K\u1ef9 thu\u1eadt n\u00e0y li\u00ean quan \u0111\u1ebfn c\u00e1c trang x\u00e1c minh gi\u1ea3 m\u1ea1o tr\u00f4ng gi\u1ed1ng nh\u01b0 c\u00e1c d\u1ecbch v\u1ee5 h\u1ee3p ph\u00e1p, th\u01b0\u1eddng \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef tr\u00ean c\u00e1c n\u1ec1n t\u1ea3ng s\u1eed d\u1ee5ng m\u1ea1ng ph\u00e2n ph\u1ed1i n\u1ed9i dung (CDN). C\u00e1c trang n\u00e0y th\u01b0\u1eddng ng\u1ee5y trang th\u00e0nh\u00a0CAPTCHA<\/a>\u00a0th\u01b0\u1eddng \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng, ch\u1eb3ng h\u1ea1n nh\u01b0 Google reCAPTCHA ho\u1eb7c Cloudflare CAPTCHA, \u0111\u1ec3 \u0111\u00e1nh l\u1eeba ng\u01b0\u1eddi d\u00f9ng tin r\u1eb1ng h\u1ecd \u0111ang t\u01b0\u01a1ng t\u00e1c v\u1edbi m\u1ed9t d\u1ecbch v\u1ee5 \u0111\u00e1ng tin c\u1eady.<\/p>\n H\u00ecnh 1. C\u00e1ch th\u1ee9c ph\u00e2n ph\u1ed1i CAPTCHA gi\u1ea3 m\u1ea1o<\/em><\/p>\n C\u00f3 hai h\u00ecnh th\u1ee9c \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 qu\u1ea3ng b\u00e1 c\u00e1c trang CAPTCHA gi\u1ea3 m\u1ea1o. Th\u1ee9 nh\u1ea5t, c\u00e1c trang web vi ph\u1ea1m b\u1ea3n quy\u1ec1n ho\u1eb7c trang web ph\u1ea7n m\u1ec1m b\u1ecb b\u1ebb kh\u00f3a. K\u1ebb t\u1ea5n c\u00f4ng sao ch\u00e9p c\u00e1c trang web n\u00e0y v\u00e0 ch\u00e8n qu\u1ea3ng c\u00e1o \u0111\u1ed9c h\u1ea1i v\u00e0o trang \u0111\u00e3 sao ch\u00e9p \u0111\u1ec3 chuy\u1ec3n h\u01b0\u1edbng ng\u01b0\u1eddi d\u00f9ng \u0111\u1ebfn CAPTCHA \u0111\u1ed9c h\u1ea1i. Th\u1ee9 hai, c\u00e1c k\u00eanh Telegram gi\u1ea3 m\u1ea1o v\u1ec1 n\u1ed9i dung vi ph\u1ea1m b\u1ea3n quy\u1ec1n v\u00e0 ti\u1ec1n \u0111i\u1ec7n t\u1eed. Nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng t\u1ea1o c\u00e1c k\u00eanh\u00a0Telegram<\/a>\u00a0v\u1edbi t\u00ean ch\u1ee9a c\u00e1c t\u1eeb kh\u00f3a li\u00ean quan \u0111\u1ebfn ti\u1ec1n \u0111i\u1ec7n t\u1eed ho\u1eb7c n\u1ed9i dung vi ph\u1ea1m b\u1ea3n quy\u1ec1n, ch\u1eb3ng h\u1ea1n nh\u01b0 ph\u1ea7n m\u1ec1m, phim \u1ea3nh,\u2026 Khi ng\u01b0\u1eddi d\u00f9ng t\u00ecm ki\u1ebfm, c\u00e1c k\u00eanh gi\u1ea3 m\u1ea1o n\u00e0y s\u1ebd xu\u1ea5t hi\u1ec7n \u1edf \u0111\u1ea7u t\u00ecm ki\u1ebfm. Nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng c\u0169ng s\u1eed d\u1ee5ng c\u00e1c b\u00e0i \u0111\u0103ng tr\u00ean m\u1ea1ng x\u00e3 h\u1ed9i \u0111\u1ec3 d\u1ee5 n\u1ea1n nh\u00e2n \u0111\u1ebfn c\u00e1c k\u00eanh n\u00e0y. Khi ng\u01b0\u1eddi d\u00f9ng tham gia m\u1ed9t k\u00eanh nh\u01b0 v\u1eady, h\u1ecd s\u1ebd \u0111\u01b0\u1ee3c nh\u1eafc nh\u1edf ho\u00e0n t\u1ea5t x\u00e1c minh danh t\u00ednh th\u00f4ng qua bot \u201cSafeguard Captcha\u201d l\u1eeba \u0111\u1ea3o.<\/p>\n H\u00ecnh 2. Giao di\u1ec7n Bot Safeguard Captcha<\/em><\/p>\n Nh\u01b0 trong H\u00ecnh 2, khi ng\u01b0\u1eddi d\u00f9ng nh\u1ea5p v\u00e0o n\u00fat Verify, bot s\u1ebd m\u1edf m\u1ed9t trang c\u00f3 CAPTCHA gi\u1ea3 m\u1ea1o. Ng\u01b0\u1eddi d\u00f9ng \u0111\u01b0\u1ee3c hi\u1ec3n th\u1ecb m\u1ed9t trang b\u1eadt l\u00ean tr\u00f4ng gi\u1ed1ng nh\u01b0 x\u00e1c minh CAPTCHA h\u1ee3p l\u1ec7, nh\u1eafc h\u1ecd nh\u1ea5p v\u00e0o I\u2019m not a robot\/Verify\/Copy ho\u1eb7c m\u1ed9t s\u1ed1 n\u00fat t\u01b0\u01a1ng t\u1ef1 (H\u00ecnh 3).<\/p>\n H\u00ecnh 3. V\u00ed d\u1ee5 v\u1ec1 trang CAPTCHA gi\u1ea3 m\u1ea1o<\/em><\/p>\n Trang gi\u1ea3 m\u1ea1o c\u00f3 n\u1ed9i dung \u0111\u1ed9c h\u1ea1i<\/strong><\/p>\n Khi nh\u1ea5p v\u00e0o n\u00fat I\u2019m not a robot\/Verify\/Copy, ng\u01b0\u1eddi d\u00f9ng \u0111\u01b0\u1ee3c h\u01b0\u1edbng d\u1eabn th\u1ef1c hi\u1ec7n m\u1ed9t chu\u1ed7i thao t\u00e1c b\u1ea5t th\u01b0\u1eddng:<\/p>\n – M\u1edf h\u1ed9p tho\u1ea1i Run (Win+R).<\/p>\n – Nh\u1ea5n Ctrl+V.<\/p>\n – Nh\u1ea5n Enter.<\/p>\n Vi\u1ec7c ch\u1ecdn v\u00e0o c\u00e1c n\u00fat tr\u00ean s\u1ebd t\u1ef1 \u0111\u1ed9ng sao ch\u00e9p l\u1ec7nh PowerShell v\u00e0o clipboard. Sau \u0111\u00f3, n\u1ebfu ng\u01b0\u1eddi d\u00f9ng d\u00e1n l\u1ec7nh v\u00e0o h\u1ed9p tho\u1ea1i Run v\u00e0 nh\u1ea5n Enter, h\u1ec7 th\u1ed1ng s\u1ebd th\u1ef1c thi l\u1ec7nh.