### { マルウェア | 脆弱性 | スパム | 0day | ボットネット } のセキュリティ・ブログ # English Report of "FHAPPI Campaign" : FreeHosting APT PowerSploit Poison Ivy _This is the English translation of analysis I made in Japanese: "#OCJP-136: 「FHAPPI」 Geocities.jpとPoison Ivy(スパ_ [イウェア)のAPT事件", it has been translated by a professional hacker and translator, Mr. "El" Kentaro. He is very](https://twitter.com/elkentaro) **_good so I will not change any words he wrote, please contact him for the Japanese/English "techie" translation. -_** _rgds, @unixfreaxjp_ |2|1|8|0|2|2|1| |---|---|---|---|---|---|---| リンク / 案内 [記事のアーカイブ](http://blog.0day.jp/p/blog-page.html) [RSS](http://blog.0day.jp/rss.xml) [OCJPって何?](http://blog.0day.jp/2012/01/cleanup-japan-ocjp.html) [ファイル送る便(英語版)](http://x.malwaremustdie.org/sendsample.html) [ファイル送る便(バックアップ)](http://www.geocities.jp/arc_ocd/sendsamplejp.html) モバイル アクセス 記事の検索 アーカイブ・ダイレクトリー アーカイブ・ダイレクトリー 最近の記事 今日のお勧め解析記事 |Col1|検索| |---|---| |アーカイブ・ダイレクトリー|Col2| |---|---| #### #OCJP 134 ダブル「 h ELF リ # 2 1 8 0 2 2 1 ----- VXRL(credit) contacted us regarding an APT phishing email that included a download link to a malware being hosted on a Geocities website. Sample/Evidence. *) Because we think its an APT attack we cannot disclose all of the contents of the email. After receiving the request to takedown and URL information, much of the received malware information was very unclear. I also examined the signature detection rate which turned out to be none. There was too few details. Without the definite proof Geocities would not be able to do anything I decided to reverse engineer the APT. Here are the results of my analysis please use it to remove the malware. From the URL the malware was hosted on GeoCities Japan, Geocities is not a malware or malicious site but a free website hosting for blogs and homepage. [#OCJP-128: ロシア系マルウェアボッ](http://blog.0day.jp/2015/10/ocjp-128-11.html) トネットのカムバック [【研究情報】暗号化されているマル](http://blog.0day.jp/2015/06/python.html) ウェアデータが何とかPythonで… Lockyランサムウェア: インフェック [ション仕組みのモニタリング・レコー](http://blog.0day.jp/2016/07/locky.html) ド #OCJP-130: スパムボットに感染され [たPCからのスパムメール(マルウェア](http://blog.0day.jp/2016/07/pc.html) url) PEStudio 8.18, Wireshark & [VirusTotalを使いマルウェア調査ガイ](http://blog.0day.jp/2014/04/pestudio-818-wireshark-virustotal.html) ドビデオを作りました のレポートを書かせて頂きます。 内容的 には「Linux OS x86」、「ELFバイナリリ バーシング」と「シェルコード」の絡み となります。 この記事を読むだけでも OKですし、もし再現したい場合ASM 、 gccとLinuxリバーシン... **0day.JPの人気の投稿** #OCJP-098: 【警告】 285件日本国内 のウェブサイトが「Darkleech [Apache Module」に感染されて、IEで](http://blog.0day.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html) アクセスすると「Blackhole」マル ウェア感染サイトに転送されてしまい ます! [bash 0dayマルウェア感染の「real](http://blog.0day.jp/2014/09/bash-0dayreal-time.html) time」リバースエンジニアリング [【警告】新規Linux/Mayhemマルウェ](http://blog.0day.jp/2015/06/linuxmayhem.html) アの感染 ----- **MalwareMustDie! (MMD)** [Linux Malware Research List](http://blog.malwaremustdie.org/2016/11/linux-malware.html) [MMD-0061-2016 - Linux/OverkillMod](http://blog.malwaremustdie.org/2016/11/mmd-0061-2016-emech-for-ddos.html) [MMD-0060-2016 - Linux/UDPfker](http://blog.malwaremustdie.org/2016/10/mmd-0060-2016-linuxudpfker-and-chinaz.html) [MMD-0059-2016 - Linux/IRCTelnet](http://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html) The account “vbiayay1” was used to host the actual malware sample. The contents of the hosted malware file was VBScript encoded script. [MMD-0058-2016 - Linux/NyaDrop](http://blog.malwaremustdie.org/2016/10/mmd-0058-2016-elf-linuxnyadrop.html) [MMD-0057-2016 - Linux/LuaBot](http://blog.malwaremustdie.org/2016/09/mmd-0057-2016-new-elf-botnet-linuxluabot.html) [MMD-0056-2016 - Linux/Mirai](http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html) [MMD-0055-2016 - Linux/PnScan](http://blog.malwaremustdie.org/2016/08/mmd-0054-2016-pnscan-elf-worm-that.html) [MMD-0054-2016 - ATMOS botnet](http://blog.malwaremustdie.org/2016/06/mmd-0054-2016-atmos-botnet-and-facts.html) [MMD-0053-2016 - Linux/STD IRCBot](http://blog.malwaremustdie.org/2016/04/mmd-0053-2016-bit-about-elfstd-irc-bot.html) [MMD-0052-2016 - Overall Linux DDoS](http://blog.malwaremustdie.org/2016/02/mmd-0052-2016-skidddos-elf-distribution.html) [MMD-0051-2016 - Linux/Tiny ELF-2](http://blog.malwaremustdie.org/2016/02/mmd-0051-2016-debungking-tiny-elf.html) [MMD-0050-2016 - Linux/Torte](http://blog.malwaremustdie.org/2016/01/mmd-0050-2016-incident-report-elf.html) [MMD-0049-2016 - Java/DldrRCE](http://blog.malwaremustdie.org/2016/01/mmd-0049-2016-case-of-java-trojan.html) [MMD-0048-2016 - Linux/DDOS.TF](http://blog.malwaremustdie.org/2016/01/mmd-0048-2016-ddostf-new-elf-windows.html) [MMD-0047-2015 - Linux/SSHV HidePID](http://blog.malwaremustdie.org/2015/12/mmd-0047-2015-sshv-ssh-bruter-elf.html) [MMD-0045-2015 - Linux/KDefend](http://blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html) [MMDブログアーカイブ](http://blog.malwaremustdie.org/2016/) **JVN脆弱性情報** 最新CVE情報 **Cyber Awareness (US-CERT)** **E** **l it (最新版のみ)** ----- _VBScript is a subset of Visual Basic and for people who have used Visual Basic or any VBA macro it should be a_ _familiar programming language. However VBScript is designed to be run and executed within the browser and only_ _can call functions considered basic such as file access and printing. Microsoft VBScript can be executed under_ _Windows Script Host or Powershell._ ## 2. Reversing marathon of base64 First I manually decoded the VBScript encoded sample, leading to the following code: *) if you want to know how this is possible contact me directly @malwaremustdie The code by using Windows Script Host VBScript creates and object in the shell (read: CMD) and executes a run of the following code: **powershell.exe -w hidden -ep bypass -Enc "etc etc etc".** The meaning is, during script execution powershell hides the output (-w hidden) and executes "etc etc etc" which is **the base 64 coded command (Enc = EncodedCommand) without authentication (-ep bypass, ep = ExecutionPolicy).** **[malekal's site](https://www.malekal.com)** Réparer l’association de fichiers sur Windows _21 時間前_ **[Didier Stevens](https://blog.didierstevens.com)** !exploitable Crash Analyzer – Statically Linked CRT _1 日前_ **[Sucuri Blog](https://blog.sucuri.net)** [Persistent Malicious Redirect](https://blog.sucuri.net/2018/07/persistent-malicious-redirect-variants.html) Variants _1 日前_ **[Virus Bulletin news](https://www.virusbulletin.com/rss)** New paper: Does malware based on Spectre exist? _1 日前_ **[Errata Security](https://blog.erratasec.com/)** Your IoT security concerns are stupid _5 日前_ **[Dynamoo's Blog](https://blog.dynamoo.com/)** [Phishing and fraudulent sites hosted](https://blog.dynamoo.com/2018/05/phishing-and-fraudulent-sites-hosted-on.html) on 188.241.58.60 (Qhoster) **Linuxセキュリティ・アップデート** マイクロソフト・セキュリティ情報 おすすめ研究サイト一覧 **[Schneier on Security](https://www.schneier.com/blog/)** [Installing a Credit Card Skimmer on a](https://www.schneier.com/blog/archives/2018/07/installing_a_cr.html) POS Terminal _19 時間前_ ----- _Designed on the basis of object oriented, it is based on .NET Framework. PowerShell is having strict policy for_ _performing the script execution, however, by using optional execution parameter the attacker can utilize PowerShell_ _to run a malicious script. Once called Microsoft Shell (MSH, codenamed Monad)._ Continuing