{"id":46210,"date":"2025-05-29T17:18:16","date_gmt":"2025-05-29T10:18:16","guid":{"rendered":"https:\/\/antoanthongtinhaiphong.gov.vn\/?p=46210"},"modified":"2025-06-10T17:19:27","modified_gmt":"2025-06-10T10:19:27","slug":"giai-ma-chien-dich-tan-cong-synchole-cua-nhom-tin-tac-apt-lazarus","status":"publish","type":"post","link":"https:\/\/antoanthongtinhaiphong.gov.vn\/giai-ma-chien-dich-tan-cong-synchole-cua-nhom-tin-tac-apt-lazarus\/","title":{"rendered":"Gi\u1ea3i m\u00e3 chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng SyncHole c\u1ee7a nh\u00f3m tin t\u1eb7c APT Lazarus"},"content":{"rendered":"<p class=\"mt-3 excerpt\">C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u t\u1ea1i h\u00e3ng b\u1ea3o m\u1eadt Kasperksy \u0111\u00e3 theo d\u00f5i chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng m\u1edbi nh\u1ea5t c\u1ee7a nh\u00f3m Lazarus k\u1ec3 t\u1eeb th\u00e1ng 11\/2024, khi nh\u00f3m tin t\u1eb7c n\u00e0y nh\u1eafm v\u00e0o c\u00e1c t\u1ed5 ch\u1ee9c t\u1ea1i H\u00e0n Qu\u1ed1c b\u1eb1ng s\u1ef1 k\u1ebft h\u1ee3p gi\u1eefa t\u1ea5n c\u00f4ng Watering Hole v\u00e0 khai th\u00e1c c\u00e1c l\u1ed7 h\u1ed5ng ph\u1ea7n m\u1ec1m. Chi\u1ebfn d\u1ecbch c\u00f3 t\u00ean g\u1ecdi \u201cSyncHole\u201d \u0111\u00e3 t\u00e1c \u0111\u1ed9ng \u0111\u1ebfn \u00edt nh\u1ea5t s\u00e1u t\u1ed5 ch\u1ee9c trong c\u00e1c ng\u00e0nh ph\u1ea7n m\u1ec1m, c\u00f4ng ngh\u1ec7 th\u00f4ng tin, t\u00e0i ch\u00ednh, s\u1ea3n xu\u1ea5t ch\u1ea5t b\u00e1n d\u1eabn v\u00e0 vi\u1ec5n th\u00f4ng t\u1ea1i H\u00e0n Qu\u1ed1c. B\u00e0i vi\u1ebft n\u00e0y s\u1ebd c\u00f9ng ph\u00e2n t\u00edch v\u00e0 kh\u00e1m ph\u00e1 ho\u1ea1t \u0111\u1ed9ng c\u1ee7a c\u00e1c tin t\u1eb7c Lazarus trong chi\u1ebfn d\u1ecbch SyncHole, d\u1ef1a tr\u00ean b\u00e1o c\u00e1o v\u00e0 ph\u00e2n t\u00edch c\u1ee7a Kaspersky, \u0111\u1ec3 nh\u00ecn th\u1ea5y s\u1ef1 tinh vi c\u1ee7a nh\u00f3m tin t\u1eb7c gi\u00e1n \u0111i\u1ec7p \u0111\u1ebfn t\u1eeb Tri\u1ec1u Ti\u00ean n\u00e0y.<\/p>\n<div id=\"relatedPost\" class=\"mt-3 mb-3\">\n<div class=\"\">\n<ul class=\"ms-2\">\n<li class=\"d-flex\">\n<ul class=\"d-flex flex-column gap-2\">\n<li class=\"title bullet\" title=\"V\u00e9n m\u00e0n s\u1ef1 ph\u00e1t tri\u1ec3n chu\u1ed7i l\u00e2y nhi\u1ec5m \u0111\u1ed9c h\u1ea1i c\u1ee7a nh\u00f3m tin t\u1eb7c Lazarus\">V\u00e9n m\u00e0n s\u1ef1 ph\u00e1t tri\u1ec3n chu\u1ed7i l\u00e2y nhi\u1ec5m \u0111\u1ed9c h\u1ea1i c\u1ee7a nh\u00f3m tin t\u1eb7c Lazarus<\/li>\n<\/ul>\n<\/li>\n<li class=\"d-flex\">\n<ul class=\"d-flex flex-column gap-2\">\n<li class=\"title bullet\" title=\"Gi\u1ea3i m\u00e3 chi\u1ebfn d\u1ecbch Operation Blacksmith: Nh\u00f3m tin t\u1eb7c Tri\u1ec1u Ti\u00ean Lazarus s\u1eed d\u1ee5ng ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i m\u1edbi d\u1ef1a tr\u00ean DLang\">Gi\u1ea3i m\u00e3 chi\u1ebfn d\u1ecbch Operation Blacksmith: Nh\u00f3m tin t\u1eb7c Tri\u1ec1u Ti\u00ean Lazarus s\u1eed d\u1ee5ng ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i m\u1edbi d\u1ef1a tr\u00ean DLang<\/li>\n<\/ul>\n<\/li>\n<li class=\"d-flex\">\n<ul class=\"d-flex flex-column gap-2\">\n<li class=\"title bullet\" title=\"Gi\u1ea3i m\u00e3 chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng m\u1ea1ng g\u1ea7n \u0111\u00e2y c\u1ee7a nh\u00f3m tin t\u1eb7c Tri\u1ec1u Ti\u00ean Lazarus\">Gi\u1ea3i m\u00e3 chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng m\u1ea1ng g\u1ea7n \u0111\u00e2y c\u1ee7a nh\u00f3m tin t\u1eb7c Tri\u1ec1u Ti\u00ean Lazarus<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<article id=\"content\" class=\"content gradient\"><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/1d91cbce-a56e-4e95-a628-d6a56a80c705\/hacker(256).png\" \/><\/p>\n<p><strong>T\u1ed4NG QUAN<\/strong><\/p>\n<p>Cu\u1ed9c t\u1ea5n c\u00f4ng ban \u0111\u1ea7u \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n v\u00e0o th\u00e1ng 11\/2024 khi c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u ph\u00e1t hi\u1ec7n ra bi\u1ebfn th\u1ec3 c\u1ee7a backdoor ThreatNeedle, m\u1ed9t trong nh\u1eefng c\u00f4ng c\u1ee5 \u0111\u1ed9c h\u1ea1i h\u00e0ng \u0111\u1ea7u c\u1ee7a nh\u00f3m tin t\u1eb7c\u00a0<a href=\"https:\/\/antoanthongtin.vn\/tin\/nhom-tin-tac-lazarus-nham-muc-tieu-vao-vi-tien-dien-tu-bang-viec-su-dung-trinh-danh-cap-javascript\">Lazarus<\/a>, \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 nh\u1eafm v\u00e0o m\u1ed9t c\u00f4ng ty ph\u1ea7n m\u1ec1m H\u00e0n Qu\u1ed1c.<\/p>\n<p>Kaspersky ph\u00e1t hi\u1ec7n ra r\u1eb1ng ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i n\u00e0y \u0111ang ch\u1ea1y trong b\u1ed9 nh\u1edb c\u1ee7a m\u1ed9t ti\u1ebfn tr\u00ecnh SyncHost[.]exe h\u1ee3p ph\u00e1p v\u00e0 \u0111\u01b0\u1ee3c t\u1ea1o ra nh\u01b0 m\u1ed9t ti\u1ebfn tr\u00ecnh con c\u1ee7a Cross EX, ph\u1ea7n m\u1ec1m h\u1ee3p ph\u00e1p \u0111\u01b0\u1ee3c ph\u00e1t tri\u1ec3n t\u1ea1i\u00a0<a href=\"https:\/\/antoanthongtin.vn\/tin\/han-quoc-canh-bao-ve-cac-vu-lua-dao-truc-tuyen\">H\u00e0n Qu\u1ed1c<\/a>. \u0110\u00e2y c\u00f3 kh\u1ea3 n\u0103ng l\u00e0 \u0111i\u1ec3m kh\u1edfi \u0111\u1ea7u cho s\u1ef1 x\u00e2m ph\u1ea1m c\u1ee7a 5 t\u1ed5 ch\u1ee9c kh\u00e1c t\u1ea1i H\u00e0n Qu\u1ed1c.