Tejara166dd.com
166dd.com 时间:2021-04-08 阅读:(
)
Copyright2018AccentureSecurity.
Allrightsreserved.
1GOLDFIN:APersistentCampaignTargetingCISCountrieswithSOCKSBOTJuly26,2018CYBERADVISORYCopyright2018AccentureSecurity.
Allrightsreserved.
2SUMMARYAnumberofsecurityvendorsreportedaseriesofcyber-attacksinvolvingtheuseofamalwarefamilycalledSOCKSBOTandclaimedtobeassociatedwithCANDLEFISH(a.
k.
a.
Patchwork,DroppingElephant).
However,asdisclosedinthisreport,researchbyiDefenseanalystsshowsthatSOCKSBOTwasinfactusedbyathreatgroupinan18-month-longcampaigndubbedGoldfin,spoofingfinancialinstitutionsintheCommonwealthofIndependentStates(CIS)countriessinceasearlyasFebruary2017toasrecentlyasMay2018.
Basedonthetactics,techniquesandprocedures(TTPs)observedinthiscampaign,iDefenseassesseswithmoderateconfidencethatthereportedcampaignisunlikelytobeassociatedwithCANDLEFISH.
Inaddition,iDefenseanalystshaveidentifiedinfrastructureoverlapandtheshareduseofaPowerShellobfuscationtechniquewithFIN7.
AlthoughtheseobservationsarenotenoughtoattributetheGoldfincampaigntoFIN7,iDefenseassessesthesetobeinterestingandnoteworthyobservationsthatfurtherhighlightsthecomplexrelationshipsthatexistbehind-the-sceneinorganizedcybercrime.
HOWTOUSETHISREPORTINTENDEDAUDIENCEiDefenseisprovidinginformationaboutthereportedcampaignstothegeneraliDefensecustomerbase,withthisreportbeingintendedforsecurityoperationscenter(SOC)analystsandengineers.
Managementandexecutiveleadershipmayalsowanttousethisinformation.
HOWTOUSETHISINTELLIGENCEiDefenseisprovidingthisinformationsothatcustomersareawareofthemodusoperandiofahighlyactivethreatgroupthatistargetingfinancialinstitutionsforfinancialgain.
SOCanalystsandengineerscanusethisIA'sdetailedinformationpertainingtotheworkingsofamalwarefamilyandindicatorsofcompromise(IoCs)tocontainormitigatethediscussedthreatthroughmonitoringorblocking.
SOCanalystscanusetheinformationprovidedintheAnalysisandMitigationsectionsofthisIAforhuntingactivitiesforsystemsthatmayhavealreadybeencompromised.
AnalystsandsecurityengineerscanusetheIoCsbyaddingthemtohuntinglistsonendpointdetectionandresponse(EDR)solutionsaswellasnetwork-andhost-basedblackliststodetectanddenymalwareimplantationandcommand-and-control(C2)communication.
IntelligenceanalystsmaywanttousetheinformationprovidedinthisIAtobetterinformtheirownanalyses.
TheprovidedinformationcanalsohelpinformongoingintelligenceCopyright2018AccentureSecurity.
Allrightsreserved.
3analysesandforensicinvestigations,particularlyforcompromisediscovery,damageassessment,andattribution.
Managementandexecutiveleadershipmayusethisinformationtoassesstherisksassociatedwiththethreatdescribedhereintomakeoperationalandpolicydecisionsaccordingly.
HOWTHISINTELLIGENCEHELPSADDRESSEXISTINGORPOTENTIALTHREATSKnowledgeofthegroup'stactics,techniques,andprocedures(TTPs)shouldhelptobetterinformdetectionandresponsetoattacksbythisthreatgroup.
CAMPAIGNANALYSISiDefenseanalystscameacrosstwospear-phishingcampaignsinOctober2017involvingtheuseofamalwarefamilypubliclyknownasSOCKSBOT.
OnecampaignspoofstheHalykBank(Exhibit1)andanotherspoofsthePrivatBank(Exhibit2):Exhibit1:Spear-PhishingEmailSpoofingHalykBankCopyright2018AccentureSecurity.
