Clik here to view.
新威胁:ZHtrap僵尸网络分析报告
版权 版权声明:本文为Netlab原创,依据 CC BY-SA 4.0 许可证进行授权,转载请附上出处链接及本声明。 概述 从2021年2月28日起,360网络安全研究院的BotMon系统检测到IP(107.189.30.190)在持续传播一批未知ELF样本。经分析,我们确认这些样本隶属于一个新的botnet家族,结合其运行特点,我们将其命名为ZHtrap,本文对其做一分析,文章要点如下:...
View ArticleClik here to view.
New Threat: ZHtrap botnet implements honeypot to facilitate finding more victims
Overview In the security community, when people talk about honeypot, by default we would assume this is one of the most used toolkits for security researchers to lure the bad guys. But recently we came...
View ArticleClik here to view.
Necro再次升级,使用Tor+动态域名DGA 双杀Windows&Linux
版权 版权声明:本文为Netlab原创,依据 CC BY-SA 4.0 许可证进行授权,转载请附上出处链接及本声明。 概述 自从我们1月份公开Necro后不久,它就停止了传播,但从3月2号开始,BotMon系统检测到Necro再次开始传播。蜜罐数据显示本次传播所用的漏洞除了之前的TerraMaster RCE(CVE_2020_35665)和Zend RCE...
View ArticleClik here to view.
Necro upgrades again, using Tor + dynamic domain DGA and aiming at both...
Overview Back in January, we blogged about a new botnet Necro and shortly after our report, it stopped spreading. On March 2nd, we noticed a new variant of Necro showing up on our BotMon tracking radar...
View ArticleClik here to view.
Microsoft Exchange 漏洞(CVE-2021-26855)在野扫描分析报告
背景介绍 2021年3月2号,微软披露了Microsoft Exchange服务器的远程代码执行漏洞[1]。 2021年3月3号开始,360网络安全研究院Anglerfish蜜罐开始模拟和部署Microsoft...
View ArticleClik here to view.
Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis
Background On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange server[1]。 We customized our Anglerfish honeypot to simulate and deploy Microsoft Exchange...
View ArticleClik here to view.
双头龙(RotaJakiro),一个至少潜伏了3年的后门木马
版权 版权声明:本文为Netlab原创,依据 CC BY-SA 4.0 许可证进行授权,转载请附上出处链接及本声明。 概述 2021年3月25日,360 NETLAB的BotMon系统发现一个的VT 0检测的可疑ELF文件(MD5=64f6cfe44ba08b0babdd3904233c4857),它会与4个业务类型截然不同的域名进行通信,端口均为TCP...
View ArticleClik here to view.
RotaJakiro: A long live secret backdoor with 0 VT detection
Overview On March 25, 2021, 360 NETLAB's BotMon system flagged a suspiciousELF file (MD5=64f6cfe44ba08b0babdd3904233c4857) with 0 VT detection, the sample communicates with 4 domains on TCP 443...
View Article威胁快讯:Sysrv-hello再次升级,通过感染网页文件提高传播能力
版权 版权声明: 本文为Netlab原创,依据 CC BY-SA 4.0 许可证进行授权,转载请附上出处链接及本声明。 概述 从去年末到现在,挖矿类型的botnet家族一直活跃,除了新家族不断出现,一些老家族也频繁升级,主要是为了提高传播能力和隐蔽性,我们的 BotMon...
View ArticleThreat Alert: New update from Sysrv-hello, now infecting victims‘ webpages to...
Overview From the end of last year to now, we have see the uptick of the mining botnet families. While new families have been popping up, some old ones are get frequently updated. Our BotMon system has...
View ArticleClik here to view.
“双头龙”源自海莲花组织?
我们的双头龙blog发布后引起了较大反响,除了媒体转载,一些安全同行还纷纷在我们blog下面留言和提问,其中5月4号的一则留言提到双头龙跟海莲花(OceanLotus)样本的C2行为有联系: 留言所提到的样本为一个zip打包文件,2016年就已出现。该zip可以解压出多个文件,那个名为Noi dung chi...