<\/p>\n<p>Trong m\u00f4i tr\u01b0\u1eddng Internet t\u1ea1i H\u00e0n Qu\u1ed1c, c\u00e1c trang web ng\u00e2n h\u00e0ng tr\u1ef1c tuy\u1ebfn v\u00e0 ch\u00ednh ph\u1ee7 th\u00f4ng th\u01b0\u1eddng y\u00eau c\u1ea7u c\u00e0i \u0111\u1eb7t ph\u1ea7n m\u1ec1m b\u1ea3o m\u1eadt c\u1ee5 th\u1ec3 \u0111\u1ec3 h\u1ed7 tr\u1ee3 c\u00e1c ch\u1ee9c n\u0103ng nh\u01b0 ch\u1ed1ng keylogger. Tuy nhi\u00ean, do b\u1ea3n ch\u1ea5t c\u1ee7a c\u00e1c g\u00f3i ph\u1ea7n m\u1ec1m n\u00e0y, ch\u00fang li\u00ean t\u1ee5c ch\u1ea1y \u1edf ch\u1ebf \u0111\u1ed9 n\u1ec1n \u0111\u1ec3 t\u01b0\u01a1ng t\u00e1c v\u1edbi tr\u00ecnh duy\u1ec7t. Nh\u00f3m tin t\u1eb7c Lazarus cho th\u1ea5y s\u1ef1 n\u1eafm b\u1eaft m\u1ea1nh m\u1ebd v\u1ec1 \u0111i\u1ec1u n\u00e0y v\u00e0 s\u1eed d\u1ee5ng m\u1ed9t chi\u1ebfn l\u01b0\u1ee3c nh\u1eafm v\u00e0o H\u00e0n Qu\u1ed1c k\u1ebft h\u1ee3p c\u00e1c l\u1ed7 h\u1ed5ng trong ph\u1ea7n m\u1ec1m nh\u01b0 v\u1eady v\u1edbi c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng Watering Hole (k\u1ebb t\u1ea5n c\u00f4ng s\u1ebd l\u00e2y nhi\u1ec5m v\u00e0o c\u00e1c trang web \u0111\u1ec3 x\u00e2m ph\u1ea1m m\u1ed9t nh\u00f3m ng\u01b0\u1eddi d\u00f9ng cu\u1ed1i c\u1ee5 th\u1ec3). Trung t\u00e2m An ninh m\u1ea1ng Qu\u1ed1c gia H\u00e0n Qu\u1ed1c \u0111\u00e3 c\u00f4ng b\u1ed1 khuy\u1ebfn c\u00e1o b\u1ea3o m\u1eadt v\u00e0o n\u0103m 2023 v\u1ec1 c\u00e1c s\u1ef1 c\u1ed1 nh\u01b0 v\u1eady v\u00e0 c\u0169ng \u0111\u00e3 c\u00f4ng b\u1ed1 c\u00e1c khuy\u1ebfn c\u00e1o b\u1ea3o m\u1eadt chung b\u1ed5 sung h\u1ee3p t\u00e1c v\u1edbi Ch\u00ednh ph\u1ee7 V\u01b0\u01a1ng qu\u1ed1c Anh.<\/p>\n<p>M\u1eb7c d\u00f9 c\u00e1ch th\u1ee9c l\u1ea1m d\u1ee5ng Cross EX \u0111\u1ec3 ph\u00e2n ph\u1ed1i ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i v\u1eabn ch\u01b0a r\u00f5 r\u00e0ng, nh\u01b0ng c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u nh\u1eadn \u0111\u1ecbnh r\u1eb1ng nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 leo thang c\u00e1c \u0111\u1eb7c quy\u1ec1n c\u1ee7a ch\u00fang trong qu\u00e1 tr\u00ecnh khai th\u00e1c. C\u00e1c s\u1ef1 ki\u1ec7n d\u01b0\u1edbi \u0111\u00e2y d\u1eabn \u0111\u1ebfn k\u1ebft lu\u1eadn r\u1eb1ng m\u1ed9t l\u1ed7 h\u1ed5ng trong ph\u1ea7n m\u1ec1m Cross EX r\u1ea5t c\u00f3 th\u1ec3 \u0111\u00e3 \u0111\u01b0\u1ee3c khai th\u00e1c trong chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng n\u00e0y:<\/p>\n<p>&#8211; Phi\u00ean b\u1ea3n m\u1edbi nh\u1ea5t c\u1ee7a Cross EX t\u1ea1i th\u1eddi \u0111i\u1ec3m x\u1ea3y ra s\u1ef1 c\u1ed1 \u0111\u00e3 \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t tr\u00ean c\u00e1c m\u00e1y t\u00ednh b\u1ecb nhi\u1ec5m.<\/p>\n<p>&#8211; Chu\u1ed7i th\u1ef1c thi b\u1eaft ngu\u1ed3n t\u1eeb ti\u1ebfn tr\u00ecnh Cross EX m\u00e0 c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u quan s\u00e1t th\u1ea5y tr\u00ean c\u00e1c t\u1ed5 ch\u1ee9c m\u1ee5c ti\u00eau \u0111\u1ec1u gi\u1ed1ng h\u1ec7t nhau.<\/p>\n<p>&#8211; C\u00e1c s\u1ef1 c\u1ed1 li\u00ean quan \u0111\u1ebfn vi\u1ec7c ti\u1ebfn tr\u00ecnh Synchost b\u1ecb l\u1ea1m d\u1ee5ng \u0111\u1ec3 nh\u00fang ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i v\u00e0o \u0111\u1ec1u t\u1eadp trung trong m\u1ed9t kho\u1ea3ng th\u1eddi gian ng\u1eafn: t\u1eeb th\u00e1ng 11\/2024 \u0111\u1ebfn th\u00e1ng 02\/2025.<\/p>\n<p>Trong cu\u1ed9c t\u1ea5n c\u00f4ng m\u1edbi nh\u1ea5t, nh\u00f3m Lazarus c\u0169ng khai th\u00e1c m\u1ed9t s\u1ea3n ph\u1ea9m ph\u1ea7n m\u1ec1m kh\u00e1c c\u1ee7a H\u00e0n Qu\u1ed1c l\u00e0 Innorix Agent, l\u1ee3i d\u1ee5ng l\u1ed7 h\u1ed5ng \u0111\u1ec3 t\u1ea1o \u0111i\u1ec1u ki\u1ec7n cho vi\u1ec7c di chuy\u1ec3n ngang h\u00e0ng, cho ph\u00e9p c\u00e0i \u0111\u1eb7t th\u00eam ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i tr\u00ean m\u00e1y ch\u1ee7 m\u1ee5c ti\u00eau theo l\u1ef1a ch\u1ecdn c\u1ee7a ch\u00fang. Ph\u1ea7n m\u1ec1m b\u1ecb khai th\u00e1c, Innorix Agent (phi\u00ean b\u1ea3n 9.2.18.450 tr\u1edf v\u1ec1 tr\u01b0\u1edbc), tr\u01b0\u1edbc \u0111\u00e2y \u0111\u00e3 b\u1ecb nh\u00f3m tin t\u1eb7c Andariel l\u1ea1m d\u1ee5ng, trong khi ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i m\u00e0 Kaspersky thu \u0111\u01b0\u1ee3c nh\u1eafm m\u1ee5c ti\u00eau v\u00e0o phi\u00ean b\u1ea3n m\u1edbi h\u01a1n l\u00e0 9.2.18.496.<\/p>\n<p>Trong khi ph\u00e2n t\u00edch h\u00e0nh vi, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e3 ph\u00e1t hi\u1ec7n ra m\u1ed9t l\u1ed7 h\u1ed5ng zero-day t\u1ea3i xu\u1ed1ng t\u1ec7p t\u00f9y \u00fd b\u1ed5 sung trong Innorix Agent. Kaspersky \u0111\u00e3 b\u00e1o c\u00e1o c\u00e1c v\u1ea5n \u0111\u1ec1 n\u00e0y cho Trung t\u00e2m \u0111i\u1ec1u ph\u1ed1i \u1ee9ng c\u1ee9u kh\u1ea9n c\u1ea5p m\u00e1y t\u00ednh H\u00e0n Qu\u1ed1c (KrCERT) v\u00e0 nh\u00e0 cung c\u1ea5p. Ph\u1ea7n m\u1ec1m \u0111\u00e3 \u0111\u01b0\u1ee3c c\u1eadp nh\u1eadt v\u1edbi c\u00e1c phi\u00ean b\u1ea3n v\u00e1 l\u1ed7i k\u1ec3 t\u1eeb \u0111\u00f3.<\/p>\n<p>C\u00e1c h\u00e0nh \u0111\u1ed9ng n\u00e0y l\u00e0 m\u1ed9t ph\u1ea7n quan tr\u1ecdng trong chi\u1ebfn l\u01b0\u1ee3c nh\u1eafm v\u00e0o c\u00e1c th\u1ef1c th\u1ec3 c\u1ee7a H\u00e0n Qu\u1ed1c c\u1ee7a nh\u00f3m Lazarus, tr\u01b0\u1edbc \u0111\u00e2y Kaspersky \u0111\u00e3 ti\u1ebft l\u1ed9 m\u1ed9t tr\u01b0\u1eddng h\u1ee3p t\u01b0\u01a1ng t\u1ef1 v\u00e0o n\u0103m 2023.<\/p>\n<p><strong>PH\u00c2N T\u00cdCH CHI\u1ebeN D\u1ecaCH<\/strong><\/p>\n<p><strong>Vect\u01a1 l\u00e2y nhi\u1ec5m ban \u0111\u1ea7u<\/strong><\/p>\n<p>Ti\u1ebfn tr\u00ecnh l\u00e2y nhi\u1ec5m b\u1eaft \u0111\u1ea7u khi n\u1ea1n nh\u00e2n truy c\u1eadp v\u00e0o m\u1ed9t s\u1ed1 trang web truy\u1ec1n th\u00f4ng tr\u1ef1c tuy\u1ebfn c\u1ee7a H\u00e0n Qu\u1ed1c. Khi truy c\u1eadp v\u00e0o m\u1ed9t trang web c\u1ee5 th\u1ec3, m\u00e1y t\u00ednh \u0111\u00e3 b\u1ecb ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i ThreatNeedle x\u00e2m nh\u1eadp, cho th\u1ea5y trang web n\u00e0y \u0111\u00f3ng vai tr\u00f2 quan tr\u1ecdng trong vi\u1ec7c ph\u00e2n ph\u1ed1i\u00a0<a href=\"https:\/\/antoanthongtin.vn\/tin\/hon-16000-thiet-bi-fortinet-bi-nhiem-symlink-backdoor\">backdoor<\/a>\u00a0ban \u0111\u1ea7u. Trong qu\u00e1 tr\u00ecnh ph\u00e2n t\u00edch, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u ph\u00e1t hi\u1ec7n ra r\u1eb1ng h\u1ec7 th\u1ed1ng b\u1ecb l\u00e2y nhi\u1ec5m \u0111ang giao ti\u1ebfp v\u1edbi m\u1ed9t \u0111\u1ecba ch\u1ec9 IP \u0111\u00e1ng ng\u1edd. Ki\u1ec3m tra th\u00eam cho th\u1ea5y IP n\u00e0y tr\u1ecf \u0111\u1ebfn hai t\u00ean trang web, c\u1ea3 hai \u0111\u1ec1u c\u00f3 v\u1ebb l\u00e0 c\u00e1c trang web cho thu\u00ea xe \u0111\u01b0\u1ee3c t\u1ea1o v\u1ed9i v\u00e0ng b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng c\u00e1c m\u1eabu HTML c\u00f3 s\u1eb5n c\u00f4ng khai.