{"id":107817,"date":"2020-06-30T22:19:24","date_gmt":"2020-07-01T05:19:24","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=107817"},"modified":"2020-06-30T22:19:24","modified_gmt":"2020-07-01T05:19:24","slug":"lucifer-new-cryptojacking-and-ddos-hybrid-malware","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/lucifer-new-cryptojacking-and-ddos-hybrid-malware\/","title":{"rendered":"Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices"},"content":{"rendered":"<h2>Executive Summary<\/h2>\n<p>On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware among the numerous incidents of <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-9081\">CVE-2019-9081<\/a> exploitation in the wild. Closer analysis revealed that this malware, which we named \"Lucifer\", is capable of conducting DDoS attacks and is armed with all kinds of exploits against vulnerable Windows hosts. The first wave of the campaign stopped on June 10, 2020. The attacker then resumed the campaign on June 11, 2020, spreading an upgraded version of Lucifer and wreaking havoc. The sample was compiled on June 11, 2020 at 10:39:47 PM UTC and was captured by Palo Alto Networks Next-Generation Firewall. At the time of writing, this campaign is still ongoing.<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span> has very powerful capabilities. Not only does it install XMRig to cryptojack Monero, it also has the ability to operate command &amp; control (C2) and to self-propagate through the exploitation of multiple vulnerabilities and credential brute-forcing. Furthermore, to infect the intranet, it installs and runs the EternalBlue, EternalRomance and DoublePulsar backdoor against vulnerable targets.<\/p>\n<p>The exhaustive list of weaponized exploits includes <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2014-6287\">CVE-2014-6287<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-1000861\">CVE-2018-1000861<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-10271\">CVE-2017-10271<\/a>, the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-20062\">ThinkPHP RCE vulnerability (CVE-2018-20062)<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-7600\">CVE-2018-7600<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-9791\">CVE-2017-9791<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-9081\">CVE-2019-9081<\/a>, <a href=\"https:\/\/www.exploit-db.com\/exploits\/48192\">PHPStudy Backdoor RCE<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-0144\">CVE-2017-0144<\/a>, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-0145\">CVE-2017-0145<\/a> and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-8464\">CVE-2017-8464<\/a>. These vulnerabilities are rated either \"high\" or \"critical\" because of their ease of exploitation and the enormous impact they have on victims. An attacker who exploits these vulnerabilities can execute arbitrary commands on the vulnerable device. In this case, the targets are Windows hosts on both the intranet and the internet, since the attacker uses <span style=\"font-family: 'courier new', courier, monospace;\">certutil<\/span> in the payload to propagate the malware. Fortunately, patches for these vulnerabilities are readily available.<\/p>\n<p>While there is nothing original about the vulnerabilities Lucifer exploits or the attack tactics it uses, this malware once again reminds every organization of how important it is to keep systems up to date whenever possible, to eliminate weak credentials, and to have a layer of defenses for assurance.<\/p>\n<p>At the time of writing, the XMR wallet has paid out <strong>0.493527<\/strong> XMR (approximately 32 US dollars, or roughly 3,400 Japanese yen).<\/p>\n<p>Palo Alto Networks Next-Generation Firewall can detect and block all of the exploit attempts made by this malware family.<\/p>\n<p>In this post, we analyze <span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span> in detail and compare version 1 with version 2.<\/p>\n<h4>Lucifer: Cryptojacking and DDoS Campaign<\/h4>\n<p>First, a word about the malware's name: its author named it Satan DDoS, but since a separate, equally shady piece of malware called <span style=\"font-family: 'courier new', courier, monospace;\">Satan Ransomware<\/span> already existed, we gave it a different name to avoid confusion. We chose a name in keeping with the unique strings found in the binary, which is how it ended up being called <span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span>.<\/p>\n<p>During our investigation, we identified two versions of <span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span>. We first describe version 1 here, and in the next section describe the changes made in version 2.<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span> has three resource sections, each of which contains a binary with a specific purpose. The <span style=\"font-family: 'courier new', courier, monospace;\">X86<\/span> resource section contains a UPX-packed x86 version of <span style=\"font-family: 'courier new', courier, monospace;\">XMRig 5.5.0<\/span>. The <span style=\"font-family: 'courier new', courier, monospace;\">X64<\/span> resource section contains a UPX-packed x64 version of <span style=\"font-family: 'courier new', courier, monospace;\">XMRig<\/span> <span style=\"font-family: 'courier new', courier, monospace;\">5.5.0<\/span>. The binary stored in the <span style=\"font-family: 'courier new', courier, monospace;\">SMB<\/span> section contains a large number of <span style=\"font-family: 'courier new', courier, monospace;\">Equation Group<\/span> exploits, including <span style=\"font-family: 'courier new', courier, monospace;\">EternalBlue<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">EternalRomance<\/span>, and, of course, the notorious DoublePulsar backdoor implant.<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">X86: 8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">X64: Ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">SMB: 5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994<\/span><\/p>\n<p>When Lucifer starts executing, it first decrypts the C2 IP address using XOR-based encryption, and then creates a mutex named after the C2 IP address.<\/p>\n<p>The decrypted C2 IP address is <span style=\"font-family: 'courier new', courier, monospace;\">122[.]112[.]179[.]189<\/span>.<\/p>\n<p>The name of the mutex object is <span style=\"font-family: 'courier new', courier, monospace;\">\\Sessions\\1\\BaseNamedObjects\\122[.]112[.]179[.]189<\/span>.<\/p>\n<p>The pseudocode of the decryption algorithm is shown in the figure below.<\/p>\n<figure id=\"attachment_107771\" aria-describedby=\"caption-attachment-107771\" style=\"width: 478px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2020\/06\/Figure-1.-Decryption-routine-1.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"size-full wp-image-107771 lozad\"  data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2020\/06\/Figure-1.-Decryption-routine-1.jpg\" alt=\"Figure 1. Decryption routine\" width=\"478\" height=\"294\" \/><\/a><figcaption id=\"caption-attachment-107771\" class=\"wp-caption-text\">Figure 1. Decryption routine<\/figcaption><\/figure>\n<p>Lucifer then persists itself by setting the following registry key values.<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%<\/span><\/p>\n<p>It also adds a layer of persistence by using <span style=\"font-family: 'courier new', courier, monospace;\">schtasks<\/span> to set itself up as a task that runs periodically. The command executed is shown in Figure 2.<\/p>\n<figure id=\"attachment_107773\" aria-describedby=\"caption-attachment-107773\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-2.-Execution-of-schtasks.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107773 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-2.-Execution-of-schtasks.jpg\" alt=\"Figure 2. Execution of schtasks\" width=\"600\" height=\"60\" \/><\/a><figcaption id=\"caption-attachment-107773\" class=\"wp-caption-text\">Figure 2. Execution of schtasks<\/figcaption><\/figure>\n<p>Once it has persisted itself, Lucifer next checks whether stratum cryptominer information is stored in the following registry key value.<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr - %stratum info%<\/span><\/p>\n<p>The miner information stored in this registry key value takes precedence if the data exists and is valid. Otherwise, the default data embedded in the binary is used.<\/p>\n<p>Lucifer enables its own debug privilege and launches multiple threads to run its operations concurrently. The table below summarizes the function of each thread.<\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 17.8409%;\"><strong>Function address<\/strong><\/td>\n<td style=\"width: 81.4773%;\"><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 17.8409%;\">0x0041C970<\/td>\n<td style=\"width: 81.4773%;\">Clears event logs, deletes log files, terminates miner processes, and repeats the cleaning routine at an interval of <span style=\"font-family: 'courier new', courier, monospace;\">18000<\/span> seconds.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 17.8409%;\">0x00414B60<\/td>\n<td style=\"width: 81.4773%;\">Collects interface information and sends the miner status to the C2 server.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 17.8409%;\">0x00419BC0<\/td>\n<td style=\"width: 81.4773%;\">Checks the remote address and remote port of every TCP connection. If there is a match, and the process owning the connection is not Lucifer itself and its module path is not <span style=\"font-family: 'courier new', courier, monospace;\">C:\\ProgramData\\spreadXfghij.exe<\/span>, Lucifer kills that process and deletes its file. The whitelist of ports and IP addresses is provided in the appendix.