Allrightsreserved.
4Exhibit2:ContentofaSpear-PhishingE-mailSpoofingPrivatBankSharedonthePublicForumdoneckforum.
comAsExhibits1and2show,bothemailscontainanidenticalmessage,evendowntothelocationoftheembeddedhyperlinks.
TheonlydifferencesaretheembeddedURLsandthesignatureoftheemailinordertoreflectthefinancialinstitutiontheattackerswerespoofing.
Thisinformationsuggestssomesortofphishingkitwaslikelyusedtogeneratethephishingemails.
Anapproximatetranslationofthee-mailspoofingHalykBankisasfollows:Subject:Notificationofopeninganaccount(HalykBankofKazakhstan)Dearcustomer,anaccountwiththePeople'sBankofKazakhstanhasbeenopenedinyourname,youcanfinddetailedinformationintheattachedfile.
Ifyoudidnotreceiveanenvelopewithaloginandpassword,thenyouneedtoregistertoaccessthePersonalArea.
Incaseoflossoflogin/password,youcanregisteranewoneinthesection"Passwordrecovery".
Ifintheprocessofworkyouhaveanyquestionsorproblems,pleasecontacttheCustomerServiceDepartmentatthecontactslistedbelow.
Ourspecialistsarealwaysreadytohelpyou.
Theembeddedmalicioushyperlinksusedintherespectiveattacksareasfollows:hxxp://halyk-bank[.
]com/dog.
ziphxxp://privatbank-ua[.
]com/dog.
zipSubsequenttechnicalanalysisoftheinfectionchaininvolvedlediDefensetouncoveran18-monthlongcampaignofspoofingbanksinCIScountries,withthemostrecentcampaignobservedonMay28,2018spoofingtheIdeaBankCJSC:Copyright2018AccentureSecurity.
Allrightsreserved.
5Exhibit3:Spear-PhishingEmailSpoofingIdeaBankCJSCTheforummemberreportsthattwospear-phishingemailswerereceived:oneclaimingtobeanotificationaboutopeninganaccountandtheotherclaimingtobeanotificationofaloanbeingtakenout.
Thecontentofthelatteremailisapproximatelytranslatedbelow:Dearclient,inyourname,aloanwasissuedtoIdeaBank,formoredetails,seetheattachedfileinwhichthefullnameandphonenumberofyourpersonalloanexpertisindicated,theamountandconditionsforrepayingtheloan.
Anenvelopewithacreditagreementwassenttoyouraddress.
Incaseyoudidnotreceivetheenvelope,youshouldcontactyourpersonalexpert.
Incaseoflossofthecontract,youcanrestoreitatthenearestbranchofthebankorrequestaduplicatethroughyourpersonalexpert.
Foranyquestionsyouareinterestedin,youcancontactyourpersonalexpertortheCustomerServiceDepartmentatthecontactslistedbelow.
Ourspecialistsarealwaysreadytohelpyou.
Yoursfaithfully,IdeaBankCJSCPhoneforcallsfromabroad:+375(17)306-33-14Intheattacksobserved,allinvolvedaphishingemailwithtwoembeddedURLsdirectingtheusertodownloadafilenameddog.
zip.
Basedonthecontentofthee-mailsandthedomainnames,thefollowingbankswerespoofedinthiscampaign:HalykBank(Kazakhstan)PrivatBank(Ukraine)IdeaBank(Belarus)Copyright2018AccentureSecurity.
Allrightsreserved.
6TejaraBank(Iran)Itisalsonoteworthythatinbothphishingkits,therearealwaystwohyperlinkslinkingtothesamemaliciousfile:oneinthebodyofthemessageandoneattheendofthee-mailinalinkcalledДоговор(whichtranslatestoContract).
Thenextsectiondetailstheinfectionchainthatfollowstheinitialdownload.
INFECTIONCHAINANALYSISThegeneralinfectionchainobservedinthiscampaignisasshowninExhibit4:Exhibit4:TheInfectionChainUsedintheSOCKSBOTCampaignSTAGE1-JAVASCRIPTDROPPERBothlinksdeliveredaZIParchivefilenameddog.
zip:hxxp://halyk-bank[.