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/744cb6a2-70d8-4458-a3ff-db2d76ee2a7c\/operation-synchole-watering2-740x543.png\" \/><\/p>\n<p><em>H\u00ecnh 1. Giao di\u1ec7n c\u1ee7a trang web www[.]smartmanagerex[.]com<\/em><\/p>\n<p>Trang web \u0111\u1ea7u ti\u00ean l\u00e0 www[.]smartmanagerex [.] com, c\u00f3 v\u1ebb nh\u01b0 \u0111ang ng\u1ee5y trang th\u00e0nh m\u1ed9t ph\u1ea7n m\u1ec1m h\u1ee3p ph\u00e1p. D\u1ef1a tr\u00ean nh\u1eefng ph\u00e1t hi\u1ec7n n\u00e0y, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e3 x\u00e2y d\u1ef1ng l\u1ea1i k\u1ecbch b\u1ea3n t\u1ea5n c\u00f4ng sau (H\u00ecnh 2).<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/be9834ae-a824-4c1f-9696-2cc2526e0cc5\/2(2250).jpg\" \/><\/p>\n<p><em>H\u00ecnh 2. Lu\u1ed3ng t\u1ea5n c\u00f4ng trong qu\u00e1 tr\u00ecnh x\u00e2m ph\u1ea1m ban \u0111\u1ea7u<\/em><\/p>\n<p>Do c\u00e1c trang web truy\u1ec1n th\u00f4ng th\u01b0\u1eddng \u0111\u01b0\u1ee3c nhi\u1ec1u ng\u01b0\u1eddi d\u00f9ng truy c\u1eadp, c\u00e1c tin t\u1eb7c Lazarus l\u1ecdc kh\u00e1ch truy c\u1eadp b\u1eb1ng m\u1ed9t t\u1eadp l\u1ec7nh ph\u00eda m\u00e1y ch\u1ee7 v\u00e0 chuy\u1ec3n h\u01b0\u1edbng m\u1ee5c ti\u00eau mong mu\u1ed1n \u0111\u1ebfn m\u1ed9t trang web do k\u1ebb t\u1ea5n c\u00f4ng ki\u1ec3m so\u00e1t.<\/p>\n<p>C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e1nh gi\u00e1 r\u1eb1ng trang web \u0111\u01b0\u1ee3c chuy\u1ec3n h\u01b0\u1edbng c\u00f3 th\u1ec3 \u0111\u00e3 th\u1ef1c thi m\u1ed9t t\u1eadp l\u1ec7nh \u0111\u1ed9c h\u1ea1i, nh\u1eafm v\u00e0o m\u1ed9t l\u1ed7 h\u1ed5ng trong Cross EX \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t tr\u00ean m\u00e1y t\u00ednh m\u1ee5c ti\u00eau v\u00e0 kh\u1edfi ch\u1ea1y ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i. Sau \u0111\u00f3, t\u1eadp l\u1ec7nh cu\u1ed1i c\u00f9ng \u0111\u00e3 th\u1ef1c thi ti\u1ebfn tr\u00ecnh SyncHost[.]exe h\u1ee3p ph\u00e1p v\u00e0 \u0111\u01b0a m\u1ed9t l\u1ec7nh shell t\u1ea3i m\u1ed9t bi\u1ebfn th\u1ec3 c\u1ee7a ThreatNeedle v\u00e0o ti\u1ebfn tr\u00ecnh \u0111\u00f3. Cu\u1ed1i c\u00f9ng, ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c ch\u00e8n v\u00e0o ti\u1ebfn tr\u00ecng SyncHost [.]exe. Theo Kaspersky, nh\u00f3m Lazarus \u0111\u00e3 ti\u1ebfn h\u00e0nh c\u00e1c ho\u1ea1t \u0111\u1ed9ng r\u1ed9ng r\u00e3i nh\u1eafm v\u00e0o c\u00e1c th\u1ef1c th\u1ec3 l\u1ea1i H\u00e0n Qu\u1ed1c trong v\u00e0i th\u00e1ng qua v\u1edbi c\u00f9ng m\u1ed9t l\u1ed7 h\u1ed5ng v\u00e0 c\u00f9ng m\u1ed9t c\u00e1ch th\u1ee9c khai th\u00e1c.<\/p>\n<p><strong>Lu\u1ed3ng th\u1ef1c hi\u1ec7n<\/strong><\/p>\n<p>Kaspersky \u0111\u00e3 ph\u00e2n t\u00edch th\u00e0nh hai giai \u0111o\u1ea1n d\u1ef1a tr\u00ean ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng. Giai \u0111o\u1ea1n \u0111\u1ea7u ti\u00ean t\u1eadp trung ch\u1ee7 y\u1ebfu v\u00e0o chu\u1ed7i th\u1ef1c thi li\u00ean quan \u0111\u1ebfn ThreatNeedle v\u00e0 wAgent. Sau \u0111\u00f3 l\u00e0 giai \u0111o\u1ea1n th\u1ee9 hai li\u00ean quan \u0111\u1ebfn vi\u1ec7c s\u1eed d\u1ee5ng SIGNBT v\u00e0 COPPERHEDGE.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/04d14c49-4b5b-4b48-b92b-00796b6c7867\/3(1408).jpg\" \/><\/p>\n<p><em>H\u00ecnh 3. C\u00e1c giai \u0111o\u1ea1n t\u1ea5n c\u00f4ng \u0111\u01b0\u1ee3c ph\u00e2n t\u00edch<\/em><\/p>\n<p>Trong tr\u01b0\u1eddng h\u1ee3p l\u00e2y nhi\u1ec5m \u0111\u1ea7u ti\u00ean, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e3 t\u00ecm th\u1ea5y m\u1ed9t bi\u1ebfn th\u1ec3 c\u1ee7a ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i ThreatNeedle, nh\u01b0ng trong c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u1ebfp theo, ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i SIGNBT \u0111\u00e3 thay th\u1ebf, do \u0111\u00f3 kh\u1edfi \u0111\u1ed9ng giai \u0111o\u1ea1n th\u1ee9 hai.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/c82fefcf-d458-46ff-a908-20f638c48ff7\/4(1145).jpg\" \/><\/p>\n<p><em>H\u00ecnh 4. Chu\u1ed7i l\u00e2y nhi\u1ec5m trong to\u00e0n b\u1ed9 ho\u1ea1t \u0111\u1ed9ng<\/em><\/p>\n<p><strong>Ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i giai \u0111o\u1ea1n \u0111\u1ea7u<\/strong><\/p>\n<p>Trong chu\u1ed7i l\u00e2y nhi\u1ec5m \u0111\u1ea7u ti\u00ean, nhi\u1ec1u phi\u00ean b\u1ea3n c\u1eadp nh\u1eadt c\u1ee7a ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i tr\u01b0\u1edbc \u0111\u00f3 \u0111\u01b0\u1ee3c nh\u00f3m Lazarus s\u1eed d\u1ee5ng \u0111\u00e3 \u0111\u01b0\u1ee3c th\u1ef1c thi.<\/p>\n<p><em><strong>Bi\u1ebfn th\u1ec3 c\u1ee7a ThreatNeedle<\/strong><\/em><\/p>\n<p>M\u1eabu ThreatNeedle \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng trong chi\u1ebfn d\u1ecbch n\u00e0y c\u0169ng \u0111\u01b0\u1ee3c g\u1ecdi l\u00e0 \u201cThreatNeedleTea\u201d, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u cho bi\u1ebft \u0111\u00e2y l\u00e0 phi\u00ean b\u1ea3n c\u1eadp nh\u1eadt c\u1ee7a ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i ThreatNeedle. Tuy nhi\u00ean, ThreatNeedle trong cu\u1ed9c t\u1ea5n c\u00f4ng n\u00e0y \u0111\u00e3 \u0111\u01b0\u1ee3c s\u1eeda \u0111\u1ed5i v\u1edbi c\u00e1c t\u00ednh n\u0103ng b\u1ed5 sung.