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 17.8409%;\">0x0041A780<\/td>\n<td style=\"width: 81.4773%;\">Gets or initializes the miner parameters, kills the miner and, if necessary, the Task Manager process, installs the miner binary, and runs the miner binary with an argument derived from the host's memory usage. Both the <span style=\"font-family: 'courier new', courier, monospace;\">x86<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">x64<\/span>-bit versions of the miner are saved as <span style=\"font-family: 'courier new', courier, monospace;\">C:\\\\ProgramData\\\\spreadXfghij.exe<\/span>.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 17.8409%;\">0x00418DC0<\/td>\n<td style=\"width: 81.4773%;\">Propagates via credential brute-forcing and exploits. It also installs and launches the <span style=\"font-family: 'courier new', courier, monospace;\">Equation Group<\/span> exploits, propagating by exploiting SMB vulnerabilities that have been in use for years.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 17.8409%;\">0x0041C840<\/td>\n<td style=\"width: 81.4773%;\">Copies and saves Lucifer as <span style=\"font-family: 'courier new', courier, monospace;\">C:\\\\ProgramData\\\\spread.txt<\/span>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 10pt;\"><em>Table 1. Description of worker threads<\/em><\/span><\/p>\n<p>Lucifer employs a variety of propagation strategies.<\/p>\n<p>Both internally and externally, it scans whether the target's TCP ports <span style=\"font-family: 'courier new', courier, monospace;\">135<\/span> (RPC) and <span style=\"font-family: 'courier new', courier, monospace;\">1433 (MSSQL)<\/span> are open and thoroughly probes for weak credentials in order to gain unauthorized access.<\/p>\n<p>If the target's <span style=\"font-family: 'courier new', courier, monospace;\">RPC<\/span> port is open, it performs a login brute-force attack using the default username <span style=\"font-family: 'courier new', courier, monospace;\">administrator<\/span> and an embedded password list. On successful authentication, it copies the malware binary to the remote host and executes it.<\/p>\n<p>If it detects that the target's TCP port <span style=\"font-family: 'courier new', courier, monospace;\">1433<\/span> is open, it attempts a brute-force attack using an embedded list of usernames and passwords. If the login succeeds, it issues shell commands to download a replica of Lucifer onto the victim machine and execute it. The aforementioned list of usernames and passwords is provided in the appendix.<\/p>\n<p>In addition to credential brute-forcing, Lucifer self-propagates through exploits. When infecting on the intranet, if the target's TCP port <span style=\"font-family: 'courier new', courier, monospace;\">445 (SMB)<\/span> is open, it installs and runs the <span style=\"font-family: 'courier new', courier, monospace;\">EternalBlue<\/span>, <span style=\"font-family: 'courier new', courier, monospace;\">EternalRomance<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">DoublePulsar<\/span> backdoor on the target. Once the exploit succeeds, it propagates Lucifer using <span style=\"font-family: 'courier new', courier, monospace;\">certutil<\/span>.<\/p>\n<p>The figures below show the parameters passed to launch the exploits and the backdoor implant.<\/p>\n<figure id=\"attachment_107775\" aria-describedby=\"caption-attachment-107775\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-3.-EternalBlue-and-DoublePulsar-combo-for-non-XP-targets.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107775 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-3.-EternalBlue-and-DoublePulsar-combo-for-non-XP-targets.jpg\" alt=\"Figure 3. EternalBlue and DoublePulsar combo (for non-XP targets)\" width=\"600\" height=\"79\" \/><\/a><figcaption id=\"caption-attachment-107775\" class=\"wp-caption-text\">Figure 3. EternalBlue and DoublePulsar combo (for non-XP targets)<\/figcaption><\/figure>\n<figure id=\"attachment_107777\" aria-describedby=\"caption-attachment-107777\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-4.-EternalBlue-and-DoublePulsar-combo-for-XP-targets.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107777 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-4.-EternalBlue-and-DoublePulsar-combo-for-XP-targets.jpg\" alt=\"Figure 4. EternalBlue and DoublePulsar combo (for XP targets)\" width=\"600\" height=\"64\" \/><\/a><figcaption id=\"caption-attachment-107777\" class=\"wp-caption-text\">Figure 4. EternalBlue and DoublePulsar combo (for XP targets)<\/figcaption><\/figure>\n<figure id=\"attachment_107779\" aria-describedby=\"caption-attachment-107779\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-5.-EternalRomance-and-DoublePulsar-combo-all-targets.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107779 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-5.-EternalRomance-and-DoublePulsar-combo-all-targets.jpg\" alt=\"Figure 5. EternalRomance and DoublePulsar combo (all targets)\" width=\"600\" height=\"82\" \/><\/a><figcaption id=\"caption-attachment-107779\" class=\"wp-caption-text\">Figure 5. EternalRomance and DoublePulsar combo (all targets)<\/figcaption><\/figure>\n<p>To infect external hosts, Lucifer first generates a non-private IP address and then probes the randomly chosen victim machine in detail by sending HTTP requests to numerous ports. The list of ports is provided in the appendix. If it receives a valid HTTP response from the victim machine, it attempts to exploit the target based on the conditions shown in the table below.<\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td><strong>Condition<\/strong><\/td>\n<td><strong>Exploit<\/strong><\/td>\n<\/tr>\n<tr>\n<td>HFS found in HTTP response<\/td>\n<td>CVE-2014-6287<\/td>\n<\/tr>\n<tr>\n<td>Jetty found in HTTP response<\/td>\n<td>CVE-2018-1000861<\/td>\n<\/tr>\n<tr>\n<td>Servlet found in HTTP response<\/td>\n<td>CVE-2017-10271<\/td>\n<\/tr>\n<tr>\n<td>No keyword found in HTTP response<\/td>\n<td><p>ThinkPHP remote code execution (RCE) vulnerability<\/p>\n<p>CVE-2018-7600<\/p>\n<p>CVE-2017-9791<\/p>\n<p>CVE-2019-9081<\/p>\n<p>PHPStudy backdoor remote code execution (RCE)<\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 10pt;\"><em>Table 2. Exploit conditions and CVEs<\/em><\/span><\/p>\n<p>Since the same vulnerability (e.g. ThinkPHP RCE) may be triggered at different endpoints (different URLs), Lucifer tries every URL hardcoded for each vulnerability against the victim machine before moving on to the next target or the next exploit.<\/p>\n<p>Every exploit carries a payload that uses <span style=\"font-family: 'courier new', courier, monospace;\">certutil<\/span> to download a replica of Lucifer onto the victim machine. The figures below show examples of the attack traffic.<\/p>\n<figure style=\"width: 600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-6.-CVE-2019-9081-traffic.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107710 aligncenter lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-6.-CVE-2019-9081-traffic.jpg\" alt=\"\" width=\"600\" height=\"147\" \/><\/a><figcaption class=\"wp-caption-text\">Figure 6. CVE-2019-9081 traffic<\/figcaption><\/figure>\n<figure style=\"width: 600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-7.-ThinkPHP-RCE-traffic.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107712 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-7.-ThinkPHP-RCE-traffic.jpg\" alt=\"\" width=\"600\" height=\"123\" \/><\/a><figcaption class=\"wp-caption-text\">Figure 7. ThinkPHP RCE traffic<\/figcaption><\/figure>\n<p>After starting all of its worker threads, Lucifer enters an infinite loop in which it repeatedly handles C2 operations and then sleeps for 5 seconds.<\/p>\n<p>Figure 8 shows an example of the initial request to the C2 server.<\/p>\n<figure style=\"width: 615px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2020\/06\/word-image-29-1.png\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107714 size-full lozad\"  data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2020\/06\/word-image-29-1.png\" alt=\"\" width=\"615\" height=\"226\" \/><\/a><figcaption class=\"wp-caption-text\">Figure 8. Initial request to the C2 server<\/figcaption><\/figure>\n<p>After establishing a TCP connection with the C2 server on port <span style=\"font-family: 'courier new', courier, monospace;\">15888<\/span>, Lucifer saves the socket so that it can be used for subsequent C2 control and miner status reporting.<\/p>\n<p>The initial request to the C2 contains the magic header <span style=\"font-family: 'courier new', courier, 
monospace;\">\\x04\\x02\\x02<\/span>\u3001\u304a\u3088\u3073\u30db\u30b9\u30c8IP\u30a2\u30c9\u30ec\u30b9\u3001\u30b7\u30b9\u30c6\u30e0\u30bf\u30a4\u30d7\u3001\u30b7\u30b9\u30c6\u30e0\u30a2\u30fc\u30ad\u30c6\u30af\u30c1\u30e3\u3001\u30e6\u30fc\u30b6\u30fc\u540d\u3001\u30d7\u30ed\u30bb\u30c3\u30b5\u6570\u3001\u30d7\u30ed\u30bb\u30c3\u30b5\u5468\u6ce2\u6570\u306a\u3069\u306e\u6697\u53f7\u5316\u3055\u308c\u305f\u30b7\u30b9\u30c6\u30e0\u60c5\u5831\u304c\u683c\u7d0d\u3055\u308c\u3066\u3044\u307e\u3059\u3002Lucifer\u306f\u3001\u3053\u308c\u3089\u306e\u60c5\u5831\u3092XOR\u6e1b\u7b97\u3067\u6697\u53f7\u5316\u3057\u3066\u304b\u3089\u3001\u6697\u53f7\u5316\u3057\u305f\u30c7\u30fc\u30bf\u3092\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u7d4c\u7531\u3067\u9001\u4fe1\u3057\u307e\u3059\u3002\u6697\u53f7\u5316\u3055\u308c\u305f\u30c7\u30fc\u30bf\u306f\u3001\u56f31\u3067\u8aac\u660e\u3057\u305f\u5fa9\u53f7\u30eb\u30fc\u30c1\u30f3\u3092\u4f7f\u7528\u3057\u3066\u5fa9\u53f7\u3067\u304d\u307e\u3059\u3002\u305f\u3068\u3048\u3070\u3001\u56f38\u306e\u30db\u30b9\u30c8IP\u30a2\u30c9\u30ec\u30b9\u3092\u5fa9\u53f7\u3059\u308b\u3068\u3001<span style=\"font-family: 'courier new', courier, monospace;\">192.168.56[.]52<\/span>\u306b\u306a\u308a\u307e\u3059\u3002\u5fa9\u53f7\u3055\u308c\u305fWindows\u30b7\u30b9\u30c6\u30e0\u306f<span style=\"font-family: 'courier new', courier, monospace;\">Windows 7 64Bit<\/span>\u3067\u3042\u308a\u3001\u5fa9\u53f7\u3055\u308c\u305f\u30e6\u30fc\u30b6\u30fc\u540d\u306f<span style=\"font-family: 'courier new', courier, monospace;\">Lebron James<\/span>\u3067\u3059\u3002<\/p>\n<p>\u6700\u521d\u306eC2\u8981\u6c42\u30e1\u30c3\u30bb\u30fc\u30b8\u3068\u9055\u3063\u3066\u3001\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30b9\u30c6\u30fc\u30bf\u30b9 \u30ec\u30dd\u30fc\u30c8 
