[{"category":"\u4e8b\u4ef6\u8ffd\u8e2a","publish_time":"2024-11-04 10:47:02","tags":["APT","SOUTHEAST ASIA","OCEANLOTUS","MSI TRANSFORMS"],"abstract":"The QiAnXin Threat Intelligence Center has discovered that the new OceanLotus group (APT-Q-31) has recently become active again and is employing a new tactic of MSI file abuse (MST transform files); this is the first time the use of this technique has been captured in domestic APT campaigns targeting government and enterprises. The two OceanLotus attack sets share attack resources, but have completely different TTPs. The new OceanLotus group was last active in late 2023.","title":"New Trend in MSI File Abuse: New OceanLotus Group First to Use MST Files to Deliver Trojans","link":"https:\/\/ti.qianxin.com\/blog\/articles\/new -trend-in-msi-file-abuse-new-oceanlotus-group-first-to-use-mst-files-to-deliver-special-trojan-en"},{"category":"\u4e8b\u4ef6\u8ffd\u8e2a","publish_time":"2024-11-04 09:47:30","tags":["APT","\u4e1c\u5357\u4e9a","\u6d77\u83b2\u82b1","MSI TRANSFORMS"],"abstract":"\u5947\u5b89\u4fe1\u5a01\u80c1\u60c5\u62a5\u4e2d\u5fc3\u53d1\u73b0\uff0c\u65b0\u6d77\u83b2\u82b1\u7ec4\u7ec7APT-Q-31\u8fd1\u671f\u91cd\u65b0\u6d3b\u8dc3\uff0c\u5e76\u91c7\u7528MSI\u6587\u4ef6\u6ee5\u7528\u7684\u65b0\u624b\u6cd5\uff0c\u8fd9\u662f\u9996\u6b21\u5728\u56fd\u5185\u9488\u5bf9\u653f\u4f01\u7684APT\u6d3b\u52a8\u4e2d\u6355\u83b7\u5230\u8be5\u6280\u672f\u7684\u4f7f\u7528\u3002\u6d77\u83b2\u82b1\u7684\u4e24\u4e2a\u653b\u51fb\u96c6\u5408\u5171\u4eab\u653b\u51fb\u8d44\u6e90\uff0c\u4f46TTP\u5b8c\u5168\u4e0d\u540c\u3002\u4e0a\u6b21\u65b0\u6d77\u83b2\u82b1\u7684\u6d3b\u8dc3\u662f2023\u5e74\u672b\u3002","title":"MSI\u6587\u4ef6\u6ee5\u7528\u65b0\u8d8b\u52bf\uff1a\u65b0\u6d77\u83b2\u82b1\u7ec4\u7ec7\u9996\u5ea6\u5229\u7528MST\u6587\u4ef6\u6295\u9012\u7279\u9a6c ","link":"https:\/\/ti.qianxin.com\/blog\/articles\/new 
-trend-in-msi-file-abuse-new-oceanlotus-group-first-to-use-mst-files-to-deliver-special-trojan-cn"},{"category":"\u4e8b\u4ef6\u8ffd\u8e2a","publish_time":"2024-10-16 15:31:45","tags":["APT","SOUTH ASIA","MYSTERIOUS ELEPHANT"],"abstract":"The QiAnXin Threat Intelligence Center has recently discovered a batch of special CHMs, in which the html is very simple and only executes an external file, which leads to a very low number of VT reports. Based on the similarity of the malicious samples, this article suggests that these special CHM attack samples and the C# backdoor are most likely from the Mysterious Elephant group.","title":"Suspected Mysterious Elephant Group Uses CHM Files to Attack Multiple Countries in South Asia","link":"https:\/\/ti.qianxin.com\/blog\/articles\/suspected-mysterious-elephant-group-uses-chm-files-to-attack-multiple-countries-in-south-asia-en"},{"category":"\u4e8b\u4ef6\u8ffd\u8e2a","publish_time":"2024-10-16 