OceanLouts

证书搜索

https://www.zoomeye.org/searchResult?q=%22O%3DDigiCert%20SHA2%20Extended%20Validation%20Server%20CA%22
https://www.zoomeye.org/searchResult?q=%22O%3DBeijing%20Baidu%20Netcom%20Science%20Technology%20Co.%2C%20Ltd%20%20%20%20%20%20%20%20%20Subject%20Public%22%20%2B%22Subject%3A%20C%3DCN%2CST%3Dbeijing%22%20%20%20%2B%22Issuer%3A%20C%3DCN%2CST%3Dbeijing%22
https://www.zoomeye.org/searchResult?q=%22%20C%3DCN%2C%20ST%3DBeijing%2C%20O%3D%20China%20Telecom%20%5C(Group%5C)%2C%20CN%3D*.mboxsogou.com%22%2C%20CN%3D*.mboxsogou.com%22)

TA505 SDBbot后门组件

持久化方式关键截图

创建一个shim数据库(SDB),以使用加载程序代码修补services.exe完成程序组件安装。
image.png

image.png

image.png

相关链接

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.win32.sdbbot.aa.tmsr/
https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/

YARA

  1. rule ta505_unpacped_new_mem
  2. {
  3.     meta:
  4.         description = "TA505 SDBot"
  5.         author = "James_inthe_box"
  6.         reference = ""
  7.         date = "2020/08"
  8.         maltype = "SDBot"
  10.     strings:
  11.         $string1 = "windows_7_windows_10_check_running_once_mutex" ascii
  12.         $string2 = "Unknown OS" wide
  13.         $string3 = "BotInfo.txt" wide
  14.         $string4 = "ver=%s" wide
  15.         $string5 = "domain=%s" wide
  16.         $string6 = "pc=%s" wide
  17.         $string7 = "geo=%s" wide
  18.         $string8 = "rights=admin" wide
  19.         $string9 = "rights=user" wide
  20.         $string10 = "proxyenabled=1" wide
  21.         $string11 = "proxyenabled=0" wide
  22.         $string12 = "BotDLL.dll" ascii
  24.     condition:
  25.         10 of ($string*) and filesize > 400KB
  26. }

紫狐rootkit

相关链接

https://zhuanlan.zhihu.com/p/44849652
https://ppfocus.com/0/mi53e9ddf.html