\u30e1\u30c3\u30bb\u30fc\u30b8\u306e\u6b8b\u308a\u306e\u90e8\u5206\u306f\u3001\u5b9f\u969b\u306b\u306f\u30af\u30ea\u30a2\u30c6\u30ad\u30b9\u30c8\u3067\u3059\u3002\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30b9\u30c6\u30fc\u30bf\u30b9\u30ec\u30dd\u30fc\u30c8\u306e\u30d1\u30b1\u30c3\u30c8\u306e\u4f8b\u3092\u3001\u4ee5\u4e0b\u306e\u56f39\u306b\u793a\u3057\u307e\u3059\u3002<\/p>\n<figure style=\"width: 601px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2020\/06\/Figure-9.-Miner\u2019s-status-report-sent-to-C2-Server.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107716 size-full lozad\"  data-src=\"https:\/\/unit42-preview.paloaltonetworks.com\/wp-content\/uploads\/2020\/06\/Figure-9.-Miner\u2019s-status-report-sent-to-C2-Server.jpg\" alt=\"\" width=\"601\" height=\"67\" \/><\/a><figcaption class=\"wp-caption-text\">\u56f39.C2\u30b5\u30fc\u30d0\u30fc\u306b\u9001\u4fe1\u3055\u308c\u308b\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30b9\u30c6\u30fc\u30bf\u30b9\u30ec\u30dd\u30fc\u30c8<\/figcaption><\/figure>\n<p>\u88683\u306b\u3001C2\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u53d7\u4fe1\u3059\u308b\u5236\u5fa1\u30b3\u30fc\u30c9\u3068\u5bfe\u5fdc\u3059\u308b\u6a5f\u80fd\u3092\u8981\u7d04\u3057\u3066\u793a\u3057\u307e\u3059\u3002<\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td style=\"width: 20.2161%;\"><strong>C2\u30b3\u30de\u30f3\u30c9<\/strong><\/td>\n<td style=\"width: 79.0123%;\"><strong>\u8aac\u660e<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">4<\/td>\n<td style=\"width: 79.0123%;\">TCP\/UDP\/HTTP DoS\u653b\u6483\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">5<\/td>\n<td style=\"width: 79.0123%;\">DoS\u653b\u6483\u3092\u518d\u6709\u52b9\u5316\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">6<\/td>\n<td style=\"width: 
79.0123%;\">C2\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u30d5\u30a1\u30a4\u30eb\u3092\u30c0\u30a6\u30f3\u30ed\u30fc\u30c9\u3057\u3066\u5b9f\u884c\u3057\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb\u306f<span style=\"font-family: 'courier new', courier, monospace;\">%TEMP%\\&lt;\u30e9\u30f3\u30c0\u30e0\u306a4\u6587\u5b57\u306e\u5c0f\u6587\u5b57&gt;.exe<\/span>\u3068\u3044\u3046\u540d\u524d\u3092\u4ed8\u3051\u3066\u4fdd\u5b58\u3055\u308c\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">7<\/td>\n<td style=\"width: 79.0123%;\">C2\u30b5\u30fc\u30d0\u30fc\u304b\u3089\u53d7\u4fe1\u3057\u305f\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">8<\/td>\n<td style=\"width: 79.0123%;\">\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30b9\u30c6\u30fc\u30bf\u30b9\u30ec\u30dd\u30fc\u30c8\u6a5f\u80fd\u3092\u7121\u52b9\u5316\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">9<\/td>\n<td style=\"width: 79.0123%;\">\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u30b9\u30c6\u30fc\u30bf\u30b9\u30ec\u30dd\u30fc\u30c8\u6a5f\u80fd\u3092\u6709\u52b9\u5316\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">10<\/td>\n<td style=\"width: 79.0123%;\">\u30ec\u30b8\u30b9\u30c8\u30ea\u30ad\u30fc\u5024<span style=\"font-family: 'courier new', courier, monospace;\">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr<\/span>\u306e\u30c7\u30fc\u30bf\u3092\u8a2d\u5b9a\u3057\u3001\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u30d7\u30ed\u30bb\u30b9\u3092\u7d42\u4e86\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">11<\/td>\n<td style=\"width: 79.0123%;\"><span style=\"font-family: 'courier new', courier, 
monospace;\">is_miner_killed\u3068start_fresh<\/span>\u306b\u95a2\u9023\u3059\u308b\u30d5\u30e9\u30b0\u3092\u4e21\u65b9\u3068\u3082\u6709\u52b9\u5316\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 20.2161%;\">12<\/td>\n<td style=\"width: 79.0123%;\">\u30d5\u30e9\u30b0\u3092\u30ea\u30bb\u30c3\u30c8\u3057\u3066\u3001\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u30d7\u30ed\u30bb\u30b9\u3092\u7d42\u4e86\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 10pt;\"><em>\u88683.C2\u306e\u8aac\u660e<\/em><\/span><\/p>\n<p>\u30af\u30ea\u30d7\u30c8\u30b8\u30e3\u30c3\u30ad\u30f3\u30b0\u30dc\u30c3\u30c8\u3068\u305d\u306e\u30de\u30a4\u30cb\u30f3\u30b0\u30b5\u30fc\u30d0\u30fc\u306e\u9593\u306e\u901a\u4fe1\u306f\u3001\u30dd\u30fc\u30c8<span style=\"font-family: 'courier new', courier, monospace;\">10001<\/span>\u3067Stratum\u30d7\u30ed\u30c8\u30b3\u30eb\u306b\u3088\u3063\u3066\u884c\u308f\u308c\u3001<span style=\"font-family: 'courier new', courier, monospace;\">spreadXfghij.exe<\/span>\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u5b9f\u884c\u3059\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u5236\u5fa1\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30d7\u30ed\u30b0\u30e9\u30e0\u306f\u3001\u30e6\u30fc\u30b6\u30fc\u540d\u3001\u30d1\u30b9\u30ef\u30fc\u30c9\u3001CPU\u4f7f\u7528\u7387\u3001\u512a\u5148\u5ea6\u3001\u30b9\u30ec\u30c3\u30c9\u3001<a href=\"https:\/\/github.com\/xmrig\/xmrig\/blob\/master\/doc\/ALGORITHMS.md\">\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u540d<\/a>\u306a\u3069\u3001\u5b9f\u884c\u4e2d\u306e\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u69cb\u6210\u8a2d\u5b9a\u3092\u5236\u5fa1\u3059\u308b\u3055\u307e\u3056\u307e\u306a\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u53d7\u3051\u53d6\u308a\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_107781\" aria-describedby=\"caption-attachment-107781\" style=\"width: 600px\" class=\"wp-caption aligncenter\"><a 
href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-10.-XMRig-Command-Line-parameters.jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107781 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-10.-XMRig-Command-Line-parameters.jpg\" alt=\"Figure 10. XMRig command-line parameters\" width=\"600\" height=\"51\" \/><\/a><figcaption id=\"caption-attachment-107781\" class=\"wp-caption-text\">Figure 10. XMRig command-line parameters<\/figcaption><\/figure>\n<p>The Stratum protocol is used primarily by mining software to connect to a central server, which coordinates the workload among its clients. The protocol meets the requirements of the JSON-RPC 2.0 specification. Figure 11 shows a JSON-RPC request and response.<\/p>\n<figure style=\"width: 600px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-11.-Lucifer-bot-exchanging-the-mining-information..jpg\" rel=\"wpdevart_lightbox\"><img  class=\"wp-image-107718 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/\/2020\/06\/Figure-11.-Lucifer-bot-exchanging-the-mining-information..jpg\" alt=\"\" width=\"600\" height=\"309\" \/><\/a><figcaption 
class=\"wp-caption-text\">Figure 11. Lucifer bot exchanging mining information<\/figcaption><\/figure>\n<h4>Lucifer: Version 2<\/h4>\n<p>Version 2 of <span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span> has the same overall capabilities and behavior as version 1: it installs XMRig for cryptojacking, handles C2 operations and propagates itself through exploits and credential brute-force attacks.<\/p>\n<p>Although the two versions behave alike in many respects, version 2 has some notable differences.<\/p>\n<p>Lucifer has an anti-sandbox capability that checks the username and computer name of the infected host. If either matches a name in the predefined list shown in Table 4, Lucifer stops and proceeds no further.<\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, 
monospace;\">NMSDBOX<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">Avira<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">WILBERT-SC<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">COMPUTERNAME<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">XPAMASTC<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">CWSX<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">Kappa<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">VBOX<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">XXXX-OS<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">cuckoo<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">cwsx-<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">nmsdbox<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">qemu<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">sandbox<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">virtual<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">wilbert-sc<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">xpamast-sc<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">xxxx - ox<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">cuckoosandbox<\/span><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 