<\/p>\n H\u00ecnh 4. V\u00ed d\u1ee5 v\u1ec1 c\u00e1c t\u1eadp l\u1ec7nh \u0111\u01b0\u1ee3c sao ch\u00e9p v\u00e0o clipboard v\u00e0 \u0111\u01b0\u1ee3c th\u1ef1c thi th\u00f4ng qua h\u1ed9p tho\u1ea1i Run<\/em><\/p>\n L\u1ec7nh n\u00e0y c\u00f3 th\u1ec3 thay \u0111\u1ed5i \u0111\u00f4i ch\u00fat t\u00f9y theo t\u1eebng trang web v\u00e0 thay \u0111\u1ed5i sau m\u1ed7i v\u00e0i ng\u00e0y, nh\u01b0ng th\u01b0\u1eddng \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 t\u1ea3i\u00a0Lumma Stealer<\/a>\u00a0t\u1eeb m\u00e1y ch\u1ee7 t\u1eeb xa, th\u01b0\u1eddng l\u00e0 m\u1ed9t CDN \u0111\u00e3 bi\u1ebft c\u00f3 th\u1eddi gian d\u00f9ng th\u1eed mi\u1ec5n ph\u00ed, ho\u1eb7c n\u1ec1n t\u1ea3ng l\u01b0u tr\u1eef v\u00e0 c\u1ed9ng t\u00e1c m\u00e3 h\u1ee3p ph\u00e1p nh\u01b0\u00a0GitHub<\/a>, t\u1eeb \u0111\u00f3 b\u1eaft \u0111\u1ea7u qu\u00e1 tr\u00ecnh c\u00e0i \u0111\u1eb7t ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i. \u0110\u1ec3 ph\u00e2n t\u00edch k\u1ef9 h\u01a1n chu\u1ed7i l\u00e2y nhi\u1ec5m n\u00e0y, th\u1ef1c hi\u1ec7n l\u1ec7nh H\u00ecnh 5.<\/p>\n H\u00ecnh 5. L\u1ec7nh k\u00edch ho\u1ea1t chu\u1ed7i l\u00e2y nhi\u1ec5m c\u1ee7a Lumma<\/em><\/p>\n L\u1ec7nh n\u00e0y kh\u00e1 \u0111\u01a1n gi\u1ea3n, th\u1ef1c hi\u1ec7n gi\u1ea3i m\u00e3 v\u00e0 th\u1ef1c thi n\u1ed9i dung t\u1eeb t\u1ec7p win15[.]txt t\u1eeb xa \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef t\u1ea1i https[:]\/\/win15.b-cdn[.]net\/win15[.]txt. T\u1ec7p n\u00e0y ch\u1ee9a m\u1ed9t t\u1eadp l\u1ec7nh PowerShell \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a Base64, sau \u0111\u00f3 t\u1ea3i xu\u1ed1ng v\u00e0 ch\u1ea1y Lumma Stealer.<\/p>\n H\u00ecnh 6. N\u1ed9i dung c\u1ee7a t\u1ec7p win15.txt<\/em><\/p>\n Khi \u0111\u01b0\u1ee3c gi\u1ea3i m\u00e3, t\u1eadp l\u1ec7nh PowerShell th\u1ef1c hi\u1ec7n c\u00e1c h\u00e0nh \u0111\u1ed9ng sau:<\/p>\n 1. T\u1ea3i xu\u1ed1ng ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i: L\u1ec7nh s\u1ebd t\u1ea3i xu\u1ed1ng t\u1ec7p win15[.]zip t\u1eeb https[:]\/\/win15.b-cdn[.]net\/win15[.]zip \u0111\u1ebfn [User Profile]\\AppData\\Roaming\\bFylC6zX[.]zip.<\/p>\n 2. Tr\u00edch xu\u1ea5t ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i: T\u1ec7p ZIP \u0111\u00e3 t\u1ea3i xu\u1ed1ng \u0111\u01b0\u1ee3c gi\u1ea3i n\u00e9n v\u00e0o th\u01b0 m\u1ee5c C:\\Users\\[User]\\AppData\\Roaming\\7oCDTWY, m\u1ed9t th\u01b0 m\u1ee5c \u1ea9n trong th\u01b0 m\u1ee5c AppData c\u1ee7a ng\u01b0\u1eddi d\u00f9ng.<\/p>\n 3. Th\u1ef1c thi ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i: T\u1eadp l\u1ec7nh ch\u1ea1y t\u1ec7p Set-up[.]exe t\u1eeb kho l\u01b0u tr\u1eef \u0111\u00e3 gi\u1ea3i n\u00e9n, hi\u1ec7n \u0111\u1eb7t t\u1ea1i C:\\Users\\[User]\\AppData\\Roaming\\7oCDTWYu\\Set-up[.]exe.<\/p>\n 4. Thi\u1ebft l\u1eadp c\u01a1 ch\u1ebf duy tr\u00ec: T\u1eadp l\u1ec7nh t\u1ea1o m\u1ed9t m\u1ee5c entry trong Windows Registry \u0111\u1ec3 duy tr\u00ec, \u0111\u1ea3m b\u1ea3o ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i ch\u1ea1y m\u1ed7i khi h\u1ec7 th\u1ed1ng kh\u1edfi \u0111\u1ed9ng. Key \u0111\u01b0\u1ee3c th\u00eam v\u00e0o HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run. T\u00ean key l\u00e0 5TQjtTuo, v\u1edbi gi\u00e1 tr\u1ecb tr\u1ecf \u0111\u1ebfn Set-up[.]exe .<\/p>\n Tuy nhi\u00ean, trong m\u1ed9t s\u1ed1 tr\u01b0\u1eddng h\u1ee3p, c\u01a1 ch\u1ebf ph\u00e2n ph\u1ed1i ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i c\u00f3 th\u1ec3 ph\u1ee9c t\u1ea1p h\u01a1n. Trong v\u00ed d\u1ee5 H\u00ecnh 7, t\u1eadp l\u1ec7nh ph\u00e2n ph\u1ed1i l\u00e0 m\u00e3 JavaScript \u1ea9n trong t\u1ec7p tr\u00f4ng gi\u1ed1ng nh\u01b0 t\u1ec7p mp3 (c\u00e1c \u0111\u1ecbnh d\u1ea1ng t\u1ec7p kh\u00e1c nh\u01b0 mp4 v\u00e0 png c\u0169ng \u0111\u00e3 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng). Tr\u00ean th\u1ef1c t\u1ebf, ngo\u00e0i JavaScript, t\u1ec7p c\u00f3 th\u1ec3 ch\u1ee9a t\u1ec7p mp3\/mp4 b\u1ecb h\u1ecfng, m\u00e3 ph\u1ea7n m\u1ec1m h\u1ee3p l\u1ec7 ho\u1eb7c ch\u1ec9 l\u00e0 d\u1eef li\u1ec7u ng\u1eabu nhi\u00ean.