]com/dog.
zip-211fbf34749df5e717e8b11fecb3f648hxxp://privatbank-ua[.
]com/dog.
zip-b3fb88a5aa791aea141bf3b4cf045355BothcontainaJavaScriptfilenameddog.
jswiththeMD5signatures9a273653364dfb143ff196d826d2bac4and21a09cf81f3584a741c7167f622d6c50,respectively.
TheJavaScriptfilecontainsheavilyobfuscatedcodeasExhibit5shows.
Themaliciouscodeisinfacthiddenascommentsandisdynamicallydeobfuscatedoncethescripthasbeenexecuted.
Copyright2018AccentureSecurity.
Allrightsreserved.
7Exhibit5:ObfuscatedCodeindog.
jsOncedeobfuscated(seeExhibit6),itisclearthatthecodeisdesignedtodotwothings:1.
Tolookforarunninganti-virusprocesses,suchasavp.
exe(KasperskyAntivirus).
Notethatsomevariantsofthemalwarealsosearchforekrn.
exe(ESET),cis.
exe(Comodo)andavgnt.
exe(Avira).
2.
TodropandexecuteaPowerShellscriptnamedsetup.
ps1.
ThisscriptisgeneratedbasedonBase64encodeddatastoredinvariablesnameddllDataandcode.
3.
Deletesetup.
ps1Exhibit6:DeobfuscatedCodeindog.
jsCopyright2018AccentureSecurity.
Allrightsreserved.
8STAGE2-POWERSHELLDROPPERWITHEMPIREThePowerShellscriptsetup.
ps1usedineachattackhastherespectiveMD5signatures521c81c62836a233a6e771bc3491300fand00c38b787eac602ffaed0b9372f2c443.
Thescriptisdesignedforthefollowing(seeExhibit7):1.
CreateaPowerShellscriptnamedcheckupdate.
ps1inC:\Users\Public\Downloads\(Thispathishardcodedinthemalware).
ThecontentofthisscriptisstoredinavariablenameddataandisBased64encoded2.
Createacmdletthatwould:a.
movethescriptcheckupdate.
ps1tothehomedirectoryforthecurrentPowerShellinstallb.
establishpersistencebycreatingaWindowsservicenamedCheckforupdates,setto"delay-auto"startandexecutecheckupdate.
ps13.
UseamodifiedversionofthefunctionInvoke-EventVwrBypassfromtheEmpirePost-exploitationframeworktobypassUACandexecutetheabovecmdletExhibit7:DeobfuscatedCodeinsetup.
ps1Copyright2018AccentureSecurity.
Allrightsreserved.
9STAGE3-POWERSHELLREFLECTIVELOADERSimilarly,checkupdate.
ps1usedineachattackhastherespectiveMD5signatures54e7f3a1a1a8857e35a45f4eb2a3317dand29573b1fa60bce8e04dd2a4d554a7447.
Unsurprisingly,thisscriptalsocontainsobfuscatedcode.
Themaliciouspayloadiscompressed,Base64encoded,andembeddedwithinthescript,whichissimilartoatechniqueusedinPowerSploit.
However,theobservedtechniqueappearstobeavariantofPowerSploitastheencodedpayloadisfurthersplitintoanumberofchunksthataredynamicallyloadedintoanarrayvariablenamed$OArrasshowninExhibit8:Exhibit8:ObfuscatedCodeincheckupdate.
ps1ThecodeisinfactaPowerShellreflectiveloaderscriptwithadynamic-linklibrary(DLL)binaryembeddedasBase64-encodeddata(Exhibit9).
Copyright2018AccentureSecurity.
Allrightsreserved.
10Exhibit9:DeobfuscatedCodeincheckupdate.
ps1STAGE4-SOCKSBOTThespecificSOCKSBOTsampleanalyzedinthisreporthasthefollowingproperties:Filename:socksbot.
dllMD5:90f35fd205556a04d13216c33cb0dbe3FileSize:17.
0KB(17408bytes)CompiledTimeStamp:2017-10-2717:46:05Copyright2018AccentureSecurity.
Allrightsreserved.