10pt;\"><em>\u88684.\u540d\u524d\u306e\u30ea\u30b9\u30c8<\/em><\/span><\/p>\n<p>Lucifer\u306f\u3001\u4ee5\u4e0b\u306e\u30c7\u30d0\u30a4\u30b9\u30c9\u30e9\u30a4\u30d0\u3001DLL\u3001\u304a\u3088\u3073\u4eee\u60f3\u30c7\u30d0\u30a4\u30b9\u306e\u5b58\u5728\u3082\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u3002\u3044\u305a\u308c\u304b\u306e\u30aa\u30d6\u30b8\u30a7\u30af\u30c8\u3092\u691c\u51fa\u3059\u308b\u3068\u3001\u7121\u9650\u30eb\u30fc\u30d7\u306b\u5165\u3063\u3066\u3001\u305d\u308c\u4ee5\u4e0a\u51e6\u7406\u3092\u5b9f\u884c\u3057\u307e\u305b\u3093\u3002<\/p>\n<table style=\"height: 0px; width: 100%;\">\n<tbody>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">SbieDrv.sys<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">Sandboxie.sys<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">SbieDll.dll<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">VBoxHook.dll<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">\\\\.\\VBoxMiniRdrDN<\/span><\/td>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">Dir_watch.dll<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-family: 'courier new', courier, monospace;\">\\\\.\\pipe\\cuckoo<\/span><\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 10pt;\"><em>\u88685.\u30c9\u30e9\u30a4\u30d0\u540d\u306e\u30ea\u30b9\u30c8<\/em><\/span><\/p>\n<p>\u30d0\u30fc\u30b8\u30e7\u30f32\u306eLucifer\u306f\u3001\u305d\u306e\u30b5\u30f3\u30c9\u30dc\u30c3\u30af\u30b9\u5bfe\u6297\u624b\u6cd5\u306b\u52a0\u3048\u3066\u3001\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u6587\u5b57\u5217\u3092<span style=\"font-family: 'courier new', courier, 
monospace;\">OutputDebugStringA()<\/span>\u306b\u6e21\u3057\u3066\u30c7\u30d0\u30c3\u30ac\u3092\u30af\u30e9\u30c3\u30b7\u30e5\u3055\u305b\u308b\u3053\u3068\u306b\u3088\u3063\u3066\u5206\u6790\u3092\u59a8\u5bb3\u3067\u304d\u308b\u30c7\u30d0\u30c3\u30ac\u5bfe\u6297\u624b\u6cd5\u3082\u5099\u3048\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span>\u306f\u3001\u3059\u3079\u3066\u306e\u30c1\u30a7\u30c3\u30af\u3092\u5b8c\u4e86\u3057\u305f\u5f8c\u3001C2\u306eURL\u3092\u5fa9\u53f7\u3057\u3066\u3001\u305d\u308c\u306b\u57fa\u3065\u3044\u305f\u30df\u30e5\u30fc\u30c6\u30c3\u30af\u30b9\u3092\u4f5c\u6210\u3057\u307e\u3059\u3002\u65b0\u3057\u3044C2\u306eURL\u306f<span style=\"font-family: 'courier new', courier, monospace;\">qf2020[.]top<\/span>\u3067\u3059\u3002\u5fa9\u53f7\u30a2\u30eb\u30b4\u30ea\u30ba\u30e0\u306f\u56f31\u306b\u793a\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u30d0\u30fc\u30b8\u30e7\u30f32\u3067\u306f<span style=\"font-family: 'courier new', courier, monospace;\">LNK<\/span>\u30ea\u30bd\u30fc\u30b9\u30bb\u30af\u30b7\u30e7\u30f3\u304c\u8ffd\u52a0\u3055\u308c\u3001\u611f\u67d3\u306b\u4f7f\u7528\u3059\u308bCVE-2017-8464\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u304c\u683c\u7d0d\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u30ea\u30bd\u30fc\u30b9\u30bb\u30af\u30b7\u30e7\u30f3\u306e\u30d0\u30a4\u30ca\u30ea\u306f\u3001\u524d\u8ff0\u306eXOR\u52a0\u7b97\u306b\u3088\u308b\u6697\u53f7\u5316\u3092\u4f7f\u7528\u3057\u3066\u6697\u53f7\u5316\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u5fa9\u53f7\u3055\u308c\u305f<span style=\"font-family: 'courier new', courier, monospace;\">X86\u3001X64<\/span>\u3001\u304a\u3088\u3073<span style=\"font-family: 'courier new', courier, monospace;\">SMB<\/span>\u306e\u30d0\u30a4\u30ca\u30ea\u306f\u3001\u30d0\u30fc\u30b8\u30e7\u30f31\u306e<span style=\"font-family: 'courier new', courier, 
monospace;\">Lucifer<\/span>\u306b\u57cb\u3081\u8fbc\u307e\u308c\u3066\u3044\u308b\u30d0\u30a4\u30ca\u30ea\u3068\u540c\u3058\u3067\u3059\u3002<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">LNK(\u6697\u53f7\u5316): 84b0f2e4d222b0a2e34224e60b66340071e0d03c5f1a2af53b6005a3d739915f<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">LNK(\u5fa9\u53f7\u6e08\u307f): 4c729b343ed3186dffdf80a8e3adfea7c2d56a7a06081333030fb4635e09d540<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">SMB(\u6697\u53f7\u5316): F2d9d7703a5983ae3b7767c33ae79de1db093ea30f97d6b16bb5b62f03e99638<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">SMB(\u5fa9\u53f7\u6e08\u307f): 5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">X64(\u6697\u53f7\u5316): 4365c2ba5505afeab2c479a9c546ed3cbc07ace184fe5019947823018feb4265<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">X64(\u5fa9\u53f7\u6e08\u307f): ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">X86(\u6697\u53f7\u5316): b6d4b4ef2880238dc8e322c7438f57b69cec6d44c0599875466a1edb8d093e15<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"font-family: 'courier new', courier, monospace;\">X86(\u5fa9\u53f7\u6e08\u307f): 8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8<\/span><\/p>\n<p>\u30d0\u30fc\u30b8\u30e7\u30f31\u304b\u3089\u5909\u5316\u3057\u305f\u70b9\u3068\u3057\u3066\u3001\u30d0\u30fc\u30b8\u30e7\u30f32\u306e<span style=\"font-family: 'courier new', courier, 
monospace;\">Lucifer<\/span>\u306f\u3001CVE-2017-8464\u3092\u6b66\u5668\u306e1\u3064\u306b\u8ffd\u52a0\u3057\u3066\u3001CVE-2018-1000861\u3001CVE-2017-10271\u3001\u304a\u3088\u3073CVE-2017-9791\u3092\u524a\u9664\u3057\u307e\u3057\u305f\u3002<\/p>\n<p>\u6a19\u7684\u306b\u611f\u67d3\u3059\u308b\u305f\u3081\u306b\u3001MSSQL\u3001RPC\u3001\u304a\u3088\u3073\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u5171\u6709\u306b\u5bfe\u3057\u3066\u8a8d\u8a3c\u60c5\u5831\u306e\u30d6\u30eb\u30fc\u30c8\u30d5\u30a9\u30fc\u30b9\u653b\u6483\u3092\u5b9f\u884c\u3057\u3066\u3044\u307e\u3057\u305f\u304c\u3001\u305d\u3053\u306bIPC\u3001WMI\u3001SMB\u3001\u304a\u3088\u3073FTP\u304c\u8ffd\u52a0\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u30de\u30a4\u30cb\u30f3\u30b0\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u540d\u524d\u3082\u3001<span style=\"font-family: 'courier new', courier, monospace;\">C:\\\\ProgramData\\\\spreadXfghij.exe<\/span>\u304b\u3089<span style=\"font-family: 'courier new', courier, monospace;\"> C:\\\\ProgramData\\\\Svchocpu.exe<\/span>\u306b\u5909\u66f4\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span>\u306f\u3001C2\u904b\u7528\u306b\u9032\u3080\u76f4\u524d\u306b\u3001\u30db\u30b9\u30c8\u306e\u30c7\u30d5\u30a9\u30eb\u30c8\u8a00\u8a9e\u304c0x804 (zh-CN)\u304b\u3069\u3046\u304b\u3092\u30c1\u30a7\u30c3\u30af\u3057\u307e\u3059\u30020x804 (zh-CN)\u306e\u5834\u5408\u3001<span style=\"font-family: 'courier new', courier, monospace;\">Internet Explorer<\/span>\u306e\u300c\u30b9\u30bf\u30fc\u30c8\u30da\u30fc\u30b8\u300d\u3092\u300c<span style=\"font-family: 'courier new', courier, monospace;\">www[.]yzzswt[.]com<\/span>\u300d\u306b\u8a2d\u5b9a\u3057\u3001<span style=\"font-family: 'courier new', courier, monospace;\">Internet 
Explorer<\/span>\u3067\u305d\u306eURL\u306b\u30a2\u30af\u30bb\u30b9\u3057\u3066\u306f\u5f37\u5236\u7d42\u4e86\u3057\u7d9a\u3051\u308b\u30b9\u30ec\u30c3\u30c9\u3092\u958b\u59cb\u3057\u307e\u3059\u3002\u30c8\u30ea\u30ac\u30fc\u306f\u3001\u30b7\u30b9\u30c6\u30e0\u306e\u30a2\u30a4\u30c9\u30eb\u6642\u9593\u306b\u4f9d\u5b58\u3057\u307e\u3059\u3002<\/p>\n<p>\u30d0\u30fc\u30b8\u30e7\u30f32\u306e<span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span>\u306f\u3001<span style=\"font-family: 'courier new', courier, monospace;\">qf2020[.]top:19370<\/span>\u306b\u3042\u308b\u65b0\u3057\u3044C2\u3092\u4f7f\u7528\u3057\u307e\u3059\u304c\u3001C2\u904b\u7528\u306f\u30d0\u30fc\u30b8\u30e7\u30f31\u3068\u5909\u308f\u308a\u307e\u305b\u3093\u3002<\/p>\n<h2>\u7d50\u8ad6<\/h2>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">Lucifer<\/span>\u306f\u3001\u30af\u30ea\u30d7\u30c8\u30b8\u30e3\u30c3\u30ad\u30f3\u30b0\u3068DDoS\u306e\u30cf\u30a4\u30d6\u30ea\u30c3\u30c9\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u65b0\u3057\u3044\u5909\u7a2e\u3067\u3042\u308a\u3001\u53e4\u3044\u8106\u5f31\u6027\u3092\u5229\u7528\u3057\u3066Windows\u30d7\u30e9\u30c3\u30c8\u30d5\u30a9\u30fc\u30e0\u306b\u62e1\u6563\u3057\u3066\u60aa\u610f\u306e\u3042\u308b\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002\u5f71\u97ff\u3092\u53d7\u3051\u308b\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306b\u66f4\u65b0\u3068\u30d1\u30c3\u30c1\u3092\u9069\u7528\u3059\u308b\u3053\u3068\u3092\u5f37\u304f\u304a\u52e7\u3081\u3057\u307e\u3059\u3002\u8106\u5f31\u306a\u30bd\u30d5\u30c8\u30a6\u30a7\u30a2\u306b\u306f\u3001Rejetto HTTP File Server\u3001Jenkins\u3001Oracle Weblogic\u3001Drupal\u3001Apache Struts\u3001Laravel\u30d5\u30ec\u30fc\u30e0\u30ef\u30fc\u30af\u3001Microsoft 
Windows\u304c\u542b\u307e\u308c\u307e\u3059\u3002\u8f9e\u66f8\u653b\u6483\u3092\u9632\u3050\u305f\u3081\u306b\u3001\u5f37\u529b\u306a\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u4f7f\u7528\u3059\u308b\u3053\u3068\u3082\u304a\u52e7\u3081\u3057\u307e\u3059\u3002<\/p>\n<p>\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001\u4ee5\u4e0b\u306e\u88fd\u54c1\u3068\u30b5\u30fc\u30d3\u30b9\u3067\u653b\u6483\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul style=\"list-style-type: disc;\">\n<li>\u8105\u5a01\u9632\u5fa1\u30e9\u30a4\u30bb\u30f3\u30b9\u3092\u542b\u3080\u6b21\u4e16\u4ee3\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb\u306f\u3001\u30d9\u30b9\u30c8\u30d7\u30e9\u30af\u30c6\u30a3\u30b9\u69cb\u6210\u306b\u3088\u3063\u3066\u30a8\u30af\u30b9\u30d7\u30ed\u30a4\u30c8\u3068C2\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u30d6\u30ed\u30c3\u30af\u3067\u304d\u307e\u3059\u3002<\/li>\n<li>WildFire\u306f\u3001\u9759\u7684\u30b7\u30b0\u30cd\u30c1\u30e3\u3092\u691c\u51fa\u3057\u3066\u30de\u30eb\u30a6\u30a7\u30a2\u3092\u963b\u6b62\u3057\u307e\u3059\u3002<\/li>\n<li>AutoFocus\u306e\u304a\u5ba2\u69d8\u306f\u3001Lucifer\u30bf\u30b0\u3067\u3001\u3053\u306e\u30a2\u30af\u30c6\u30a3\u30d3\u30c6\u30a3\u3092\u8ffd\u8de1\u3067\u304d\u307e\u3059\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><strong>IoC (Lucifer\u30d0\u30fc\u30b8\u30e7\u30f31)<\/strong><\/h3>\n<h4>NBI<\/h4>\n<h5>\u30de\u30eb\u30a6\u30a7\u30a2 \u30db\u30b9\u30c6\u30a3\u30f3\u30b0 \u30b5\u30a4\u30c8:<\/h5>\n<ul>\n<li>180[.]126[.]161[.]27<\/li>\n<li>210[.]112[.]41[.]71<\/li>\n<li>Mining Protocol<\/li>\n<li>1. stratum+tcp:\/\/pool.supportxmr.com:3333<\/li>\n<li>2. 
