
Tracking the group behind the latest Office Word 0day (CVE-2021-40444) with ZoomEye

2021-09-16 21:36



Author: heige@404 Lab

WeChat public account: 黑哥说安全



[Note: the data in this article is based on query results from September 11; some of the target data has since been overwritten by updates]



Prerequisites:

If you have not read them yet, please read the following two articles before this one:


1. On cyberspace "behavioral mapping"
2. [Behavioral mapping in practice] One ZoomEye query to catch all BazarLoader C2s



Main text:



This is in fact an mhtml-related vulnerability (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444); the attacker triggers it through a Word document. The attack sample is already everywhere, so for convenience I will simply cite Trend Micro's analysis report:



https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html 



The IOC list at the end of that article shows that the C2 servers involve three domains:


hxxps://joxinu[.]com
hxxps://dodefoh[.]com
hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html



Searching these three domains directly in ZoomEye (https://www.zoomeye.org/searchResult?q=dodefoh.com%20joxinu.com%20pawevi.com) covers all of them, involving three IPs:



IP: 45.147.229.242 Germany, Frankfurt; ISP: combahton.net
ZoomEye updated: 2021-09-06 22:01
CobaltStrike Beacon information:
C2 Server: dodefoh.com,/hr.html,joxinu.com,/ml.html
C2 Server: dodefoh.com,/ml.html,joxinu.com,/hr.html
Spawnto_x86: %windir%\\syswow64\\rundll32.exe
Certificate: Subject: CN=dodefoh.com Issuer: C=GB,ST=Greater Manchester,UnknownOID=2.5.4.7,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA

IP: 104.194.10.21 United States, Piscataway; ISP: versaweb.com
ZoomEye updated: 2021-07-14 01:40
CobaltStrike Beacon information:
C2 Server: dodefoh.com,/tab_shop_active,joxinu.com,/tab_shop_active
C2 Server: dodefoh.com,/tab_shop_active,joxinu.com,/ce
Spawnto_x86: %windir%\\syswow64\\rundll32.exe
Certificate: Subject: CN=zikived.com Issuer: C=GB,ST=Greater Manchester,UnknownOID=2.5.4.7,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA

IP: 45.153.240.220 Germany, Frankfurt; ISP: combahton.net
ZoomEye updated: 2021-08-29 15:25
Banner: at a glance, the Apache default page
Certificate: Subject: CN=pawevi.com Issuer: C=US,O=Let's Encrypt,CN=R3



From the above information, we infer the following:



1. 45.147.229.242 and 104.194.10.21 are the CobaltStrike servers the attack checks in to.

Of these, 45.147.229.242 is the one used in the actual attack; judging from the certificate it is bound to dodefoh.com. 104.194.10.21 is a backup, or was used for earlier rehearsal and testing; its certificate shows it was previously bound to the domain zikived.com.



2. 45.153.240.220 is bound to the domain pawevi.com and runs an Apache web service; judging from the IOCs Trend Micro provided, this should be the remote page loaded in conjunction with the mhtml vulnerability.



We noticed that the banner and certificate of the CobaltStrike servers used by the attacker show clear signs of deliberate manual configuration. This is exactly the kind of "behavioral" feature that cyberspace behavioral mapping relies on:



45.147.229.242 



HTTP/1.1 404 Not Found
Date: Mon, 6 Sep 2021 14:01:21 GMT
Server: Microsoft-IIS/8.5
Content-Type: text/plain
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0

Certificate: Subject: CN=dodefoh.com Issuer: C=GB,ST=Greater Manchester,UnknownOID=2.5.4.7,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA



104.194.10.21



HTTP/1.1 404 Not Found
Cache-Control: max-age=1
Connection: keep-alive
X-Powered-By: ASP.NET
Content-Length: 0
Date: Tue, 13 Jul 2021 17:40:00 GMT
Server: Microsoft-IIS/8.5
Content-Type: text/plain

Certificate: Subject: CN=zikived.com Issuer: C=GB,ST=Greater Manchester,UnknownOID=2.5.4.7,O=Sectigo Limited,CN=Sectigo RSA Domain Validation Secure Server CA



Matching on the certificate Issuer alone:

https://www.zoomeye.org/searchResult?q=%22ST%3DGreater%20Manchester%22%20%2B%22O%3DSectigo%20Limited%2CCN%3DSectigo%20RSA%20Domain%20Validation%20Secure%20Server%20CA%22



yields a total of 6,376,104 results, so they are obviously imitating some widely used software (confirmed later). So let's extract the banner features instead: although the header order differs slightly between the two, the content is essentially identical, so a simple feature set is:



"HTTP/1.1 404 Not Found" +"Connection: keep-alive" +"X-Powered-By: ASP.NET" +"Content-Length: 0" +"Server: Microsoft-IIS" +"Content-Type: text/plain"



https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20%20404%20Not%20Found%22%20%2B%22Connection%3A%20keep-alive%22%20%2B%22X-Powered-By%3A%20ASP.NET%22%20%2B%22Content-Length%3A%200%22%20%2B%22Server%3A%20Microsoft-IIS%22%20%2B%22Content-Type%3A%20text%2Fplain%22



This yields "About 576 results (Nearly year: 574 results)". Note that we used "Server: Microsoft-IIS" rather than "Server: Microsoft-IIS/8.5". A data set of this size is fairly consistent with the scale of a "malicious group", but there may well still be false positives: some results may belong to other groups, and it is also possible that this group has only recently settled on IIS/8.5 and historically used other versions for disguise.



We continue by adding the certificate feature:


+"ST=Greater Manchester"


"HTTP/1.1 404 Not Found" +"Connection: keep-alive" +"X-Powered-By: ASP.NET" +"Content-Length: 0" +"Server: Microsoft-IIS" +"Content-Type: text/plain" +"ST=Greater Manchester"



https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20%20404%20Not%20Found%22%20%2B%22Connection%3A%20keep-alive%22%20%2B%22X-Powered-By%3A%20ASP.NET%22%20%2B%22Content-Length%3A%200%22%20%2B%22Server%3A%20Microsoft-IIS%22%20%2B%22Content-Type%3A%20text%2Fplain%22%20%2B%22ST%3DGreater%20Manchester%22



This yields "About 326 results (Nearly year: 326 results)". Let's check the version question raised earlier:



"HTTP/1.1 404 Not Found" +"Connection: keep-alive" +"X-Powered-By: ASP.NET" +"Content-Length: 0" +"Server: Microsoft-IIS" +"Content-Type: text/plain" +"ST=Greater Manchester" -"Server: Microsoft-IIS/8.5"



https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20%20404%20Not%20Found%22%20%2B%22Connection%3A%20keep-alive%22%20%2B%22X-Powered-By%3A%20ASP.NET%22%20%2B%22Content-Length%3A%200%22%20%2B%22Server%3A%20Microsoft-IIS%22%20%2B%22Content-Type%3A%20text%2Fplain%22%20%2B%22ST%3DGreater%20Manchester%22%20-%22Server%3A%20Microsoft-IIS%2F8.5%22



We see 7 results, most of them "Server: Microsoft-IIS/10.0", and their banner features match those of Kong API Gateway (https://github.com/Kong/kong). The certificate also appears to be related, so this is probably what the attacker is imitating. Judging from the banner and the way the certificate Subject is written, these are false positives, so we exclude them directly:



"HTTP/1.1 404 Not Found" +"Connection: keep-alive" +"X-Powered-By: ASP.NET" +"Content-Length: 0" +"Server: Microsoft-IIS" +"Content-Type: text/plain" +"ST=Greater Manchester" -kong



https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20%20404%20Not%20Found%22%20%2B%22Connection%3A%20keep-alive%22%20%2B%22X-Powered-By%3A%20ASP.NET%22%20%2B%22Content-Length%3A%200%22%20%2B%22Server%3A%20Microsoft-IIS%22%20%2B%22Content-Type%3A%20text%2Fplain%22%20%2B%22ST%3DGreater%20Manchester%22%20-kong



A total of 319 results. This result is fairly precise, but there may well be false negatives, since a certificate may not have been collected, or the server may not have SSL configured for check-in. So a broader query can use the following syntax:



"HTTP/1.1 404 Not Found" +"Connection: keep-alive" +"X-Powered-By: ASP.NET" +"Content-Length: 0" +"Server: Microsoft-IIS" +"Content-Type: text/plain" -kong -"Vary: Accept"



https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20%20404%20Not%20Found%22%20%2B%22Connection%3A%20keep-alive%22%20%2B%22X-Powered-By%3A%20ASP.NET%22%20%2B%22Content-Length%3A%200%22%20%2B%22Server%3A%20Microsoft-IIS%22%20%2B%22Content-Type%3A%20text%2Fplain%22%20-kong%20-%22Vary%3A%20Accept%22&page=2&pageSize=20&t=all



This yields 551 results; -"Vary: Accept" excludes an obvious false positive. For threat-intelligence judgement, this so-called broader result set can be used; but if we want to continue "profiling" this "group", which demands more precision, we should analyze the 319-result set above.
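As an added example (not code from the original post), the strict and broad ZoomEye rules above can be reproduced offline as an order-insensitive banner-plus-certificate matcher; the records below are constructed on documentation IPs, modelled on the two quoted banners and on the Kong and Vary: Accept false-positive shapes the post excludes.

```python
from __future__ import annotations
from dataclasses import dataclass

# Feature set lifted from the ZoomEye queries in the post. Header matching is
# order-insensitive because the two real banners differ only in header order.
REQUIRED_STATUS = "HTTP/1.1 404 Not Found"
REQUIRED_SERVER_PREFIX = "Microsoft-IIS"      # version left open, as in the query
REQUIRED_HEADERS = {"connection": "keep-alive", "x-powered-by": "asp.net",
                    "content-length": "0", "content-type": "text/plain"}
EXCLUDED_SUBSTRINGS = ("kong",)               # -kong: Kong API Gateway look-alikes
EXCLUDED_HEADERS = {"vary": "accept"}         # -"Vary: Accept": the other false positive
CERT_ISSUER_TERM = "ST=Greater Manchester"    # +"ST=Greater Manchester" (strict rule)


@dataclass
class Record:
    ip: str
    banner: str            # raw HTTP response head as captured
    cert_issuer: str = ""  # empty when no TLS certificate was collected


def parse_banner(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw response head into a whitespace-normalised status line
    and a header map with lowercased names (values kept as sent)."""
    lines = [ln.strip() for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    status = " ".join(lines[0].split()) if lines else ""
    headers: dict[str, str] = {}
    for ln in lines[1:]:
        if ":" in ln:
            name, value = ln.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def matches_broad(rec: Record) -> bool:
    """Banner-only rule (the 551-result query): no certificate required."""
    status, headers = parse_banner(rec.banner)
    if status != REQUIRED_STATUS:
        return False
    if not headers.get("server", "").startswith(REQUIRED_SERVER_PREFIX):
        return False
    if any(headers.get(k, "").lower() != v for k, v in REQUIRED_HEADERS.items()):
        return False
    haystack = (rec.banner + rec.cert_issuer).lower()
    if any(s in haystack for s in EXCLUDED_SUBSTRINGS):
        return False
    return not any(headers.get(k, "").lower() == v for k, v in EXCLUDED_HEADERS.items())


def matches_strict(rec: Record) -> bool:
    """Broad rule plus the certificate issuer term (the 319-result query)."""
    return matches_broad(rec) and CERT_ISSUER_TERM in rec.cert_issuer


def classify(records: list[Record]) -> dict[str, str | None]:
    """Map each IP to 'strict', 'broad' or None (no match)."""
    verdicts: dict[str, str | None] = {}
    for rec in records:
        if matches_strict(rec):
            verdicts[rec.ip] = "strict"
        elif matches_broad(rec):
            verdicts[rec.ip] = "broad"
        else:
            verdicts[rec.ip] = None
    return verdicts


SECTIGO_ISSUER = ("C=GB,ST=Greater Manchester,O=Sectigo Limited,"
                  "CN=Sectigo RSA Domain Validation Secure Server CA")

# Constructed sample records on documentation IPs. The first two mirror the two
# banners quoted in the post; the last two are the false-positive shapes it excludes.
SAMPLE_RECORDS = [
    Record("203.0.113.10",
           "HTTP/1.1 404 Not Found\r\nDate: Mon, 6 Sep 2021 14:01:21 GMT\r\n"
           "Server: Microsoft-IIS/8.5\r\nContent-Type: text/plain\r\n"
           "Cache-Control: max-age=1\r\nConnection: keep-alive\r\n"
           "X-Powered-By: ASP.NET\r\nContent-Length: 0\r\n", SECTIGO_ISSUER),
    # Same fingerprint, different header order, no certificate captured (plain HTTP)
    Record("203.0.113.11",
           "HTTP/1.1 404 Not Found\r\nCache-Control: max-age=1\r\n"
           "Connection: keep-alive\r\nX-Powered-By: ASP.NET\r\nContent-Length: 0\r\n"
           "Date: Tue, 13 Jul 2021 17:40:00 GMT\r\nServer: Microsoft-IIS/8.5\r\n"
           "Content-Type: text/plain\r\n"),
    # Kong API Gateway look-alike (IIS/10.0 plus a Kong Via header): dropped by -kong
    Record("203.0.113.12",
           "HTTP/1.1 404 Not Found\r\nConnection: keep-alive\r\nX-Powered-By: ASP.NET\r\n"
           "Content-Length: 0\r\nServer: Microsoft-IIS/10.0\r\nContent-Type: text/plain\r\n"
           "Via: kong/2.x\r\n", SECTIGO_ISSUER),
    # Otherwise identical but carrying Vary: Accept: dropped by -"Vary: Accept"
    Record("203.0.113.13",
           "HTTP/1.1 404 Not Found\r\nConnection: keep-alive\r\nX-Powered-By: ASP.NET\r\n"
           "Content-Length: 0\r\nServer: Microsoft-IIS/8.5\r\nContent-Type: text/plain\r\n"
           "Vary: Accept\r\n", SECTIGO_ISSUER),
]
```

`classify(SAMPLE_RECORDS)` tags the first record "strict", the second "broad" (the shape the 319-result query would miss), and rejects the two look-alikes.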



By country, the distribution is mainly in the United States, with a few in Germany and one IP in the Netherlands. Extracting and tallying data from the certificates and the CobaltStrike Beacon configurations:



Domains in the certificate Subjects (domain -> number of IPs):





The distribution is very even, with no particular concentration. At first I thought the domains were randomly generated, but they resolve when pinged, and the resulting IPs match this group's profile in ZoomEye searches. Also note that the domains are quite short, so they were very likely generated and registered by some program or algorithm.



Certificate JARM (fingerprint : number of IPs):



07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2 : 29
07d14d16d21d21d07c42d41d00041d58c7162162b6a603d3d90a2b76865b53 : 31
07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 : 7



The distribution is fairly concentrated.



C2 Server list from the CobaltStrike Beacon configurations (IP address -> C2 Server -> number of times that C2 Server was observed on that IP):





Spawnto_x86 path list from the CobaltStrike Beacon configurations (path -> number of IPs):


%windir%\syswow64\WUAUCLT.exe -> 2
%windir%\syswow64\mstsc.exe -> 34
%windir%\syswow64\rundll32.exe -> 18
%windir%\syswow64\runonce.exe -> 2
%windir%\syswow64\wusa.exe -> 104



So who exactly is this group? I took the IPs from the relatively precise set of 319 results and queried several threat-intelligence platforms. In the end I found no known APT or cybercrime group; most results were simply tagged CobaltStrike. We then queried the C2 Server domains from the CobaltStrike Beacon configurations; QiAnXin threat intelligence matched waceko.com to a TA551 record. Combined with manual analysis on VT and other platforms, we reached the following conclusions:



Domain: waceko.com (www.waceko.com, waceko.com) is possibly related to TA551

IP: 172.241.27.70 is suspected to be related to UNC1878 (a VT record has a sample name containing UNC1878; the correlation is weak)





Back to ZoomEye searches:


waceko.com corresponds to 2 IPs, 45.147.231.12 and 89.163.140.101, both located in Germany, Frankfurt; ISP: combahton.net; Spawnto_x86: %windir%\syswow64\wusa.exe

172.241.27.70 United States, Dallas; ISP: leaseweb.com; certificate Subject is scalewa.com; C2 Server: scalewa.com,/sm.html; Spawnto_x86: %windir%\syswow64\wusa.exe



Note that the IPs for waceko.com are located in Germany with the same ISP as the IP used in the actual attack; only the Spawnto_x86 path differs.



Of course, judging from the lures the attacker uses (legal disputes and the like), there is no targeted political content, and combined with the style of IP and domain usage, my personal inclination at present is that this is a cybercrime group. It is just that, going by past experience, a Word-level 0day being used for ordinary cybercrime is somewhat unusual, so here are a few speculative inferences:



1. An APT operating model combined with cybercrime cannot be ruled out

2. An underestimated 0day:

https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-defenses-bypassed-as-new-info-emerges/ 


This report mentions that clicking "Edit" was required to trigger it. If the original attack exploit really had this limitation, the vulnerability may well have been seriously underestimated at the time and thus ended up in the hands of a cybercrime group; after the sample became public, multiple researchers confirmed that it can be triggered directly without that click.



Interestingly, after this vulnerability was disclosed, friends both abroad and in China dug up an article I wrote 10 years ago:


https://seclists.org/fulldisclosure/2011/Jan/224

Hacking with mhtml protocol handler
Author: www.80vul.com [Email:5up3rh3i#gmail.com]
Release Date: 2011/1/15
References: http://www.80vul.com/mhtml/Hacking%20with%20mhtml%20protocol%20handler.txt


Sadly, 10 years have passed and things have changed: the 80vul.com domain was sold off by the registrar, and I don't know whether 猪猪侠 still has the host's hard drive. What I want to tell everyone once again is: archaeology really is valuable! Really! Truly!



Acknowledgements: Mr. Hai @ QiAnXin, Lin Hai @ ThreatBook, dawu @ Knownsec 404 Lab, k @ Knownsec NDR product team, and the ZoomEye team.



IOCs:


C2 IP/Domain





Source: https://mp.weixin.qq.com/s/Bx_IUzfc6uERHSB0UW-HzQ
