
2024-03-14 By RedDrip Team | Event Tracking

During routine endpoint operations, QiAnXin Threat Intelligence Center found that a customer had received a targeted phishing email. The attachment, named "版權資訊及版權保護政策 Dentsu Taipei.zip", contained a malicious LNK file and a benign PDF lure; Tianqing EDR blocked the script Trojan in time. Although the attackers did no real damage to our customers, the Chinese-language lure and the Trojan that followed caught our interest, and after investigation we named the criminal group UTG-Q-007. Its targets are in Asian countries including China, South Korea, Vietnam and India, in the construction, real-estate marketing and internet sectors. The group uses its own ROTbot Trojan to steal sensitive data such as cryptocurrency, intellectual property and social-media accounts and, like the faceduck group (Ducktail), monetises access by hijacking Facebook business accounts to run ads. We have shared the relevant details with the open-source community so that partner vendors can analyse and investigate.

2024-03-13 By RedDrip Team | Event Tracking

QiAnXin Threat Intelligence Center has observed a rather diligent domestic ransomware operator that works mainly at weekends, which physically keeps it out of sight of the security staff who would otherwise notice the alerts. On Saturday it breaks in through N-day vulnerabilities, spends the whole day on internal network reconnaissance and counting the machines under its control, and on Sunday evening pushes the ransomware in bulk, so that victims returning to work the next day get a "surprise". The tools used for lateral movement are mainly Cobalt Strike, fscan, frp and ransomware delivery packages, and the tradecraft closely resembles that of domestic red teams during penetration tests.

2024-03-13 By RedDrip Team | Event Tracking

QiAnXin Threat Intelligence Center has observed a fairly hard-working domestic ransomware operator whose working hours fall mainly at the weekend, which physically keeps it out of view of the security staff who would notice the alerts. On Saturday it intrudes using a number of N-day vulnerabilities, spends the whole day without a break on internal reconnaissance and assessing how many machines it controls, and on Sunday evening uses the implants to push ransomware in bulk so that the victims returning to work the next day get a "surprise". The tools used for lateral movement are mainly Cobalt Strike, fscan, frp and ransomware delivery packages, and the attack methods closely resemble those of domestic red teams during HVV (护网) exercises.
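The two 2024-03-13 entries above make an operational point rather than a technical one: the operator's alerts do fire, but nobody is looking at them between Saturday morning and Sunday night. The script below, added here as an example and not code from QiAnXin, shows one way to close that gap: cluster intrusion alerts that land outside business hours and page when the cluster touches a second host, long before the Sunday-evening deployment. The alert lines, the rule names, the "<ISO time> <host> <rule>" line format and the office hours are all constructed assumptions.

```python
"""Out-of-hours escalation for the weekend ransomware pattern: group
intrusion alerts that arrive outside business hours into campaigns and
record the moment each campaign first deserves a page (second host seen,
or an impact-stage alert). Constructed data and rule names, not real telemetry."""
from datetime import datetime, timedelta

# Constructed EDR alert log. 2024-03-09/10 is a Saturday/Sunday.
SAMPLE_ALERTS = """\
2024-03-08T10:12:03 WS-017 suspicious-office-macro
2024-03-09T02:41:10 SRV-WEB01 nday-webshell-upload
2024-03-09T03:05:44 SRV-WEB01 fscan-portscan
2024-03-09T03:30:12 SRV-WEB01 frp-client-beacon
2024-03-09T11:48:09 SRV-APP02 cobaltstrike-beacon
2024-03-09T12:02:31 SRV-APP03 cobaltstrike-beacon
2024-03-10T21:15:00 SRV-APP02 ransomware-note-dropped
2024-03-10T21:15:07 SRV-APP03 ransomware-note-dropped
2024-03-11T09:00:00 WS-021 suspicious-office-macro
"""

# Assumed rule names mapped onto the toolchain named in the report
INTRUSION_RULES = {
    "nday-webshell-upload": "initial-access",
    "fscan-portscan": "discovery",
    "frp-client-beacon": "tunnelling",
    "cobaltstrike-beacon": "c2",
    "ransomware-note-dropped": "impact",
}
BUSINESS_START, BUSINESS_END = 8, 18   # assumed local office hours


def out_of_hours(ts) -> bool:
    """True at weekends or outside office hours on a weekday."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def parse_alerts(text: str):
    """Yield (timestamp, host, rule) from the assumed one-line-per-alert format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, rule = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), host, rule


def find_out_of_hours_campaigns(text: str, gap_hours: int = 48) -> list:
    """Group out-of-hours intrusion alerts into campaigns separated by at least
    `gap_hours` of silence (48h spans a whole weekend). A campaign is escalated
    the first time it touches a second host or produces an impact-stage alert."""
    gap = timedelta(hours=gap_hours)
    campaigns, current = [], None
    for ts, host, rule in sorted(parse_alerts(text)):
        if rule not in INTRUSION_RULES or not out_of_hours(ts):
            continue
        if current is None or ts - current["end"] > gap:
            current = {"start": ts, "end": ts, "hosts": set(),
                       "stages": [], "escalated_at": None}
            campaigns.append(current)
        current["end"] = ts
        current["hosts"].add(host)
        stage = INTRUSION_RULES[rule]
        if stage not in current["stages"]:
            current["stages"].append(stage)
        if current["escalated_at"] is None and (len(current["hosts"]) >= 2 or stage == "impact"):
            current["escalated_at"] = ts
    for c in campaigns:
        c["escalate"] = c["escalated_at"] is not None
    return campaigns


if __name__ == "__main__":
    for c in find_out_of_hours_campaigns(SAMPLE_ALERTS):
        print(f"{c['start']} .. {c['end']} hosts={sorted(c['hosts'])} "
              f"stages={c['stages']} page_at={c['escalated_at']}")
```

On the constructed log the page would go out at Saturday 11:48, when the Cobalt Strike beacon appears on a second server, a day and a half before the ransom notes drop. The 48-hour gap is what keeps Saturday's reconnaissance and Sunday's deployment in one campaign; a 24-hour gap splits them into two, which is still escalated but loses the timeline.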

2024-03-05 By RedDrip Team | Event Tracking

QiAnXin Threat Intelligence Center recently discovered a batch of espionage samples disguised as installers for products of SGA, a South Korean software company. On execution a sample drops the legitimate installer to deceive the victim while quietly running a malicious DLL packed with VMProtect. The DLL, written in Go, collects various kinds of information from the infected device, sends it to the attackers and then wipes the traces of the attack. Pivoting on the digital signature carried by the stealer samples, we linked them to a second malware family used as a backdoor, also written in Go and protected with VMProtect. That backdoor shares multiple characteristics with historical Kimsuky samples, so we assess that both families are associated with the Kimsuky group.

2024-03-05 By RedDrip Team | Event Tracking

QiAnXin Threat Intelligence Center recently found a batch of information-stealing samples disguised as installers for products of the South Korean software company SGA. When run, a sample drops the genuine installation package to confuse the victim and secretly executes a malicious DLL packed with VMProtect; the DLL is implemented in Go, collects all kinds of information from the infected device, sends it back to the attackers and then cleans up the traces of the attack. Using the digital signature carried by the stealer samples we linked them to another piece of malware used as a backdoor, likewise written in Go and carrying a VMProtect packer. This backdoor overlaps in several features with historical Kimsuky attack samples, so we assess that both pieces of malware are associated with the Kimsuky group.

2024-02-22 By RedDrip Team | Event Tracking

During routine endpoint operations, QiAnXin Threat Intelligence Center found that a customer had received a targeted phishing email whose attachment, named "版權資訊及版權保護政策 Dentsu Taipei.zip", contained a malicious LNK file and a benign PDF lure. After investigation we named the criminal group UTG-Q-007.

2024-02-02 By RedDrip Team | Special Report

QiAnXin Threat Intelligence Center recently published the Global Advanced Persistent Threat (APT) 2023 Annual Report. Drawing on QiAnXin Threat Radar's full-spectrum remote-sensing data on APT activity within China in 2023, the report presents domestic APT activity and trends in advanced persistent threats, and combines this with open-source intelligence to analyse how such threats developed and what characterised them worldwide. As in 2022, government and defence/military bodies remained the hardest-hit sectors for APT activity in 2023; scientific research and education, and information technology, were also major industry targets.
APT Annual Report 2023

2023-12-25 By RedDrip Team | Event Tracking

On December 18, Reuters reported that Predatory Sparrow (also known as Gonjeshke Darande and Indra), a hacker group linked to Israel, launched an attack on Iranian petrol stations that Monday, disrupting roughly 70% of the country's fuel-station services. In a statement on its Telegram channel the group said that "this cyber attack was carried out in a controlled manner to avoid potential harm to emergency services" and described it as a "response to the aggressive actions of the Islamic Republic and its proxies in the region."

2023-12-25 By RedDrip Team | Event Tracking

On December 18 Reuters reported that the Israel-linked hacker group Predatory Sparrow (also known as Gonjeshke Darande and Indra) claimed an attack on Iranian petrol stations on Monday that took roughly 70% of Iran's fuel-station services offline. In a statement on Telegram the group said that "this cyber attack was carried out in a controlled manner to avoid potential harm to emergency services" and declared the strike a "response to the aggressive actions of the Islamic Republic and its proxies in the region".

2023-12-20 By RedDrip Team | Event Tracking

QiAnXin Threat Intelligence Center recently uncovered malicious LNK files targeting South Korea. When run, the LNK files drop a decoy file and a VBS script; one sample uses a decoy HWP document titled "Guidelines for Email Security Inspection". The LNK file size and the way the code is executed initially pointed to APT37, but further analysis of the dropped VBS script's behaviour and its C2 communication showed a closer link to the Konni group, indicating that Konni has recently adjusted its tactics for LNK-based attacks. Notably, Konni, APT37 and Kimsuky, three APT groups believed to be connected, share some similarities in the LNK files they use.
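Both the UTG-Q-007 attachment (2024-03-14 and 2024-02-22 entries) and the Konni samples above are LNK files that carry their decoy document and script inside the shortcut, which is why file size is one of the first attribution clues mentioned. The helper below, added here as an example and not code from QiAnXin or the report, parses the Shell Link header and StringData per the public [MS-SHLLINK] layout and reports whatever is left after the ExtraData terminal block, where appended decoys and scripts end up. The sample LNK, the list of script hosts and the payload markers are constructed assumptions, not indicators from the report.

```python
"""Minimal LNK (Shell Link) triage: parse the header and StringData, then
report anything that sits after the documented structure.
Added example; the sample LNK is constructed here, not a captured file."""
import struct

# LinkFlags bits, [MS-SHLLINK] 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # ShowCommand: window minimised and not activated

# Triage heuristics (assumed, not from the report): interpreters and LOLBins a
# document shortcut has no business launching, and markers of appended content.
SCRIPT_HOSTS = ("cmd.exe", "wscript", "cscript", "mshta", "powershell",
                "rundll32", "certutil", "findstr")
PAYLOAD_MARKERS = (b"%PDF-", b"HWP Document File", b"CreateObject(", b"WScript.Shell")


def parse_lnk(data: bytes) -> dict:
    """Walk the 76-byte header, optional IDList/LinkInfo, StringData and
    ExtraData; return decoded strings plus whatever bytes are left over."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # u16 size, then the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # u32 size covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # character count, no terminator
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:                                      # ANSI code page; latin-1 is lossless enough for triage
            strings[name] = data[off:off + count].decode("latin-1")
            off += count
    # ExtraData: u32-sized blocks, ended by a terminal block whose size is < 4
    while off + 4 <= len(data):
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            off += 4
            break
        off += size
    return {"flags": flags, "show_command": show_cmd, "parsed_size": off,
            "trailing": data[off:], **strings}


def triage(data: bytes) -> dict:
    """Signals worth a human look; a clean shortcut has no trailing bytes at all."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    cmdline = (info.get("relative_path", "") + " " + args).lower()
    trailing = info["trailing"]
    return {
        "script_hosts": [h for h in SCRIPT_HOSTS if h in cmdline],
        "minimised_window": info["show_command"] == SW_SHOWMINNOACTIVE,
        "long_arguments": len(args) > 260,
        "trailing_bytes": len(trailing),
        "embedded_markers": [m.decode() for m in PAYLOAD_MARKERS if m in trailing],
    }


def _string_data(s: str) -> bytes:
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_sample_lnk() -> bytes:
    """Constructed sample: cmd.exe launching a script host with the window
    minimised, and a fake PDF decoy plus VBS text appended after the terminal block."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)   # size, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                                           # creation/access/write FILETIMEs
    header += struct.pack("<IIIH", 0, 0, SW_SHOWMINNOACTIVE, 0)      # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                                           # Reserved1/2/3
    body = _string_data("..\\..\\..\\Windows\\System32\\cmd.exe")
    body += _string_data('/c wscript.exe //B "%TEMP%\\update.vbs"')
    terminal = b"\x00\x00\x00\x00"
    payload = (b"%PDF-1.4\n% constructed decoy, not a real document\n" + b"\x00" * 64
               + b'Set o = CreateObject("WScript.Shell")\r\n')
    return header + body + terminal + payload


if __name__ == "__main__":
    for key, value in triage(build_sample_lnk()).items():
        print(f"{key:18} {value}")
```

Two caveats when pointing this at real files: the trailing-bytes check relies on the terminal block being present, which every Explorer-written shortcut has but a hand-crafted one may omit, and the ANSI branch decodes with latin-1 rather than the victim's code page, so non-Latin strings will look wrong but still reveal the launched binary.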