<\/p>\n T\u1eadp l\u1ec7nh \u0111\u01b0\u1ee3c th\u1ef1c thi b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng c\u00f4ng c\u1ee5 \u1ee9ng d\u1ee5ng HTML c\u1ee7a Microsoft\u00a0 mshta[.]exe, b\u1eb1ng c\u00e1ch nh\u1eafc ng\u01b0\u1eddi d\u00f9ng d\u00e1n l\u1ec7nh sau v\u00e0o h\u1ed9p tho\u1ea1i Run:<\/p>\n H\u00ecnh 7. L\u1ec7nh k\u00edch ho\u1ea1t chu\u1ed7i l\u00e2y nhi\u1ec5m d\u1ef1a tr\u00ean JS<\/em><\/p>\n L\u1ec7nh mshta ph\u00e2n t\u00edch t\u1ec7p d\u01b0\u1edbi d\u1ea1ng t\u1ec7p HTA v\u00e0 th\u1ef1c thi b\u1ea5t k\u1ef3 m\u00e3 JavaScript n\u00e0o trong th\u1ebb script, k\u00edch ho\u1ea1t chu\u1ed7i l\u00e2y nhi\u1ec5m sau:<\/p>\n L\u1edbp (1)<\/strong><\/em><\/p>\n H\u00ecnh 8 l\u00e0 m\u00e3 l\u1ec7nh JS b\u00ean trong t\u1ec7p mp3 \u0111\u01b0\u1ee3c th\u1ef1c thi b\u1edfi mshta.<\/p>\n H\u00ecnh 8. T\u1eadp l\u1ec7nh JS trong t\u1ec7p never[.]mp3<\/em><\/p>\n L\u1edbp (2)<\/strong><\/em><\/p>\n Sau khi ph\u00e2n t\u00edch gi\u00e1 tr\u1ecb Kwb, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u thu \u0111\u01b0\u1ee3c \u0111o\u1ea1n m\u00e3 sau v\u00e0 \u0111o\u1ea1n m\u00e3 n\u00e0y s\u1ebd \u0111\u01b0\u1ee3c th\u1ef1c thi b\u1edfi h\u00e0m eval.<\/p>\n H\u00ecnh 9. L\u1edbp 2 c\u1ee7a t\u1eadp l\u1ec7nh<\/em><\/p>\n L\u1edbp (3)<\/em><\/strong><\/p>\n Sau khi t\u00ednh to\u00e1n c\u00e1c gi\u00e1 tr\u1ecb cho kXN v\u00e0 zzI, l\u1ec7nh ActiveX cu\u1ed1i c\u00f9ng \u0111\u01b0\u1ee3c x\u00e2y d\u1ef1ng v\u00e0 th\u1ef1c thi, n\u00f3 ch\u1ee9a m\u1ed9t t\u1eadp l\u1ec7nh PowerShell \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a trong bi\u1ebfn $PBwR.<\/p>\n H\u00ecnh 10. L\u1edbp gi\u1ea3i m\u00e3 (2) t\u1eadp l\u1ec7nh JS<\/em><\/p>\n L\u1edbp (4)<\/strong><\/em><\/p>\n Sau khi gi\u1ea3i m\u00e3 t\u1eadp l\u1ec7nh PowerShell, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u ph\u00e1t hi\u1ec7n ra r\u1eb1ng m\u1ee5c \u0111\u00edch ch\u00ednh c\u1ee7a n\u00f3 l\u00e0 t\u1ea3i xu\u1ed1ng v\u00e0 th\u1ef1c thi m\u1ed9t t\u1ec7p PowerShell kh\u00e1c t\u1eeb \u0111\u01b0\u1eddng d\u1eabn: hXXps:\/\/connect[.]klipfuzj[.]shop\/firefire[.]png.<\/p>\n H\u00ecnh 11. L\u1edbp gi\u1ea3i m\u00e3 (3) t\u1eadp l\u1ec7nh PowerShell<\/em><\/p>\n Ph\u00e2n t\u00edch t\u1ec7p firefire<\/strong><\/p>\n C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u cho bi\u1ebft, firefire[.]png ch\u00ednh l\u00e0 t\u1ec7p PowerShell l\u1edbn (g\u1ea7n b\u1eb1ng 31MB) v\u1edbi nhi\u1ec1u l\u1edbp che gi\u1ea5u v\u00e0 ch\u1ed1ng debug. Sau khi gi\u1ea3i m\u00e3 v\u00e0 x\u00f3a m\u00e3 kh\u00f4ng c\u1ea7n thi\u1ebft, ch\u00fang ta c\u00f3 th\u1ec3 th\u1ea5y m\u1ee5c \u0111\u00edch ch\u00ednh c\u1ee7a t\u1ec7p l\u00e0 t\u1ea1o v\u00e0 th\u1ef1c thi t\u1eadp l\u1ec7nh PowerShell \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a nh\u01b0 H\u00ecnh 12.<\/p>\n H\u00ecnh 12. T\u1ec7p firefire<\/em><\/p>\n Kh\u00f3a gi\u1ea3i m\u00e3 l\u00e0 \u0111\u1ea7u ra c\u1ee7a l\u1ec7nh Invoke-Metasploit, b\u1ecb ch\u1eb7n n\u1ebfu AMSI \u0111\u01b0\u1ee3c b\u1eadt. Do \u0111\u00f3, m\u1ed9t th\u00f4ng b\u00e1o l\u1ed7i \u0111\u01b0\u1ee3c t\u1ea1o ra b\u1edfi AMSI: AMSI_RESULT_NOT_DETECTED, \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng l\u00e0m kh\u00f3a. N\u1ebfu AMSI b\u1ecb t\u1eaft, ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i s\u1ebd kh\u00f4ng gi\u1ea3i m\u00e3 \u0111\u01b0\u1ee3c t\u1eadp l\u1ec7nh.<\/p>\n T\u1eadp l\u1ec7nh PowerShell \u0111\u01b0\u1ee3c gi\u1ea3i m\u00e3 c\u00f3 k\u00edch th\u01b0\u1edbc kho\u1ea3ng 1,5 MB v\u00e0 m\u1ee5c \u0111\u00edch ch\u00ednh c\u1ee7a n\u00f3 l\u00e0 t\u1ea1o v\u00e0 ch\u1ea1y m\u1ed9t t\u1ec7p th\u1ef1c thi \u0111\u1ed9c h\u1ea1i.