stratum+tcp:\/\/gulf.moneroocean.stream:10001<\/li>\n<\/ul>\n<h4>C2<\/h4>\n<ul>\n<li>122[.]112[.]179[.]189:15888 (version 1)<\/li>\n<\/ul>\n<h3>HBI<\/h3>\n<h4>SHA256 - \u30de\u30eb\u30a6\u30a7\u30a2<\/h4>\n<ul>\n<li>94f0e2aa41e1703e37341cba0601441b2d9fa2e11615cad81ba5c93042c8f58c spread.txt (\u30d0\u30fc\u30b8\u30e7\u30f31)<\/li>\n<li>SHA256 - \u30ea\u30bd\u30fc\u30b9\u30bb\u30af\u30b7\u30e7\u30f3\u306e\u57cb\u3081\u8fbc\u307f\u30d0\u30a4\u30ca\u30ea<\/li>\n<li>8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8 X86<\/li>\n<li>Ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301 X64<\/li>\n<li>5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994 SMB<\/li>\n<li>SHA256 - SMB.exe\u304b\u3089\u62bd\u51fa\u3055\u308c\u305f\u30d0\u30a4\u30ca\u30ea<\/li>\n<li>ff8c9d8c6f16a466d8e598c25829ec0c2fb4503b74d17f307e13c28fd2e99b93 Shellcode.ini<\/li>\n<li>7417daf85e6215dedfd85ca8bfafcfd643c8afe0debcf983ad4bacdb4d1a6dbc X64.dll<\/li>\n<li>de23da87e7fbecb2eaccbb85eeff465250dbca7c0aba01a2766761e0538f90b6 X86.dll<\/li>\n<li>f06d02359666b763e189402b7fbf9dfa83ba6f4da2e7d037b3f9aebefd2d5a45 adfw-2.dll<\/li>\n<li>c51bce247bee4a6f4cd2d7d45483b5b1d9b53f8cc0e04fb4f4221283e356959d adfw.dll<\/li>\n<li>d3db1e56360b25e7f36abb822e03c18d23a19a9b5f198e16c16e06785fc8c5fa cnli-0.dll<\/li>\n<li>db0831e19a4e3a736ea7498dadc2d6702342f75fd8f7fbae1894ee2e9738c2b4 cnli-1.dll<\/li>\n<li>0439628816cabe113315751e7113a9e9f720d7e499ffdd78acbac1ed8ba35887 coli-0.dll<\/li>\n<li>b556b5c077e38dcb65d21a707c19618d02e0a65ff3f9887323728ec078660cc3 crli-0.dll<\/li>\n<li>9b8ec5d0c10ccdd3933b7712ba40065d1b0dd3ffa7968fb28ad426cd5eee5001 dmgd-1.dll<\/li>\n<li>50f329e034db96ba254328cd1e0f588af6126c341ed92ddf4aeb96bc76835937 dmgd-4.dll<\/li>\n<li>19690e5b862042d9011dbdd92504f5012c08d51efca36828a5e9bdfe27d88842 esco-0.dll<\/li>\n<li>3fcffe9eae90ec365efb361674613ac95de50b2ccfd634c24491923f85c309a5 etch-0.dll<\/li>\n<li>fe4640fefa4bef02041a771a206f9184adb38de051f0d8726c4579736fe13bb6 
etchCore-0.x64.dll<\/li>\n<li>3596e8fa5e19e860a2029fa4ab7a4f95fadf073feb88e4f82b19a093e1e2737c etchCore-0.x86.dll<\/li>\n<li>7ddbade1f4fcb48f254e7defa1ab5ec568e8ff0403693860b76870e11816aee6 eteb-2.dll<\/li>\n<li>8a5cce25f1bf60e716709c724b96630b95e55cc0e488d74d60ea50ffba7d6946 etebCore-2.x64.dll<\/li>\n<li>609ed51631da2defa34d58f60dc2a0f38e1574d8cf07647b844fc8b95de4bd8c etebCore-2.x86.dll<\/li>\n<li>15292172a83f2e7f07114693ab92753ed32311dfba7d54fe36cc7229136874d9 exma-1.dll<\/li>\n<li>c977ac10aa3d2250a1af39630f532184a5185f505bcd5f03ea7083a3a701a969 exma.dll<\/li>\n<li>b1d48e8185d9d366dce8c723ba765d6c593b7873cb43d77335084b58bbc7cb4d iconv.dll<\/li>\n<li>d3c6985d965cad5bff6075677ed8c2cafee4c3a048fb5af81b442665c76dff7b libcurl.dll<\/li>\n<li>5f30aa2fe338191b972705412b8043b0a134cdb287d754771fc225f2309e82ee libeay32.dll<\/li>\n<li>36b0fa6c0da7434707e7e330f40316458c0c1edc39b80e2fe58745cd77955eb3 libiconv-2.dll<\/li>\n<li>aceb27720115a63b9d47e737fd878a61c52435ea4ec86ba8e58ee744bc85c4f3 libxml2.dll<\/li>\n<li>df9200ba0d967487b9eb9627078d7faa88072c493b6d9e2b68211c14b06e9f4e pcla-0.dll<\/li>\n<li>17d6dde8a6715b9311734cb557b76160a22e340785b3950eae23aae67b0af6a8 pcre-0.dll<\/li>\n<li>93f0a1fe486ad222b742e451f25f4c9219b1e0f5b4273a15ce08dd714827745a pcrecpp-0.dll<\/li>\n<li>1c8100aca288483d5c29dcf33df887e72513f9b1cb6d0c96045401981351307c pcreposix-0.dll<\/li>\n<li>cde45f7ff05f52b7215e4b0ea1f2f42ad9b42031e16a3be9772aa09e014bacdb posh-0.dll<\/li>\n<li>47e16f7db53d9adf24d193ff4d523b1bc7ae59ff8520cfa012365bdb947c96f9 posh.dll<\/li>\n<li>f8ee4c00a3a53206d8d37abe5ed9f4bfc210a188cd5b819d3e1f77b34504061e riar-2.dll<\/li>\n<li>55039ab48c0916a38f1ceee08ba9f9cf5f292064cf3ee6631f22becde5e74b2d riar.dll<\/li>\n<li>15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13 serverlong.exe<\/li>\n<li>a46481cdb4a9fc1dbdcccc49c3deadbf18c7b9f274a0eb5fdf73766a03f19a7f serverlong.fb<\/li>\n<li>cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de 
serverlong.xml<\/li>\n<li>be8eb97d8171b8c91c6bc420346f7a6d2d2f76809a667ade03c990feffadaad5 ssleay32.dll<\/li>\n<li>85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5 svchostlong.exe<\/li>\n<li>ad3c0b153d5b5ba4627daa89cd2adbb18ee5831cb67feeb7394c51ebc1660f41 svchostlong.fb<\/li>\n<li>756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380 svchostlong.xml<\/li>\n<li>b99c3cc1acbb085c9a895a8c3510f6daaf31f0d2d9ccb8477c7fb7119376f57b svchostromance.exe<\/li>\n<li>6c55b736646135c0acbad702fde64574a0a55a77be3f39287774c7e518de3da9 svchostromance.xml<\/li>\n<li>52e88433f2106cc9a3a961cd8c3d0a8939d8de28f2ef3ee8ea648534a8b036a4 tibe-1.dll<\/li>\n<li>ca63dbb99d9da431bf23aca80dc787df67bb01104fb9358a7813ed2fce479362 tibe-2.dll<\/li>\n<li>a418edc5f1fb14fbf9398051225f649810fa75514ca473610be44264bf3c663c tibe.dll<\/li>\n<li>6775d627d99733f3f02494db7e13935b505132f43c56e7f8850c54e6627691de trch-0.dll<\/li>\n<li>0259d41720f7084716a3b2bbe34ac6d3021224420f81a4e839b0b3401e5ef29f trch-1.dll<\/li>\n<li>06c031f0d905cdeb0d9c172c27ae0c2d25bbf0d08db27a4aa98ec540a15306e7 trch.dll<\/li>\n<li>a4c460b27d03daf7828f6b6db87e0ff3ee851fdb1b8654b0a778b4c34953a3dc trfo-0.dll<\/li>\n<li>b2a3172a1d676f00a62df376d8da805714553bb3221a8426f9823a8a5887daaa trfo-2.dll<\/li>\n<li>96edea8d08ab10eee86776cfb9e32b4701096d21c39dbffeb49bd638f09d726a trfo.dll<\/li>\n<li>cf25bdc6711a72713d80a4a860df724a79042be210930dcbfc522da72b39bb12 tucl-1.dll<\/li>\n<li>36107f74be98f15a45ff716e37dad70f1ff9515bc72a0a1ec583b803c220aa92 tucl.dll<\/li>\n<li>f0df80978b3a563077def7ba919e2f49e5883d24176e6b3371a8eef1efe2b06a ucl.dll<\/li>\n<li>b7d8fcc3fb533e5e0069e00bc5a68551479e54a990bb1b658e1bd092c0507d68 xdvl-0.dll<\/li>\n<li>70dbb0b5562cd034c6b70a4a86a346b0f0039acf1b09f5814c42895963e12ea0 zibe.dll<\/li>\n<li>aa8adf96fc5a7e249a6a487faaf0ed3e00c40259fdae11d4caf47a24a9d3aaed 