11Asmentionedinthelastsection,theSOCKSBOTimplantistypicallydeliveredasaBase64-encodedstringreflectivelyloaded(viatheReflectiveLoader@@YGKPAX@Zexportedfunction)inanewlystartedsvchost.
exeprocess.
Assuch,theimplantexistsonlyinmemoryandnevertouchesthedisk.
Theimplantwillfirstverifyifanyofthemutexesinthefollowingformatarepresentinordertonotruntwice:Global\%snpsGlobal\%sstpExhibit10showsanexampleofacreatedmutex.
Exhibit10:MutexCreationa321c0d8979a05bdnpsTheSOCKSBOTimplanthasthefollowingcapabilities:Enumerateprocesses(processlist)TakescreenshotsDownload,upload,write,andexecutefilesCreateandinjectintonewprocessesCommunicatetoC2viasocketsThisimplantwillcommunicatewiththedesignatedC2serverbyfirstcreatingabufferandwill,onfirstexecution,communicatetotheC2serverthatithassuccessfullyinfectedatargetbyusinga.
phpURIthatispseudo-randomlygenerated.
SOCKSBOTusestheObtainUserAgentStringAPItodeterminethedefaultuser-agentofthemachine.
AnexampleofarequesttotheC246.
166.
163[.
]243isshowninExhibit11.
Exhibit11:TraffictotheC2ServerTheC2serverortheoperatoroftheSOCKSBOTimplantcanthenrespondwithaspecificHTTPstatuscodetoperformasetofactions.
Exhibit12showsthisoptionintheimplant.
Copyright2018AccentureSecurity.
Allrightsreserved.
12Exhibit12:C2OptionsThefollowingstatuscodesaresupported:200:createandstartnewsocket202:enumerateprocessesandtakescreenshot203:performasetofactions(download,upload,execute)Exhibit13showsanexampleofpossibleactions:Exhibit13:HTTPStatusCode203ReturnOptionsTheactionsthattheoperatorcanperformareasfollows:WriteandexecutefilesCopyright2018AccentureSecurity.
Allrightsreserved.
13ExecutePowerShellscriptsExecuteaPowerShellscriptandexitSOCKSBOTcanthuswriteotherPowerShellscriptstothe%TEMP%folderandexecutethesehiddenfromtheuser.
Thisisachievedwiththefollowingcommand:%s\System32\WindowsPowerShell\v1.
0\powershell.
exe-ExecutionPolicyBypass-NoLogo-NonInteractive-NoProfile-WindowStyleHidden-File"%s"ThisallowstheattackertouploadotherobfuscatedPowerShellscriptsonthemachineand,assuch,makesSOCKSBOTapowerfulandpersistentbackdoor.
Altogether,theSOCKSBOTsamplesobservedandanalyzedinthisreportareasfollows:90f35fd205556a04d13216c33cb0dbe32a4d16ddad27c6eb60e197b6b07c2df014f71d5cb8f15f0a9943b5d709a85b7392dfd0534b080234f9536371be63e37a039d9e47e4474bee24785f8ec530769555a57741f49d6c887992353bc47846bcOnlythreedifferentC2servershavebeenobserved:5.
8.
88[.
]6446.
166.
163[.
]2435.
135.
73[.
]113INFECTIONCHAINVARIATIONSWhilethedescribedinfectionchainaboveisthemostcommoninfectionchainobserved,iDefenseanalystshavealsoobservedanumberofdifferentvariationsinrelatedcampaigns:1.
SOCKSBOTDropper2.
dog.
jsObfuscation3.
RandomPowerShellScriptNames4.
ReflectiveloadingPowerShellScriptObfuscationVARIATION1:SOCKSBOTDROPPERAsidefromthePowerShellreflectiveloader,iDefenseanalystshavealsoidentifiedadropperexecutablebinarywiththefollowingpropertiesthatwasusedtoreflectivelyloadSOCKSBOTintoachosenprocess(usuallysvchost.
exe):Filename:MD5:14f71d5cb8f15f0a9943b5d709a85b73FileSize:23.
6KB(24200bytes)CompiledTimeStamp:2017-02-0113:40:14Copyright2018AccentureSecurity.