the decoding of the "etc etc etc" code, leads to the following script↓ Once again its a VBScript, this script creates a web client object and uses the proxy setting and user rights to download a file from a url and execute the file. This allow the opening of a .doc (MS word) file. **[XyliBox](http://www.xylibox.com/)** [Citadel 0.0.1.1 (Atmos)](http://www.xylibox.com/2016/02/citadel-0011-atmos.html) _2 年前_ **Andre' M. DiMino -** **SemperSecurus** Another look at a cross-platform DDoS botnet _4 年前_ **[contagio](http://contagiodump.blogspot.com/)** Rootkit Umbreon / Umreon - x86, ARM samples _3 か月前_ **[MALware FORensics SECurity](http://malforsec.blogspot.com/)** [Sundown Exploit kit](http://feedproxy.google.com/~r/MalwareForensicsSecurity/~3/ZdM7yb7ydkg/sundown-exploit-kit.html) _1 年前_ **[S!Ri.URZ](http://siri-urz.blogspot.com/)** [ThinkPoint](http://siri-urz.blogspot.com/2016/05/thinkpoint.html) _2 年前_ ----- Then by utilizing IEX (Invoke-Expression) commandlet will allow it to execute a script under Windows PowerShell and download and execute a .ps1 file from another url. Lets dive into the .ps1 file↓ ----- Once again its a base 64 encoded code, and it shows that it used the IEX command to decode. Looks like this malicious actor really likes base 64, so back to reversing the base 64 manually. ----- The above is the decoded code, but its another base 64 encoded code. (_ _|||);;;; However it finally revealed some of the infection code, the actual malware payload is in this base 64 code. The code also revealed infection vectors for 32 bit and 64 bit, it hides itself as a fake “Security Update” process and uses powershell.exe to execute the base 64 code by decoding it with an IEX command. Ok, back to decoding base 64 again!! Once decoded the 2 functions came up and a shellcode appeared. ----- The above codes are all self-explanatory, read the commands line by line. It explains how a powershell can be used as lethal vector to exploit a bad malware by process injection, and all are in a script!!! ## 3.Copy/Pasting PowerSploit/CodeExecution PoC ----- Copy-and-Paste rulzzz….(maybe) This is one of the reasons I am against releasing malware code to the public. GitHub is full of these types source codes. ## 4.ShellCode The main payload of this sample turned out to be mostly a copy and paste job of the PowerSploit/CodeExection and the shell code and multilayered base64 encoding is original to this sample. So to reveal the actually shell code we have decode the rest using base 64 again…oh no.. **$Shellcode = [System.Convert]::FromBase64String($Shellcode32)** Once decoded the shellcode header can be analyzed as:↓ ----- We could just reverse engineer it as is, however it might take some time.. ----- So looks like we need and XOR Key “0xe9” and byte length: 0x2183 I didn't want to write it further before but now ----- Its getting late and I need my beauty sleep, and I can’t spend much time on this so I will share a neat way to handle this shellcode :) So I used assembly and created a PE binary file using this shellcode. Saving the shell code data in the .text section of the assembly file and the entry point(EP) will be "adjusted" by the compiler during compilation process therefore you can execute this shellcode as a binary PE file. This method is very useful when analyzing shellcodes. And by using a Unix environment you can create this PE without risking an infection. (For this sample I conducted most of my analysis in FreeBSD) ----- By using gcc or nasm to compile the PE file can be created in FreeBSD. So we can now analyze the code for further analysis and behavior analysis of the malware without any risk.