<\/p>\n<p>Theo \u0111\u00f3, ThreatNeedle \u0111\u01b0\u1ee3c chia th\u00e0nh c\u00e1c m\u1eabu Loader v\u00e0 Core. Phi\u00ean b\u1ea3n Core l\u1ea5y n\u0103m t\u1ec7p c\u1ea5u h\u00ecnh t\u1eeb C_27098[.]NLS \u0111\u1ebfn C_27102[.]NLS v\u00e0 ch\u1ee9a t\u1ed5ng c\u1ed9ng 37 t\u1eadp l\u1ec7nh. Trong khi \u0111\u00f3, phi\u00ean b\u1ea3n Loader ch\u1ec9 tham chi\u1ebfu \u0111\u1ebfn hai t\u1ec7p c\u1ea5u h\u00ecnh v\u00e0 ch\u1ec9 tri\u1ec3n khai b\u1ed1n t\u1eadp l\u1ec7nh.<\/p>\n<p>Th\u00e0nh ph\u1ea7n Core nh\u1eadn \u0111\u01b0\u1ee3c l\u1ec7nh c\u1ee5 th\u1ec3 t\u1eeb m\u00e1y ch\u1ee7 \u0111i\u1ec1u khi\u1ec3n v\u00e0 ra l\u1ec7nh (C2), d\u1eabn \u0111\u1ebfn vi\u1ec7c t\u1ea1o th\u00eam m\u1ed9t t\u1ec7p loader cho m\u1ee5c \u0111\u00edch duy tr\u00ec. T\u1ec7p n\u00e0y c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c ng\u1ee5y trang th\u00e0nh gi\u00e1 tr\u1ecb ServiceDLL c\u1ee7a m\u1ed9t d\u1ecbch v\u1ee5 h\u1ee3p l\u1ec7 trong nh\u00f3m netsvcs, d\u1ecbch v\u1ee5 IKEEXT ho\u1eb7c \u0111\u01b0\u1ee3c \u0111\u0103ng k\u00fd l\u00e0 nh\u00e0 cung c\u1ea5p d\u1ecbch v\u1ee5 b\u1ea3o m\u1eadt (SSP). Cu\u1ed1i c\u00f9ng, n\u00f3 t\u1ea3i th\u00e0nh ph\u1ea7n ThreatNeedle Loader.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/f8444015-84f3-47e3-9ecc-d60198f737cb\/5(1289).jpg\" \/><\/p>\n<p><em>H\u00ecnh 5. Lu\u1ed3ng h\u00e0nh vi \u0111\u1ec3 t\u1ea3i ThreatNeedle Loader theo d\u1ecbch v\u1ee5 m\u1ee5c ti\u00eau<\/em><\/p>\n<p>ThreatNeedle \u0111\u01b0\u1ee3c c\u1eadp nh\u1eadt t\u1ea1o ra m\u1ed9t c\u1eb7p kh\u00f3a ng\u1eabu nhi\u00ean d\u1ef1a tr\u00ean thu\u1eadt to\u00e1n Curve25519, g\u1eedi kh\u00f3a c\u00f4ng khai \u0111\u1ebfn m\u00e1y ch\u1ee7 C2, sau \u0111\u00f3 nh\u1eadn kh\u00f3a c\u00f4ng khai c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng. Cu\u1ed1i c\u00f9ng, kh\u00f3a b\u00ed m\u1eadt \u0111\u01b0\u1ee3c t\u1ea1o ra v\u00e0 kh\u00f3a c\u00f4ng khai c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng \u0111\u01b0\u1ee3c v\u1eadn h\u00e0nh theo ph\u01b0\u01a1ng ph\u00e1p v\u00f4 h\u01b0\u1edbng \u0111\u1ec3 t\u1ea1o ra m\u1ed9t kh\u00f3a chung, sau \u0111\u00f3 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng l\u00e0m kh\u00f3a cho thu\u1eadt to\u00e1n\u00a0<a href=\"https:\/\/antoanthongtin.vn\/tin\/he-ma-dong-co-xac-thuc-chacha20-poly1305\">ChaCha20<\/a>\u00a0\u0111\u1ec3 m\u00e3 h\u00f3a d\u1eef li\u1ec7u. D\u1eef li\u1ec7u \u0111\u01b0\u1ee3c g\u1eedi v\u00e0 nh\u1eadn \u1edf \u0111\u1ecbnh d\u1ea1ng JSON.<\/p>\n<p><em><strong>LPEClient<\/strong><\/em><\/p>\n<p>LPEClient l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 \u0111\u01b0\u1ee3c bi\u1ebft \u0111\u1ebfn v\u1edbi ch\u1ee9c n\u0103ng ph\u00e2n ph\u1ed1i payload \u0111\u00e3 t\u1eebng \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n trong c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng nh\u1eafm v\u00e0o c\u00e1c nh\u00e0 th\u1ea7u qu\u1ed1c ph\u00f2ng v\u00e0 ng\u00e0nh c\u00f4ng nghi\u1ec7p\u00a0<a href=\"https:\/\/antoanthongtin.vn\/tin\/tin-tac-ep-youtuber-phat-tan-ma-doc-dao-tien-dien-tu\">ti\u1ec1n \u0111i\u1ec7n t\u1eed<\/a>. C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e3 ti\u1ebft l\u1ed9 r\u1eb1ng c\u00f4ng c\u1ee5 n\u00e0y \u0111\u00e3 \u0111\u01b0\u1ee3c SIGNBT t\u1ea3i khi h\u1ecd l\u1ea7n \u0111\u1ea7u ti\u00ean ghi nh\u1eadn ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i SIGNBT.<\/p>\n<p><strong><em>Bi\u1ebfn th\u1ec3 c\u1ee7a wAgent<\/em><\/strong><\/p>\n<p>Ngo\u00e0i ThreatNeedle, m\u1ed9t bi\u1ebfn th\u1ec3 c\u1ee7a ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i wAgent c\u0169ng \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n trong c\u00e1c t\u1ed5 ch\u1ee9c m\u1ee5c ti\u00eau. Theo \u0111\u00f3, wAgent l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 \u0111\u1ed9c h\u1ea1i m\u00e0 Kaspersky \u0111\u00e3 ghi nh\u1eadn v\u00e0o n\u0103m 2020 v\u00e0 m\u1ed9t phi\u00ean b\u1ea3n t\u01b0\u01a1ng t\u1ef1 \u0111\u00e3 \u0111\u01b0\u1ee3c \u0111\u1ec1 c\u1eadp trong chi\u1ebfn d\u1ecbch GoldGoblin. Ngu\u1ed3n g\u1ed1c t\u1ea1o ra n\u00f3 v\u1eabn c\u00f2n l\u00e0 m\u1ed9t b\u00ed \u1ea9n, nh\u01b0ng c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u ph\u00e1t hi\u1ec7n ra r\u1eb1ng loader wAgent \u0111\u00e3 \u0111\u01b0\u1ee3c ng\u1ee5y trang th\u00e0nh liblzma[.]dll v\u00e0 \u0111\u01b0\u1ee3c th\u1ef1c thi th\u00f4ng qua d\u00f2ng l\u1ec7nh rundll32[.]exe c:\\Programdata\\intel\\util[.]dat, afunix 1W2-UUE-ZNO-B99Z. H\u00e0m export s\u1ebd truy xu\u1ea5t t\u00ean t\u1ec7p \u0111\u00e3 cho 1W2-UUE-ZNO-B99Z trong th\u01b0 m\u1ee5c C:\\ProgramData, \u0111\u1ed3ng th\u1eddi c\u0169ng \u0111\u00f3ng vai tr\u00f2 l\u00e0 kh\u00f3a gi\u1ea3i m\u00e3.<\/p>\n<p>Sau khi chuy\u1ec3n \u0111\u1ed5i t\u00ean t\u1ec7p n\u00e0y th\u00e0nh \u0111\u1ecbnh d\u1ea1ng byte, n\u00f3 s\u1eed d\u1ee5ng 16 byte cao nh\u1ea5t c\u1ee7a gi\u00e1 tr\u1ecb k\u1ebft qu\u1ea3 l\u00e0m kh\u00f3a cho thu\u1eadt to\u00e1n AES-128-CBC v\u00e0 gi\u1ea3i m\u00e3 n\u1ed9i dung c\u1ee7a t\u1ec7p n\u1eb1m trong th\u01b0 m\u1ee5c C:\\ProgramData. B\u1ed1n byte tr\u00ean c\u00f9ng c\u1ee7a d\u1eef li\u1ec7u \u0111\u01b0\u1ee3c gi\u1ea3i m\u00e3 sau \u0111\u00f3 bi\u1ec3u th\u1ecb k\u00edch th\u01b0\u1edbc c\u1ee7a payload, m\u00e0 c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u x\u00e1c \u0111\u1ecbnh l\u00e0 phi\u00ean b\u1ea3n c\u1eadp nh\u1eadt c\u1ee7a ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i wAgent.