<\/p>\n H\u00ecnh 13. T\u1eadp l\u1ec7nh PowerShell \u0111\u00e3 gi\u1ea3i m\u00e3<\/em><\/p>\n Ph\u01b0\u01a1ng ph\u00e1p v\u00e0 k\u1ef9 thu\u1eadt l\u00e2y nhi\u1ec5m<\/strong><\/p>\n Lumma Stealer \u0111\u00e3 \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n s\u1eed d\u1ee5ng nhi\u1ec1u ph\u01b0\u01a1ng ph\u00e1p l\u00e2y nhi\u1ec5m kh\u00e1c nhau, v\u1edbi hai k\u1ef9 thu\u1eadt ch\u00ednh n\u1ed5i b\u1eadt trong c\u00e1c chi\u1ebfn d\u1ecbch ph\u00e2n ph\u1ed1i c\u1ee7a n\u00f3, \u0111\u00f3 l\u00e0:\u00a0DLL sideloading<\/a>\u00a0v\u00e0 ti\u00eam payload \u0111\u1ed9c h\u1ea1i v\u00e0o ph\u1ea7n l\u1edbp ph\u1ee7 c\u1ee7a ph\u1ea7n m\u1ec1m mi\u1ec5n ph\u00ed h\u1ee3p ph\u00e1p. C\u00e1c k\u1ef9 thu\u1eadt n\u00e0y \u0111\u1eb7c bi\u1ec7t hi\u1ec7u qu\u1ea3 trong vi\u1ec7c tr\u1ed1n tr\u00e1nh ph\u00e1t hi\u1ec7n, b\u1edfi v\u00ec ch\u00fang khai th\u00e1c l\u1ee3i d\u1ee5ng v\u00e0o l\u00f2ng tin m\u00e0 ng\u01b0\u1eddi d\u00f9ng \u0111\u1eb7t v\u00e0o c\u00e1c \u1ee9ng d\u1ee5ng v\u00e0 ti\u1ebfn tr\u00ecnh h\u1ec7 th\u1ed1ng ph\u1ed5 bi\u1ebfn r\u1ed9ng r\u00e3i.<\/p>\n – DLL sideloading: DLL sideloading l\u00e0 m\u1ed9t k\u1ef9 thu\u1eadt m\u00e0 trong \u0111\u00f3 c\u00e1c th\u01b0 vi\u1ec7n li\u00ean k\u1ebft \u0111\u1ed9ng (DLL) \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c t\u1ea3i b\u1edfi m\u1ed9t \u1ee9ng d\u1ee5ng h\u1ee3p ph\u00e1p. K\u1ef9 thu\u1eadt n\u00e0y khai th\u00e1c c\u00e1c l\u1ed7 h\u1ed5ng ho\u1eb7c c\u1ea5u h\u00ecnh sai trong ph\u1ea7n m\u1ec1m v\u00f4 t\u00ecnh t\u1ea3i c\u00e1c t\u1ec7p DLL t\u1eeb c\u00e1c th\u01b0 m\u1ee5c kh\u00f4ng \u0111\u00e1ng tin c\u1eady.<\/p>\n K\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 nh\u00fang Lumma Stealer DLL v\u00e0o c\u00f9ng th\u01b0 m\u1ee5c v\u1edbi m\u1ed9t \u1ee9ng d\u1ee5ng \u0111\u00e1ng tin c\u1eady, khi\u1ebfn n\u00f3 t\u1ea3i khi \u1ee9ng d\u1ee5ng \u0111\u01b0\u1ee3c th\u1ef1c thi. V\u00ec DLL \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c t\u1ea3i trong b\u1ed1i c\u1ea3nh c\u1ee7a m\u1ed9t ti\u1ebfn tr\u00ecnh \u0111\u00e1ng tin c\u1eady, n\u00ean c\u00e1c bi\u1ec7n ph\u00e1p b\u1ea3o m\u1eadt truy\u1ec1n th\u1ed1ng kh\u00f3 ph\u00e1t hi\u1ec7n ra s\u1ef1 x\u00e2m nh\u1eadp h\u01a1n nhi\u1ec1u.<\/p>\n – Ti\u00eam ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i v\u00e0o l\u1edbp ph\u1ee7 c\u1ee7a ph\u1ea7n m\u1ec1m: M\u1ed9t ph\u01b0\u01a1ng ph\u00e1p kh\u00e1c th\u01b0\u1eddng \u0111\u01b0\u1ee3c Lumma Stealer s\u1eed d\u1ee5ng l\u00e0 \u0111\u01b0a m\u1ed9t ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i v\u00e0o l\u1edbp ph\u1ee7 c\u1ee7a ph\u1ea7n m\u1ec1m mi\u1ec5n ph\u00ed. L\u1edbp ph\u1ee7 th\u01b0\u1eddng \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng cho ch\u1ee9c n\u0103ng ph\u1ea7n m\u1ec1m h\u1ee3p ph\u00e1p, ch\u1eb3ng h\u1ea1n nh\u01b0 hi\u1ec3n th\u1ecb giao di\u1ec7n \u0111\u1ed3 h\u1ecda ho\u1eb7c x\u1eed l\u00fd m\u1ed9t s\u1ed1 s\u1ef1 ki\u1ec7n \u0111\u1ea7u v\u00e0o. B\u1eb1ng c\u00e1ch s\u1eeda \u0111\u1ed5i l\u1edbp ph\u1ee7 c\u1ee7a ph\u1ea7n m\u1ec1m, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 \u0111\u01b0a ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i v\u00e0o m\u00e0 kh\u00f4ng l\u00e0m gi\u00e1n \u0111o\u1ea1n ho\u1ea1t \u0111\u1ed9ng b\u00ecnh th\u01b0\u1eddng c\u1ee7a \u1ee9ng d\u1ee5ng.<\/p>\n Ph\u01b0\u01a1ng ph\u00e1p n\u00e0y \u0111\u1eb7c bi\u1ec7t nguy hi\u1ec3m v\u00ec ph\u1ea7n m\u1ec1m v\u1eabn ti\u1ebfp t\u1ee5c c\u00f3 v\u1ebb h\u1ee3p ph\u00e1p trong khi m\u00e3 \u0111\u1ed9c v\u1eabn \u00e2m th\u1ea7m th\u1ef1c thi \u1edf ch\u1ebf \u0111\u1ed9 backgroud, n\u00f3 c\u0169ng gi\u00fap ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i tr\u00e1nh b\u1ecb ph\u00e1t hi\u1ec7n b\u1edfi c\u00e1c c\u00f4ng c\u1ee5 b\u1ea3o m\u1eadt t\u1eadp trung v\u00e0o gi\u00e1m s\u00e1t h\u1ec7 th\u1ed1ng.