(^-^v So it turns out that much of the behavior of the sample conducts many malware actions, the shellcode extracts information of its victim and calls back to a C2 server and other nefarious actions. Writing out exactly what the payload does will take a very long time but here is the draft of the sample’s payload b h i di i h d i i I d f d i i ( f l h d i i ) ↓ ----- (This hand writing diagram contains the shellcode process, for both shellcodes used by FHAPPI. The first one is what had been injected by the powershell.exe, the second one is what had been injected into the userinit.exe process. I’ll clean up once I get to it, besides the malicious actor could be reading this post too. So once the necessary steps are taken I might clean this up) _Shellcode is a piece of code used as a payload that uses software security holes in computer security. Shell codes are_ _often written in machine language. In order to allow an attacker to control an intruding machine, they often launches_ _a shell, for that a machine language code is executed._ _Shell code is not necessarily just to start a shell, even without opening any shell, intrusion of malicious commands_ _can be performed, for example, executing a specific function of a library by addressing specific work space in kernel_ _for execution of a malicious activities, so it is said that the name of shell code is insufficient. However, other terms_ _have not been established so far._ ## 5.POISON IVY The shell code utilizes many system calls and hence the shell code itself is somewhat bloated (This hand writing diagram contains the shellcode process, for both shellcodes used by FHAPPI. The first one is what ----- _*) you will need to sort these out by analyzing the flow of the malware in assembly mode._ I notices this is a 「Poison Ivy」 during the first stage of trace-assembly analysis of the shellcode: _*) you will need to sort these out by analyzing the flow of the malware in assembly mode._ ----- As you can see a fake 「userinit.exe」process was made, and a malicious code was injected in the process and then to be executed. The victims will see a BAD 「userinit.exe」process is doing bad stuff. This is a typical Poison Ivy scheme. Further, the usage of the certain combination of DLL is showing a typical pattern of the threat too. More over, the date stamped in the MUTEX name is mostly used by Poison Ivy (specific format). _What looks like a mouse, should be a mouse.._ If you want to see the whole figure of Poison Ivy used by this campaign, you will need to compile it as a binary and analyze it as per described above, or you can decrypt the XOR with a patience, and then go by opcode per opcode reversing. It is very do-able, and as the proof you can see the following screenshots of what I decrypted by radare2 (I only use one r2 shell for this under a FreeBSD OS, no fancy stuff, if I can do this then you can do the same) ----- ## Another shellcode in a shellcode.. ----- This second shell code was generated during the XOR-decrypting process when PowerSploit (malware script of powershell.exe) injected the first shell code, and the first shell code to then injecting this second shell code into userinit.exe process. First shell code is the whole PoisonIvy itself, second shellcode is the installed infectious **payload to the client's PC. See the screenshot I took while cracking the first shell code by XOR below in radare2, it** shows the second shell code was formed during the first shell code was XOR-decrypted itself: ----- ↑It's hard to see or noticing malicious part of the second shellcode by ASCII view, let's see it in binary mode↓ ----- Now