OceanLotus
Certificate search (ZoomEye queries pivoting on TLS certificate Subject/Issuer fields)
https://www.zoomeye.org/searchResult?q=%22O%3DDigiCert%20SHA2%20Extended%20Validation%20Server%20CA%22
https://www.zoomeye.org/searchResult?q=%22O%3DBeijing%20Baidu%20Netcom%20Science%20Technology%20Co.%2C%20Ltd%20%20%20%20%20%20%20%20%20Subject%20Public%22%20%2B%22Subject%3A%20C%3DCN%2CST%3Dbeijing%22%20%20%20%2B%22Issuer%3A%20C%3DCN%2CST%3Dbeijing%22
https://www.zoomeye.org/searchResult?q=%22%20C%3DCN%2C%20ST%3DBeijing%2C%20O%3D%20China%20Telecom%20%5C(Group%5C)%2C%20CN%3D*.mboxsogou.com%22%2C%20CN%3D*.mboxsogou.com%22)
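The three URLs above are hand-built pivots on certificate fields. Below is an added helper (not part of the original notes) that reproduces them from structured input so the pivot can be repeated for other issuers or subjects. The query grammar it assumes is inferred from those URLs only: each term is a double-quoted phrase, further required terms are joined with ` +`, and literal parentheses are backslash-escaped (as in the China Telecom query); check it against ZoomEye's current search documentation before relying on it.

```python
"""Build ZoomEye certificate-pivot URLs from X.509 subject/issuer fields.

Added example, not from the original notes. Query syntax (quoted phrases,
' +' for required terms, backslash-escaped parentheses) is inferred from the
hand-written queries in the notes and is an assumption.
"""
from urllib.parse import quote

ZOOMEYE_SEARCH = "https://www.zoomeye.org/searchResult?q="


def rdn_string(fields):
    """Render an RDN mapping ({'C': 'CN', 'ST': 'beijing'}) as 'C=CN,ST=beijing'."""
    return ",".join(f"{k}={v}" for k, v in fields.items())


def quote_term(text):
    """Wrap one search phrase in double quotes, escaping grouping parentheses first."""
    escaped = text.replace("(", r"\(").replace(")", r"\)")
    return f'"{escaped}"'


def build_query(*terms):
    """Join quoted phrases; every term after the first is marked required with '+'."""
    return " +".join(quote_term(t) for t in terms)


def zoomeye_url(query):
    # safe='' also percent-encodes '/', '=', ':' and '+', so the whole query
    # survives as a single q= parameter instead of being split by the server.
    return ZOOMEYE_SEARCH + quote(query, safe="")


def pivot_on_issuer_org(org):
    """Hosts presenting a certificate whose Organization field is <org>."""
    return zoomeye_url(build_query(f"O={org}"))


def pivot_on_subject_and_issuer(subject, issuer):
    """Hosts whose certificate carries both the given Subject and Issuer RDNs."""
    return zoomeye_url(build_query(
        f"Subject: {rdn_string(subject)}",
        f"Issuer: {rdn_string(issuer)}",
    ))


if __name__ == "__main__":
    # Constructed inputs mirroring the first two queries in the notes.
    print(pivot_on_issuer_org("DigiCert SHA2 Extended Validation Server CA"))
    print(pivot_on_subject_and_issuer({"C": "CN", "ST": "beijing"},
                                      {"C": "CN", "ST": "beijing"}))
```

Pivoting on the issuer Organization alone (the DigiCert query) returns every host using that CA and is only useful as a first filter; combining Subject and Issuer RDNs, as the Baidu query does, narrows the result set to infrastructure that copied a specific certificate profile.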
TA505 SDBbot backdoor component
Persistence method (key screenshot)
The installer creates an application-compatibility shim database (SDB) whose patch applies loader code to services.exe, completing installation of the backdoor component. Because the shim is applied each time services.exe is loaded, the loader runs again at every boot without a conventional autorun entry, which is why the SDB registration itself is the artifact to hunt for.
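The following hunting script is an added example, not code from the original notes or from the Trend Micro / X-Force reports. It assumes the standard registry layout for custom shims (`AppCompatFlags\InstalledSDB\{GUID}` holding `DatabasePath`, `DatabaseDescription` and `DatabaseInstallTimeStamp`, and `AppCompatFlags\Custom\<target.exe>` holding one value named `{GUID}.sdb` per shim registered for that executable); the function names are mine.

```powershell
# Added hunting example (not from the original notes). Enumerates installed
# application-compatibility shim databases and flags any registered against
# services.exe, the process SDBbot's installer patches for persistence.
# Assumed layout: AppCompatFlags\InstalledSDB\{GUID} and AppCompatFlags\Custom\<exe>.

$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabase {
    # One subkey per installed SDB, keyed by database GUID.
    Get-ChildItem -Path "$AppCompat\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $installed = $null
        if ($p.DatabaseInstallTimeStamp) {
            # REG_QWORD FILETIME; fall back to the raw value if the type differs.
            try { $installed = [datetime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp) }
            catch { $installed = $p.DatabaseInstallTimeStamp }
        }
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Path        = $p.DatabasePath
            Description = $p.DatabaseDescription
            Installed   = $installed
        }
    }
}

function Get-ShimTarget {
    # Each subkey of Custom is named after the executable the shim applies to;
    # its value names are the GUIDs (with .sdb suffix) of the databases hooking it.
    Get-ChildItem -Path "$AppCompat\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = $_.PSChildName
        foreach ($name in $_.GetValueNames()) {
            if ($name -like '*.sdb') {
                [pscustomobject]@{ Target = $exe; Guid = ($name -replace '\.sdb$', '') }
            }
        }
    }
}

function Find-ServicesExeShim {
    # Join the two views so each services.exe shim is reported with its file path.
    $dbs = @{}
    Get-InstalledShimDatabase | ForEach-Object { $dbs[$_.Guid] = $_ }
    Get-ShimTarget | Where-Object { $_.Target -eq 'services.exe' } | ForEach-Object {
        $db = $dbs[$_.Guid]
        [pscustomobject]@{
            Target      = $_.Target
            Guid        = $_.Guid
            # A Custom entry with no InstalledSDB record means the registry was
            # written directly rather than via sdbinst.exe, which is itself suspicious.
            Path        = if ($db) { $db.Path } else { '<no InstalledSDB record>' }
            Description = if ($db) { $db.Description } else { $null }
            Installed   = if ($db) { $db.Installed } else { $null }
        }
    }
}

# Custom shims on services.exe are not a normal administrative configuration;
# treat every hit as suspect and collect the referenced .sdb file.
Find-ServicesExeShim | Format-Table -AutoSize

# Also list .sdb files in the default drop location (Custom64 sits beneath Custom),
# since an unregistered database there may be a leftover from a removed shim.
Get-ChildItem -Path "$env:windir\AppPatch\Custom" -Filter *.sdb -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Run it elevated so the HKLM keys are readable. Legitimate shim installation goes through `sdbinst.exe`, so process-creation telemetry (Security 4688 or Sysmon event 1) with `sdbinst` in the command line gives the install time to correlate with the `Installed` column.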
Related links
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/backdoor.win32.sdbbot.aa.tmsr/
https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/
YARA
rule ta505_unpacped_new_mem
{
    meta:
        description = "TA505 SDBot"
        author = "James_inthe_box"
        reference = ""
        date = "2020/08"
        maltype = "SDBot"

    strings:
        // Mutex name used by the bot to avoid running twice.
        $string1 = "windows_7_windows_10_check_running_once_mutex" ascii
        $string2 = "Unknown OS" wide
        // Host-profiling output file and the key=value fields written into it.
        $string3 = "BotInfo.txt" wide
        $string4 = "ver=%s" wide
        $string5 = "domain=%s" wide
        $string6 = "pc=%s" wide
        $string7 = "geo=%s" wide
        $string8 = "rights=admin" wide
        $string9 = "rights=user" wide
        $string10 = "proxyenabled=1" wide
        $string11 = "proxyenabled=0" wide
        $string12 = "BotDLL.dll" ascii

    condition:
        // Requires most of the strings plus a size floor; per the rule name it is
        // meant for unpacked samples or memory dumps, not the packed dropper on disk.
        10 of ($string*) and filesize > 400KB
}
Purple Fox rootkit
Related links
https://zhuanlan.zhihu.com/p/44849652
https://ppfocus.com/0/mi53e9ddf.html