Fake Telegram distributes multi-stage malware that runs directly in RAM

Published 2026-03-20 (updated 2026-03-31), https://antoanthongtinhaiphong.gov.vn/telegram-gia-mao-phat-tan-ma-doc-nhieu-tang-chay-truc-tiep-trong-ram/

Although the website and the installer look identical to the real software, behind them lies a sophisticated attack scenario capable of getting past every layer of Windows security to lurk in the computer's memory. It shows that even a small lapse by a user can create a serious risk.

Researchers at K7 Security Labs recently issued an urgent warning about a campaign targeting Telegram users through typosquatting, that is, look-alike domain names. Mistyping a single letter in the address is enough for a user to download malware without realising it.

A small slip, a long fall: the trap set by complacency

To launch the campaign, the attackers painstakingly built a convincing fake "ecosystem". They registered a series of domains that look almost the same as Telegram's official address, such as telegrgam[.]com and telefgram[.]com.

[Figure: Infection chain of the malware (according to K7 Security Labs)]

A single missed keystroke, or a click on a sponsored search result, lands the user on a polished, professional-looking site indistinguishable from the real thing. There, a download button offers a file named tsetup-x64.6.exe. With the correct icon and a smooth installation process, the malware easily passes the trust test of even experienced users, who believe they now own the world's leading secure messaging app, unaware that the reaper has already knocked at the door.

The "invisible intruder" and its sophisticated chain of actions

What makes this malware especially dangerous is not its appearance but the way it infiltrates and takes control of the system. Rather than exploiting a vulnerability directly, it performs a multi-stage chain of actions designed to disable protections before executing the final payload.

First, it runs an obfuscated PowerShell command that temporarily disables Windows Defender by excluding the entire drive from real-time scanning. This amounts to switching off the system's active line of defence, allowing the subsequent steps to proceed undetected.

[Figure: Bypassing the Defender protection layer (Source: K7 Security Labs)]

Next, the malware reconstructs and executes the payload directly in RAM using reflective loading. Instead of writing an executable to disk, encoded binary data stored in an intermediate file (for example GPUCache.xml) is read, decoded and rebuilt into a complete Portable Executable (PE) in memory. The payload runs entirely in RAM, attached to a legitimate Windows process such as rundll32.exe, so it leaves no file on the hard drive and is almost impossible for file-based scanners to detect.

Through this mechanism, the malware hides inside a legitimate process while maintaining control of the system and receiving commands from its C2 server without the user's knowledge.

The computer becomes a "relay station" for the attackers

Once deeply rooted in the system, the malware opens a backdoor connecting to a command-and-control (C2) server at 27[.]50[.]59[.]77. From there, the attackers have full control of the computer, including stealing passwords, monitoring messages and even turning the device into part of a larger attack network.

To mislead the user, the installer also deploys a genuine copy of Telegram at the same time. The victim therefore keeps using the app normally without noticing that the malware is already running on the system.

How to protect yourself

Given the campaign's sophistication, experts advise users to combine several preventive measures. First, check the URL carefully before downloading any file, make sure the address is telegram.org, and be wary of sponsored results on Google.

It is also essential to be alert to unusual requests: if an installer demands elevated administrator rights or opens unexpected command windows, stop immediately. In addition, installing trusted security software helps detect and block dangerous behaviour before it causes harm.

Overall, attackers are becoming ever more sophisticated, but their most powerful weapon remains the user's lack of attention. Staying alert and checking carefully before clicking "Download" is therefore the simplest and most effective protective step.

Source: Cyber Security News