{"id":126255,"date":"2022-12-20T17:24:29","date_gmt":"2022-12-21T01:24:29","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=126255"},"modified":"2024-07-30T19:41:59","modified_gmt":"2024-07-31T02:41:59","slug":"trident-ursa","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/trident-ursa\/","title":{"rendered":"\u30a6\u30af\u30e9\u30a4\u30ca\u4fb5\u653b\u5f8c\u3082\u63fa\u308b\u304c\u306c\u30ed\u30b7\u30a2APT\u653b\u6483\u30b0\u30eb\u30fc\u30d7Trident Ursa (Gamaredon)\u306e\u30b5\u30a4\u30d0\u30fc\u7d1b\u4e89\u5de5\u4f5c"},"content":{"rendered":"<h2><a id=\"post-126255-_tpr49zn7jhzs\"><\/a><strong>\u6982\u8981<\/strong><\/h2>\n<p>2\u6708\u521d\u65ec\u306bAPT (Advanced Persistent Threat: \u6301\u7d9a\u7684\u6a19\u7684\u578b\u653b\u6483)\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3001<a href=\"https:\/\/unit42.paloaltonetworks.jp\/gamaredon-primitive-bear-ukraine-update-2021\/\">Trident Ursa (\u5225\u540d: Gamaredon\u3001UAC-0010\u3001Primitive Bear\u3001Shuckworm)<\/a>\u3092\u53d6\u308a\u4e0a\u3052\u305f\u524d\u7a3f\u4ee5\u6765\u3001\u30a6\u30af\u30e9\u30a4\u30ca\u3068\u305d\u306e\u30b5\u30a4\u30d0\u30fc\u30c9\u30e1\u30a4\u30f3\u306b\u5bfe\u3059\u308b\u30ed\u30b7\u30a2\u304b\u3089\u306e\u8105\u5a01\u306f\u9ad8\u307e\u308a\u3064\u3065\u3051\u3066\u3044\u307e\u3059\u3002<a href=\"https:\/\/ssu.gov.ua\/uploads\/files\/DKIB\/Technical%20report%20Armagedon.pdf\">\u30a6\u30af\u30e9\u30a4\u30ca\u4fdd\u5b89\u5c40<\/a>\u306f\u3001Trident Ursa\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u3092\u30ed\u30b7\u30a2\u9023\u90a6\u4fdd\u5b89\u5c40\u306b\u5e30\u5c5e\u3055\u305b\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u5730\u4e0a\u3067\u3082\u30b5\u30a4\u30d0\u30fc\u7a7a\u9593\u3067\u3082\u7d1b\u4e89\u304c\u7d9a\u304f\u306a\u304b\u3001Trident 
Ursa\u306f\u3082\u3063\u3071\u3089\u30a2\u30af\u30bb\u30b9\u306e\u78ba\u4fdd\u3084\u30a4\u30f3\u30c6\u30ea\u30b8\u30a7\u30f3\u30b9\u306e\u53ce\u96c6\u9762\u3067\u6d3b\u52d5\u3057\u3066\u3044\u307e\u3059\u3002Trident Ursa\u306f\u57f7\u62d7\u306b\u30a6\u30af\u30e9\u30a4\u30ca\u3092\u72d9\u3046APT\u306e1\u3064\u3067\u3001\u305d\u306e\u6d3b\u52d5\u306f\u6df1\u304f\u6d78\u900f\u3057\u3001\u4fb5\u8972\u7684\u304b\u3064\u7d99\u7d9a\u7684\u3067\u3059\u3002<\/p>\n<p>\u73fe\u5728\u9032\u884c\u4e2d\u306e\u5730\u653f\u5b66\u7684\u72b6\u6cc1\u3068\u540cAPT\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306e\u7279\u5b9a\u6a19\u7684\u3078\u306e\u57f7\u5fc3\u3092\u8e0f\u307e\u3048\u3001Unit 42\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306f\u3001\u5f7c\u3089\u306e\u6d3b\u52d5\u6307\u6a19\u3092\u7a4d\u6975\u7684\u306b\u76e3\u8996\u3057\u7d9a\u3051\u3066\u3044\u307e\u3059\u3002\u305d\u306e\u306a\u304b\u3067\u79c1\u305f\u3061\u306f\u3001\u904e\u53bb10\u30f6\u6708\u9593\u306b\u4f7f\u308f\u308c\u305f500\u500b\u4ee5\u4e0a\u306e\u65b0\u3057\u3044\u30c9\u30e1\u30a4\u30f3\u3001200\u500b\u306e\u30b5\u30f3\u30d7\u30eb\u3001\u305d\u306e\u4ed6\u306eIoC(Indicators of Compromise: \u4fb5\u5bb3\u6307\u6a19)\u3092\u30de\u30c3\u30d4\u30f3\u30b0\u3057\u307e\u3057\u305f\u3002Trident Ursa\u306f\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u3084\u30de\u30eb\u30a6\u30a7\u30a2\u306a\u3069\u306e\u3055\u307e\u3056\u307e\u306a\u76ee\u7684\u306b\u3053\u308c\u3089\u3092\u6d3b\u7528\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u672c\u7a3f\u306fTrident Ursa\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306b\u95a2\u3057\u3066\u73fe\u6642\u70b9\u3067\u79c1\u305f\u3061\u304c\u628a\u63e1\u3057\u3066\u3044\u308b\u5168\u4f53\u50cf\u3092\u4e2d\u5fc3\u3068\u3057\u3066<a 