<\/p>\n C\u1ea3 hai ph\u01b0\u01a1ng ph\u00e1p tr\u00ean \u0111\u1ec1u d\u1ef1a v\u00e0o vi\u1ec7c khai th\u00e1c c\u00e1c \u1ee9ng d\u1ee5ng \u0111\u00e1ng tin c\u1eady, l\u00e0m t\u0103ng \u0111\u00e1ng k\u1ec3 kh\u1ea3 n\u0103ng l\u00e2y nhi\u1ec5m th\u00e0nh c\u00f4ng. C\u00e1c k\u1ef9 thu\u1eadt n\u00e0y c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng k\u1ebft h\u1ee3p v\u1edbi c\u00e1c k\u1ef9 thu\u1eadt kh\u00e1c, ch\u1eb3ng h\u1ea1n nh\u01b0 phishing ho\u1eb7c trojan h\u00f3a c\u00e1c g\u00f3i ph\u1ea7n m\u1ec1m, \u0111\u1ec3 t\u1ed1i \u0111a h\u00f3a vi\u1ec7c l\u00e2y lan Lumma Stealer \u0111\u1ebfn nhi\u1ec1u m\u1ee5c ti\u00eau.<\/p>\n Ph\u00e2n t\u00edch m\u1eabu m\u00e3 \u0111\u1ed9c<\/strong><\/p>\n \u0110\u1ec3 ch\u1ee9ng minh c\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng c\u1ee7a tr\u00ecnh c\u00e0i \u0111\u1eb7t Lumma Stealer v\u00e0 t\u00e1c \u0111\u1ed9ng \u0111\u1ebfn h\u1ec7 th\u1ed1ng v\u00e0 b\u1ea3o m\u1eadt d\u1eef li\u1ec7u, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e3 ph\u00e2n t\u00edch m\u1eabu m\u00e3 \u0111\u1ed9c m\u00e0 h\u1ecd ph\u00e1t hi\u1ec7n. M\u1eabu n\u00e0y s\u1eed d\u1ee5ng k\u1ef9 thu\u1eadt ti\u00eam l\u1edbp ph\u1ee7. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 ph\u00e2n t\u00edch chi ti\u1ebft v\u1ec1 chu\u1ed7i l\u00e2y nhi\u1ec5m v\u00e0 c\u00e1c k\u1ef9 thu\u1eadt kh\u00e1c nhau \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 tri\u1ec3n khai v\u00e0 th\u1ef1c thi Lumma Stealer.<\/p>\n Th\u1ef1c hi\u1ec7n ban \u0111\u1ea7u v\u00e0 t\u1ef1 gi\u1ea3i n\u00e9n RAR (SFX)<\/strong><\/em><\/p>\n Payload ban \u0111\u1ea7u trong m\u1eabu n\u00e0y \u0111\u01b0\u1ee3c ph\u00e2n ph\u1ed1i d\u01b0\u1edbi d\u1ea1ng ti\u1ebfn tr\u00ecnh ProjectorNebraska[.]exe, bao g\u1ed3m m\u1ed9t t\u1ec7p h\u1ee3p l\u1ec7 b\u1ecb h\u1ecfng v\u00e0 ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i trong l\u1edbp ph\u1ee7, n\u00f3 \u0111\u01b0\u1ee3c n\u1ea1n nh\u00e2n th\u1ef1c thi. Sau \u0111\u00f3, t\u1ec7p gi\u1ea3i n\u00e9n v\u00e0 ch\u1ea1y m\u1ed9t t\u1ec7p l\u01b0u tr\u1eef RAR (SFX) t\u1ef1 gi\u1ea3i n\u00e9n. T\u1ec7p l\u01b0u tr\u1eef n\u00e0y ch\u1ee9a giai \u0111o\u1ea1n ti\u1ebfp theo c\u1ee7a qu\u00e1 tr\u00ecnh l\u00e2y nhi\u1ec5m: tr\u00ecnh c\u00e0i \u0111\u1eb7t Nullsoft Scriptable Install System (NSIS). NSIS l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng r\u1ed9ng r\u00e3i \u0111\u1ec3 t\u1ea1o tr\u00ecnh c\u00e0i \u0111\u1eb7t Windows.<\/p>\n C\u00e1c th\u00e0nh ph\u1ea7n c\u00e0i \u0111\u1eb7t NSIS<\/em><\/strong><\/p>\n H\u00ecnh 14. C\u00e1c th\u00e0nh ph\u1ea7n c\u00e0i \u0111\u1eb7t NSIS<\/em><\/p>\n Tr\u00ecnh c\u00e0i \u0111\u1eb7t NSIS lo\u1ea1i b\u1ecf m\u1ed9t s\u1ed1 th\u00e0nh ph\u1ea7n quan tr\u1ecdng \u0111\u1ed1i v\u1edbi vi\u1ec7c th\u1ef1c thi ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i. Ch\u00fang bao g\u1ed3m c\u00e1c th\u00e0nh ph\u1ea7n AutoIt v\u00e0 m\u1ed9t tr\u00ecnh t\u1ea3i t\u1eadp l\u1ec7nh h\u00e0ng lo\u1ea1t \u0111\u01b0\u1ee3c t\u1ed1i gi\u1ea3n h\u00f3a c\u00f3 t\u00ean l\u00e0 Hose[.]cmd. C\u00e1c th\u00e0nh ph\u1ea7n AutoIt sau \u0111\u00e2y b\u1ecb lo\u1ea1i b\u1ecf:<\/p>\n – C\u00e1c th\u00e0nh ph\u1ea7n c\u1ee7a m\u1ed9t t\u1ec7p th\u1ef1c thi AutoIt h\u1ee3p l\u1ec7: \u0110\u00e2y l\u00e0 c\u00e1c th\u00e0nh ph\u1ea7n c\u1ee7a m\u1ed9t t\u1ec7p th\u1ef1c thi AutoIt h\u1ee3p l\u1ec7 \u0111\u01b0\u1ee3c \u0111\u01b0a v\u00e0o h\u1ec7 th\u1ed1ng c\u1ee7a n\u1ea1n nh\u00e2n v\u00e0 sau \u0111\u00f3 \u0111\u01b0\u1ee3c s\u1eafp x\u1ebfp l\u1ea1i trong qu\u00e1 tr\u00ecnh l\u00e2y nhi\u1ec5m.<\/p>\n – T\u1eadp l\u1ec7nh AutoIt \u0111\u00e3 bi\u00ean d\u1ecbch: T\u1eadp l\u1ec7nh \u0111\u00e3 bi\u00ean d\u1ecbch mang theo ch\u1ee9c n\u0103ng ch\u00ednh c\u1ee7a Lumma Stealer, bao g\u1ed3m c\u00e1c ho\u1ea1t \u0111\u1ed9ng nh\u01b0 \u0111\u00e1nh c\u1eafp th\u00f4ng tin \u0111\u0103ng nh\u1eadp v\u00e0 \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u.<\/p>\n C\u00e1c th\u00e0nh ph\u1ea7n n\u00e0y sau \u0111\u00f3 \u0111\u01b0\u1ee3c build l\u1ea1i th\u00e0nh t\u1ec7p th\u1ef1c thi cu\u1ed1i c\u00f9ng b\u1eb1ng c\u00e1c t\u1ec7p batch loader v\u00e0 th\u1ef1c thi nhi\u1ec1u \u0111o\u1ea1n kh\u00e1c nhau.