Allrightsreserved.
14Signer:MagnumTravelClub(Serial:1F8A3E60EEC1E3AA63B39BDD26E110FB)Notethatthebinarywassignedwithacode-signingcertificatepurportedlyfromanorganizationcalledMagnumTravelClub.
ThisdropperwillcreateacopyofitselfinC:\Programdata\Logsasahiddensystemfileandwillthendeletetheoriginalfile.
Anothercopywillbecreatedin%appdata%\Microsoft\Windows\StartMenu\Programs\Startupwiththesamepropertiestoensurepersistence.
Finally,thedropperwillstartanewsvchost.
exeprocessinasuspendedstateandconsequentlyreflectivelyload(andinject)theSOCKSBOTimplantintotheprocess.
AnadditionalWindowsservicemaybecreatedforpersistenceaswell,whichisdonebyfirstenumeratingexistinglegitimateservicesandcreatinganewservicespoofingoneoftheserviceswithanalmostidenticalname.
Inthiscase,anewservicenamedXindowsErrorReportingServicewascreated(seeExhibit14).
Exhibit14:ServiceCreationWhilethisdropperdoesindeedloadtheSOCKSBOTimplant,allotheriterationsorcampaignshaveusedscripts,inparticularJavaScriptandPowerShell,toreflectivelyloadtheSOCKSBOTpayload.
VARIATION2:DOG.
JSOBFUSCATIONWhilemostdog.
jssamplesobservedwereobfuscatedasreportedintheinfectionchainsection,therearealsoversionsthatwerenotobfuscatedatallorwereobfuscatedusingadifferentobfuscationtechniquesuchasdifferentcharacterencoding(Exhibit15):Copyright2018AccentureSecurity.
Allrightsreserved.
15Exhibit15:ADifferentObfuscationTechniqueUsedindog.
jsOnceexecuted,thissample(MD5:b01cf8f375bc0aff2cfe3dc1b4c1823c)willdeobfuscateandgenerateanewfilecalled~~1.
tmpin%appdata%\Futures.
Thescriptisdeletedafterexecution.
VARIATION3:RANDOMPOWERSHELLSCRIPTNAMESCertainvariantsofdog.
jsalsohaveanewfunctiontorandomlygeneratefilenamesforthesecond-andthird-stagePowerShellscripts:functionmakerndps1(){vartext="";varpossible="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";for(vari=0;i<5;i++)text+=possible.
charAt(Math.
floor(Math.
random()*possible.
length));returntext+'.
ps1';}4.
REFLECTIVELOADINGPOWERSHELLSCRIPTOBFUSCATIONAsidefromchangestothedog.
jsobfuscation,iDefenseanalystshavealsofoundadifferentobfuscationtechniqueusedtoobscurethecodeinthereflectiveloadingscript(seeExhibit16):Copyright2018AccentureSecurity.
Allrightsreserved.
16Exhibit16:DifferentObfuscationTechniqueUsedintheReflectiveLoadingPowerShellScriptThesampleconcernedhastheMD5signaturec38b06f871d2268972fa01725b59d7ed.
Notealsothattheexecutioncommandusedforpersistenceisagainencoded(seeExhibit17):Exhibit17:ObfuscatedExecutionCommandinCheckforupdateServiceUsedforPersistenceATTRIBUTIONBasedonthepreferencetospooffinancialinstitutionsinCIScountries,thenetworkinfrastructureusedandtheobservedtargeting,iDefenseassesseswithmoderateconfidencethatthereportedcampaignisunlikelytobeassociatedwithCANDLEFISH.
Furthermore,iDefenseanalystshaveidentifiedanumberofinterestingandnoteworthyoverlapswithFIN7:IdenticalWHOISinformationusedindomainsassociatedwiththeGoldfincampaignandFIN7,aswellasnetworkhostingoverlapShareduseofaPowerShellobfuscationtechniqueCopyright2018AccentureSecurity.
Allrightsreserved.
17OVERLAP1:IDENTICALWHOISINFORMATIONANDNETWORKHOSTINGOVERLAPResearchshowsthatthedomainsprivat-bankau[.