href=\"https:\/\/github.com\/pan-unit42\/iocs\/blob\/master\/Gamaredon\/Gamaredon_IoCs_DEC2022.txt\">\u65e2\u77e5\u306eIoC<\/a>\u306b\u52a0\u3048\u305f\u6700\u65b0\u60c5\u5831\u3092\u304a\u5c4a\u3051\u3057\u307e\u3059\u3002<\/p>\n<p>\u5f53\u8a72\u30b5\u30a4\u30d0\u30fc\u30c9\u30e1\u30a4\u30f3\u3084\u30aa\u30fc\u30d7\u30f3\u30bd\u30fc\u30b9\u60c5\u5831\u3092\u76e3\u8996\u3059\u308b\u306a\u304b\u3067\u79c1\u305f\u3061\u306f\u6ce8\u76ee\u3059\u3079\u304d\u4e8b\u9805\u3092\u8907\u6570\u767a\u898b\u3057\u307e\u3057\u305f\u3002<\/p>\n<ul>\n<li>8\u670830\u65e5\u306bNATO\u52a0\u76df\u56fd\u5185\u306e\u3042\u308b\u77f3\u6cb9\u7cbe\u88fd\u5927\u624b\u4f01\u696d\u3078\u306e\u4fb5\u5bb3\u3092\u8a66\u307f\u308b\u3082\u5931\u6557<\/li>\n<li>Trident Ursa\u306e\u95a2\u4fc2\u8005\u3068\u601d\u308f\u308c\u308b\u4eba\u7269\u304c\u6700\u521d\u306e\u4fb5\u7565\u76f4\u5f8c\u306b\u3042\u308b\u30a6\u30af\u30e9\u30a4\u30ca\u306e\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306b\u5bfe\u3057\u3066\u5371\u5bb3\u3092\u52a0\u3048\u308b\u3068\u8105\u8feb<\/li>\n<li>\u6226\u8853\u3001\u6280\u8853\u3001\u624b\u9806(TTP)\u306e\u304b\u305a\u304b\u305a\u306e\u5909\u9077<\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">\u30d1\u30ed\u30a2\u30eb\u30c8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30b9\u306e\u304a\u5ba2\u69d8\u306f\u3001\u4ee5\u4e0b\u306e\u88fd\u54c1\u306b\u3088\u308a\u672c\u7a3f\u3067\u53d6\u308a\u4e0a\u3052\u305f\u7a2e\u985e\u306e\u8105\u5a01\u304b\u3089\u4fdd\u8b77\u3055\u308c\u3066\u3044\u307e\u3059: <\/span><a href=\"https:\/\/www.paloaltonetworks.jp\/cortex\/cortex-xdr\"><span style=\"font-weight: 400;\">Cortex XDR<\/span><\/a><span style=\"font-weight: 400;\">\u3001<\/span><a href=\"https:\/\/www.paloaltonetworks.jp\/products\/secure-the-network\/wildfire\"><span style=\"font-weight: 400;\">WildFire<\/span><\/a><span style=\"font-weight: 400;\">\u3001<\/span><a 
href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/advanced-url-filtering\"><span style=\"font-weight: 400;\">\u9ad8\u5ea6\u306aURL\u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0<\/span><\/a><span style=\"font-weight: 400;\">\u3001<\/span><a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/advanced-threat-prevention\"><span style=\"font-weight: 400;\">\u9ad8\u5ea6\u306a\u8105\u5a01\u9632\u5fa1<\/span><\/a><span style=\"font-weight: 400;\">\u3001<\/span><a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/dns-security\"><span style=\"font-weight: 400;\">DNS\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3<\/span><\/a><span style=\"font-weight: 400;\">\u30b5\u30d6\u30b9\u30af\u30ea\u30d7\u30b7\u30e7\u30f3\u30b5\u30fc\u30d3\u30b9<\/span> (<a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/next-generation-firewall\"><span style=\"font-weight: 