zlib1.dll<\/li>\n<\/ul>\n<h4>Mutexes<\/h4>\n<ul>\n<li>\\Sessions\\1\\BaseNamedObjects\\122.112.179.189<\/li>\n<li>4AfAd5hsdMWbuNyGbFJVZjcMLeKHvrXnT155DWh8qGkYRPbVGKBT9q1Z5gcFXqmwUuh2Kh6t2sTnHXPysYrGf2m9KqBwz9e<\/li>\n<\/ul>\n<h4>Registry values added\/modified<\/h4>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%<\/li>\n<li>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%<\/li>\n<li>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr - %stratum info%<\/li>\n<\/ul>\n<h4>Registry keys deleted<\/h4>\n<ul>\n<li>HKCU\\Software\\RealVNC\\vncviewer\\KnownHosts<\/li>\n<li>HKCU\\Software\\RealVNC\\vncviewer\\MRU<\/li>\n<\/ul>\n<h4>Files created<\/h4>\n<ul>\n<li>C:\\\\ProgramData\\\\spread.txt<\/li>\n<li>C:\\\\ProgramData\\\\index.html<\/li>\n<li>C:\\\\ProgramData\\\\spreadXfghij.exe<\/li>\n<li>C:\\\\ProgramData\\\\SMB.exe<\/li>\n<li>C:\\\\ProgramData\\\\svchostlong.exe<\/li>\n<li>C:\\\\ProgramData\\\\X86.dll<\/li>\n<li>C:\\\\ProgramData\\\\X64.dll<\/li>\n<li>%TEMP%\\\\&lt;4-random-lower-case-characters&gt;.exe<\/li>\n<\/ul>\n<h4>Files deleted<\/h4>\n<ul>\n<li>C:\\\\Windows\\\\SysWOW64\\\\rserver30\\\\Radm_log.htm<\/li>\n<li>C:\\\\ProgramData\\\\X86.dll<\/li>\n<li>C:\\\\ProgramData\\\\X64.dll<\/li>\n<\/ul>\n<h3><strong>IoCs (Lucifer version 2)<\/strong><\/h3>\n<h4>NBI (network-based indicators)<\/h4>\n<h5>Malware hosting site:<\/h5>\n<ul>\n<li>121[.]206[.]143[.]140<\/li>\n<\/ul>\n<h5>Mining pools (stratum)<\/h5>\n<ol>\n<li>stratum+tcp:\/\/pool.supportxmr.com:8080<\/li>\n<li>stratum+tcp:\/\/gulf.moneroocean.stream:10001<\/li>\n<\/ol>\n<h5>C2<\/h5>\n<ul>\n<li>qf2020[.]top:19370<\/li>\n<\/ul>\n<h3><a id=\"post-107692-_vvaej8m5arf5\"><\/a>HBI (host-based indicators)<\/h3>\n<h4>SHA256 - Malware<\/h4>\n<ul>\n<li>66d619ca5e848ce0e4bcb1252ff8a4f0a060197a94810de85873c76fa3826c1e spread.txt<\/li>\n<\/ul>\n<h4>SHA256 - Binaries embedded in the resource section<\/h4>\n<ul>\n<li>84b0f2e4d222b0a2e34224e60b66340071e0d03c5f1a2af53b6005a3d739915f LNK (encrypted)<\/li>\n<li>4c729b343ed3186dffdf80a8e3adfea7c2d56a7a06081333030fb4635e09d540 LNK (decrypted)<\/li>\n<li>f2d9d7703a5983ae3b7767c33ae79de1db093ea30f97d6b16bb5b62f03e99638 SMB (encrypted)<\/li>\n<li>5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994 SMB (decrypted)<\/li>\n<li>4365c2ba5505afeab2c479a9c546ed3cbc07ace184fe5019947823018feb4265 X64 (encrypted)<\/li>\n<li>ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301 X64 (decrypted)<\/li>\n<li>b6d4b4ef2880238dc8e322c7438f57b69cec6d44c0599875466a1edb8d093e15 X86 (encrypted)<\/li>\n<li>8edbcd63def33827bfd63bffce4a15ba83e88908f9ac9962f10431f571ba07a8 X86 (decrypted)<\/li>\n<\/ul>\n<h4>SHA256 - Binaries extracted from SMB.exe<\/h4>\n<ul>\n<li>&lt;Same as version 1&gt;<\/li>\n<\/ul>\n<h4>SHA256 - Files extracted from the decrypted LNK<\/h4>\n<ul>\n<li>45d943c1a4e3615a52f7561791c331cd7d996dd6ddc5421fab78c2d734fed6b6 AIGrEPvEOTXqjEaw_O.lnk<\/li>\n<li>478021e127232f6c6bad31b342486c88d58ab299e6c1336bbf3da00f3c38f1c8 
CJqsRymyTEMnBoEC_T.lnk<\/li>\n<li>42e1a05ab55d4a209d6198454718e6aaf0ac63b1778ccfc648b7791d06eddc44 DNfOzAatoSkUAZpM_E.lnk<\/li>\n<li>5d181f72ca116b2925151416d5cc6d8f7ab29242be9030ec927e7175c764f56f FNqWxGJfjXHWtsOf_S.lnk<\/li>\n<li>00f49b9f5e2d0156017dd5421c9301cf62b0a023d45f36455cf1d287c7f061cb FavqRrpXeqruoJwm_M.lnk<\/li>\n<li>5c75ac1a0f824cb3b14a84b5b2dba0a52ed150e2e410850eafa08338dd596198 LdhMQIbWZpcSeVNj_Z.lnk<\/li>\n<li>fe9f693a81ceed943854896543406edd1a6e4c2ee6a84abf196659fc8617f22e LqFWHUlZTWlULatC_G.lnk<\/li>\n<li>8b4b3f131d70922502e61e7ef294f69916d289f72fe3dcccca7e2ebb904de018 MkGTeIIFLYOjZclX_I.lnk<\/li>\n<li>d690b048e3984f9f8305ba0d3fb4eeea490a1461796b6927a31d0beffdafbc8b NfMIupIogETQsWra_V.lnk<\/li>\n<li>d05609b368bc35d4795cc220ef42ea06d9ac8284e49b218c64789876ccdacb2e OuWZjtdbLqFVMSLF.dll<\/li>\n<li>52da4c4c3ac7237ee803a5aa3250d9ca1b571876d46d725135079a866b4a554d QZwHXICgEbiMtEwe_S.lnk<\/li>\n<li>3a3344f89ce8c459c11b7d480db274e8ea438cacedfe60332b1b2b65e82dfab1 QjcZPYwkZKEVQvgs_W.lnk<\/li>\n<li>64af944e3ca7dec9a5673df3043d24064351de33a6ecc61ad2d288956a570bff SAmbRRbbdmzXwBQm_J.lnk<\/li>\n<li>0be5db462b912cc4207e47c7fe0a80153e1f15a327a486fb2ba3e0c1efa2978a SDtTgoPxAguJyxBw_T.lnk<\/li>\n<li>686eb63c8b5c07040f22e6fee0cc76baabe283fcffc0926df1bf3b802aeb8cfe TFjoAQJOJqTTlynz_W.lnk<\/li>\n<li>39e8a25b0875e2ba1906b83b2d0c2cfd0762a5f1a670e6d736cc3873125b807c TeNENqdfbnkTNers_O.lnk<\/li>\n<li>2dfd7a838abcf46e420e418af04413ba53cc5592ec18b8a6fe35cab161baeb48 TpzgiaCNXaSnzlKx_K.lnk<\/li>\n<li>ab0c0471fd57e3ed03bbb5c5e4564c3843d62d0b7b88a15a18cd2d057a22a9f6 TywZFloXXLcMoUVP_P.lnk<\/li>\n<li>ab8511ed01a0601e974809c8f3f92094ebf6669679228ce6daea6027ab59e554 VhfYGmTcCCcrfTaY_Y.lnk<\/li>\n<li>32d18553602309c19b5f88a1761bc1598f346124915c2c38e1129b7c5cf94a42 WmOXSshkpQfaLVED.dll<\/li>\n<li>0a4d0fb773e9251bd420e3998605500881bca21119d7af44f06b002de2cdc8fe YSfBenPxsQHppZuM_E.lnk<\/li>\n<li>ab9e4c3c4827896a309a16b289e97ae848113590c8db2a62b931833ab83d9099 
ZMLUEPWbhtajeFvU_F.lnk<\/li>\n<li>5ae7d87b81db21da2b6212ff1229264093b5954f2d6ffb273420f898141c611d aQRlCerEgjVIRYLQ_N.lnk<\/li>\n<li>d29841ebebeb48fc3da7e23ce4a0a4d3e48c1602485e9fbe913cb2ff8eb9d0dd bzimVhTxVSVAvqWW_H.lnk<\/li>\n<li>b64712d39bd2ce26bb24f6cd5877554bee39240bd5994a1a6143bba660c34e2b cRTvZQMkUULYLGmW_F.lnk<\/li>\n<li>02981319f54847a5587fc9cb4e32c54a76bdcfe583bc3059ee79a40c4a4409d7 emeDxGEdARUmzHYN_X.lnk<\/li>\n<li>b585e210997e38741c4842979472b38e704c187a11565e32d549d0aab181ad3a fXtYTHUBPuuoBWrl_P.lnk<\/li>\n<li>5def9f81ea8187a2716c77fe21a709b9c760762973fc3bbe62203e2b5897f1cc gBsceXqQIqhXHySi_N.lnk<\/li>\n<li>74254df16012b0ffee18f02c96820e507b961cc6a7bcb5cc2a5f43064291d0a4 gXRyeJymkCbmiXIR_H.lnk<\/li>\n<li>b8a24d8aa9b936413be925091ff551a9e872c634e9aef28df0f19363645e1224 gyhbcKquCWLSOUSd_U.lnk<\/li>\n<li>04d17a702b485ae343287239b0b6201ebcaea3dd24188579800d21a16f9b35c6 gzTXwmTukBDryAPx_L.lnk<\/li>\n<li>fc0997022f3b02556362ff87c59ba6db6751070aa7e73a42ac634af0eaab6ca5 hRAVeKFdQFfUWWqf_D.lnk<\/li>\n<li>7a08530d46fd2bd0e61cb5ebeae8a32b6020cda5555290d5e7d8b2838127d0f6 iWYfETBuIkffMlgp_Z.lnk<\/li>\n<li>b13cb42cb21efe404a88501e9ecca74f695b527a42934e62625ddf11fefcea9a joJczkptYQtfkMNm_J.lnk<\/li>\n<li>57d1f4287e36c4b109afb797d50d693329d92e6d9ee69822242e55cac3c422f7 juHLixrdaEoaGDcL_I.lnk<\/li>\n<li>5e8bfc88a5643c40d6efd4462cd918573e9be6fd934222a0bccc64d3e789fdfc lHGRXkTVRihDzkjl_R.lnk<\/li>\n<li>21167b8443213332b519140e364cf25043b2b9171ac8ab3ce4b591e62c3b5f89 lPfkoJiWxgsoSrsD_V.lnk<\/li>\n<li>7857ecefa14ab3d86a699700b313c85d6d3b106fe5375f5a5e938784271fb1dd laTnMsKakEOKsJHf_R.lnk<\/li>\n<li>6791024c02a9045b237f9bf09e2ca7a7e3503d81a59f4691e5442670be21b0c1 lvdfRmNKdkMexTNn_G.lnk<\/li>\n<li>8995c73fe107b3c4dad829db8e7a6b9b2bee29811d73909a9bf67ad5bd5acacb nChCLwgSBXaEiwIR_Q.lnk<\/li>\n<li>4a928ff8904640733cff08bd5f70e23ee2466cb8f925a1764e9ad61bbf006efd qIeuxAOnUEVJWOEe_K.lnk<\/li>\n<li>18267b8425c9dbcf4de44b22c80712ac58ddff7e3fa54839252bd5337778859f 