I see the suspicious「 CreateThread 」DLL call printed out in there, very suspicious. The type of this shellcode is in x86-32 with the size of 255 bytes. To get more idea on how it works, you will have to see it's flow with any tool you prefer, but I have my beloved one, and the result is like this: ----- ----- **_GetComputerNameA, GetPriorityClass, SetPriorityClass DLL functions were called._** To explain it a bit more, Poison Ivy shellcode during injection of the userinit.exe process was direct/undirectly involved in loading the necessary DLLs in the kernel space. The second shellcode (injected to the userinit.exe) has two types of "calls", the short ones are caling to the "Hint" address of the function in a DLL in memory map and second one is aiming for the "RVA" addresses. To confirm about which address belongs to which functions of what DLL, one needs to know which DLL that was beforehand used or loaded by the malware and then during the condition of "infection" or during the simulation of that infection, the dump of the related DLL can show exact addresses that are applicable. For this case, there are many ways to dissect this, in the Windows OS there is tool called PE Dumper. This tool (or similar ones) will show which are RVA and Hint calls addresses and goes to specific functions. This is why I can know precisely which call were used. Noted: I can not be too transparent for not inspiring other bad guys to do the same. In my test PC (it's a 64bit windows since I run it as image under BSD) the snapshot of kernel.dll calls can be seen as per following screenshot picture: ----- The reversed process for the second shellcode can be disassembled as per what I did in below report (it is the "head" of the longer analysis). ----- You can see this "bad" userinit.exe is operated and creating the file called 「Plug1.dat」, it made socket for the further works, and querying PC info through 「HKEY_LOCAL_MACHINE\SYSTEM\Setup の SystemSetupInProgress」, we'll see the values sent afterward. The next malicious process will be executed too. And these overall process will be looped. I had to terminate the process of loop itself in the 9th time, so I save the data of the Plug1.dat to Plug9.dat. The process being executed by the second shellcode can be seen clearly. I made a graph to describe it as per below: ----- ※)memo: A hand-made diagram I wrote was actually describing the whole process of the shellcode injected via powershell.exe, which also having the process traced of the second shellcode. The both shellcode are in interaction during the infection process. _...now it started to sound like a mouse too..it is a mouse!_ Up to this point, there is no doubt this is a Poison Ivy. ----- seems that there is a socket(),gethostbyname() and a connect() call. These revealed hostname and IP address for the callback, along with minor information. The IP address is a dial-up IP in South Korea.↓ Network/BGP Information→「61.97.243.15||4766 | 61.97.243.0/24 | KIXS-AS | KR | kisa.or.kr | KRNIC」 So the hacker was utilizing another country for the CNC purpose, let's see more: Hostname: web.outlooksysm.net Network/BGP Information 61.97.243.15||4766 | 61.97.243.0/24 | KIXS-AS | KR | kisa.or.kr | KRNIC ----- This is the used domain's WHOIS info: Domain Name: outlooksysm.net Registry Domain ID: 10632213 Registrar WHOIS Server: grs-whois.cndns.com Registrar URL: http://www.cndns.com Updated Date: 2016-05-27T11:24:02Z Create Date: 2016-05-27T11:19:45Z Registrar Registration Expiration Date: 2017-05-27T11:19:45Z Registrar: SHANGHAI MEICHENG TECHNOLOGY INFORMATION DEVELOPMENT CO., LTD. Registrar IANA ID: 1621 Registrar