400;\">\u6b21\u4e16\u4ee3\u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb NGFW<\/span><\/a><span style=\"font-weight: 400;\">\u7528)\u3002<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><b>\u95a2\u9023\u3059\u308bUnit 42\u306e\u30c8\u30d4\u30c3\u30af<\/b><\/td>\n<td><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/russia-ja\/\"><span style=\"font-weight: 400;\">Russia<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/ukraine-ja\/\"><span style=\"font-weight: 400;\">Ukraine<\/span><\/a><span style=\"font-weight: 400;\">, <\/span><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/gamaredon-ja\/\"><span style=\"font-weight: 400;\">Gamaredon<\/span><\/a><a href=\"https:\/\/unit42.paloaltonetworks.jp\/tag\/sandbox-ja\/\"><span style=\"font-weight: 400;\">\u00a0<\/span><\/a><\/td>\n<\/tr>\n<tr>\n<td><b>Trident UrsaAPT\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306e\u5225\u540d<\/b><\/td>\n<td><span style=\"font-weight: 400;\">Gamaredon, UAC-0010, Primitive Bear, Shuckworm<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><a 
id=\"post-126255-_q4yt4t8e060w\"><\/a><strong>\u30a6\u30af\u30e9\u30a4\u30ca\u4ee5\u5916\u306e\u5730\u57df\u3082\u6a19\u7684\u306b<\/strong><\/h2>\n<p>\u5f93\u6765\u306eTrident Ursa\u306f\u30a6\u30af\u30e9\u30a4\u30ca\u306e\u56e3\u4f53\u3092\u6a19\u7684\u3068\u3057\u3066\u30a6\u30af\u30e9\u30a4\u30ca\u8a9e\u306e\u304a\u3068\u308a(\u30eb\u30a2\u30fc)\u3092\u4f7f\u3063\u3066\u3044\u307e\u3057\u305f\u3002\u540c\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306b\u3064\u3044\u3066\u306f\u3053\u306e\u30d1\u30bf\u30fc\u30f3\u304c\u3044\u307e\u3067\u3082\u4e00\u756a\u591a\u3044\u3067\u3059\u304c\u3001\u82f1\u8a9e\u306e\u30eb\u30a2\u30fc\u3092\u4f7f\u3063\u305f\u4f8b\u3082\u4f55\u5ea6\u304b\u78ba\u8a8d\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u300c\u3053\u308c\u3089\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u30a6\u30af\u30e9\u30a4\u30ca\u3068NATO\u306e\u540c\u76df\u56fd\u306b\u5bfe\u3057\u3066Trident Ursa\u304c\u60c5\u5831\u53ce\u96c6\u3068\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a2\u30af\u30bb\u30b9\u3092\u5f37\u5316\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u793a\u3059\u3082\u306e\u300d\u3068\u79c1\u305f\u3061\u306f\u898b\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u540c\u76df\u56fd\u653f\u5e9c\u3092\u6a19\u7684\u3068\u3059\u308b\u3053\u308c\u3089\u306e\u53d6\u308a\u7d44\u307f\u306b\u6cbf\u3063\u3066\u30018\u670830\u65e5\u306b\u306f\u3001\u3042\u308bNATO\u52a0\u76df\u56fd\u306e\u5927\u624b\u77f3\u6cb9\u7cbe\u88fd\u4f1a\u793e\u3092\u4fb5\u5bb3\u3057\u3088\u3046\u3068\u3057\u3066\u5931\u6557\u3057\u305f\u3088\u3046\u3059\u304c\u3001\u540c\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306eIoC\u30ec\u30d3\u30e5\u30fc\u306e\u3055\u3044\u306b\u78ba\u8a8d\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n<table style=\"width: 100%; height: 304px;\">\n<tbody>\n<tr style=\"height: 56px;\">\n<td style=\"width: 61.1056%; height: 56px;\"><b>SHA256<\/b><\/td>\n<td style=\"width: 38.2034%; height: 56px;\"><b>\u30d5\u30a1\u30a4\u30eb\u540d<\/b><\/td>\n<\/tr>\n<tr style=\"height: 57px;\">\n<td 
