詮睿科技

Talent-Jump Technologies, Inc

Technical Blog

Recent Articles

New Variant of XLoader Targets Japanese Telcos And Banks For Phishing


In mid-March 2020 we obtained a sample of a new XLoader variant via the link http://wrssa[.]xyz, distributed in a scam SMS message. This version of XLoader uses Blogspot and Pinterest pages to deliver its C&C address and phishing sites.

New XLoader Variant Targets Japanese Telcos and Banks for Phishing


In mid-March we obtained a sample of a new XLoader variant via the link http://wrssa[.]xyz in a scam SMS message. This new variant uses Blogspot and Pinterest to hide its C&C address and phishing sites.

CLAMBLING - A New Backdoor Based On Dropbox (EN)


In July 2019, one of our customers suffered an APT attack and we started investigating immediately. During the investigation we found a brand-new backdoor sample that implements many of its features through the Dropbox API, using Dropbox as its C&C server. After reverse engineering it, we extracted the Dropbox token the sample uses, dug into the corresponding Dropbox folder, and mapped out the backdoor's complete functional structure.

CLAMBLING - A New Backdoor Based On Dropbox


In July 2019, we found that one of our customers was suspected of being under an APT attack and immediately began investigating. During the investigation we discovered a brand-new backdoor sample; what makes it special is that the attackers used the Dropbox API to implement a backdoor with multiple functions and built the C&C server entirely on Dropbox. Through malware analysis we obtained the Dropbox API token used by the sample and were able to explore in depth how the whole architecture operates.