<\/p>\n<p>Bi\u1ebfn th\u1ec3 wAgent c\u00f3 kh\u1ea3 n\u0103ng nh\u1eadn d\u1eef li\u1ec7u \u1edf c\u1ea3 \u0111\u1ecbnh d\u1ea1ng form-data v\u00e0 JSON, t\u00f9y thu\u1ed9c v\u00e0o m\u00e1y ch\u1ee7 C2 m\u00e0 n\u00f3 ti\u1ebfp c\u1eadn \u0111\u01b0\u1ee3c. \u0110\u00e1ng ch\u00fa \u00fd, n\u00f3 bao g\u1ed3m kh\u00f3a __Host-next-auth-token trong tr\u01b0\u1eddng Cookie \u1edf header request trong qu\u00e1 tr\u00ecnh giao ti\u1ebfp, mang theo chu\u1ed7i giao ti\u1ebfp \u0111\u01b0\u1ee3c th\u00eam v\u00e0o b\u1eb1ng c\u00e1c ch\u1eef s\u1ed1 ng\u1eabu nhi\u00ean.<\/p>\n<p>Trong phi\u00ean b\u1ea3n n\u00e0y, thay \u0111\u1ed5i m\u1edbi \u0111\u01b0\u1ee3c quan s\u00e1t th\u1ea5y l\u00e0 th\u01b0 vi\u1ec7n GNU Multiple-Precision (GMP) \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 th\u1ef1c hi\u1ec7n c\u00e1c ph\u00e9p t\u00ednh m\u00e3 h\u00f3a RSA, \u0111\u00e2y l\u00e0 m\u1ed9t th\u01b0 vi\u1ec7n ch\u01b0a t\u1eebng th\u1ea5y tr\u01b0\u1edbc \u0111\u00e2y trong ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c nh\u00f3m Lazarus s\u1eed d\u1ee5ng. Theo t\u1ec7p c\u1ea5u h\u00ecnh wAgent, n\u00f3 \u0111\u01b0\u1ee3c x\u00e1c \u0111\u1ecbnh l\u00e0 phi\u00ean b\u1ea3n x64_2[.]1. Phi\u00ean b\u1ea3n n\u00e0y qu\u1ea3n l\u00fd c\u00e1c payload b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng C++ STL map, t\u1eadp trung v\u00e0o vi\u1ec7c nh\u1eadn c\u00e1c payload b\u1ed5 sung t\u1eeb C2 v\u00e0 t\u1ea3i ch\u00fang tr\u1ef1c ti\u1ebfp v\u00e0o b\u1ed9 nh\u1edb, c\u00f9ng v\u1edbi vi\u1ec7c t\u1ea1o m\u1ed9t \u0111\u1ed1i t\u01b0\u1ee3ng \u0111\u01b0\u1ee3c chia s\u1ebb. V\u1edbi \u0111\u1ed1i t\u01b0\u1ee3ng n\u00e0y, m\u00f4-\u0111un ch\u00ednh c\u00f3 th\u1ec3 trao \u0111\u1ed5i c\u00e1c tham s\u1ed1 l\u1ec7nh v\u00e0 k\u1ebft qu\u1ea3 th\u1ef1c thi v\u1edbi c\u00e1c plugin \u0111\u00e3 ph\u00e2n ph\u1ed1i.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/a637eb4e-e385-46b6-b4a1-1e62fabac997\/6(781).jpg\" \/><\/p>\n<p><em>H\u00ecnh 6. C\u1ea5u tr\u00fac ho\u1ea1t \u0111\u1ed9ng c\u1ee7a bi\u1ebfn th\u1ec3 wAgent<\/em><\/p>\n<p><strong><em>Bi\u1ebfn th\u1ec3 c\u1ee7a Agamemnon<\/em><\/strong><\/p>\n<p>Tr\u00ecnh t\u1ea3i xu\u1ed1ng Agamemnon c\u0169ng ch\u1ecbu tr\u00e1ch nhi\u1ec7m t\u1ea3i xu\u1ed1ng v\u00e0 th\u1ef1c thi c\u00e1c payload b\u1ed5 sung nh\u1eadn \u0111\u01b0\u1ee3c t\u1eeb m\u00e1y ch\u1ee7 C2. M\u1eb7c d\u00f9 c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u kh\u00f4ng l\u1ea5y \u0111\u01b0\u1ee3c t\u1ec7p c\u1ea5u h\u00ecnh c\u1ee7a Agamemnon, nh\u01b0ng n\u00f3 nh\u1eadn l\u1ec7nh t\u1eeb C2 v\u00e0 th\u1ef1c thi payload b\u1eb1ng c\u00e1ch ph\u00e2n t\u00edch c\u00e1c l\u1ec7nh v\u00e0 tham s\u1ed1 d\u1ef1a tr\u00ean c\u00e1c k\u00fd t\u1ef1 ; ;, \u0111\u00f3ng vai tr\u00f2 l\u00e0 d\u1ea5u ph\u00e2n c\u00e1ch l\u1ec7nh v\u00e0 tham s\u1ed1. Gi\u00e1 tr\u1ecb c\u1ee7a ch\u1ebf \u0111\u1ed9 response \u0111\u01b0\u1ee3c truy\u1ec1n b\u1eb1ng l\u1ec7nh 2 (H\u00ecnh 7) x\u00e1c \u0111\u1ecbnh c\u00e1ch th\u1ef1c thi payload b\u1ed5 sung, \u0111\u01b0\u1ee3c ph\u00e2n ph\u1ed1i c\u00f9ng v\u1edbi l\u1ec7nh 3 (H\u00ecnh 7). C\u00f3 hai ph\u01b0\u01a1ng ph\u00e1p th\u1ef1c thi: Ph\u01b0\u01a1ng ph\u00e1p \u0111\u1ea7u ti\u00ean l\u00e0 t\u1ea3i payload, th\u01b0\u1eddng \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng trong ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i, trong khi ph\u01b0\u01a1ng ph\u00e1p th\u1ee9 hai l\u00e0 s\u1eed d\u1ee5ng k\u1ef9 thu\u1eadt Tartarus-TpAllocInject ngu\u1ed3n m\u1edf, m\u00e0 c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u ch\u01b0a t\u1eebng th\u1ea5y tr\u01b0\u1edbc \u0111\u00e2y trong ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i t\u1eeb nh\u00f3m Lazarus.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/46b1c1d0-c22a-4e32-8d61-cc6a7c8b08ef\/7-740x307.jpg\" \/><\/p>\n<p><em>H\u00ecnh 7. C\u1ea5u tr\u00fac c\u1ee7a c\u00e1c l\u1ec7nh n\u01a1i d\u1eef li\u1ec7u b\u1ed5 sung \u0111\u01b0\u1ee3c truy\u1ec1n qua<\/em><\/p>\n<p>Tartarus-TpAllocInject \u0111\u01b0\u1ee3c x\u00e2y d\u1ef1ng tr\u00ean m\u1ed9t b\u1ed9 loader m\u00e3 ngu\u1ed3n m\u1edf kh\u00e1c c\u00f3 t\u00ean l\u00e0 Tartarus&#8217; Gate. Tartarus&#8217; Gate d\u1ef1a tr\u00ean Halo&#8217;s Gate, Halo&#8217;s Gate l\u1ea1i d\u1ef1a tr\u00ean Hell&#8217;s Gate. T\u1ea5t c\u1ea3 c\u00e1c k\u1ef9 thu\u1eadt n\u00e0y \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf \u0111\u1ec3 bypass c\u00e1c s\u1ea3n ph\u1ea9m b\u1ea3o m\u1eadt nh\u01b0 ph\u1ea7n m\u1ec1m anti-virus v\u00e0 gi\u1ea3i ph\u00e1p EDR, nh\u01b0ng ch\u00fang t\u1ea3i payload theo nh\u1eefng c\u00e1ch kh\u00e1c nhau.<\/p>\n<p><em><strong>Innorix Agent khai th\u00e1c \u0111\u1ec3 di chuy\u1ec3n ngang<\/strong><\/em><\/p>\n<p>Kh\u00f4ng gi\u1ed1ng nh\u01b0 c\u00e1c c\u00f4ng c\u1ee5 \u0111\u00e3 \u0111\u1ec1 c\u1eadp tr\u01b0\u1edbc \u0111\u00f3, Innorix abuser \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u0111\u1ec3 di chuy\u1ec3n ngang, n\u00f3 \u0111\u01b0\u1ee3c t\u1ea3i xu\u1ed1ng b\u1edfi tr\u00ecnh t\u1ea3i xu\u1ed1ng Agamemnon v\u00e0 khai th\u00e1c m\u1ed9t phi\u00ean b\u1ea3n c\u1ee5 th\u1ec3 c\u1ee7a c\u00f4ng c\u1ee5 ph\u1ea7n m\u1ec1m chuy\u1ec3n t\u1ec7p \u0111\u01b0\u1ee3c ph\u00e1t tri\u1ec3n t\u1ea1i H\u00e0n Qu\u1ed1c, Innorix Agent, \u0111\u1ec3 t\u1ea3i th\u00eam ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i tr\u00ean c\u00e1c m\u00e1y ch\u1ee7 n\u1ed9i b\u1ed9.<\/p>\n<p>Innorix Agent c\u00f3 kh\u1ea3 n\u0103ng \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t tr\u00ean nhi\u1ec1u m\u00e1y t\u00ednh c\u1ee7a c\u1ea3 c\u00f4ng ty v\u00e0 c\u00e1 nh\u00e2n t\u1ea1i H\u00e0n Qu\u1ed1c, c\u00f9ng b\u1ea5t k\u1ef3 ng\u01b0\u1eddi d\u00f9ng n\u00e0o c\u00f3 phi\u00ean b\u1ea3n d\u1ec5 b\u1ecb t\u1ea5n c\u00f4ng \u0111\u1ec1u c\u00f3 kh\u1ea3 n\u0103ng tr\u1edf th\u00e0nh m\u1ee5c ti\u00eau. Ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i nh\u00fang m\u1ed9t kh\u00f3a c\u1ea5p ph\u00e9p \u0111\u01b0\u1ee3c cho l\u00e0 li\u00ean k\u1ebft v\u1edbi phi\u00ean b\u1ea3n 9.2.18.496, cho ph\u00e9p n\u00f3 th\u1ef1c hi\u1ec7n di chuy\u1ec3n ngang h\u00e0ng, b\u1eb1ng c\u00e1ch t\u1ea1o l\u01b0u l\u01b0\u1ee3ng \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c ng\u1ee5y trang th\u00e0nh l\u01b0u l\u01b0\u1ee3ng h\u1ee3p ph\u00e1p \u0111\u1ed1i v\u1edbi c\u00e1c m\u00e1y t\u00ednh m\u1ee5c ti\u00eau.<\/p>\n<p>Innorix abuser \u0111\u01b0\u1ee3c cung c\u1ea5p c\u00e1c tham s\u1ed1 t\u1eeb tr\u00ecnh t\u1ea3i xu\u1ed1ng Agamemnon: IP m\u1ee5c ti\u00eau, URL \u0111\u1ec3 t\u1ea3i xu\u1ed1ng t\u1ec7p v\u00e0 k\u00edch th\u01b0\u1edbc t\u1ec7p. Sau \u0111\u00f3, n\u00f3 g\u1eedi y\u00eau c\u1ea7u \u0111\u1ebfn IP m\u1ee5c ti\u00eau \u0111\u00f3 \u0111\u1ec3 ki\u1ec3m tra xem Innorix Agent \u0111\u00e3 \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t v\u00e0 \u0111ang ch\u1ea1y hay ch\u01b0a. N\u1ebfu ph\u1ea3n h\u1ed3i th\u00e0nh c\u00f4ng \u0111\u01b0\u1ee3c tr\u1ea3 v\u1ec1, ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i s\u1ebd cho r\u1eb1ng ph\u1ea7n m\u1ec1m \u0111ang ch\u1ea1y \u0111\u00fang tr\u00ean m\u00e1y ch\u1ee7 m\u1ee5c ti\u00eau, \u0111\u1ed3ng th\u1eddi g\u1eedi l\u01b0u l\u01b0\u1ee3ng cho ph\u00e9p m\u1ee5c ti\u00eau t\u1ea3i xu\u1ed1ng c\u00e1c t\u1ec7p b\u1ed5 sung t\u1eeb URL \u0111\u00e3 cho.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/dulieu.antoanthongtin.gov.vn\/tapchiantoanthongtin\/4210d3df-be09-4fee-a731-715c4f9e5ba0\/8-740x629.jpg\" \/><\/p>\n<p><em>H\u00ecnh 8. C\u00e1c b\u01b0\u1edbc tri\u1ec3n khai ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i b\u1ed5 sung th\u00f4ng qua Innorix abuser<\/em><\/p>\n<p>K\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 t\u1ea1o m\u1ed9t t\u1ec7p AppVShNotify[.]exe h\u1ee3p l\u1ec7 v\u00e0 m\u1ed9t t\u1ec7p USERENV[.]dll \u0111\u1ed9c h\u1ea1i trong c\u00f9ng m\u1ed9t \u0111\u01b0\u1eddng d\u1eabn th\u00f4ng qua Innorix abuser, sau \u0111\u00f3 th\u1ef1c thi t\u1ec7p AppVShNotify[.]exe b\u1eb1ng m\u1ed9t t\u00ednh n\u0103ng h\u1ee3p l\u1ec7 c\u1ee7a ph\u1ea7n m\u1ec1m, cu\u1ed1i c\u00f9ng d\u1eabn \u0111\u1ebfn vi\u1ec7c th\u1ef1c thi ThreatNeedle v\u00e0 LPEClient tr\u00ean c\u00e1c m\u00e1y ch\u1ee7 m\u1ee5c ti\u00eau, do \u0111\u00f3 kh\u1edfi ch\u1ea1y chu\u1ed7i l\u00e2y nhi\u1ec5m tr\u00ean c\u00e1c m\u00e1y tr\u01b0\u1edbc \u0111\u00f3 kh\u00f4ng b\u1ecb \u1ea3nh h\u01b0\u1edfng.<\/p>\n<p>Ngo\u00e0i ra, khi ph\u00e2n t\u00edch v\u00e0o h\u00e0nh vi c\u1ee7a ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i, Kaspersky \u0111\u00e3 x\u00e1c \u0111\u1ecbnh \u0111\u01b0\u1ee3c m\u1ed9t l\u1ed7 h\u1ed5ng t\u1ea3i xu\u1ed1ng t\u1ec7p t\u00f9y \u00fd kh\u00e1c \u00e1p d\u1ee5ng cho c\u00e1c phi\u00ean b\u1ea3n l\u00ean \u0111\u1ebfn 9[.]2[.]18[.]538. \u0110\u01b0\u1ee3c theo d\u00f5i l\u00e0 KVE-2025-0014 v\u00e0 c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u v\u1eabn ch\u01b0a t\u00ecm th\u1ea5y b\u1ea5t k\u1ef3 b\u1eb1ng ch\u1ee9ng n\u00e0o v\u1ec1 vi\u1ec7c s\u1eed d\u1ee5ng n\u00f3 trong th\u1ef1c t\u1ebf. KVE l\u00e0 s\u1ed1 nh\u1eadn d\u1ea1ng l\u1ed7 h\u1ed5ng do KrCERT c\u1ea5p.<\/p>\n<p><strong>Ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i giai \u0111o\u1ea1n th\u1ee9 hai<\/strong><\/p>\n<p>Giai \u0111o\u1ea1n th\u1ee9 hai c\u1ee7a chi\u1ebfn d\u1ecbch c\u0169ng gi\u1edbi thi\u1ec7u c\u00e1c phi\u00ean b\u1ea3n m\u1edbi h\u01a1n c\u1ee7a c\u00e1c c\u00f4ng c\u1ee5 \u0111\u1ed9c h\u1ea1i tr\u01b0\u1edbc \u0111\u00e2y t\u1eebng xu\u1ea5t hi\u1ec7n trong c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng c\u1ee7a Lazarus.<\/p>\n<p><em><strong>SIGNBT<\/strong><\/em><\/p>\n<p>SIGNBT m\u00e0 Kaspersky ghi nh\u1eadn v\u00e0o n\u0103m 2023 l\u00e0 phi\u00ean b\u1ea3n 1.0, nh\u01b0ng trong cu\u1ed9c t\u1ea5n c\u00f4ng n\u00e0y, phi\u00ean b\u1ea3n 0.0.1 \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng \u1edf v\u1ecb tr\u00ed tr\u00ean c\u00f9ng. Ngo\u00e0i ra, c\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e3 x\u00e1c \u0111\u1ecbnh \u0111\u01b0\u1ee3c m\u1ed9t phi\u00ean b\u1ea3n m\u1edbi h\u01a1n l\u00e0 SIGNBT 1.2. Kh\u00f4ng gi\u1ed1ng nh\u01b0 c\u00e1c phi\u00ean b\u1ea3n 1.0 v\u00e0 0.0.1, phi\u00ean b\u1ea3n 1.2 c\u00f3 kh\u1ea3 n\u0103ng \u0111i\u1ec1u khi\u1ec3n t\u1eeb xa v\u00e0 t\u1eadp trung v\u00e0o vi\u1ec7c th\u1ef1c hi\u1ec7n c\u00e1c payload b\u1ed5 sung. C\u00e1c nh\u00e0 ph\u00e1t tri\u1ec3n ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i \u0111\u1eb7t t\u00ean cho phi\u00ean b\u1ea3n n\u00e0y l\u00e0\u00a0<a href=\"https:\/\/antoanthongtin.vn\/tin\/hang-tram-khoa-registry-bi-anh-huong-boi-hinh-thuc-tan-cong-com-hijacking\">Hijacking<\/a>.<\/p>\n<p>Trong giai \u0111o\u1ea1n th\u1ee9 hai c\u1ee7a chi\u1ebfn d\u1ecbch n\u00e0y, SIGNBT 0.0.1 l\u00e0 b\u1ea3n l\u00e2y nhi\u1ec5m ban \u0111\u1ea7u \u0111\u01b0\u1ee3c th\u1ef1c thi trong b\u1ed9 nh\u1edb trong SyncHost[.]exe \u0111\u1ec3 b\u1ed5 sung ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i. Trong phi\u00ean b\u1ea3n n\u00e0y, m\u00e1y ch\u1ee7 C2 \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a c\u1ee9ng m\u00e0 kh\u00f4ng tham chi\u1ebfu \u0111\u1ebfn b\u1ea5t k\u1ef3 t\u1ec7p c\u1ea5u h\u00ecnh n\u00e0o.