Today's Threat Intelligence 2021/1/25-26 (Issue 342)

2021-02-12 ThreatPage Global Threat Intelligence

TI.360.CN

Advanced Threat Analysis

1. Google TAG published a report on a North Korean cyber attack group running targeted attacks against security researchers. The social-engineering playbook: chat, chat, and chat some more; once a rapport is built, ask you to help analyze a sample, analyze a tool, share some data... then send you a backdoored file, and you're compromised... Several security vendors have published their views on this:

https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/

First, the domestic views:

2. 360's view: Operation Shell-Break (破殼行動) - revealing the Lazarus (APT-C-26) group's targeted attack campaign against security researchers

https://mp.weixin.qq.com/s/W-C_tKVnXco8C3ctgAjoNQ

3. Anheng's view: Impossible to guard against: hackers abuse a Visual Studio compiler feature to target binary vulnerability researchers

https://mp.weixin.qq.com/s/UBD0hyXUooYuDrpsz8-MtQ

Overseas views:

4. comae's view: PANDORABOX - North Koreans target security researchers

https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/

5. norfolkinfosec's view: DPRK malware targeting security researchers

https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/

6. How to check whether you have been compromised?

# Checks the registry for IOCs
# If not vulnerable should return "ERROR: The system was unable to find the specified registry key or value."
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update"

# Checks the paths of IOCs from https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
# If not vulnerable each will return false
Test-Path C:\Windows\System32\Nwsapagent.sys -PathType Leaf
Test-Path C:\Windows\System32\helpsvc.sys -PathType Leaf
Test-Path C:\ProgramData\USOShared\uso.bin -PathType Leaf
Test-Path C:\ProgramData\VMware\vmnat-update.bin -PathType Leaf
Test-Path C:\ProgramData\VirtualBox\update.bin -PathType Leaf

https://gist.github.com/ZephrFish/0deb1458aeb63ae832987cc53addc404

7. One way to detect the Visual Studio technique: "same origin, same technique" analysis

rule exploit_tlb_sct
{
   meta:
      description = "Detects malicious TLB files which may be delivered via Visual Studio projects"
      author = "Rich Warren"
      reference = "https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf"
      date = "2021-01-26"
   strings:
      $a = ".sct" ascii nocase
      $b = "script:" ascii nocase
      $c = "scriptlet:" ascii nocase
      $d = "soap:" ascii nocase
      $e = "winmgmts:" ascii nocase
   condition:
      uint32be(0) == 0x4D534654 and any of them
}

https://github.com/outflanknl/Presentations/blob/master/Nullcon2020_COM-promise_-_Attacking_Windows_development_environments.pdf

https://gist.github.com/rxwx/2138a3f41c1c657d769e6cf8c9d32ed1
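To show what the rule above actually keys on, here is an added Python re-implementation of its logic (written for this digest, not the gist author's code) run over constructed sample files: the "MSFT" magic and the indicator strings come from the rule, the sample contents are made up here, and scan_directory is an assumed helper name.

```python
from pathlib import Path

# Magic at offset 0 of an MSFT-format type library (.tlb). The YARA condition
# uint32be(0) == 0x4D534654 is exactly these four bytes read big-endian.
TLB_MAGIC = b"MSFT"

# The rule's $a..$e strings; matched case-insensitively, like "ascii nocase".
INDICATORS = [b".sct", b"script:", b"scriptlet:", b"soap:", b"winmgmts:"]

def scan_tlb(data: bytes) -> dict:
    """Evaluate the rule's logic against one file's contents.

    Matches only when the MSFT magic is present AND at least one moniker
    string occurs; the magic check keeps plain text and source files that
    merely mention "script:" from firing.
    """
    is_tlb = data[:4] == TLB_MAGIC
    lowered = data.lower()
    hits = [ind.decode() for ind in INDICATORS if ind in lowered]
    return {"is_tlb": is_tlb, "hits": hits, "match": is_tlb and bool(hits)}

def scan_directory(root: str) -> dict:
    """Scan every .tlb under a project tree (e.g. a cloned Visual Studio
    project) and return the files the rule would flag."""
    flagged = {}
    for path in Path(root).rglob("*.tlb"):
        result = scan_tlb(path.read_bytes())
        if result["match"]:
            flagged[str(path)] = result["hits"]
    return flagged

# Constructed samples, not real artefacts: a benign TLB stub, a TLB stub
# carrying a scriptlet moniker, and a non-TLB file that mentions a moniker.
SAMPLES = {
    "benign.tlb": TLB_MAGIC + b"\x02\x00\x00\x00" + b"IExampleInterface\x00" * 3,
    "hostile.tlb": TLB_MAGIC + b"\x02\x00\x00\x00"
    + b"script:https://placeholder.invalid/payload.sct\x00",
    "notes.txt": b"reminder: the script: moniker is how scriptlets are loaded",
}

def scan_samples() -> dict:
    return {name: scan_tlb(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in scan_samples().items():
        verdict = "MATCH" if result["match"] else "clean"
        print(f"{name:12s} {verdict:6s} tlb={result['is_tlb']} hits={result['hits']}")
```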

8. Detailed analysis of the ELMER backdoor used by APT16, rabbit rabbit rabbit rabbit...

https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/

9. New Lazarus attack campaign

https://blogs.jpcert.or.jp/ja/2021/01/Lazarus_malware2.html

Technical Sharing

1. Using passive DNS to analyze the SUNBURST sequel: one of the OSINT attribution techniques

https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc

2. Necro botnet analysis

https://blog.netlab.360.com/necro/

Vulnerability Related

1. HackBack - A DIY guide to rob banks

https://www.exploit-db.com/papers/47682

2. CVE-2021-3115: golang RCE, triggered via Windows environment variables, nice!

https://www.bleepingcomputer.com/news/security/google-fixes-severe-golang-windows-rce-vulnerability/

Cyber Warfare and Cyber Intelligence

1. Passive collection of satellite traffic for threat intelligence

https://xorl.wordpress.com/2021/01/26/passive-collection-of-satellite-traffic-for-threat-intelligence/

https://www.blackhat.com/us-20/briefings/schedule/#whispers-among-the-stars-a-practical-look-at-perpetrating-and-preventing-satellite-eavesdropping-attacks-19391

2. [Alert] US military GPS tests that jam and spoof GPS signals: a wartime weapon!

https://spectrum.ieee.org/aerospace/aviation/faa-files-reveal-a-surprising-threat-to-airline-safety-the-us-militarys-gps-tests

3. nshc has again compiled attack activity for November 2020, another entry in the "I can't make sense of it" series

https://redalert.nshc.net/2021/01/26/monthly-threat-actor-group-intelligence-report-november-2020/