<\/p>\n Hose[.]cmd c\u00f3 vai tr\u00f2 \u0111i\u1ec1u ph\u1ed1i c\u00e1c b\u01b0\u1edbc cu\u1ed1i c\u00f9ng c\u1ee7a qu\u00e1 tr\u00ecnh th\u1ef1c thi ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 ph\u00e2n t\u00edch c\u00e1c th\u00e0nh ph\u1ea7n ch\u00ednh c\u1ee7a n\u00f3 (sau khi gi\u1ea3i m\u00e3):<\/p>\n H\u00ecnh 16. T\u1eadp l\u1ec7nh batch \u0111\u00e3 \u0111\u01b0\u1ee3c gi\u1ea3i m\u00e3<\/em><\/p>\n H\u00ecnh 17. C\u00e2y ti\u1ebfn tr\u00ecnh sau khi th\u1ef1c thi t\u1eadp l\u1ec7nh batch<\/em><\/p>\n T\u1eadp l\u1ec7nh batch th\u1ef1c hi\u1ec7n c\u00e1c h\u00e0nh \u0111\u1ed9ng sau:<\/p>\n 1. Tr\u1ed1n tr\u00e1nh s\u1ea3n ph\u1ea9m b\u1ea3o m\u1eadt<\/p>\n T\u1eadp l\u1ec7nh qu\u00e9t s\u1ef1 hi\u1ec7n di\u1ec7n c\u1ee7a ph\u1ea7n m\u1ec1m b\u1ea3o m\u1eadt (SecureAnywhere v\u00e0 Quick Heal AntiVirus) b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng tasklist. N\u1ebfu ph\u00e1t hi\u1ec7n th\u1ea5y b\u1ea5t k\u1ef3 ph\u1ea7n m\u1ec1m n\u00e0o trong s\u1ed1 ch\u00fang, n\u00f3 s\u1ebd tr\u00ec ho\u00e3n vi\u1ec7c th\u1ef1c thi th\u00f4ng qua l\u1ec7nh ping -n 198, l\u1ec7nh n\u00e0y s\u1ebd ping localhost 198 l\u1ea7n. K\u1ef9 thu\u1eadt n\u00e0y \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 tr\u00e1nh ph\u00e1t hi\u1ec7n sandbox, v\u00ec sandbox th\u01b0\u1eddng tho\u00e1t tr\u01b0\u1edbc khi t\u1eadp l\u1ec7nh ho\u00e0n t\u1ea5t t\u00e1c v\u1ee5 ping.<\/p>\n T\u1eadp l\u1ec7nh ki\u1ec3m tra s\u1ef1 hi\u1ec7n di\u1ec7n c\u1ee7a b\u1ea5t k\u1ef3 m\u1ee5c n\u00e0o sau \u0111\u00e2y: Avast, AVG, McAfee, Bitdefender, Sophos b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng danh s\u00e1ch c\u00e1c t\u00e1c v\u1ee5. N\u1ebfu ph\u00e1t hi\u1ec7n th\u1ea5y m\u1ed9t trong s\u1ed1 ch\u00fang, n\u00f3 s\u1ebd gi\u1eef t\u00ean th\u1ef1c thi cho AutoIt l\u00e0 AutoIt3[.]exe; n\u1ebfu kh\u00f4ng, n\u00f3 s\u1ebd \u0111\u1ed5i t\u00ean th\u00e0nh Suggests[.]pif.<\/p>\n 2. Thi\u1ebft l\u1eadp m\u00f4i tr\u01b0\u1eddng v\u00e0 chu\u1ea9n b\u1ecb payload<\/p>\n T\u1ec7p l\u1ec7nh s\u1ebd thi\u1ebft l\u1eadp c\u00e1c bi\u1ebfn m\u00f4i tr\u01b0\u1eddng cho t\u1ec7p th\u1ef1c thi AutoIt v\u00e0 payload cu\u1ed1i c\u00f9ng. Ngo\u00e0i ra, n\u00f3 c\u0169ng t\u1ea1o m\u1ed9t th\u01b0 m\u1ee5c l\u00e0m vi\u1ec7c c\u00f3 t\u00ean l\u00e0 195402 trong th\u01b0 m\u1ee5c Temp \u0111\u1ec3 l\u01b0u tr\u1eef c\u00e1c th\u00e0nh ph\u1ea7n \u0111\u1ed9c h\u1ea1i.<\/p>\n 3. L\u00e0m t\u1ed1i ngh\u0129a v\u00e0 tr\u00edch xu\u1ea5t<\/p>\n T\u1eadp l\u1ec7nh l\u1ecdc v\u00e0 d\u1ecdn d\u1eb9p m\u1ed9t t\u1ec7p c\u00f3 t\u00ean Sitting t\u1eeb tr\u00ecnh c\u00e0i \u0111\u1eb7t NSIS b\u1eb1ng c\u00e1ch x\u00f3a chu\u1ed7i OptimumSlipProfessionalsPerspective v\u00e0 l\u01b0u tr\u1eef k\u1ebft qu\u1ea3 d\u01b0\u1edbi d\u1ea1ng Suggests[.]pif. Sau \u0111\u00f3, s\u1eed d\u1ee5ng l\u1ec7nh copy \/b \u0111\u1ec3 h\u1ee3p nh\u1ea5t Suggests[.]pif v\u1edbi m\u1ed9t th\u00e0nh ph\u1ea7n b\u1ed5 sung t\u1eeb tr\u00ecnh c\u00e0i \u0111\u1eb7t NSIS c\u00f3 t\u00ean Oclc v\u00e0o t\u1ec7p th\u1ef1c thi AutoIt, l\u01b0u l\u1ea1i d\u01b0\u1edbi d\u1ea1ng Suggests[.]pif.<\/p>\n 4. Payload assembly<\/p>\n T\u1eadp l\u1ec7nh k\u1ebft h\u1ee3p nhi\u1ec1u t\u1ec7p t\u1eeb tr\u00ecnh c\u00e0i \u0111\u1eb7t NSIS: Italy, Holmes, True,\u2026 \u0111\u1ec3 t\u1ea1o t\u1ec7p th\u1ef1c thi cu\u1ed1i c\u00f9ng c\u00f3 t\u00ean h[.]a3x, \u0111\u00e2y l\u00e0 m\u1ed9t t\u1eadp l\u1ec7nh AutoIt.<\/p>\n 5. Th\u1ef1c thi Lumma Stealer<\/p>\n Cu\u1ed1i c\u00f9ng, t\u1eadp l\u1ec7nh ch\u1ea1y Suggests[.]pif v\u00e0 sau \u0111\u00f3 l\u00e0 h[.]a3x v\u00e0 k\u00edch ho\u1ea1t th\u1ef1c thi Lumma Stealer d\u1ef1a tr\u00ean AutoIt.