rxTDIbsrdXcyLvYA_Y.lnk<\/li>\n<li>24437f92578b3632452e1e9a97341c781d36dae544d4d6827e5831c71e0f34db sHEofvMNSNPGPxnI_X.lnk<\/li>\n<li>782d840f3dc7f648f8404de3e4039882e05fcf8cd2cba1509136835f6cb547d0 uZfBVEFQdlRgsvpT_D.lnk<\/li>\n<li>437064714d5b080673fbdeae792a5376fbd8be361a6783a8bda78d944975f055 vnvlkoVTAEtCfPYX_Q.lnk<\/li>\n<li>c735098987b555b3aa3adb58e0691d9280c2b593307072d7d731e02cd338d7ac wDxKJhyBflVPXlwA_L.lnk<\/li>\n<li>33c14ef70be64290bcd9bd5abc72f2e39f50bfa567c5f521ee5d3406deb80a93 xWiOFoWnpbAxeKSr_U.lnk<\/li>\n<li>3c9b80de476f842c4325580ab628ddebae4a7261ffaee52c3df0514a368d3c11 xXIRjCUwUvcECnmO_M.lnk<\/li>\n<\/ul>\n<h4>Mutexes<\/h4>\n<ul>\n<li>qf2020.top<\/li>\n<\/ul>\n<h4>Registry values added\/modified<\/h4>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%<\/li>\n<li>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic - %malware binary path%<\/li>\n<li>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr - %stratum info%<\/li>\n<li>HKCU\\Software\\Microsoft\\Internet Explorer\\MAIN\\Start Page - http:\/\/www[.]yzzswt[.]com<\/li>\n<li>HKLM\\Software\\Microsoft\\Internet Explorer\\MAIN\\Start Page - http:\/\/www[.]yzzswt[.]com<\/li>\n<\/ul>\n<h4>Registry keys deleted<\/h4>\n<ul>\n<li>&lt;Same as version 1&gt;<\/li>\n<\/ul>\n<h4>Files created<\/h4>\n<ul>\n<li>C:\\\\ProgramData\\\\spread.txt<\/li>\n<li>C:\\\\ProgramData\\\\index.html<\/li>\n<li>C:\\\\ProgramData\\\\spreadXfghij.exe<\/li>\n<li>C:\\\\ProgramData\\\\SMB.exe<\/li>\n<li>C:\\\\ProgramData\\\\svchostlong.exe<\/li>\n<li>C:\\\\ProgramData\\\\X86.dll<\/li>\n<li>C:\\\\ProgramData\\\\X64.dll<\/li>\n<li>%TEMP%\\\\&lt;4-random-lower-case-characters&gt;.exe<\/li>\n<li>K:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\spread.exe<\/li>\n<li>K:\\\\Users\\\\Administrator\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\spread.exe<\/li>\n<li>%ROOT PATH%\\\\OuWZjtdbLqFVMSLF.dll<\/li>\n<li>C:\\\\ProgramData\\\\CVE147159.exe<\/li>\n<li>C:\\\\CVE\\\\<\/li>\n<\/ul>\n<h4>Files deleted<\/h4>\n<ul>\n<li>C:\\\\Windows\\\\SysWOW64\\\\rserver30\\\\Radm_log.htm<\/li>\n<li>C:\\\\ProgramData\\\\X86.dll<\/li>\n<li>C:\\\\ProgramData\\\\X64.dll<\/li>\n<li>K:\\\\spread.txt<\/li>\n<li>C:\\\\ProgramData\\\\CVE147159.exe<\/li>\n<li>C:\\\\CVE\\\\<\/li>\n<\/ul>\n<h2><a 
id=\"post-107692-_fp24smz92dc5\"><\/a><strong>Appendix<\/strong><\/h2>\n<h3>List of whitelisted remote IP addresses<\/h3>\n<ul>\n<li>94.23.23.52<\/li>\n<li>91.121.140.167<\/li>\n<li>149.202.83.171<\/li>\n<li>139.99.124.170<\/li>\n<li>37.187.95.110<\/li>\n<li>94.23.247.226<\/li>\n<li>139.99.125.38<\/li>\n<li>18.180.72.219<\/li>\n<li>3.0.193.200<\/li>\n<li>139.180.131.153<\/li>\n<li>45.32.24.80<\/li>\n<li>116.203.73.240<\/li>\n<li>44.202.105.45<\/li>\n<li>95.179.220.100<\/li>\n<li>139.99.100.250<\/li>\n<li>149.28.17.136<\/li>\n<li>45.76.206.51<\/li>\n<li>142.44.240.132<\/li>\n<li>94.23.23.52<\/li>\n<li>139.99.123.196<\/li>\n<li>94.130.12.27<\/li>\n<li>178.63.100.197<\/li>\n<li>107.178.104.10<\/li>\n<li>92.110.160.114<\/li>\n<li>94.130.12.30<\/li>\n<li>37.59.52.83<\/li>\n<li>104.140.201.102<\/li>\n<li>95.216.46.125<\/li>\n<li>3.253.40.188<\/li>\n<li>3.253.40.189<\/li>\n<li>45.125.194.18<\/li>\n<li>45.125.194.34<\/li>\n<li>78.47.158.234<\/li>\n<li>47.101.30.124<\/li>\n<li>203.107.32.162<\/li>\n<li>47.102.39.92<\/li>\n<li>47.102.251.102<\/li>\n<li>47.110.199.70<\/li>\n<li>139.224.168.24<\/li>\n<li>47.110.190.245<\/li>\n<li>139.224.219.119<\/li>\n<li>139.224.20.173<\/li>\n<li>203.107.40.49<\/li>\n<li>116.211.169.162<\/li>\n<li>218.11.2.44<\/li>\n<li>107.191.99.221<\/li>\n<li>107.191.99.95<\/li>\n<li>3.112.214.88<\/li>\n<li>47.241.2.137<\/li>\n<li>206.189.33.65<\/li>\n<li>161.117.192.8<\/li>\n<li>47.244.176.59<\/li>\n<li>210.1.226.51<\/li>\n<li>116.203.61.78<\/li>\n<li>35.163.175.186<\/li>\n<li>178.128.107.204<\/li>\n<li>45.77.31.97<\/li>\n<li>172.104.91.217<\/li>\n<li>103.101.30.10<\/li>\n<li>139.99.72.56<\/li>\n<li>176.9.4.26<\/li>\n<li>149.202.214.40<\/li>\n<li>37.59.43.136<\/li>\n<li>37.59.44.193<\/li>\n<li>37.59.43.131<\/li>\n<li>88.99.242.92<\/li>\n<li>88.99.193.240<\/li>\n<li>94.130.165.85<\/li>\n<li>94.130.165.87<\/li>\n<li>91.121.2.76<\/li>\n<li>37.59.54.205<\/li>\n<li>37.59.55.60<\/li>\n<li>37.59.44.93<\/li>\n<li>37.187.154.79<\/li>\n<li>37.59.45.174<\/li>\n<li>176.9.53.68<\/li>\n<li>78.46.91.134<\/li>\n<li>94.23.41.130<\/li>\n<li>176.9.2.144<\/li>\n<li>178.63.48.196<\/li>\n<li>78.46.89.102<\/li>\n<li>37.59.56.102<\/li>\n<li>94.23.212.204<\/li>\n<li>188.165.254.85<\/li>\n<li>46.105.103.169<\/li>\n<li>76.9.50.126<\/li>\n<li>37.59.51.212<\/li>\n<li>91.121.87.10<\/li>\n<li>94.130.206.79<\/li>\n<li>188.165.199.78<\/li>\n<li>176.31.117.82<\/li>\n<li>188.165.214.95<\/li>\n<li>94.23.206.130<\/li>\n<li>176.9.63.166<\/li>\n<li>94.130.164.60<\/li>\n<li>78.46.91.171<\/li>\n<li>188.165.214.76<\/li>\n<li>37.59.44.68<\/li>\n<li>94.23.8.105<\/li>\n<li>37.59.49.7<\/li>\n<li>183.201.229.131<\/li>\n<li>117.139.17.68<\/li>\n<li>223.167.166.51<\/li>\n<li>111.7.68.222<\/li>\n<\/ul>\n<h3>List of whitelisted remote ports<\/h3>\n<ul>\n<li>3333<\/li>\n<li>5555<\/li>\n<li>7777<\/li>\n<li>45700<\/li>\n<li>45560<\/li>\n<li>13531<\/li>\n<li>2222<\/li>\n<\/ul>\n<h3>List of usernames - credential brute-force attack<\/h3>\n<ul>\n<li>sa<\/li>\n<li>SA<\/li>\n<li>su<\/li>\n<li>kisadmin<\/li>\n<li>SQLDebugger<\/li>\n<li>mssql<\/li>\n<li>Chred1433<\/li>\n<\/ul>\n<h3>List of passwords - credential brute-force attack<\/h3>\n<ul>\n<li>\u201c\\x20\u201d (a single space)<\/li>\n<li>administrator<\/li>\n<li>sa<\/li>\n<li>SA<\/li>\n<li>123456<\/li>\n<li>1<\/li>\n<li>123<\/li>\n<li>123123<\/li>\n<li>112233<\/li>\n<li>1234<\/li>\n<li>12345<\/li>\n<li>1234567<\/li>\n<li>12345678<\/li>\n<li>123456789<\/li>\n<li>1234567890<\/li>\n<li>0123456789<\/li>\n<li>a123456<\/li>\n<li>admin<\/li>\n<li>qaz123<\/li>\n<li>1sanjose<\/li>\n<li>123.com<\/li>\n<li>525464<\/li>\n<li>123.qwe<\/li>\n<li>process<\/li>\n<li>temp<\/li>\n<li>1234qwer<\/li>\n<li>123asd<\/li>\n<li>Chred1433<\/li>\n<li>admin888<\/li>\n<li>1qaz3edc<\/li>\n<li>1qaz4rfv<\/li>\n<li>3edc4rfv<\/li>\n<li>4rfv5tgb<\/li>\n<li>5tgb6yhn<\/li>\n<li>6yhn7ujm<\/li>\n<li>7ujm8ik,<\/li>\n<li>aaa123!@#<\/li>\n<li>test1234<\/li>\n<li>1qaz@wsx#edc<\/li>\n<li>admin123456789<\/li>\n<li>qazwsx123<\/li>\n<li>qaz123wsx<\/li>\n<li>admin123<\/li>\n<li>password<\/li>\n<li>qwe123<\/li>\n<li>qweqwe<\/li>\n<li>aaa123<\/li>\n<li>pass@word1<\/li>\n<li>Password1234<\/li>\n<li>asd@123<\/li>\n<li>Sa@123<\/li>\n<li>!QAZxsw2<\/li>\n<li>masterkey<\/li>\n<li>sa123!@#<\/li>\n<li>abc@123<\/li>\n<li>!QAZ1qaz<\/li>\n<li>123@abcd<\/li>\n<li>111<\/li>\n<li>111111<\/li>\n<li>11111111<\/li>\n<li>11111111111<\/li>\n<li>1111<\/li>\n<li>888<\/li>\n<li>888888<\/li>\n<li>8888<\/li>\n<li>88888888<\/li>\n<li>666<\/li>\n<li>6666<\/li>\n<li>666666<\/li>\n<li>66666666<\/li>\n<li>abc123<\/li>\n<li>123abc<\/li>\n<li>1ab2c3<\/li>\n<li>zxcvbn<\/li>\n<li>zxcvbnm<\/li>\n<li>asdasd<\/li>\n<li>asdfghjkl<\/li>\n<li>asd123<\/li>\n<li>qweasd<\/li>\n<li>qweasdzxc<\/li>\n<li>QAZWSX<\/li>\n<li>123qwe@#<\/li>\n<li>admin@123<\/li>\n<li>123abc!@#<\/li>\n<li>1qaz2ws<\/li>\n<li>zaq12wsx<\/li>\n<li>P@SSW0rd<\/li>\n<li>a123<\/li>\n<li>a111111<\/li>\n<li>a123456789<\/li>\n<li>a1234<\/li>\n<li>p@ssw0rd<\/li>\n<li>P@ssW0rd<\/li>\n<li>P@ssw0rd<\/li>\n<li>aa123456<\/li>\n<li>1234abcd<\/li>\n<li>qwer1234!@#$<\/li>\n<li>159357<\/li>\n<li>33669