style=\"width: 61.1056%; height: 57px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">b1bc659006938eb5912832eb8412c609d2d875c001ab411d1b69d343515291b7<\/span><\/td>\n<td style=\"width: 38.2034%; height: 57px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">MilitaryassistanceofUkraine.htm<\/span><\/td>\n<\/tr>\n<tr style=\"height: 57px;\">\n<td style=\"width: 61.1056%; height: 57px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">0b63f6e7621421de9968d46de243ef769a343b61597816615222387c45df80ae<\/span><\/td>\n<td style=\"width: 38.2034%; height: 57px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">Necessary_military_assistance.rar<\/span><\/td>\n<\/tr>\n<tr style=\"height: 134px;\">\n<td style=\"width: 61.1056%; height: 134px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">303abc6d8ab41cb00e3e7a2165ecc1e7fb4377ba46a9f4213a05f764567182e5<\/span><\/td>\n<td style=\"width: 38.2034%; height: 134px;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">List of necessary things for the provision of military humanitarian assistance to Ukraine.lnk <\/span><span style=\"font-weight: 400;\">(\u6ce8: \u4e0a\u8a18<\/span><span style=\"font-weight: 400;\">.<span style=\"font-family: 'courier new', courier, monospace;\">rar<\/span><\/span><span style=\"font-weight: 400;\">\u306b\u540c\u68b1\u3055\u308c\u3066\u3044\u308b\u30d5\u30a1\u30a4\u30eb)<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center;\"><span style=\"font-size: 10pt; color: #999999;\"><em>\u88681 Trident Ursa\u304c\u4f7f\u3063\u3066\u3044\u305f\u82f1\u8a9e\u306e\u30b5\u30f3\u30d7\u30eb<\/em><\/span><\/p>\n<h2><a 
id=\"post-126255-_iwizxp5feoux\"><\/a><strong>\u30cf\u30c3\u30ad\u30f3\u30b0\u306b\u3068\u3069\u307e\u3089\u306c\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30b3\u30df\u30e5\u30cb\u30c6\u30a3\u3078\u306e\u516c\u7136\u306e\u8105\u5a01<\/strong><\/h2>\n<p>\u79c1\u305f\u3061\u304c\u89b3\u6e2c\u3057\u305f\u306a\u304b\u3067\u3082\u3082\u3063\u3068\u3082\u9a5a\u3044\u305f\u3053\u3068\u306e\u3072\u3068\u3064\u306f\u3001Trident Ursa\u3068\u95a2\u4fc2\u3059\u308b\u3068\u898b\u3089\u308c\u308bAnton (\u30ad\u30ea\u30eb\u6587\u5b57\u3067\u0410\u043d\u0442\u043e\u043d)\u3068\u3044\u3046\u4eba\u7269\u304cTwitter\u4e0a\u3067\u3042\u308b\u5c11\u4eba\u6570\u306e\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u30b0\u30eb\u30fc\u30d7\u3092\u30ed\u30b7\u30a2\u306e\u30a6\u30af\u30e9\u30a4\u30ca\u4fb5\u653b\u3068\u540c\u65e5(2022\u5e742\u670824\u65e5)\u306b\u8105\u8feb\u3057\u305f\u3053\u3068\u3067\u3059\u3002Anton\u306f\u3001\u4fb5\u653b\u524d\u306e\u4f55\u65e5\u9593\u304b\u306bTrident Ursa\u306eIoC\u3092\u53d6\u308a\u4e0a\u3052\u305f\u30c4\u30a4\u30fc\u30c8\u304b\u3089\u3053\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u3092\u9078\u3093\u3060\u3088\u3046\u3067\u3059\u3002<\/p>\n<p>\u6700\u521d\u306e\u30c4\u30a4\u30fc\u30c8(\u56f31)\u306f\u3001\u4fb5\u653b\u304c\u9032\u3080\u306a\u304b\u3067Anton(@Anton15001398)\u304c\u30a6\u30af\u30e9\u30a4\u30ca\u5728\u4f4f\u306e\u8105\u5a01\u30ea\u30b5\u30fc\u30c1\u30e3\u30fcMikhail Kasimov(@500mk500)\u306b\u5bfe\u3057\u3066\u884c\u3063\u305f\u3082\u306e\u3067\u3059\u3002\u3044\u304f\u3064\u304b\u306e\u30c4\u30a4\u30fc\u30c8\u3067\u5f7c\u306f\u300crun, I'm coming for you. 