15:31:45","tags":["APT","\u5357\u4e9a\u5730\u533a","MYSTERIOUS ELEPHANT"],"abstract":"\u5947\u5b89\u4fe1\u5a01\u80c1\u60c5\u62a5\u4e2d\u5fc3\u8fd1\u671f\u53d1\u73b0\u4e00\u6279\u7279\u522b\u7684 CHM\uff0c\u5176\u4e2dhtml\u5341\u5206\u7b80\u5355\uff0c\u4ec5\u6267\u884c\u4e00\u4e2a\u5916\u90e8\u6587\u4ef6\uff0c\u8fd9\u5bfc\u81f4VT\u62a5\u6bd2\u6570\u5f88\u4f4e\u3002\u672c\u6587\u57fa\u4e8e\u6076\u610f\u6837\u672c\u76f8\u4f3c\u6027\u8ba4\u4e3a\u8fd9\u4e9b\u7279\u6b8a\u7684 CHM \u653b\u51fb\u6837\u672c\u548c C# \u540e\u95e8\u5f88\u53ef\u80fd\u6765\u81ea Mysterious Elephant \u7ec4\u7ec7\u3002","title":"\u7591\u4f3c Mysterious Elephant \u7ec4\u7ec7\u5229\u7528 CHM \u6587\u4ef6\u653b\u51fb\u5357\u4e9a\u591a\u56fd","link":"https:\/\/ti.qianxin.com\/blog\/articles\/suspected-mysterious-elephant-group-uses-chm-files-to-attack-multiple-countries-in-south-asia-cn"},{"category":"\u4e8b\u4ef6\u8ffd\u8e2a","publish_time":"2024-10-12 14:42:20","tags":["APT","SOUTHERN ASIA","BITTER"],"abstract":"Bitter Group Enables New Trojan Horse MiyaRat, Domestic 
Users Become Primary Targets. Bitter has been trying a variety of AV-evasion (\u514d\u6740) techniques this year: loading the Havoc C2 framework through PowerShell in June, and directly distributing the information-stealing plugin it has used since 2018 in July, both with less than ideal results; it ultimately distributed a brand new trojan, MiyaRat, in September, which we still successfully captured.","title":"Bitter Group Launches New Trojan MiyaRat, Domestic Users Become Primary Targets","link":"https:\/\/ti.qianxin.com\/blog\/articles\/bitter-group-launches-new-trojan-miyarat-domestic-users-become-primary-targets-en"},{"category":"\u4e8b\u4ef6\u8ffd\u8e2a","publish_time":"2024-10-12 14:42:20","tags":["APT","\u5357\u4e9a\u5730\u533a","BITTER"],"abstract":"Bitter \u5728\u4eca\u5e74\u4e00\u76f4\u5728\u5c1d\u8bd5\u5404\u79cd\u514d\u6740\u65b9\u6cd5\uff1a6\u6708\u4efd\u901a\u8fc7 powershell \u52a0\u8f7d havoc \u6846\u67b6\u30017 \u6708\u4efd\u76f4\u63a5\u4e0b\u53d1 2018 \u5e74\u5c31\u5728\u4f7f\u7528\u7684\u7a83\u5bc6\u63d2\u4ef6\uff0c\u6548\u679c\u90fd\u4e0d\u592a\u7406\u60f3\uff0c\u6700\u7ec8\u5728 9 \u6708\u4efd\u4e0b\u53d1\u4e86\u5168\u65b0\u7684\u7279\u9a6c MiyaRat \u8fd8\u662f\u88ab\u6211\u4eec\u6210\u529f\u6355\u83b7\u3002","title":"\u8513\u7075\u82b1\u7ec4\u7ec7\u542f\u7528\u5168\u65b0\u7279\u9a6c MiyaRat\uff0c\u56fd\u5185\u7528\u6237\u6210\u4e3a\u9996\u8981\u76ee\u6807","link":"https:\/\/ti.qianxin.com\/blog\/articles\/bitter-group-launches-new-trojan-miyarat-domestic-users-become-primary-targets-cn"},{"category":"\u6f0f\u6d1e\u901a\u544a","publish_time":"2020-07-15 15:57:00","tags":["CVE-2020-1350","MICROSOFT DNS SERVER"],"abstract":"2020\u5e747\u670814\u65e5\uff0c\u5728\u5fae\u8f6f\u6bcf\u6708\u7684\u4f8b\u884c\u8865\u4e01\u65e5\u5f53\u5929\uff0c\u4fee\u590d\u4e86\u4e00\u4e2aWindows DNS Server\u4e2d\u7684\u4e25\u91cd\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u7531\u4e8eWindows DNS 