9<\/li>\n<li>1qaz2wsx<\/li>\n<li>paSSword<\/li>\n<li>password1<\/li>\n<li>654321<\/li>\n<li>qwerty<\/li>\n<li>123456a<\/li>\n<li>pa$$word<\/li>\n<li>passw0rd<\/li>\n<li>PasswOrd<\/li>\n<li>qwe.123<\/li>\n<li>zxc123!@#<\/li>\n<li>root<\/li>\n<li>a1b2c3<\/li>\n<li>admin123456<\/li>\n<li>pass<\/li>\n<li>pass123<\/li>\n<li>zxc123<\/li>\n<li>user<\/li>\n<li>11223344<\/li>\n<li>asd123456<\/li>\n<li>password123<\/li>\n<li>121212<\/li>\n<li>monkey<\/li>\n<li>princess<\/li>\n<li>guest<\/li>\n<li>123123123<\/li>\n<li>qazwsx<\/li>\n<li>computer<\/li>\n<li>12345a<\/li>\n<li>1111222<\/li>\n<li>111222<\/li>\n<li>123456789a<\/li>\n<li>000000<\/li>\n<li>1qazXSW@<\/li>\n<li>1qaz@WSX<\/li>\n<li>123!@#qwe<\/li>\n<li>1q2w3e4r5t<\/li>\n<li>qwertyuiop<\/li>\n<li>q1w2e3<\/li>\n<li>123321<\/li>\n<li>123qwe<\/li>\n<li>1q2w3e4r<\/li>\n<li>7777777<\/li>\n<li>987654321<\/li>\n<li>qwerty1<\/li>\n<li>222222<\/li>\n<li>1g2w3e4r<\/li>\n<li>zag12wsx<\/li>\n<li>system<\/li>\n<li>555555<\/li>\n<li>1q2w3e<\/li>\n<li>admin123!@#<\/li>\n<li>P@$$w0rd<\/li>\n<li>123698745<\/li>\n<li>asdfjkl<\/li>\n<li>21212121<\/li>\n<li>456852<\/li>\n<li>a12345678<\/li>\n<li>money123<\/li>\n<li>1qazxsw2<\/li>\n<li>1234rewq<\/li>\n<li>12qwaszx<\/li>\n<li>22222222<\/li>\n<li>zxcvbnm123<\/li>\n<li>password11<\/li>\n<li>zxcv<\/li>\n<li>a1b2c3d4<\/li>\n<li>qqqqqq<\/li>\n<li>aaa111<\/li>\n<li>111aaa<\/li>\n<li>369369369<\/li>\n<li>369369<\/li>\n<li>123454321<\/li>\n<li>qw123321<\/li>\n<li>asdasdasd<\/li>\n<li>111222333<\/li>\n<li>asdfghj<\/li>\n<li>ypbwkfyjhyhgzj<\/li>\n<li>ly1234<\/li>\n<li>vice_1433 
vice<\/li>\n<li>sa@123<\/li>\n<li>Admin123<\/li>\n<li>123qweASD<\/li>\n<li>Abc123<\/li>\n<li>Sa123456<\/li>\n<li>sa123456<\/li>\n<li>sa123<\/li>\n<li>target123<\/li>\n<li>root123<\/li>\n<li>mssql<\/li>\n<li>sqlserver<\/li>\n<li>server<\/li>\n<li>client<\/li>\n<li>login<\/li>\n<li>test<\/li>\n<li>qq123456<\/li>\n<li>a123123<\/li>\n<li>18n28n24a5<\/li>\n<li>test1<\/li>\n<li>QAZ123<\/li>\n<li>Aa123456.<\/li>\n<li>test123<\/li>\n<li>super<\/li>\n<li>text<\/li>\n<li>vice<\/li>\n<li>ifuckyounow<\/li>\n<li>zXJl@mwZ<\/li>\n<li>!qaz1QAZ<\/li>\n<li>!qaz2WSX<\/li>\n<li>!qaz3wsx<\/li>\n<li>!qaz@WSX<\/li>\n<li>qqaazz<\/li>\n<li>z123456<\/li>\n<li>zaqwsx<\/li>\n<li>1qwerty<\/li>\n<li>musica<\/li>\n<li>!QAZ2wsx<\/li>\n<li>abcd1234<\/li>\n<li>123456aa<\/li>\n<li>1234321<\/li>\n<li>123zxc<\/li>\n<li>123321a<\/li>\n<li>123qaz<\/li>\n<li>qwer123<\/li>\n<li>qwerty123<\/li>\n<li>zxcvbnm,.\/<\/li>\n<li>q1w2Q!W@<\/li>\n<li>1qazxcvbnm,.\/<\/li>\n<li>bw99588399<\/li>\n<li>huweishen.com<\/li>\n<li>huweishen<\/li>\n<li>zkeys<\/li>\n<li>piress<\/li>\n<li>letmein<\/li>\n<li>Master<\/li>\n<li>master<\/li>\n<li>model<\/li>\n<li>tempdb<\/li>\n<li>zjsxidc123<\/li>\n<li>0okmnji9<\/li>\n<li>msdb<\/li>\n<li>superman<\/li>\n<li>sql123456<\/li>\n<li>baseball<\/li>\n<li>welcome<\/li>\n<li>sa@qaz<\/li>\n<li>sa@qazwsx<\/li>\n<li>123qweasd<\/li>\n<li>welcometo<\/li>\n<li>mypassword<\/li>\n<li>caonima<\/li>\n<li>147258<\/li>\n<li>qwe!@#123<\/li>\n<li>123qwe!@#<\/li>\n<li>qaz#@!321<\/li>\n<li>qwe123123<\/li>\n<li>a123.321<\/li>\n<li>a321.123<\/li>\n<li>a123.123<\/li>\n<li>a321.321<\/li>\n<li>zaq1xsw2<\/li>\n<li>qwert12345<\/li>\n<li>PassWord<\/li>\n<li>zxcasd<\/li>\n<li>qaswed<\/li>\n<li>1qaz@2wsx<\/li>\n<li>qaz1wsx2<\/li>\n<li>qwaszx!@#<\/li>\n<li>qazwsx!@#<\/li>\n<li>qwe123456<\/li>\n<li>1314520<\/li>\n<li>147258369<\/li>\n<li>idc123456<\/li>\n<li>123.654<\/li>\n<li>123.456<\/li>\n<li>123.456.789<\/li>\n<li>123.456.789a<\/li>\n<li>123.456a<\/li>\n<li>PASSWORD<\/li>\n<li>1qw23er4<\/li>\n<li>aaaaaa<\/li>\n<li
>zaq!@wsx<\/li>\n<li>aabbcc<\/li>\n<li>a12345<\/li>\n<li>zxcmnb<\/li>\n<li>zxcv1234<\/li>\n<li>2wsxdr5<\/li>\n<li>2wsx3edc<\/li>\n<li>2w3e4r<\/li>\n<li>234fd<\/li>\n<li>enkj.1qazxdr5<\/li>\n<li>123!@#<\/li>\n<li>idc123!@#<\/li>\n<li>3dgidc@))*<\/li>\n<li>ywinidc56#@!<\/li>\n<li>aini<\/li>\n<li>gjp<\/li>\n<li>aini1314520<\/li>\n<li>caonimagebi<\/li>\n<li>football<\/li>\n<li>football123<\/li>\n<li>administrator<\/li>\n<\/ul>\n<h3>List of ports scanned and exploited for vulnerabilities<\/h3>\n<ul>\n<li>80<\/li>\n<li>81<\/li>\n<li>88<\/li>\n<li>89<\/li>\n<li>8080<\/li>\n<li>8081<\/li>\n<li>8088<\/li>\n<li>8090<\/li>\n<li>8888<\/li>\n<li>8899<\/li>\n<li>8989<\/li>\n<li>9999<\/li>\n<li>7001<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Summary: On May 29, 2020, Unit 42 researchers discovered a new variant of hybrid cryptojacking malware amid numerous incidents involving in-the-wild exploitation of CVE-2019-9081<\/p>\n","protected":false},"author":312,"featured_media":134280,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4469,4428,4470],"tags":[4685,4889,5769,6290],"product_categories":[4340,4444,4456],"coauthors":[1359,1360,836,2423],"class_list":["post-107817","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerabilities","category-threat-research-ja","category-vulnerabilities-ja","tag-cryptocurrency-mining-ja","tag-cryptojacking-ja","tag-ddos-ja","tag-lucifer","product_categories-advanced-wildfire","product_categories-advanced-wildfire-ja","product_categories-next-generation-firewall-ja"],"yoast_head_json":{"title":"Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices","description":"A hybrid malware with an unusually broad feature set has been discovered. Named Lucifer, it performs DDoS attacks, installs XMRig to cryptojack Monero, runs C2 operations and self-propagates. This post compares and analyzes versions 1 and 2.","canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/lucifer-new-cryptojacking-and-ddos-hybrid-malware\/","og_locale":"ja_JP","og_type":"article","article_published_time":"2020-07-01T05:19:24+00:00","author":"Ken Hsu, Durgesh Sangvikar, Zhibin Zhang, Chris Navarrete","twitter_card":"summary_large_image"}}
\/v2\/product_categories?post=107817"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=107817"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}