(\u9003\u3052\u308d\u3088\u3001\u8fce\u3048\u306b\u884c\u304f\u304b\u3089)\u300d\u3068\u767a\u8a00\u3057\u3066\u3044\u307e\u3059\u304c\u3001Kasimov\u6c0f\u3078\u306e\u6700\u521d\u306e\u30c4\u30a4\u30fc\u30c8\u304c\u3042\u307e\u308a\u306b\u6c17\u3065\u3044\u3066\u3082\u3089\u3048\u3066\u3044\u306a\u3044\u3068\u8003\u3048\u305f\u306e\u304b\u3001\u6700\u5f8c\u306e\u30c4\u30a4\u30fc\u30c8\u306b\u306f\u30cf\u30c3\u30b7\u30e5\u30bf\u30b0#Gamaredon\u3092\u4ed8\u3051\u3066\u4ed6\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306b\u767a\u898b\u3055\u308c\u3084\u3059\u3044\u3088\u3046\u306b\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_126210\" aria-describedby=\"caption-attachment-126210\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126210 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-71.png\" alt=\"\u753b\u50cf1\u306f\u3001Twitter\u30e6\u30fc\u30b6\u30fcAnton15001398\u304c\u30a6\u30af\u30e9\u30a4\u30ca\u5728\u4f4f\u306e\u8105\u5a01\u30ea\u30b5\u30fc\u30c1\u30e3\u30fcMikhail Kasimov (Twitter\u30a2\u30ab\u30a6\u30f3\u30c8\u540d: 500mk500)\u3092\u6a19\u7684\u3068\u3057\u3066\u884c\u3063\u305f\u4e00\u9023\u306e\u30c4\u30a4\u30fc\u30c8\u3002\u3053\u308c\u3089\u306e\u30c4\u30a4\u30fc\u30c8\u3067\u30a2\u30af\u30bf\u30fc\u306fGamaredon\u3068\u3044\u3046\u30cf\u30c3\u30b7\u30e5\u30bf\u30b0\u3092\u4f7f\u3063\u3066Mikhail\u6c0f\u306b\u5bfe\u3057\u300crun, I'm coming for you\u300d\u3068\u3044\u3046\u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u9001\u3063\u3066\u3044\u308b \" width=\"900\" height=\"194\" \/><figcaption id=\"caption-attachment-126210\" class=\"wp-caption-text\">\u56f31. Mikhail Kasimov\u6c0f\u3078\u306e\u8105\u8feb<\/figcaption><\/figure>\n<p>\u305d\u306e\u5f8c\u3053\u306eAnton\u306f\u5225\u306e\u30a2\u30ab\u30a6\u30f3\u30c8(@YumHSh2UdIkz64w)\u3092\u4f7f\u3063\u3066Shadow Chaser Group(@ShadowChasing1)\u3068TI Research(@tiresearch1)\u306b\u300clet's be friends. 