Abuse Contact Email: domain@cndns.com Registrar Abuse Contact Phone: +86.2151697771 Reseller: (null) Domain Status: ok https://icann.org/epp#ok Registry Registrant ID: Registrant Name: Liu Ying Registrant Organization: Liu Ying Registrant Street: Nan An Shi Jing Hua Lu 88Hao Registrant City: NanAnShi Registrant State/Province: FuJian Registrant Postal Code: 009810 Registrant Country: CN Registrant Phone : +86 13276905963 ----- So we know where this asshole is coming from... Just analyzing the code is not enough evidence, I needed a safe way to execute PE file to conduct further behavioral analysis. This way I could capture all the CNC/C2 traffic.↓ In this traffic was sent my test PC info (knew this after decoded) (@。@;; ----- The first transmission has a size of 256 bytes…this looks interesting…↓ ----- So by looking ups some reference material turns out that this 256 byte transmission is an identifiable traffic pattern for the Poison Ivy RAT. (The Challenge and Response Traffic for Poison Ivy) ↓ ----- _Poison Ivy: Poison Ivy also known as PIVY is a RAT (Remote Administration Tool), its a back door style malware._ _Many espionage related malware utilize this Poison Ivy kit in APT(Targeted Attacks)_ ## 7.Conclusion This APT campaign utilized many variants to falsely have the victim download a malicious VBScript, which then downloaded a secondary staged attack .doc file and opening it. Behind this action it quietly executes a PowerShell(PowerSploit) attack to infect the victims with Poison Ivy into a process running in memory. ----- PowerSploit used shellcode. The concept of infection is fileless, its avoiding known signature for detection by multiple encodings and wraps, and it is also 100% avoiding the original attacker's working territory. This will make the current APT campaign has better chance of success other cases caused by similar payload. This APT campaign utilized multiple accounts on Geocities Japan, leading to the possibility that there is a larger APT campaign being conducted. The TPPs of this attack were the first to be recognized in Japan, and after discussing the attack with my friends and fellow researchers we have named it “Free Hosting (pivoted) APT PowerSploit Poison Ivy” (FHAPPI) Credit: El Kentaro (FHAPPI Idea and logo、credit), Luffy, Syota Shinogi 、Ino Yuji (credit) ++ To avoid further victims I really hope that the vbiayay1 account on Geocities.jp gets taken down quickly and the malware deleted. I hope that this analysis can help in the investigation and the countering of this threat. Also from the analysis I am certain that the Korean IP address 61.97.243.15 is a CNC for Poison Ivy therefore recommend blocking access to and from this IP. I also have already contacted Gmail regarding the email sender, the following address were used: **1. wisers.data@gmail.com** **2. health.pro.demo30@gmail.com** These accounts can be used in other APT campaigns, so I suggest blocking & start tracing these addresses. I also hope that malware source codes and PoC are not shared in public. ## 8.Sample I’m still working on this, so I will only share the hashes for the samples. I will add the VT URLs once I am done. 1 2 3 4 5 6 7 8 9 10 1.MD5 (Meeting_sumxx.doc) = 0011fb4f42ee9d68c0f2dc62562f53e0 2.MD5 (xxx0301.ps1) = b862a2cfe8f79bdbb4e1d39e0cfcae3a 3.MD5 (Meeting_xxx.doc) = 0011fb4f42ee9d68c0f2dc62562f53e0 4.MD5 (xxx0301.ps1) = b862a2cfe8f79bdbb4e1d39e0cfcae3a 5.MD5 (xxx0301.wsc) = 7c9689e015563410d331af91e0a0be8c 6.MD5 (shellcode-bin) = cb9a199fc68da233cec9d2f3d4deb081 7.MD5 (stupid-shellcode.exe) = 661d4e056c8c0f6804cac7e6b24a79ec Other samples. (credit: Syota Shinogi) MD5 (f0921.ps1) = e798a7c33a58fc249965ac3de0fee67b ----- Thanks to Syota Shinogi’s help (credit) in further researching he found another Geocities Japan account. It uses the same PowerSploit shell code and the .doc file was a document in Mongolian, possibly targeting users in or related to Mongol. Screen shot ↓ ----- 9,2.File name contains the APT information URL and attack campaign related information : ↓ This shows the attack date, target ID and some form of versioning/series type of information. 