653b\u6483\u306b\u3064\u3044\u3066\u95a2\u9023\u30b5\u30f3\u30d7\u30eb\u3092\u53ce\u96c6\u3057\u65b0\u305f\u306b\u8ffd\u52a0\u3055\u308c\u305f\u6a5f\u80fd\u3092\u660e\u3089\u304b\u306b\u3057\u3066\u3044\u307e\u3059\u3002","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/
"},"author":{"name":"Robert Falcone","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/99e613cb620722a191a363182abe6fb1"},"headline":"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03","datePublished":"2019-01-18T14:00:49+00:00","dateModified":"2019-10-04T07:37:47+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/"},"wordCount":1156,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/10\/unit42-blog-600x300.jpg","keywords":["DarkHydrus","DNS tunneling","Google Drive","Middle East","RogueRobin"],"articleSection":["Threat Actor Groups","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30a2\u30af\u30bf\u30fc 
\u30b0\u30eb\u30fc\u30d7","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/","name":"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/10\/unit42-blog-600x300.jpg","datePublished":"2019-01-18T14:00:49+00:00","dateModified":"2019-10-04T07:37:47+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/99e613cb620722a191a363182abe6fb1"},"description":"2018\u5e74\u590f\u306b\u5831\u544a\u3057\u305fDarkHydrus\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306b\u3088\u308b\u4e2d\u6771\u3067\u306e\u6d3b\u52d5\u306b\u95a2\u3059\u308b\u30ec\u30dd\u30fc\u30c8\u306e\u7d9a\u7de8\u3067\u3059\u3002\u6700\u8fd1360TIC\u304c\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u95a2\u4e0e\u304c\u7591\u308f\u308c\u308b\u653b\u6483\u3092\u8abf\u67fb\u3057\u7d50\u679c\u3092\u516c\u958b\u3057\u307e\u3057\u305f\u3002Unit42\u3082\u8ffd\u52a0\u3067\u540c\u30b0\u30eb\u30fc\u30d7\u306e\u653b\u6483\u306b\u3064\u3044\
u3066\u95a2\u9023\u30b5\u30f3\u30d7\u30eb\u3092\u53ce\u96c6\u3057\u65b0\u305f\u306b\u8ffd\u52a0\u3055\u308c\u305f\u6a5f\u80fd\u3092\u660e\u3089\u304b\u306b\u3057\u3066\u3044\u307e\u3059\u3002","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/10\/unit42-blog-600x300.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2019\/10\/unit42-blog-600x300.jpg","width":600,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"DarkHydrus\u304cC2\u901a\u4fe1\u306bGoogle\u30c9\u30e9\u30a4\u30d6\u3092\u4f7f\u7528\u3067\u304d\u308b\u65b0\u3057\u3044\u30c8\u30ed\u30a4\u306e\u6728\u99ac\u3092\u914d\u5e03"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto 
Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/99e613cb620722a191a363182abe6fb1","name":"Robert Falcone","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Robert Falcone"},"url":"https:\/\/unit42.paloaltonetworks.com\/ja\/author\/robertfalcone\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/99619","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/22"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=99619"}],"version-history":[{"count":3,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/99619\/revisions"}],"predecessor-version":[{"id":99621,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/99619\/revisions\/99621"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/99566"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=99619"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"
https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=99619"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=99619"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=99619"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=99619"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}