]com,halyk-bank[.
]com,andtejara-bank[.
]comallhavetheorganizationnameGoldfinLLC,anear-identicalregistrantaddress(seebelow),anda@rambler.
rue-mailaddressusedastheregistrante-mailaddress.
RegistrantOrganization:GoldfinLLCRegistrantStreet:ulArbat5RegistrantCity:MoscowRegistrantState/Province:MoscowRegistrantPostalCode:115343RegistrantCountry:RUThispatternoverlapswithtwootherdomains-despanabrandfood[.
]comandsilverdiners[.
]com(seeExhibit18)-thatiDefensecurrentassesseswithlowconfidencearelikelyassociatedwithFIN7duetothefollowing:1.
SpoofingrestaurantchainsDespaaBrandFoods(legitimatedomaindespanabrandfoods.
com)andSilverDiner(legitimatedomainsilverdiners.
com),aknowntechniqueassociatedwithFIN7.
Thewebsitedespanabrandfood[.
]comremainsindexedbyGoogle(seeExhibit19)2.
PreviouslyresolvedtotheIPaddress192.
99.
14[.
]211,whichwasreportedbyTrustwaveandtr1dxasassociatedwithFIN7towardslate2016andearly2017.
Inaddition,likemanydomainsassociatedwithFIN7aswellastheCarbanakgroup,manyofthedomainsusedintheGoldfincampaignwerealsoparkedat31.
41.
41[.
]41whichisassociatedwithCISHosting.
However,iDefenseanalystsareawarebothhostsarelikelytobeshared/parkinghostshencetheassociationwithFIN7basedonthisoverlapisoflowconfidence.
Exhibit18:WHOISInformationSimilaritiesbetweenDomainsUsedintheGoldfinCampaignandThoseAssociatedwithFIN7Copyright2018AccentureSecurity.
Allrightsreserved.
18Exhibit19:Spoofingdomaindespanabrandfood[.
]comremainsindexedbyGoogleatthetimeofwriting,showingtheattacker'sintentiontoplagiarisethelegitimatewebsitedespanabrandfoods[.
]comExhibit20illustratestheoverlappinginfrastructurebetweentheGoldfincampaignandinfrastructureassociatedwithFIN7:Exhibit20:MaltegoGraphShowingtheOverlappingInfrastructurebetweenGoldfinCampaignandFIN7Copyright2018AccentureSecurity.
Allrightsreserved.
19OVERLAP2:SHAREDUSEOFAPOWERSHELLOBFUSCATIONTECHNIQUEAsmentionedintheinfectionchainanalysis,thecodeembeddedwithinthethird-stagePowerShellscriptcheckupdate.
ps1isobfuscatedusingatechniquesimilartothatofPowerSploit.
However,thetechniqueusedappearstobeanichevariantastheembeddedpayloadisfurthersplitintochunksanddynamicallyaddedtoanarrayvariablenamed$OArr.
Interestingly,iDefenseanalystshavepreviouslyobservedthisobfuscationusedinaPowerShellcomponent(MD5:87327b4045b9d004697aec7e7a4b9ba8)thatwasdroppedbyaHALFBAKEDsample(MD5:31fcf8a4ec7a4c693eda9336321cf401)backinAugust2017.
HALFBAKEDisamalwarefamilyassociatedwithFIN7.
Exhibit21:SimilarPowerShellObfuscationTechniqueUsedbetweentheGoldfinCampaignandFIN7WhiletheaboveoverlappingfeaturesarenotstrongenoughtobeusedtoconcludethattheGoldfincampaignisassociatedwithFIN7,iDefenseanalystsbelievetheyaresignificantandnoteworthyandmaywelladdtonewevidencethatmaycometolightinthefutureasresearchcontinues.
Theyalsohighlightthecomplexhiddenrelationshipsthatexistbehind-the-scenesinorganizedcybercrime.
MITIGATIONToeffectivelydefendagainstthethreatsdescribedinthisreport,iDefenserecommendsblockingthefollowingaccessURIsandIPaddress:blopsadmvdrl[.
]combipovnerlvd[.
