<h1>Chinese hackers use a new backdoor in APT attacks</h1>
<p>Published 2022-08-09</p>
<p><b>Researchers have discovered a series of attacks, carried out earlier this year, that used new Windows malware to spy on government organizations in the defense industry of several Eastern European countries.</b></p>
<p>Kaspersky attributes the campaign to TA428, a Chinese advanced persistent threat (APT) group. The group is known for information theft and espionage, and for attacking organizations in Asia and Eastern Europe.</p>
<p>TA428 successfully penetrated the networks of dozens of targets, and in some cases took control of the entire network infrastructure by compromising the systems used to manage security solutions.</p>
<p>Researchers at Kaspersky ICS CERT said: <i>&#8220;The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several Eastern European countries (Belarus, Russia and Ukraine), as well as Afghanistan.&#8221;</i></p>
<p><i>&#8220;Many clues and pieces of evidence indicate that espionage is the ultimate goal of the attacks.&#8221;</i></p>
<p>[Image: TA428_campaign_targets.png]</p>
<p>TA428 uses spear-phishing emails containing confidential information about the targeted organizations, with malicious attachments that exploit the CVE-2017-11882 vulnerability in Microsoft Office to deploy the PortDoor malware.</p>
<p>PortDoor was also used in spear-phishing attacks launched by Chinese hackers in April 2021 to break into the systems of a defense contractor that designs submarines for the Russian Navy.</p>
<p>After a target is compromised, several backdoors linked to TA428 are deployed, including nccTrojan, Logtu, Cotx, DNSep, and CotSam, an entirely new piece of malware. These backdoors let the attackers collect and exfiltrate system information and files from the compromised devices.</p>
<p>To deploy CotSam, the attackers use a malicious Microsoft Word document carrying payloads for two versions of the application: Microsoft Word 2007 for 32-bit systems and Microsoft Word 2010 for 64-bit systems.</p>
<p>[Image: TA428_attack_flow.png]</p>
<p>After expanding the attack across the network by scanning, searching, exploiting vulnerabilities, and running the Ladon password-cracking tool, the attackers obtained domain privileges and collected a large amount of confidential information.</p>
<p>This information was then sent to C2 servers located in various countries, in the form of encrypted, password-protected ZIP files.</p>
<p>The evidence shows that all of the stolen information was forwarded to a server with a Chinese IP address.</p>
<p>By analyzing the tactics, techniques and procedures (TTPs), the exploitation methods, the tools and C2 servers used, and the malware's hours of activity, Kaspersky's researchers concluded that TA428 is the group behind these attacks.</p>
<p>Source: <a href="https://whitehat.vn/threads/tin-tac-trung-quoc-su-dung-backdoor-moi-trong-cac-cuoc-tan-cong-apt.16784/">whitehat.com</a></p>