Hackers exploit the Follina bug to install the Rozena backdoor

Published 2022-07-11 on dt-corp.com.vn (https://dt-corp.com.vn/?p=1536)

Researchers have uncovered a phishing campaign that abuses the recently disclosed Follina vulnerability to distribute a previously undocumented backdoor on Windows systems.

Fortinet FortiGuard Labs researcher Cara Lin said: "Rozena is a backdoor capable of injecting a remote shell connection back to the attacker's machine."

Tracked as CVE-2022-30190, the remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) has since been patched. It was, however, heavily exploited in the weeks following its public disclosure at the end of May 2022.

The starting point of the latest attack chain observed by Fortinet is a weaponized Office document. When opened, the document connects to a Discord CDN URL to retrieve an HTML file ("index.htm"), which in turn invokes the diagnostic utility with a PowerShell command that downloads the next-stage payloads from the same CDN attachment space.

These payloads include the Rozena implant ("Word.exe") and a batch file ("cd.bat") that terminates the MSDT processes, establishes persistence for the backdoor by modifying the Windows Registry, and downloads a harmless Word document to serve as a decoy.

The malware's main function is to inject shellcode that launches a reverse shell to the attacker's host ("microsofto.duckdns[.]org"). That shell gives the attacker the control needed to monitor the system and capture information, while keeping the backdoor in place on the compromised machine.

Attackers are exploiting the Follina vulnerability (https://whitehat.vn/threads/microsoft-giai-quyet-lo-hong-follina-trong-patch-tuesday-moi-phat-hanh.16650/) to distribute malware through malicious Word documents, alongside broader social engineering campaigns that rely on Microsoft Excel files, Windows shortcuts (LNK) and ISO disk images as droppers to deploy malware such as Emotet, QBot, IcedID and Bumblebee on victims' devices.

The droppers are said to be delivered directly as email attachments, inside password-protected ZIP attachments, through HTML files that extract the dropper when opened, or via download links in the email body.

Although attacks using Excel files with XLM macros were detected in early April, Microsoft's decision to block macros by default around the same time is believed to have forced attackers to switch to alternatives such as HTML smuggling and .LNK and .ISO files.

Last month, Cyble disclosed details of a malicious tool named Quantum that is being sold on underground forums and gives cybercriminals the ability to build malicious .LNK and .ISO files.

Microsoft has since paused its plan to disable Office macros in files downloaded from the internet, saying it is taking time to make "additional changes to enhance usability".

Source: The Hacker News (https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html?fbclid=IwAR0eqmAOSXCRrzjuvhnp72YJk5qLsk3XmOKcCadGXWtSQqLXsB6YRgl68Tk)
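The first two stages of the chain described above (an Office document that reaches out for "index.htm", and that HTML file invoking the diagnostic tool through the ms-msdt: scheme) leave artefacts that can be checked before a document is opened. The script below is an added example, not code from the article, Fortinet or Microsoft: it unpacks a .docx and reports any embedded OLE object whose relationship points at an external http(s) URL, and it flags retrieved HTML that builds an ms-msdt: URI. The sample documents and HTML are constructed in memory, the URL is a placeholder rather than an indicator from the campaign, and the MSDT parameter strings come from the public Follina proof of concept, not from the article.

```python
"""Triage helper for Follina-style (CVE-2022-30190) document lures.

Added example, not code from the article or from Fortinet. It checks the two
artefacts the article describes: an Office document whose embedded OLE object
points to an external URL (the stage that fetched "index.htm" from a Discord
CDN URL), and the retrieved HTML that hands an ms-msdt: URI to the diagnostic
tool. All sample inputs are constructed in memory; the URL and file names are
placeholders, not indicators from the campaign.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return (rels file, URL) pairs for every oleObject relationship that
    points outside the package.

    A benign embedded object lives inside the .docx (Target such as
    "embeddings/oleObject1.bin", no TargetMode). The Follina lure instead
    declares TargetMode="External" with an http(s) Target, which makes Word
    fetch the remote HTML when the document is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("Type") == OLE_REL
                        and rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append((name, target))
    return hits


# Strings from the public Follina proof of concept (assumption: this campaign's
# index.htm used the same ms-msdt: URI form; the article does not quote it).
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)
MSDT_PARAMS = re.compile(r"PCWDiagnostic|IT_(?:Re)?BrowseForFile", re.IGNORECASE)


def html_invokes_msdt(html: str) -> dict:
    """Flag a second-stage HTML file that launches MSDT via the ms-msdt: scheme."""
    return {
        "msdt_scheme": bool(MSDT_SCHEME.search(html)),
        "msdt_params": bool(MSDT_PARAMS.search(html)),
    }


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal .docx in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}" Target="embeddings/oleObject1.bin"/>
</Relationships>"""

# Placeholder URL; the real campaign used a Discord CDN attachment URL.
LURE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OLE_REL}"
    Target="https://cdn.example.invalid/attachments/1/2/index.htm!" TargetMode="External"/>
</Relationships>"""

# Constructed stage-2 page; the payload after /param is elided on purpose.
STAGE2_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param ...";
</script></body></html>"""


if __name__ == "__main__":
    print("benign docx:", external_ole_targets(build_docx(BENIGN_RELS)))
    print("lure docx:  ", external_ole_targets(build_docx(LURE_RELS)))
    print("stage-2 html:", html_invokes_msdt(STAGE2_HTML))
```

Run it against a mail gateway's quarantined attachments by passing the file bytes to external_ole_targets; a Word document with no business reason to embed a remote OLE object should not carry an External oleObject relationship at all, so a single hit is enough to hold the file. The HTML check is a secondary signal for proxies or sandboxes that can see the fetched index.htm, and it matches the ms-msdt: scheme itself rather than any specific host name, so it does not depend on the campaign's Discord CDN URL.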