Recently, a professional cybercrime group has been running a large-scale, bulk "spray-and-pray" email phishing campaign against exchange users. SlowMist advises users to learn the exchange's official email domain suffix and to treat links and attachments in email from unknown sources with caution.

Original title: "SlowMist: Analysis of a Fake Electrum Spear-Phishing Attack"
Author: 爱上平顶山, member of the SlowMist security team

Recently, the SlowMist security team received intelligence that a professional cybercrime group was conducting a large-scale, bulk email phishing campaign against exchange users.

The phishing email is shown below:
[Screenshot: the phishing email]

After receiving the intelligence, the SlowMist security team immediately began analysis. The detailed analysis follows.

Attack details

We clicked through to the landing page:
[Screenshot: the landing page]

As the screenshot shows, download links are offered for Mac OS X / macOS / Windows; each link points to the location where the attacker's trojan files are hosted.

The hosting account was created 3 days ago and contains two repositories:
b*****.github.io
b*****t

The sample "Bi****-Setup.exe" shown above is the Windows malicious file.
"index.html" is a counterfeit upgrade-prompt page that lures the user into downloading the "upgrade".

Detailed analysis

Next we analyze the Windows and Mac versions separately.

1. Windows

The digital signature of the sample "Bi****-Setup.exe" is shown below:
[Screenshot: digital signature of Bi****-Setup.exe]

(1) Basic information about the EXE
File name: B-KYC-Setup.exe
Embedded files (name / MD5 / type):
script.txt / 877da6cdd4eb284e2d8887b24a24168c / Unknown
setup.exe / fe1818a5e8aed139a8ccf9f60312bb30 / EXE
WinSCP.exe / e71c39688fad97b66af3e297a04c3663 / EXE

(2) Key behavior
Behavior: blocks the window-close message
Details: hWnd = 0x00030336, Text = Deep Onion Setup: Completed, ClassName = #32770

(3) Process behavior
Behavior: creates local threads
Details:
TargetProcess: %temp%.exe, InheritedFromPID = 2000, ProcessID = 2888, ThreadID = 2948, StartAddress = 00405209, Parameter = 0001034A
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3188, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3192, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3196, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3200, StartAddress = 00819BF4, Parameter = 0272E270
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3232, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3236, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3240, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3244, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3180, ThreadID = 3248, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3180, ThreadID = 3252, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3264, StartAddress = 009B8C28, Parameter = 026F4B90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3280, StartAddress = 009B8C28, Parameter = 026F4C90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3284, StartAddress = 009B8C28, Parameter = 026F4B90
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3352, StartAddress = 009B8C28, Parameter = 026F4B90

(Editor: admin1)
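The advice at the top of the article, to check the sender's domain suffix against the exchange's official one, can be automated at the mail gateway or in a triage script. The following is an added example written for this page, not SlowMist's code: it parses the From: header, treats only the configured official domain (and its subdomains) as genuine, and otherwise reports the three patterns this kind of campaign relies on: a lookalike domain that embeds the brand or is a one- or two-character typo of the real domain, a display name that carries the official address while the real address is elsewhere, and an exact official domain that the gateway did not authenticate. The domain "exchange.example", the Authentication-Results header text and all five messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for illustration; substitute the exchange's real sending domain(s).
OFFICIAL_DOMAINS = {"exchange.example"}


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats of the official domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_parts(raw_message):
    """Return (display_name, domain) from the From: header, lower-cased."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    return name.lower(), addr.rpartition("@")[2].lower()


def dmarc_result(raw_message):
    """Gateway verdict from Authentication-Results (RFC 8601); 'none' if absent."""
    msg = message_from_string(raw_message)
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else "none"


def classify_sender(raw_message, official=OFFICIAL_DOMAINS):
    name, domain = sender_parts(raw_message)
    for good in official:
        if domain == good or domain.endswith("." + good):
            # The header alone proves nothing; it must also have passed DMARC at the gateway.
            return "official" if dmarc_result(raw_message) == "pass" else "unauthenticated"
    for good in official:
        brand = good.split(".")[0]
        if brand in domain or levenshtein(domain, good) <= 2:
            return "lookalike"          # e.g. exchange-example-update.com, exchage.example
        if brand in name:
            return "display-name-spoof"  # official-looking name, unrelated real address
    return "unknown"


# Constructed messages reproducing the patterns described in the analysis.
PHISH = ("From: Exchange Support <support@exchange-example-update.com>\r\n"
         "Subject: Security upgrade required\r\n\r\nPlease download the new client.\r\n")
TYPO = "From: noreply@exchage.example\r\nSubject: Upgrade\r\n\r\nbody\r\n"
SPOOF = ('From: "support@exchange.example" <random123@freemail.example>\r\n'
         "Subject: Upgrade\r\n\r\nbody\r\n")
GENUINE = ("Authentication-Results: mx.example; dmarc=pass header.from=exchange.example\r\n"
           "From: Exchange <noreply@exchange.example>\r\nSubject: Notice\r\n\r\nbody\r\n")
FORGED = "From: Exchange <noreply@exchange.example>\r\nSubject: Notice\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for label, msg in [("PHISH", PHISH), ("TYPO", TYPO), ("SPOOF", SPOOF),
                       ("GENUINE", GENUINE), ("FORGED", FORGED)]:
        print(label, "->", classify_sender(msg))
```

Anything other than "official" should route the message to quarantine or at least strip its links and attachments before delivery; the DMARC check matters because the From: header itself costs an attacker nothing to forge.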
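The sandbox output in sections (1) and (3) is worth more than a static listing: the embedded-file hashes are ready-made IoCs, and the thread records show one executable running from %temp% (PID 2888) fanning out across five WinSCP.exe processes. The following is an added example written for this page, not SlowMist's code or the sandbox vendor's format specification: it parses both record kinds as they appear above, rebuilds the parent/child process tree from InheritedFromPID and ProcessID, and flags any parent whose image runs from a temp path and that spawned three or more distinct children. The REPORT excerpt reproduces lines from the analysis verbatim (a subset of the thread records); the "temp"-in-image heuristic and the threshold of three children are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt reproducing report lines from the analysis above (first seven thread records only).
REPORT = """\
script.txt / 877da6cdd4eb284e2d8887b24a24168c / Unknown
setup.exe / fe1818a5e8aed139a8ccf9f60312bb30 / EXE
WinSCP.exe / e71c39688fad97b66af3e297a04c3663 / EXE
TargetProcess: %temp%.exe, InheritedFromPID = 2000, ProcessID = 2888, ThreadID = 2948, StartAddress = 00405209, Parameter = 0001034A
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3188, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3140, ThreadID = 3192, StartAddress = 00819BF4, Parameter = 0272E170
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3164, ThreadID = 3196, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3172, ThreadID = 3232, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3120, ThreadID = 3236, StartAddress = 008B9F7C, Parameter = 00000000
TargetProcess: WinSCP.exe, InheritedFromPID = 2888, ProcessID = 3180, ThreadID = 3248, StartAddress = 008B9F7C, Parameter = 00000000
"""

# "name / md5 / type" lines from the embedded-file table.
FILE_RE = re.compile(r"^(?P<name>\S+) / (?P<md5>[0-9a-fA-F]{32}) / (?P<kind>\S+)$")
# "TargetProcess: ..." lines from the thread-creation records.
THREAD_RE = re.compile(
    r"TargetProcess: (?P<image>[^,]+), InheritedFromPID = (?P<ppid>\d+), "
    r"ProcessID = (?P<pid>\d+), ThreadID = (?P<tid>\d+), "
    r"StartAddress = (?P<addr>[0-9A-Fa-f]+), Parameter = (?P<param>[0-9A-Fa-f]+)"
)


def parse_report(text):
    """Return ({file name: md5}, [thread record dicts]) from the report text."""
    files, threads = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            files[m["name"]] = m["md5"].lower()
            continue
        m = THREAD_RE.search(line)
        if m:
            threads.append({"image": m["image"], "ppid": int(m["ppid"]), "pid": int(m["pid"]),
                            "tid": int(m["tid"]), "addr": int(m["addr"], 16),
                            "param": int(m["param"], 16)})
    return files, threads


def ioc_hashes(files):
    """Hash set for matching against endpoint or mail-gateway telemetry."""
    return set(files.values())


def process_tree(threads):
    """Map parent PID -> {(child PID, child image)} built from the thread records."""
    tree = defaultdict(set)
    for t in threads:
        tree[t["ppid"]].add((t["pid"], t["image"]))
    return tree


def flag_temp_dropper(threads, min_children=3):
    """Flag parents running from a temp path that spawned >= min_children distinct processes."""
    image_of = {t["pid"]: t["image"] for t in threads}
    findings = []
    for ppid, children in process_tree(threads).items():
        image = image_of.get(ppid, "<unknown>")
        if "temp" in image.lower() and len(children) >= min_children:
            findings.append({"pid": ppid, "image": image, "children": len(children),
                             "child_images": sorted({img for _, img in children})})
    return findings


if __name__ == "__main__":
    files, threads = parse_report(REPORT)
    print("IoC hashes:", sorted(ioc_hashes(files)))
    for f in flag_temp_dropper(threads):
        print("suspicious parent:", f)
```

On the full record set the result is the same as on this excerpt: a single finding for PID 2888 with image %temp%.exe and five WinSCP.exe children, which is the shape a hunting rule for "installer dropped to temp, then mass-spawns a legitimate tool" should match in EDR process-creation telemetry.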