9.3.The Deletion process of the APT malware files With the help of the Yahoo Incident Response Division (YIRD) and JP-CERT/CC and other great security folks in Japan the files was successfully deleted. The following files were deleted.↓ ----- ※)Deletion confirmed time : 2017 March. 11th 10:00 am thank you all for your help. 9.4.FHAPPI Campaign targeting Mongol The user lgxpoy6」contains data for Mongolian APT target. The infection vector is the same, judging from the date it started sometime in September of last year. Many artifacts and web sigs has gone or faded but, what the heck, so lets analyze this too for the malware improvement comparison.. The first installer script was not obfuscated using base 64. ----- The encode command executed by powershell.exe has the same format ↓ Mongolian Decoy Document ↓ ----- Still uses PowerSploit to inject the malware into memory, no changes here.↓ ----- A slightly different shell code design ↓ ----- The Mongolia related campaign also uses XOR but a different key “0xd4” but the byte length is the same “0x2183” ----- The CNC is in the mainland of China, with the hostname(S) that I will expose later can be seen in screenshots in next part) ----- The Poison Ivy version used in the Mongolia campaign is the same as the main analysis shown above that aims other country. The interesting part is the hostnames used in the Mongolia campaign were hardcoded two hostnames instead of one (the main analysis APT is only have one hardcoded domains). However please see the template used, this version of PIVY can contains up to 3 (three) hostnames (or IPs). ----- PS: Did you see what domains that was used? ;) Hmm, okay, good, now we know exactly who is behind this attack.. ----- Thu Mar 15 05:42:14 JST 2017 @luffy(credit) corrected some Japanese wording in documentation. (thank you) [Fri Mar 17 00:48:30 JST 2017 @elkentaro translated the whole documents into English](https://twitter.com/elkentaro) ※)PS: I might update this later with more material. # 0 件のコメント: コメントを投稿 コメントを入力... コメントの記入者: [Google ][アカウン] 公開公開 プレビュープレビュー [ホーム](http://blog.0day.jp/) [登録: 投稿 (Atom)](http://blog.0day.jp/feeds/posts/default) 人気の投稿 #OCJP-098: [【警告】 285件日本国内のウェブサイトが「Darkleech Apache Module」に感染されて、IEでアクセスすると「Blackhole」マルウェア感染サイトに転送され](http://blog.0day.jp/2013/03/ocjp-098-285blackhole-exploit-kit.html) てしまいます! コメントを入力... 公開公開 ----- [bash 0dayマルウェア感染の「real time」リバースエンジニアリング](http://blog.0day.jp/2014/09/bash-0dayreal-time.html) ゼロデイが出るといつも大忙し。 特にリバースエンジニアリングの僕らの手が回らない状態です。 《一日目》 CVE-2014-6271(bash 0day)の発表後24時間 以内にMalwareMustDieのチームメートから連絡があり、私が調査してマルウェア感染攻撃を発見し... [【警告】新規Linux/Mayhemマルウェアの感染](http://blog.0day.jp/2015/06/linuxmayhem.html) 下記のIPアドレスから Linux/Mayhemマルウェア の感染動きを発見、wordpressのサイトが狙われています。 wordpressの安全性が低いパスワードを狙いbruteで攻撃さ れ、クラッキングされるとPHPマルウェアインストーラーファイルをサーバーにアップロードさ... [#OCJP-128: ロシア系マルウェアボットネットのカムバック](http://blog.0day.jp/2015/10/ocjp-128-11.html) 以前の 0day.jp記事に も日本国内に対して「Kelihosマルウェア・ボットネット」の感染を報告しましたが 今回このロシア系マルウェア感染ボットネットが 「カムバック」しましたので、 今日我々「MalwareMustDie」が12時間モニターしたら、日本国内の感染IP1... [(c) 2017, ZeroDay Japan | http://blog.0day.jp |. 「シンプル」テーマ. Powered by Blogger.](https://www.blogger.com) -----