<\/p>\n Ph\u00e2n t\u00edch t\u1eadp l\u1ec7nh AutoIt<\/strong><\/em><\/p>\n Trong qu\u00e1 tr\u00ecnh ph\u00e2n t\u00edch, ti\u1ec7n \u00edch AutoIt Extractor \u0111\u00e3 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 gi\u1ea3i m\u00e3 v\u00e0 tr\u00edch xu\u1ea5t t\u1eadp l\u1ec7nh t\u1eeb t\u1ec7p h[.]a3x. T\u1eadp l\u1ec7nh \u0111\u00e3 \u0111\u01b0\u1ee3c t\u1ed1i \u01b0u h\u00f3a r\u1ea5t nhi\u1ec1u v\u00e0 c\u1ea7n ph\u1ea3i gi\u1ea3i m\u00e3 th\u00eam \u0111\u1ec3 c\u00f3 \u0111\u01b0\u1ee3c t\u1eadp l\u1ec7nh au3 s\u1ea1ch v\u00e0 c\u00f3 th\u1ec3 ph\u00e2n t\u00edch \u0111\u01b0\u1ee3c. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 ph\u00e2n t\u00edch v\u1ec1 h\u00e0nh vi c\u1ee7a tr\u00ecnh t\u1ea3i AutoIt.<\/p>\n H\u00ecnh 18. Tr\u00edch xu\u1ea5t t\u1eadp l\u1ec7nh AutoIt<\/em><\/p>\n Ki\u1ec3m tra ch\u1ed1ng ph\u00e2n t\u00edch<\/strong><\/em><\/p>\n T\u1eadp l\u1ec7nh b\u1eaft \u0111\u1ea7u b\u1eb1ng c\u00e1ch x\u00e1c th\u1ef1c m\u00f4i tr\u01b0\u1eddng \u0111\u1ec3 ph\u00e1t hi\u1ec7n c\u00e1c c\u00f4ng c\u1ee5 ph\u00e2n t\u00edch ho\u1eb7c m\u00f4i tr\u01b0\u1eddng sandbox, n\u00f3 ki\u1ec3m tra t\u00ean m\u00e1y t\u00ednh v\u00e0 t\u00ean ng\u01b0\u1eddi d\u00f9ng c\u1ee5 th\u1ec3 th\u01b0\u1eddng li\u00ean quan \u0111\u1ebfn m\u00f4i tr\u01b0\u1eddng th\u1eed nghi\u1ec7m.<\/p>\n H\u00ecnh 19. X\u00e1c th\u1ef1c m\u00f4i tr\u01b0\u1eddng<\/em><\/p>\n Sau \u0111\u00f3, t\u1eadp l\u1ec7nh ki\u1ec3m tra c\u00e1c ti\u1ebfn tr\u00ecnh t\u1eeb c\u00e1c c\u00f4ng c\u1ee5 anti-virus ph\u1ed5 bi\u1ebfn nh\u01b0 Avast Bitdefenderv\u00e0 Kaspersky.<\/p>\n H\u00ecnh 20. Ki\u1ec3m tra anti-virus<\/em><\/p>\n N\u1ebfu b\u1ea5t k\u1ef3 \u0111i\u1ec1u ki\u1ec7n n\u00e0o trong s\u1ed1 n\u00e0y \u0111\u01b0\u1ee3c \u0111\u00e1p \u1ee9ng, t\u1eadp l\u1ec7nh s\u1ebd d\u1eebng th\u1ef1c thi \u0111\u1ec3 tr\u00e1nh b\u1ecb ph\u00e1t hi\u1ec7n.<\/p>\n Th\u1ef1c thi shellcode c\u1ee7a tr\u00ecnh t\u1ea3i<\/em><\/strong><\/p>\n N\u1ebfu ki\u1ec3m tra ch\u1ed1ng ph\u00e2n t\u00edch \u0111\u01b0\u1ee3c th\u00f4ng qua, t\u1eadp l\u1ec7nh s\u1ebd t\u1ef1 \u0111\u1ed9ng ch\u1ecdn shellcode 32 bit ho\u1eb7c 64 bit d\u1ef1a tr\u00ean ki\u1ebfn \u200b\u200btr\u00fac h\u1ec7 th\u1ed1ng, n\u1eb1m trong bi\u1ebfn $vinylcigaretteau b\u00ean trong t\u1eadp l\u1ec7nh. \u0110\u1ec3 th\u1ef1c hi\u1ec7n vi\u1ec7c n\u00e0y, n\u00f3 ph\u00e2n b\u1ed5 b\u1ed9 nh\u1edb th\u1ef1c thi v\u00e0 \u0111\u01b0a shellcode v\u00e0o \u0111\u00f3. Sau \u0111\u00f3, shellcode kh\u1edfi t\u1ea1o m\u00f4i tr\u01b0\u1eddng th\u1ef1c thi v\u00e0 chu\u1ea9n b\u1ecb cho payload giai \u0111o\u1ea1n ti\u1ebfp theo.<\/p>\n H\u00ecnh 21. M\u1ed9t ph\u1ea7n c\u1ee7a tr\u00ecnh t\u1ea3i AutoIt ch\u1ecbu tr\u00e1ch nhi\u1ec7m th\u1ef1c thi shellcode<\/em><\/p>\n X\u1eed l\u00fd payload $dayjoy<\/em><\/strong><\/p>\n Sau khi th\u1ef1c thi shellcode c\u1ee7a tr\u00ecnh t\u1ea3i, t\u1eadp l\u1ec7nh s\u1ebd x\u1eed l\u00fd payload giai \u0111o\u1ea1n th\u1ee9 hai n\u1eb1m trong bi\u1ebfn $dayjoy. Payload \u0111\u01b0\u1ee3c gi\u1ea3i m\u00e3 b\u1eb1ng RC4 v\u1edbi kh\u00f3a \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a c\u1ee9ng 1246403907690944.<\/p>\n H\u00ecnh 22. Payload \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a<\/em><\/p>\n \u0110\u1ec3 gi\u1ea3i m\u00e3 d\u1eef li\u1ec7u m\u1ed9t c\u00e1ch \u0111\u1ed9c l\u1eadp, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e3 vi\u1ebft m\u1ed9t t\u1eadp l\u1ec7nh Python t\u00f9y ch\u1ec9nh nh\u01b0 H\u00ecnh 23 d\u01b0\u1edbi \u0111\u00e2y.<\/p>\n H\u00ecnh 23. T\u1eadp l\u1ec7nh Python \u0111\u1ec3 gi\u1ea3i m\u00e3 payload<\/em><\/p>\n Payload gi\u1ea3i m\u00e3 \u0111\u01b0\u1ee3c gi\u1ea3i n\u00e9n b\u1eb1ng thu\u1eadt to\u00e1n LZNT1.<\/p>\n Th\u1ef1c hi\u1ec7n payload cu\u1ed1i c\u00f9ng<\/strong><\/em><\/p>\n Sau khi gi\u1ea3i m\u00e3 v\u00e0 gi\u1ea3i n\u00e9n, payload $dayjoy \u0111\u01b0\u1ee3c th\u1ef1c thi trong b\u1ed9 nh\u1edb. T\u1eadp l\u1ec7nh s\u1eed d\u1ee5ng DllCallAddress \u0111\u1ec3 g\u1ecdi payload tr\u1ef1c ti\u1ebfp trong b\u1ed9 nh\u1edb \u0111\u01b0\u1ee3c ph\u00e2n b\u1ed5. \u0110i\u1ec1u n\u00e0y \u0111\u1ea3m b\u1ea3o payload \u0111\u01b0\u1ee3c th\u1ef1c thi m\u1ed9t c\u00e1ch b\u00ed m\u1eadt m\u00e0 kh\u00f4ng \u0111\u01b0\u1ee3c ghi v\u00e0o \u0111\u0129a.