<\/p>\n<p>\u0110\u1ed1i v\u1edbi phi\u00ean b\u1ea3n 1.2, ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i s\u1ebd thu th\u1eadp \u0111\u01b0\u1eddng d\u1eabn \u0111\u1ebfn t\u1ec7p c\u1ea5u h\u00ecnh t\u1eeb c\u00e1c t\u00e0i nguy\u00ean c\u1ee7a n\u00f3 v\u00e0 th\u00f4ng tin t\u1ec7p \u0111\u1ec3 x\u00e1c \u0111\u1ecbnh \u0111\u1ecba ch\u1ec9 m\u00e1y ch\u1ee7 C2. C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u \u0111\u00e3 c\u00f3 th\u1ec3 tr\u00edch xu\u1ea5t hai \u0111\u01b0\u1eddng d\u1eabn t\u1ec7p c\u1ea5u h\u00ecnh t\u1eeb m\u1ed7i m\u1eabu SIGNBT 1.2 \u0111\u00e3 x\u00e1c \u0111\u1ecbnh:<\/p>\n<p>&#8211; \u0110\u01b0\u1eddng d\u1eabn t\u1ec7p c\u1ea5u h\u00ecnh 1: C:\\ProgramData\\Samsung\\SamsungSettings\\settings[.]dat<\/p>\n<p>&#8211; \u0110\u01b0\u1eddng d\u1eabn t\u1ec7p c\u1ea5u h\u00ecnh 2: C:\\ProgramData\\Microsoft\\DRM\\Server\\drm[.]ver<\/p>\n<p>M\u1ed9t thay \u0111\u1ed5i kh\u00e1c trong SIGNBT 1.2 l\u00e0 s\u1ed1 l\u01b0\u1ee3ng ti\u1ec1n t\u1ed1 b\u1eaft \u0111\u1ea7u b\u1eb1ng SIGN \u0111\u01b0\u1ee3c gi\u1ea3m xu\u1ed1ng ch\u1ec9 c\u00f2n ba: SIGNBTLG, SIGNBTRC v\u00e0 SIGNBTSR. Ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i nh\u1eadn kh\u00f3a c\u00f4ng khai RSA t\u1eeb C2 v\u00e0 m\u00e3 h\u00f3a kh\u00f3a AES \u0111\u01b0\u1ee3c t\u1ea1o ng\u1eabu nhi\u00ean b\u1eb1ng kh\u00f3a c\u00f4ng khai. T\u1ea5t c\u1ea3 l\u01b0u l\u01b0\u1ee3ng \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a b\u1eb1ng kh\u00f3a AES \u0111\u00e3 t\u1ea1o.<\/p>\n<p><em><strong>COPPERHEDGE<\/strong><\/em><\/p>\n<p>COPPERHEDGE l\u00e0 m\u1ed9t ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c xu\u1ea5t hi\u1ec7n l\u1ea7n \u0111\u1ea7u v\u00e0o n\u0103m 2020. \u0110\u00e2y l\u00e0 m\u1ed9t bi\u1ebfn th\u1ec3 Manuscrypt v\u00e0 ch\u1ee7 y\u1ebfu \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng trong c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng DeathNote cluster. Kh\u00f4ng gi\u1ed1ng nh\u01b0 c\u00e1c ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i kh\u00e1c \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng trong chi\u1ebfn d\u1ecbch n\u00e0y, COPPERHEDGE kh\u00f4ng thay \u0111\u1ed5i \u0111\u00e1ng k\u1ec3, ch\u1ec9 c\u00f3 m\u1ed9t s\u1ed1 l\u1ec7nh \u0111\u01b0\u1ee3c thay \u0111\u1ed5i so v\u1edbi c\u00e1c phi\u00ean b\u1ea3n c\u0169 h\u01a1n.<\/p>\n<p>Tuy nhi\u00ean, COPPERHEDGE truy xu\u1ea5t th\u00f4ng tin c\u1ea5u h\u00ecnh nh\u01b0 \u0111\u1ecba ch\u1ec9 m\u00e1y ch\u1ee7 C2. Sau \u0111\u00f3, ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i s\u1ebd g\u1eedi l\u01b0u l\u01b0\u1ee3ng HTTP \u0111\u1ebfn C2 v\u1edbi ba ho\u1eb7c b\u1ed1n tham s\u1ed1 cho m\u1ed7i request, trong \u0111\u00f3 t\u00ean tham s\u1ed1 \u0111\u01b0\u1ee3c ch\u1ecdn ng\u1eabu nhi\u00ean trong s\u1ed1 ba t\u00ean theo b\u1ea5t k\u1ef3 th\u1ee9 t\u1ef1 n\u00e0o.<\/p>\n<p>&#8211; T\u00ean tham s\u1ed1 HTTP \u0111\u1ea7u ti\u00ean: bih, aqs, org.<\/p>\n<p>&#8211; T\u00ean tham s\u1ed1 HTTP th\u1ee9 hai: wib, rlz, uid.<\/p>\n<p>&#8211; T\u00ean tham s\u1ed1 HTTP th\u1ee9 ba: tib, hash, lang.<\/p>\n<p>&#8211; T\u00ean tham s\u1ed1 HTTP th\u1ee9 t\u01b0: ei, ie, oq.<\/p>\n<p>K\u1ebb t\u1ea5n c\u00f4ng ch\u1ee7 y\u1ebfu s\u1eed d\u1ee5ng ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i COPPERHEDGE \u0111\u1ec3 ti\u1ebfn h\u00e0nh trinh s\u00e1t n\u1ed9i b\u1ed9 trong chi\u1ebfn d\u1ecbch. C\u00f3 t\u1ed5ng c\u1ed9ng 30 l\u1ec7nh t\u1eeb 0x2003 \u0111\u1ebfn 0x2032 v\u00e0 11 m\u00e3 response t\u1eeb 0x2040 \u0111\u1ebfn 0x2050 b\u00ean trong backdoor COPPERHEDGE.<\/p>\n<p><strong>C\u01a0 S\u1ede H\u1ea0 T\u1ea6NG<\/strong><\/p>\n<p>Trong su\u1ed1t qu\u00e1 tr\u00ecnh chi\u1ebfn d\u1ecbch n\u00e0y, h\u1ea7u h\u1ebft c\u00e1c m\u00e1y ch\u1ee7 C2 \u0111\u1ec1u l\u00e0 c\u00e1c trang web h\u1ee3p ph\u00e1p nh\u01b0ng b\u1ecb x\u00e2m ph\u1ea1m t\u1ea1i H\u00e0n Qu\u1ed1c, cho th\u1ea5y th\u00eam r\u1eb1ng chi\u1ebfn d\u1ecbch t\u1eadp trung nhi\u1ec1u v\u00e0o qu\u1ed1c gia \u0110\u00f4ng \u00c1 n\u00e0y. Trong giai \u0111o\u1ea1n \u0111\u1ea7u, c\u00e1c trang web truy\u1ec1n th\u00f4ng kh\u00e1c \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng l\u00e0m m\u00e1y ch\u1ee7 C2 \u0111\u1ec3 tr\u00e1nh ph\u00e1t hi\u1ec7n c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng Watering Hole. Tuy nhi\u00ean, khi chu\u1ed7i l\u00e2y nhi\u1ec5m chuy\u1ec3n sang giai \u0111o\u1ea1n th\u1ee9 hai, c\u00e1c trang web h\u1ee3p ph\u00e1p trong nhi\u1ec1u l\u0129nh v\u1ef1c kh\u00e1c c\u0169ng b\u1ecb khai th\u00e1c.<\/p>\n<p>Kh\u00f4ng gi\u1ed1ng nh\u01b0 c\u00e1c tr\u01b0\u1eddng h\u1ee3p kh\u00e1c, m\u00e1y ch\u1ee7 C2 c\u1ee7a LPEClient \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef b\u1edfi c\u00f9ng m\u1ed9t \u0111\u1ecba ch\u1ec9 nh\u01b0 www[.]smartmanagerex[.]com, \u0111\u01b0\u1ee3c t\u1ea1o ra m\u1ed9t c\u00e1ch c\u00f3 ch\u1ee7 \u0111\u00edch \u0111\u1ec3 x\u00e2m ph\u1ea1m ban \u0111\u1ea7u. V\u00ec LPEClient \u0111\u01b0\u1ee3c nh\u00f3m Lazarus d\u1ef1a v\u00e0o r\u1ea5t nhi\u1ec1u \u0111\u1ec3 ph\u00e2n ph\u1ed1i c\u00e1c payload b\u1ed5 sung, n\u00ean c\u00f3 kh\u1ea3 n\u0103ng nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 c\u1ed1 t\u00ecnh thu\u00ea v\u00e0 c\u1ea5u h\u00ecnh m\u00e1y ch\u1ee7, ch\u1ec9 \u0111\u1ecbnh m\u1ed9t t\u00ean mi\u1ec1n d\u01b0\u1edbi s\u1ef1 ki\u1ec3m so\u00e1t c\u1ee7a ch\u00fang \u0111\u1ec3 duy tr\u00ec t\u00ednh linh ho\u1ea1t ho\u1ea1t \u0111\u1ed9ng \u0111\u1ea7y \u0111\u1ee7.<\/p>\n<p>Kaspersky x\u00e1c nh\u1eadn r\u1eb1ng t\u00ean mi\u1ec1n thek-portal[.]com thu\u1ed9c v\u1ec1 m\u1ed9t ISP c\u1ee7a H\u00e0n Qu\u1ed1c cho \u0111\u1ebfn n\u0103m 2020 v\u00e0 l\u00e0 t\u00ean mi\u1ec1n h\u1ee3p ph\u00e1p c\u1ee7a m\u1ed9t c\u00f4ng ty b\u1ea3o hi\u1ec3m \u0111\u00e3 \u0111\u01b0\u1ee3c m\u1ed9t c\u00f4ng ty kh\u00e1c mua l\u1ea1i. K\u1ec3 t\u1eeb \u0111\u00f3, t\u00ean mi\u1ec1n n\u00e0y \u0111\u01b0\u1ee3c duy tr\u00ec v\u00e0 tr\u1ea1ng th\u00e1i c\u1ee7a n\u00f3 \u0111\u00e3 thay \u0111\u1ed5i v\u00e0o th\u00e1ng 02\/2025, cho th\u1ea5y nh\u00f3m Lazarus \u0111\u00e3 \u0111\u0103ng k\u00fd l\u1ea1i t\u00ean mi\u1ec1n \u0111\u1ec3 t\u1eadn d\u1ee5ng n\u00f3 trong chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng n\u00e0y.