From December 2023 to the present, QiAnXin Threat Intelligence Center has observed that a ransomware written in rust language is very active on the Chinese Internet. A large number of domestic machines have been blackmailed, and more than 20 units have been victimized in government and enterprise terminals alone. We Call it Rast ransomware. Rast ransomware has a very special logic: after the ransom is completed, the local machine name and unique identification will be uploaded to the remote mysql database. Through reverse analysis, we obtained the account password of the MySQL database and counted the victims in the database. We found that in just ten months, more than 6,800 terminals were charged, of which more than 5,700 were successfully encrypted. The scale of the impact was huge. Far exceeded our expectations.

从 2023 年 12 月份至今，奇安信威胁情报中心观察到中文互联网上有一款由 rust 语言编写的勒索软件非常活跃，国内大量机器被勒索，仅在政企终端中的受害单位高达 20 余个，我们将其称之为 Rast ransomware。Rast 勒索软件有一个非常特殊的逻辑：勒索完成后会将本机的机器名和唯一标识上传到远程的 mysql 数据库中。通过逆向分析我们拿到了 mysql 数据库的账号密码并统计了数据库中的受害者，发现在短短十个月的时间内有 6800 多台终端被控，其中 5700 余台被成功加密，影响规模之大远远超出了我们的预期。

The CVE-2024-30051 vulnerability was first discovered by Kaspersky. According to the simple analysis report of the vulnerability initially uploaded to VT, we found the actual sample exploited by QakBot and analyzed it in detail through the characteristics of the vulnerability in the report.

CVE-2024-30051漏洞最早由卡巴斯基发现，根据最初上传到VT的该漏洞的简单分析报告，我们通过该报告中漏洞的特征，找到了QakBot利用的实际样本并对其进行了详细分析。

Attackers often conduct very complex information collection before using vulnerability attacks. APT-Q-12 uses multiple sets of complex email probes and periodically delivers probe emails to the target to collect the victim's usage habits and behavior. Logic, including commonly used email platforms and brands, will be treated differently for different office products.

攻击者在使用漏洞攻击前往往会进行非常复杂的信息收集，APT-Q-12使用多套复杂的邮件探针，周期性的向目标投递探针邮件以此来收集受害者的使用习惯和行为逻辑，包括常用的邮件平台、品牌，在针对不同office产品又会进行区别处理。

Recently, we discovered a new variant of the Spyder downloader of the Patchwork group, and observed attackers using Spyder to distribute two secret-stealing components, which are used to capture screenshots and collect file information respectively. Although the core function of the Spyder downloader has not changed, it still releases subsequent components from the remotely downloaded encrypted ZIP package and executes it, but some changes have been made in terms of code structure and C2 communication format. The following is the attack process of the Spyder downloader and secret-stealing components discovered this time.

近期我们发现摩诃草组织 Spyder 下载器出现新变种，并观察到攻击者借助 Spyder 下发两款窃密组件，分别用于截屏和收集文件信息。虽然 Spyder 下载器的核心功能没变，仍是从远程下载的加密 ZIP 包中释放出后续组件并执行，但在代码结构和 C2 通信格式等方面做了一些改动。以下是本次发现的 Spyder 下载器和窃密组件的攻击过程。

近日，奇安信威胁情报中心发布《网络安全威胁2024年中报告》，内容涵盖高级持续性威胁（APT）、勒索软件、互联网黑产、漏洞利用等几方面。该报告指出上半年内涉及我国的高级持续性威胁事件主要在信息技术、政府、科研教育领域，受害目标集中在广东等地区。此外，还观察到的多个持续针对国内重点目标的未知威胁组织（UTG）瞄准新能源、低轨卫星、人工智能、航天航空等多个领域。2024年上半年全球范围内的勒索软件攻击波及包括中国在内的多个国家，受害者包括个人用户，以及各种规模的组织机构，政府、医疗、制造、能源等行业屡次遭到勒索攻击。银狐木马黑产团伙、Bigpanzi、暗蚊、金相狐等多个黑产组织活动被披露。漏洞方面，2024年上半年披露的高危漏洞数量达25个。往年微软、谷歌、苹果三足鼎立的格局被打破，Google依旧是相关漏洞最多的厂商，旗下的Chrome仍是目前攻击者热衷的浏览器攻击向量，微软、苹果的相关漏洞数量有所回落，留下的份额被网络边界设备漏洞填补。

With the advent of the COVID-19 pandemic in 2020, the sharp fluctuations in the domestic securities and fund markets have caused attackers to be eager to know the future market trends in order to protect their principal. BerBeroka's launch of Operation Giant at this time is in line with historical objective laws. In addition to attacks on core server areas, we also observed that the personal terminals of some top fund managers were controlled. The attackers wanted to obtain the fund portfolios and investment strategies of these financial elites.