<\/p>\n H\u00ecnh 24. Th\u1ef1c hi\u1ec7n payload cu\u1ed1i c\u00f9ng<\/em><\/p>\n Payload cu\u1ed1i c\u00f9ng n\u00e0y ch\u00ednh l\u00e0 tr\u00ecnh \u0111\u00e1nh c\u1eafp th\u00f4ng tin. Kh\u1ea3 n\u0103ng \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u to\u00e0n di\u1ec7n c\u1ee7a ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i nh\u1eafm v\u00e0o nhi\u1ec1u lo\u1ea1i th\u00f4ng tin nh\u1ea1y c\u1ea3m, bao g\u1ed3m:<\/p>\n – Th\u00f4ng tin x\u00e1c th\u1ef1c v\u00ed ti\u1ec1n \u0111i\u1ec7n t\u1eed (v\u00ed d\u1ee5: Binance, Ethereum) v\u00e0 ti\u1ec7n \u00edch m\u1edf r\u1ed9ng tr\u00ecnh duy\u1ec7t li\u00ean quan (v\u00ed d\u1ee5: MetaMask).<\/p>\n – D\u1eef li\u1ec7u x\u00e1c th\u1ef1c hai y\u1ebfu t\u1ed1 (2FA) v\u00e0\u00a0ti\u1ec7n \u00edch m\u1edf r\u1ed9ng.<\/a><\/p>\n – Th\u00f4ng tin \u0111\u0103ng nh\u1eadp v\u00e0 cookie \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef tr\u00ean tr\u00ecnh duy\u1ec7t.<\/p>\n – Th\u00f4ng tin \u0111\u0103ng nh\u1eadp \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef t\u1eeb c\u00e1c c\u00f4ng c\u1ee5 truy c\u1eadp t\u1eeb xa nh\u01b0 AnyDesk.<\/p>\n – Th\u00f4ng tin \u0111\u0103ng nh\u1eadp \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef t\u1eeb c\u00e1c tr\u00ecnh qu\u1ea3n l\u00fd m\u1eadt kh\u1ea9u nh\u01b0 KeePass.<\/p>\n – D\u1eef li\u1ec7u h\u1ec7 th\u1ed1ng v\u00e0 \u1ee9ng d\u1ee5ng.<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/1fbe724a-992f-48e8-aae8-1a6b3aee2d7a\/lumma-fake2-1024x483.png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/b7281fde-8127-470f-baf1-55fe30ba1c82\/22(130).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/69864142-88a1-4527-b2bf-7c058de8cb12\/3(1413).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/d6f215d4-3265-4c52-9fb6-c18fdb9bab5d\/4(1148).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/7f23a26c-9788-4224-b8f2-44159b46b7ee\/5(1292).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/d3bb626d-3196-43fa-bd42-940dbb337812\/6(785).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/a13f3637-727e-4fa4-a351-638e869f66c4\/7(663).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/a370fbd5-9eb4-4c2d-bfc4-b85f683a3c95\/8(547).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/9dfd7690-1d43-480d-a92e-7aa784181933\/9(529).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/06f01ded-bdc4-4315-9b15-25110d4291e7\/10(462).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/cc8fa821-9455-4647-935e-2af8d6982a68\/11(364).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/a3790ca2-100f-4916-a614-5b3e69f2b6bb\/12(495).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/e33b094a-6e5c-40fa-b7e9-16efcf442cd5\/13(148).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/e729f140-2eda-4a57-8468-3506ed3acd98\/lumma-fake15-991x350.png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/88f26e99-2a00-477f-ab65-5136297e6e49\/lumma-fake16-1024x583.png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/4a1ee3eb-da4b-4a57-9e61-949be2b6f00c\/17(97).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/ef3daf1c-5355-4ff9-ae09-8972d015bfc1\/18(155).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/0fe6b01c-d00c-46c9-ba2e-a79f29285bd9\/19(77).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/97141490-2e98-4fce-8bac-af7e49afbc25\/20(265).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/b8b5d264-0893-4e56-8cb0-63fdafab0da1\/21(99).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/0f096116-762f-49fc-ab9c-4abd1e12d8e7\/22222(2).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/dabb2c41-80af-47db-8d34-5a7dc9337928\/23(85).png\")
<\/p>\n![](\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/f5da369b-32c2-4c81-9d91-d37458f81f6d\/24(54).png\")
<\/p>\n