]comkiprovolswe[.
]comkiprovol[.
]comvoievnenibrinw[.
]combnrnboerxce[.
]comtejara-bank[.
]comprivat-bankau[.
]comCopyright2018AccentureSecurity.
Allrightsreserved.
20halyk-bank[.
]comwedogreatpurchases[.
]comprivatbank-ua[.
]commoneyma-r[.
]comfisrteditionps[.
]comessentialetimes[.
]comdewifal[.
]commicro-earth[.
]com5.
8.
88[.
]6446.
166.
163[.
]2435.
135.
73[.
]113Itwillalsobeusefulforincidentresponseandthreat-huntingpurposestoverifytheexistenceofanyofthefollowingartefacts:ArandomlynamedfileinC:\Programdata\Logsor%appdata%\Microsoft\Windows\StartMenu\Programs\StartupRandomlynamedPowerShellorJavaScriptfilesin%temp%Afilenameddog.
zipanddog.
jsAfilenamed~~1.
tmpin%appdata%\FuturesAservicenamewithsignificantspellingerrorsAservicenamedCheckforupdatesAPowerShellscriptnamedcheckupdate.
ps1indefaultPowerShellinstallationdirectoryAsvchost.
exeprocessthatdoesnothavewininit.
exeasparentprocessItwillalsobeusefultoverifytheexistenceofanyofthefollowinghashesonthehost:de394e9d294d2c325298eb54826ba11609d43765c2259a8df868a5fa6206ae2b9a273653364dfb143ff196d826d2bac46da6025fc7956f644b0b161781071cec211fbf34749df5e717e8b11fecb3f648dae11ed0013d58000f10919b8cba8023949b7e0f9d309e8a7ab32fa4664a7906bdaa27c6284ff95c01178db7a96121a450598c4dc7c299d0cbd92c128a56944e21a09cf81f3584a741c7167f622d6c50b3fb88a5aa791aea141bf3b4cf04535554e7f3a1a1a8857e35a45f4eb2a3317d29573b1fa60bce8e04dd2a4d554a74477b528c9d8150e4a4ab27b90a4e3337637f1aa2b2d539aa7d3dbb067417457309b10c3d00a7ceff0b7050f450968c8f6929573b1fa60bce8e04dd2a4d554a7447c38b06f871d2268972fa01725b59d7edCopyright2018AccentureSecurity.
Allrightsreserved.
21CONTACTUSJoshuaRayjoshua.
a.
ray@accenture.
comHowardMarshallhoward.
marshall@accenture.
comRobertCoderrerobert.
c.
coderre@accenture.
comJaysonJeanjayson.
jean@accenture.
comEmilyCodyemily.
a.
cody@accenture.
comABOUTACCENTUREAccentureisaleadingglobalprofessionalservicescompany,providingabroadrangeofservicesandsolutionsinstrategy,consulting,digital,technologyandoperations.
Combiningunmatchedexperienceandspecializedskillsacrossmorethan40industriesandallbusinessfunctions—underpinnedbytheworld'slargestdeliverynetwork—Accentureworksattheintersectionofbusinessandtechnologytohelpclientsimprovetheirperformanceandcreatesustainablevaluefortheirstakeholders.
Withapproximately425,000peopleservingclientsinmorethan120countries,Accenturedrivesinnovationtoimprovethewaytheworldworksandlives.
Visitusatwww.
accenture.
comABOUTACCENTURESECURITYAccentureSecurityhelpsorganizationsbuildresiliencefromtheinsideout,sotheycanconfidentlyfocusoninnovationandgrowth.
Leveragingitsglobalnetworkofcybersecuritylabs,deepindustryunderstandingacrossclientvaluechainsandservicesthatspanthesecuritylifecycle,Accentureprotectsorganization'svaluableassets,end-to-end.
Withservicesthatincludestrategyandriskmanagement,cyberdefense,digitalidentity,applicationsecurityandmanagedsecurity,Accentureenablesbusinessesaroundtheworldtodefendagainstknownsophisticatedthreats,andtheunknown.
Followus@AccentureSecureonTwitterorvisittheAccentureSecurityblog.
