Security Advisory: Major Targeted Ransomware Attack Notification
IOCs and Pattern-File Detection

Trend Micro products with pattern file version 16.341.00 can already detect the threats listed below. We recommend using the following IOC information to survey your environment and confirm whether any related records exist; if signs of an intrusion are found, handle the suspicious hosts immediately.

Detection                           SHA1
Ransom.Win32.DOPPELPAYMER.ZTHK-A    c79b288c4d17de5bd69386c5c022800559af1478
Trojan.Win32.DRIDEX.ZTHK-A          87919bdf11bdcd0ef8c0525ad6ad33a90e9952f8
Trojan.Win32.DRIDEX.ZTHK-A          eabaee5a1af3117f6a0feecdeec70bfd4b26fbb2
Backdoor.Win64.COBEACON.SMYXAK-A    D17E8A9A92CEC57A11750FCD4F592D810D9DFB8C
Backdoor.Win64.COBEACON.SMYXAK-A    FB6D8F187D579CF9D75979F66D7ADADC27594B7C
Backdoor.Win64.COBEACON.SMYXAK-A    C252E31043495A6C718EA83FFBBAE689F467AC8A
Backdoor.Win64.COBEACON.SMYXAK-A    7E97498B2B8E62C84FE05AD2C80B2B929228C285
Backdoor.Win64.COBEACON.SMYXAK-A    4F7E50F5744B9EE999BB11B42D2ECC0931466AE2

 
  • C&C server list:

IP / Domain              Country
145.249.106.102          NL
145.249.106.99           NL
limitedhangout.wtf       N/A
www.limitedhangout.wtf   N/A
162[.]243[.]152[.]164    US
79[.]143[.]181[.]30      DE
77[.]220[.]64[.]36       IT
217[.]79[.]184[.]243     DE
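
As an added example (not part of the advisory or any Trend Micro tooling), a small Python sweep that applies the IOCs above the way the advisory recommends: it hashes files under a directory against the listed SHA-1s and checks log lines for the listed C&C hosts, refanging the "[.]" entries so both defanged and live forms are matched. The sample log lines are constructed for the demonstration.

```python
import hashlib
import re
from pathlib import Path
# SHA-1 file hashes and detection names listed in this advisory, lowercased for lookup.
IOC_SHA1 = {
    "c79b288c4d17de5bd69386c5c022800559af1478": "Ransom.Win32.DOPPELPAYMER.ZTHK-A",
    "87919bdf11bdcd0ef8c0525ad6ad33a90e9952f8": "Trojan.Win32.DRIDEX.ZTHK-A",
    "eabaee5a1af3117f6a0feecdeec70bfd4b26fbb2": "Trojan.Win32.DRIDEX.ZTHK-A",
    "d17e8a9a92cec57a11750fcd4f592d810d9dfb8c": "Backdoor.Win64.COBEACON.SMYXAK-A",
    "fb6d8f187d579cf9d75979f66d7adadc27594b7c": "Backdoor.Win64.COBEACON.SMYXAK-A",
    "c252e31043495a6c718ea83ffbbae689f467ac8a": "Backdoor.Win64.COBEACON.SMYXAK-A",
    "7e97498b2b8e62c84fe05ad2c80b2b929228c285": "Backdoor.Win64.COBEACON.SMYXAK-A",
    "4f7e50f5744b9ee999bb11b42d2ecc0931466ae2": "Backdoor.Win64.COBEACON.SMYXAK-A",
}
# C&C indicators exactly as published in the advisory (some are defanged with "[.]").
IOC_NETWORK = [
    "145.249.106.102", "145.249.106.99", "limitedhangout.wtf", "www.limitedhangout.wtf",
    "162[.]243[.]152[.]164", "79[.]143[.]181[.]30", "77[.]220[.]64[.]36", "217[.]79[.]184[.]243",
]

def refang(ioc):
    """Turn a defanged indicator such as "1[.]2[.]3[.]4" back into its matchable form."""
    return ioc.strip().lower().replace("[.]", ".")

# Anchored so "145.249.106.99" cannot match inside "145.249.106.999" or a longer host name.
_NET_PATTERNS = [(re.compile(r"(?<![\w.-])" + re.escape(refang(i)) + r"(?![\w.-])"), i)
                 for i in IOC_NETWORK]

def match_hashes(sha1_by_path):
    """Map {path: sha1_hex} to [(path, detection_name)] for every hash on the IOC list."""
    return [(p, IOC_SHA1[h.lower()]) for p, h in sha1_by_path.items() if h.lower() in IOC_SHA1]

def scan_files(root):
    """Hash every regular file under root and report those matching the advisory's SHA-1s."""
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    return match_hashes({str(p): hashlib.sha1(p.read_bytes()).hexdigest() for p in files})

def scan_log_lines(lines):
    """Return (line_number, indicator) for every log line that references a listed C&C host."""
    return [(n, ioc) for n, line in enumerate(lines, 1)
            for pat, ioc in _NET_PATTERNS if pat.search(line.lower())]

# Constructed sample proxy/DNS log lines (not from the advisory) to exercise the matcher.
SAMPLE_LOG = [
    "2020-10-01T10:00:00Z CONNECT 145.249.106.102:443 user=alice",
    "2020-10-01T10:00:05Z DNS query www.limitedhangout.wtf A",
    "2020-10-01T10:00:09Z CONNECT 145.249.106.999:443 user=bob",
    "2020-10-01T10:01:00Z CONNECT 217.79.184.243:8080 user=carol",
]
```

A hash hit identifies the sample by its detection name; a log hit gives the line number and the indicator as published, so the result can be pasted straight into an incident ticket.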

 
  • Patch CVE-2020-1472 (the Zerologon vulnerability) immediately, and use Trend Micro products to strengthen detection and protection. The related detection rules are as follows:

Product                   Rule ID   Rule Name
Deep Discovery Inspector  4453      CVE-2020-1472 - Zerologon Privilege Escalation - DCERPC (Request)
                          4455      CVE-2020-1472 - Zerologon Privilege Escalation - SMB2 (Request)
                          4459      CVE-2020-1472 - Zerologon Privilege Escalation - SMB (Request)
Deep Security             1010519   Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
                          1010521   Netlogon Elevation of Privilege Vulnerability Over SMB (CVE-2020-1472)
                          1010539   Identified NTLM Brute Force Attempt (ZeroLogon) (CVE-2020-1472)
TippingPoint              38166     MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt
                          38235     MS-NRPC: Microsoft Windows NetrServerAuthenticate Request

 

For remediation of CVE-2020-1472, refer to Microsoft's guidance: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Keywords
Ransomware