<\/p>\n<p><strong>N\u1ea0N NH\u00c2N<\/strong><\/p>\n<p>Kaspersky \u0111\u00e3 x\u00e1c \u0111\u1ecbnh \u0111\u01b0\u1ee3c \u00edt nh\u1ea5t 6 t\u1ed5 ch\u1ee9c ph\u1ea7n m\u1ec1m, c\u00f4ng ngh\u1ec7 th\u00f4ng tin, t\u00e0i ch\u00ednh, s\u1ea3n xu\u1ea5t\u00a0<a href=\"https:\/\/antoanthongtin.vn\/tin\/nhat-ban-dau-tu-dai-han-cho-linh-vuc-chat-ban-dan\">ch\u1ea5t b\u00e1n d\u1eabn<\/a>\u00a0v\u00e0 vi\u1ec5n th\u00f4ng t\u1ea1i H\u00e0n Qu\u1ed1c l\u00e0 n\u1ea1n nh\u00e2n c\u1ee7a Chi\u1ebfn d\u1ecbch SyncHole. Tuy nhi\u00ean, h\u00e3ng b\u1ea3o m\u1eadt n\u00e0y nh\u1eadn \u0111\u1ecbnh r\u1eb1ng c\u00f3 nhi\u1ec1u t\u1ed5 ch\u1ee9c kh\u00e1c b\u1ecb \u1ea3nh h\u01b0\u1edfng trong nhi\u1ec1u ng\u00e0nh c\u00f4ng nghi\u1ec7p kh\u00e1c nhau, x\u00e9t \u0111\u1ebfn m\u1ee9c \u0111\u1ed9 ph\u1ed5 bi\u1ebfn c\u1ee7a ph\u1ea7n m\u1ec1m b\u1ecb Lazarus khai th\u00e1c trong chi\u1ebfn d\u1ecbch n\u00e0y.<\/p>\n<p><strong>K\u1ebeT LU\u1eacN<\/strong><\/p>\n<p>\u0110\u00e2y kh\u00f4ng ph\u1ea3i l\u00e0 l\u1ea7n \u0111\u1ea7u ti\u00ean nh\u00f3m tin t\u1eb7c Lazarus khai th\u00e1c t\u1ea5n c\u00f4ng chu\u1ed7i cung \u1ee9ng v\u1edbi s\u1ef1 hi\u1ec3u bi\u1ebft \u0111\u1ea7y \u0111\u1ee7 v\u1ec1 h\u1ec7 sinh th\u00e1i ph\u1ea7n m\u1ec1m t\u1ea1i H\u00e0n Qu\u1ed1c. Kaspersky \u0111\u00e3 m\u00f4 t\u1ea3 c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng t\u01b0\u01a1ng t\u1ef1 trong c\u00e1c b\u00e1o c\u00e1o ph\u00e2n t\u00edch v\u1ec1 Bookcode cluster n\u0103m 2020, DeathNote cluster n\u0103m 2022 v\u00e0 ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i SIGNBT n\u0103m 2023. T\u1ea5t c\u1ea3 c\u00e1c tr\u01b0\u1eddng h\u1ee3p n\u00e0y \u0111\u1ec1u nh\u1eafm v\u00e0o ph\u1ea7n m\u1ec1m do c\u00e1c nh\u00e0 cung c\u1ea5p H\u00e0n Qu\u1ed1c ph\u00e1t tri\u1ec3n, y\u00eau c\u1ea7u c\u00e0i \u0111\u1eb7t cho c\u00e1c d\u1ecbch v\u1ee5 ng\u00e2n h\u00e0ng tr\u1ef1c tuy\u1ebfn v\u00e0 ch\u00ednh ph\u1ee7. C\u1ea3 hai s\u1ea3n ph\u1ea9m ph\u1ea7n m\u1ec1m b\u1ecb khai th\u00e1c trong tr\u01b0\u1eddng h\u1ee3p n\u00e0y \u0111\u1ec1u ph\u00f9 h\u1ee3p v\u1edbi c\u00e1c tr\u01b0\u1eddng h\u1ee3p tr\u01b0\u1edbc \u0111\u00f3, ngh\u0129a l\u00e0 nh\u00f3m Lazarus \u0111ang li\u00ean t\u1ee5c \u00e1p d\u1ee5ng m\u1ed9t chi\u1ebfn l\u01b0\u1ee3c hi\u1ec7u qu\u1ea3 d\u1ef1a tr\u00ean c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng chu\u1ed7i cung \u1ee9ng.<\/p>\n<p>C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng chuy\u00ean bi\u1ec7t c\u1ee7a nh\u00f3m Lazarus nh\u1eafm v\u00e0o chu\u1ed7i cung \u1ee9ng t\u1ea1i H\u00e0n Qu\u1ed1c d\u1ef1 ki\u1ebfn \u200b\u200bs\u1ebd ti\u1ebfp t\u1ee5c trong t\u01b0\u01a1ng lai. Nghi\u00ean c\u1ee9u c\u1ee7a Kaspersky trong v\u00e0i n\u0103m qua \u0111\u00e3 cung c\u1ea5p b\u1eb1ng ch\u1ee9ng cho th\u1ea5y nhi\u1ec1u nh\u00e0 cung c\u1ea5p ph\u00e1t tri\u1ec3n ph\u1ea7n m\u1ec1m t\u1ea1i H\u00e0n Qu\u1ed1c \u0111\u00e3 b\u1ecb t\u1ea5n c\u00f4ng v\u00e0 n\u1ebfu m\u00e3 ngu\u1ed3n c\u1ee7a s\u1ea3n ph\u1ea9m b\u1ecb x\u00e2m ph\u1ea1m, c\u00e1c l\u1ed7 h\u1ed5ng\u00a0<a href=\"https:\/\/antoanthongtin.vn\/tin\/google-canh-bao-lo-hong-nghiem-trong-tren-chrome\">zero-day<\/a>\u00a0kh\u00e1c c\u00f3 th\u1ec3 ti\u1ebfp t\u1ee5c \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n. Nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng c\u0169ng \u0111ang n\u1ed7 l\u1ef1c gi\u1ea3m thi\u1ec3u vi\u1ec7c ph\u00e1t hi\u1ec7n b\u1eb1ng c\u00e1ch ph\u00e1t tri\u1ec3n ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i m\u1edbi ho\u1eb7c c\u1ea3i ti\u1ebfn ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i hi\u1ec7n c\u00f3. C\u1ee5 th\u1ec3, ch\u00fang \u0111\u01b0a ra c\u00e1c thay \u0111\u1ed5i giao ti\u1ebfp v\u1edbi m\u00e1y ch\u1ee7 C2, c\u1ea5u tr\u00fac l\u1ec7nh v\u00e0 c\u00e1ch ch\u00fang g\u1eedi v\u00e0 nh\u1eadn d\u1eef li\u1ec7u.<\/p>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u t\u1ea1i h\u00e3ng b\u1ea3o m\u1eadt Kasperksy \u0111\u00e3 theo d\u00f5i chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng m\u1edbi nh\u1ea5t c\u1ee7a nh\u00f3m Lazarus k\u1ec3 t\u1eeb th\u00e1ng 11\/2024, khi nh\u00f3m tin t\u1eb7c n\u00e0y nh\u1eafm v\u00e0o c\u00e1c t\u1ed5 ch\u1ee9c t\u1ea1i H\u00e0n Qu\u1ed1c b\u1eb1ng s\u1ef1 k\u1ebft h\u1ee3p gi\u1eefa t\u1ea5n c\u00f4ng Watering Hole v\u00e0 khai th\u00e1c c\u00e1c l\u1ed7 h\u1ed5ng ph\u1ea7n m\u1ec1m. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":46211,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[24,35],"tags":[],"class_list":["post-46210","post","type-post","status-publish","format-standard","has-post-thumbnail","category-tin-noi-bat","category-tin-tuc-su-kien"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/46210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/comments?post=46210"}],"version-history":[{"count":1,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/46210\/revisions"}],"predecessor-version":[{"id":46212,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/posts\/46210\/revisions\/46212"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media\/46211"}],"wp:attachment":[{"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/media?parent=46210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/categories?post=46210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/antoanthongtinhaiphong.gov.vn\/wp-json\/wp\/v2\/tags?post=46210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}