LEGALNOTICE&DISCLAIMER:2018Accenture.
Allrightsreserved.
Accenture,theAccenturelogo,iDefenseandothertrademarks,servicemarks,anddesignsareregisteredorunregisteredtrademarksofAccentureanditssubsidiariesintheUnitedStatesandinforeigncountries.
Alltrademarksarepropertiesoftheirrespectiveowners.
Allmaterialsareintendedfortheoriginalrecipientonly.
ThereproductionanddistributionofthismaterialisforbiddenwithoutexpresswrittenpermissionfromiDefense.
Theopinions,statements,andassessmentsinthisreportaresolelythoseoftheindividualauthor(s)anddonotconstitutelegaladvice,nordotheynecessarilyreflecttheviewsofAccenture,itssubsidiaries,oraffiliates.
Giventheinherentnatureofthreatintelligence,thecontentcontainedinthisalertisbasedoninformationgatheredandunderstoodatthetimeofitscreation.
Itissubjecttochange.
ACCENTUREPROVIDESTHEINFORMATIONONAN"AS-IS"BASISWITHOUTREPRESENTATIONORWARRANTYANDACCEPTSNOLIABILITYFORANYACTIONORFAILURETOACTTAKENINRESPONSETOTHEINFORMATIONCONTAINEDORREFERENCEDINTHISALERT.
麻花云怎么样?麻花云公司成立于2007年,当前主打产品为安徽移动BGP线路,数据中心连入移动骨干网。提供5M,10M大带宽云主机,香港云服务器产品,数据中心为香港将军澳机房,香港宽频机房 cn2-GIA优质线路、采用HYPER-V,KVM虚拟技术架构一、麻花云官网点击直达麻花云官方网站合肥网联网络科技有限公司优惠码: 专属优惠码:F1B07B 享受85折优惠。最新活动 :双11 云上嗨购 香港云主...
轻云互联成立于2018年的国人商家,广州轻云互联网络科技有限公司旗下品牌,主要从事VPS、虚拟主机等云计算产品业务,适合建站、新手上车的值得选择,香港三网直连(电信CN2GIA联通移动CN2直连);美国圣何塞(回程三网CN2GIA)线路,所有产品均采用KVM虚拟技术架构,高效售后保障,稳定多年,高性能可用,网络优质,为您的业务保驾护航。官方网站:点击进入广州轻云网络科技有限公司活动规则:用户购买任...
厦门靠谱云股份有限公司 双十一到了,站长我就给介绍一家折扣力度名列前茅的云厂商——萤光云。1H2G2M的高防50G云服务器,依照他们的规则叠加优惠,可以做到12元/月。更大配置和带宽的价格,也在一般云厂商中脱颖而出,性价比超高。官网:www.lightnode.cn叠加优惠:全区季付55折+满100-50各个配置价格表:地域配置双十一优惠价说明福州(带50G防御)/上海/北京1H2G2M12元/月...
166dd.com为你推荐
futureshop笔记本电脑一般国外比国内便宜多少微信回应封杀钉钉微信大封杀什么时候结束18comic.fun贴吧经常有人说A站B站,是什么意思啊?javmoo.com0904-javbo.net_avop210hhb主人公叫什么,好喜欢,有知道的吗5xoy.comhttp://www.5yau.com (舞与伦比),以前是这个地址,后来更新了,很长时间没玩了,谁知道现在的地址? 谢谢,www.niuav.com在那能找到免费高清电影网站呢 ?www.kaspersky.com.cn卡巴斯基杀毒软件有免费的吗?稳定版的怎么找?partnersonline电脑内一切浏览器无法打开66smsm.com【回家的欲望(回家的诱惑)大结局】 回家的诱惑全集66 67 68 69 70集QOVD快播观看地址??莱姿蔓不蔓不枝的蔓是什么意思
台湾主机 双线主机租用 美国vps评测 搬瓦工官网 nerd evssl证书 建站代码 web服务器的架设 佛山高防服务器 免费phpmysql空间 100mbps 酷番云 江苏双线服务器 双12 网购分享 秒杀品 实惠 空间服务器 97rb 脚本大全 更多