Server\u672a\u80fd\u6b63\u786e\u5904\u7406\u7279\u5b9a\u7578\u5f62\u6570\u636e\u4ea4\u4e92\uff0c\u4ece\u800c\u5bfc\u81f4\u8fdc\u7a0b\u65e0\u9700\u9a8c\u8bc1\u7684\u653b\u51fb\u8005\u901a\u8fc7\u5229\u7528\u5728\u672c\u5730\u7cfb\u7edf\u8d26\u6237\u4e0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u8be5\u6f0f\u6d1e\u5728\u5fae\u8f6f\u7684\u901a\u544a\u4e2d\u88ab\u5b9a\u7ea7\u4e3a\u53ef\u8815\u866b\u5316\u7ea7\u522b\uff0c\u6b64\u7c7b\u578b\u7684\u6f0f\u6d1e\u5728\u88ab\u5229\u7528\u540e\uff0c\u5f80\u5f80\u4f1a\u5bfc\u81f4\u4e25\u91cd\u7684\u5b89\u5168\u5a01\u80c1\uff0c\u7c7b\u4f3c\u4e4b\u524d\u88ab\u5229\u7528\u6765\u4f20\u64adWannaCry\u8815\u866b\u7684\u6c38\u6052\u4e4b\u84dd\u6f0f\u6d1e\u3002\n\n\u5947\u5b89\u4fe1\u5a01\u80c1\u60c5\u62a5\u4e2d\u5fc3\u7ea2\u96e8\u6ef4\u56e2\u961f\u7b2c\u4e00\u65f6\u95f4\u8ddf\u8fdb\u4e86\u8be5\u6f0f\u6d1e\uff0c\u57fa\u4e8e\u6240\u5f97\u5230\u7684\u6280\u672f\u7ec6\u8282\uff0c\u8be5\u6f0f\u6d1e\u662f\u7531\u4e8eWindows DNS Server\u5904\u7406\u7578\u5f62\u56de\u5e94\u6570\u636e\u65f6\u5b58\u5728\u7684\u6574\u6570\u6ea2\u51fa\u95ee\u9898\uff0c\u76ee\u524d\u7ea2\u96e8\u6ef4\u56e2\u961f\u5df2\u7ecf\u9a8c\u8bc1\u4e86\u6b64\u6f0f\u6d1e\u53ef\u88ab\u653b\u51fb\u8005\u5b8c\u5168\u64cd\u63a7\u89e6\u53d1\uff0c\u5b58\u5728\u88ab\u5927\u8303\u56f4\u653b\u51fb\u5229\u7528\u7684\u53ef\u80fd\u6027\u3002\u800c\u4e14\u6f0f\u6d1e\u5f71\u54cd\u4eceWindows Server 2008\u52302019\u7684\u64cd\u4f5c\u7cfb\u7edf\uff0c\u51e0\u4e4e\u6db5\u76d6\u6240\u6709\u76f8\u5173\u7684Windows\u670d\u52a1\u5668\u3002\u56e0\u6b64\uff0c\u5947\u5b89\u4fe1\u5a01\u80c1\u60c5\u62a5\u4e2d\u5fc3\u63d0\u9192\u542f\u7528\u4e86Windows DNS Server\u76f8\u5173\u529f\u80fd\u7684\u7528\u6237\u53ca\u65f6\u5b89\u88c5\u8be5\u6f0f\u6d1e\u7684\u8865\u4e01\u3002\n","title":"QiAnXinTI-SV-2020-0013 Microsoft DNS 
Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2020-1350\uff09\u901a\u544a","link":"https:\/\/ti.qianxin.com\/advisory\/articles\/microsoft-dns-server-remote-code-execution-vulnerability-notice"},{"category":"\u6f0f\u6d1e\u901a\u544a","publish_time":"2020-04-08 10:34:35","tags":["CVE-2020-6819","CVE-2020-6820","FIREFOX"],"abstract":"2020\u5e744\u67083\u65e5\uff0cMozilla\u5728\u5176\u5b89\u5168\u901a\u544a\u4e2d\u6279\u9732\u5176\u4fee\u590d\u4e86\u4e24\u4e2a\u9488\u5bf9Firefox\u6d4f\u89c8\u5668\u7684\u5728\u91ce0day\u6f0f\u6d1e\uff08CVE-2020-6819\u3001CVE-2020-6820\uff09\u3002\n\u5947\u5b89\u4fe1\u5a01\u80c1\u60c5\u62a5\u4e2d\u5fc3\u7ea2\u96e8\u6ef4\u56e2\u961f\u7b2c\u4e00\u65f6\u95f4\u8ddf\u8fdb\u4e86\u8fd9\u4e24\u4e2a\u6f0f\u6d1e\uff0c\u4eceMozilla\u53d1\u9001\u7684\u516c\u544a\u4e2d\u53ef\u77e5\uff0c\nCVE-2020-6819\u662f\u6d4f\u89c8\