View ArticleClik here to view.
RotaJakiro, the Linux version of the OceanLotus
On Apr 28, we published our RotaJakiro backdoor blog, at that time, we didn’t have the answer for a very important question, what is this backdoor exactly for? We asked the community for clues and two...
View ArticleClik here to view.
威胁快讯:z0Miner 正在利用 ElasticSearch 和 Jenkins 漏洞大肆传播
版权版权声明: 本文为Netlab原创,依据 CC BY-SA 4.0 许可证进行授权,转载请附上出处链接及本声明。概述最近几个月受比特币、门罗币大涨的刺激,各种挖矿家族纷纷活跃起来,我们的 BotMon 系统每天都能检测到几十上百起的挖矿类 Botnet 攻击事件。根据我们统计,它们多数是已经出现过的老家族,有的只是换了新的钱包或者传播方式,z0Miner 就是其中一例。z0Miner...
View ArticleClik here to view.
Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and...
OverviewIn recent months, with the huge rise of Bitcoin and Monroe, various mining botnet have kicked into high gear, and our BotMon system detects dozens of mining Botnet attacks pretty much every...
View ArticleClik here to view.
Analysis report of the Facefish rootkit
Background In Feb 2021, we came across an ELF sample using some CWP’s Ndays exploits, we did some analysis, but after checking with a partner who has some nice visibility in network traffic in some...
View ArticleClik here to view.
窃密者Facefish分析报告
背景介绍 2021年2月,我们捕获了一个通过CWP的Nday漏洞传播的未知ELF样本,简单分析后发现这是一个新botnet家族的样本。它针对Linux x64系统,配置灵活,并且使用了一个基于Diffie–Hellman和Blowfish的私有加密协议。但因为通过合作机构(在中国区有较好网络通信观察视野)验证后发现对应的C2通信命中为0,所以未再深入分析。...
View ArticleClik here to view.
被拦截的伊朗域名的快速分析
伊朗新闻网站被美国阻断的事成为了最近的新闻热点,报道的主要内容是: 美国司法部查封36个伊朗的新闻网站,其中许多网站与伊朗的“虚假信息活动”有关。这些网站首页通知显示,根据美国法律,这些网站已被美国政府查封,通知上还附有美国联邦调查局和美国商务部产业安全局的印徽。 到底哪些新闻站被拦截了,我们查询了几个新闻源都没有给出全部被拦截的网站列表。...
View ArticleClik here to view.
Mirai_ptea Botnet利用KGUARD DVR未公开漏洞报告
版权 版权声明:本文为Netlab原创,依据 CC BY-SA 4.0 许可证进行授权,转载请附上出处链接及本声明。 概述 2021-06-22我们检测到一个我们命名为mirai_ptea的mirai变种样本通过未知漏洞传播。经过分析,该漏洞为KGUARD...
View ArticleClik here to view.
Mirai_ptea Botnet is Exploiting Undisclosed KGUARD DVR Vulnerability
Overview On 2021-06-22 we detected a sample of a mirai variant that we named mirai_ptea propagating through a new vulnerability targeting KGUARD DVR. Coincidently, a day later, on June 23, we received...
View ArticleClik here to view.
威胁快讯:TeamTNT新变种通过ELF打包bash脚本,正通过Hadoop ResourceManager RCE 传播
TeamTNT是一个比较活跃的挖矿家族,曾被腾讯和PAN等国内外安全厂商多次分析[1][2],我们的BotMon系统也曾多次捕获。以往经验显示,TeamTNT家族喜欢使用新技术,比如名为EzuriCrypter的加密壳就是首次在TeamTNT样本中被检测到。近期,我们的Anglerfish蜜罐再次捕获到TeamTNT的新变种,使用了如下新技术和工具: 通过ELF文件包装入口bash脚本。...
View Article