u5668\u5728\u5904\u7406nsDocShell\u6790\u6784\u51fd\u6570\u65f6\uff0c\u7531\u4e8e\u7ade\u4e89\u6761\u4ef6\u95ee\u9898\u5bfc\u81f4\u7684UAF\u6f0f\u6d1e\uff0c\u800cCVE-2020-6820\u5219\u662f\u6d4f\u89c8\u5668\u5728\u5904\u7406ReadableStream\u65f6\u7531\u4e8e\u7ade\u4e89\u6761\u4ef6\u5bfc\u81f4\u7684UAF\u6f0f\u6d1e\u3002\u503c\u5f97\u6ce8\u610f\u7684\u662f\uff0c\u8fd9\u4e24\u4e2a\u6f0f\u6d1eMozilla\u90fd\u63d0\u793a\u53d1\u73b0\u4e86\u76f8\u5173\u9488\u5bf9\u6027\u7684\u5728\u91ce\u5229\u7528\u653b\u51fb\uff0c\u5728\u6f0f\u6d1e\u88ab\u5229\u7528\u65f6\u6781\u53ef\u80fd\u4e3a0day\u72b6\u6001\uff0c\u968f\u7740\u8865\u4e01\u7684\u53d1\u5e03\uff0c\u76f8\u5173\u7684\u6280\u672f\u7ec6\u8282\u53ef\u80fd\u88ab\u7814\u7a76\u5e76\u5bfc\u81f4\u66f4\u5927\u8303\u56f4\u7684\u653b\u51fb\u3002\n","title":"QianxinTI-SV-2020-0012 Firefox\u5728\u91ce\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2020-6819\u3001CVE-2020-6820\uff09\u901a\u544a","link":"https:\/\/ti.qianxin.com\/advisory\/articles\/firefox-wild-remote-code-execution-vulnerability-notice"},{"category":"\u6f0f\u6d1e\u901a\u544a","publish_time":"2020-03-25 
13:58:51","tags":["ADV200006","TYPE 1\u5b57\u4f53\u5904\u7406\u6f0f\u6d1e"],"abstract":"2020\u5e743\u670824\u65e5\uff0c\u5fae\u8f6f\u5b98\u65b9\u53d1\u5e03\u4e86\u4e00\u4e2a\u975e\u4f8b\u884c\u7684\u9884\u8b66\u901a\u544a\u3002\u901a\u544a\u63cf\u8ff0\u6709\u4e24\u4e2a\u6f0f\u6d1e\u5b58\u5728\u4e8eWindows Adobe Type Manager\u5e93\u5904\u7406Adobe Type 1 PostScript\u5b57\u4f53\u6a21\u5757\u4e2d\uff0c\u53ef\u80fd\u5bfc\u81f4\u4ee3\u7801\u6267\u884c\uff0c\u6709\u610f\u601d\u7684\u662f2015\u5e74Hacking Team\u6cc4\u9732\u7684\u5de5\u5177\u4e2d\u5176\u4e2d\u4e00\u4e2a\u6f0f\u6d1e\u4e5f\u662f\u51fa\u4e8e\u8be5\u6a21\u5757\u3002\u4ece\u901a\u544a\u4e2d\u53ef\u77e5\u8be5\u6f0f\u6d1e\u5df2\u7ecf\u88ab\u7528\u4e8e\u6709\u9650\u7684\u5728\u91ce\u653b\u51fb\u4e2d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u591a\u79cd\u65b9\u5f0f\u5229\u7528\u6b64\u6f0f\u6d1e\uff1a\u4f8b\u5982\u8bf1\u5bfc\u7528\u6237\u6253\u5f00\u7279\u5236\u6587\u6863\u6216\u901a\u8fc7\u5728Windows\u9884\u89c8\u7a97\u683c\u4e2d\u67e5\u770b\u6765\u6267\u884c\u6f0f\u6d1e\u653b\u51fb\u3002\u7531\u4e8e\u5fae\u8f6f\u4f1a\u5728\u7a0d\u540e\u56db\u6708\u7684\u8865\u4e01\u65e5\u624d\u5bf9\u8be5\u6f0f\u6d1e\u8fdb\u884c\u4fee\u590d\uff0c\u6240\u4ee5\u5947\u5b89\u4fe1\u5a01\u80c1\u60c5\u62a5\u4e2d\u5fc3\u53d1\u5e03\u8be5\u901a\u544a\u63d0\u9192\u7528\u6237\u901a\u8fc7\u9002\u5f53\u7684\u7f13\u89e3\u63aa\u65bd\u505a\u597d\u63d0\u524d\u9632\u8303\u3002","title":"QiAnXinTI-SV-2020-0009 Microsoft Windows Type 1\u5b57\u4f53\u5904\u7406\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08ADV200006\uff09\u901a\u544a","link":"https:\/\/ti.qianxin.com\/advisory\/articles\/type-1-font-handling-remote-code-execution-vulnerability"}]