(\u4ef2\u826f\u304f\u3084\u308d\u3046) We do not want to fight, but we do it well! (\u4e89\u3044\u305f\u304f\u306f\u306a\u3044\u304c\u3084\u308b\u3068\u304d\u306f\u3084\u308b\u305c)\u300d\u300d\u3068\u3044\u3046\u4e0d\u5409\u306a\u30e1\u30c3\u30bb\u30fc\u30b8\u3092\u9001\u3063\u3066\u3044\u307e\u3059(\u56f32)\u3002<\/p>\n<figure id=\"attachment_126212\" aria-describedby=\"caption-attachment-126212\" style=\"width: 410px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126212 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-72.png\" alt=\"\u753b\u50cf2\u306f\u3001Twitter\u30e6\u30fc\u30b6\u30fcYumHSh2UdIkz64w\u304c\u3001Shadow Chaser Group\u306eTwitter\u30a2\u30ab\u30a6\u30f3\u30c8ShadowChasing1\u3068TI Research\u306eTwitter\u30a2\u30ab\u30a6\u30f3\u30c8tiresearch1\u3092\u30bf\u30b0\u4ed8\u3051\u3057\u3066\u884c\u3063\u305f\u30c4\u30a4\u30fc\u30c8\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3067\u3059\u3002 \" width=\"410\" height=\"261\" \/><figcaption id=\"caption-attachment-126212\" class=\"wp-caption-text\">\u56f32. Shadow Chaser Group\u3068TI Research\u306b\u8b66\u544a\u3057\u3066\u3044\u308b<\/figcaption><\/figure>\n<p>\u305d\u306e2\u65e5\u5f8c\u306e2\u670826\u65e5\u3001Anton\u306f\u6700\u5f8c\u306e\u3001\u305d\u3057\u3066\u3053\u308c\u307e\u3067\u3067\u3082\u3063\u3068\u3082\u8105\u8feb\u7684\u306a\u30c4\u30a4\u30fc\u30c8\u3092\u9001\u308a\u307e\u3057\u305f(\u56f33)\u3002\u305d\u306e\u30c4\u30a4\u30fc\u30c8\u306b\u306fMikhail Kasimov\u306e\u30d5\u30eb\u30cd\u30fc\u30e0\u3001\u751f\u5e74\u6708\u65e5\u3001\u4f4f\u6240\u3068\u3068\u3082\u306b\u3001\u300cWe are already in the city, there is nowhere to run. 
You had a chance(\u3082\u3046\u5e02\u5185\u306b\u3044\u308b\u3002\u9003\u3052\u5834\u306f\u306a\u3044\u3002\u9003\u3052\u3089\u308c\u308b\u3046\u3061\u306b\u9003\u3052\u3066\u304a\u304f\u3093\u3060\u3063\u305f\u306a)\u300d\u3068\u3044\u3046\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u8a18\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<figure id=\"attachment_126214\" aria-describedby=\"caption-attachment-126214\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126214 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-73.png\" alt=\" \u753b\u50cf3\u306f\u3001Twitter\u30e6\u30fc\u30b6\u30fcYumHSh2UdIkz64w\u304c\u3001\u30a6\u30af\u30e9\u30a4\u30ca\u5728\u4f4f\u306e\u8105\u5a01\u30ea\u30b5\u30fc\u30c1\u30e3\u30fcMikhail Kasimov\u6c0f\u3092\u6a19\u7684\u3068\u3057\u3066\u884c\u3063\u305f\u30c4\u30a4\u30fc\u30c8\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3002\u300cWe are already in the city, there is nowhere to run. You had a chance(\u3082\u3046\u5e02\u5185\u306b\u3044\u308b\u3002\u9003\u3052\u5834\u306f\u306a\u3044\u3002\u9003\u3052\u3089\u308c\u308b\u3046\u3061\u306b\u9003\u3052\u3066\u304a\u304f\u3093\u3060\u3063\u305f\u306a)\u300d\u3068\u3044\u3046\u30e1\u30c3\u30bb\u30fc\u30b8\u3068\u3068\u3082\u306b\u500b\u4eba\u60c5\u5831\u3092\u6652\u3057\u3066\u3044\u308b(\u500b\u4eba\u60c5\u5831\u90e8\u5206\u306f\u524a\u9664\u51e6\u7406\u6e08\u307f)\u3002 \" width=\"800\" height=\"426\" \/><figcaption id=\"caption-attachment-126214\" class=\"wp-caption-text\">\u56f33. 
Mikhail Kasimov\u6c0f\u3092\u6652\u3057\u3066(doxxing)\u8105\u8feb\u3059\u308b\u30c4\u30a4\u30fc\u30c8(\u5143\u306e\u30c4\u30a4\u30fc\u30c8\u304b\u3089\u30d5\u30eb\u30cd\u30fc\u30e0\u3001\u751f\u5e74\u6708\u65e5\u3001\u4f4f\u6240\u3092\u52a0\u5de5\u6e08\u307f)<\/figcaption><\/figure>\n<p>\u3053\u306eTrident Ursa\u306e\u95a2\u4fc2\u8005\u3068\u79f0\u3059\u308b\u4eba\u7269\u304b\u3089\u306e\u76f4\u622a\u306a\u8105\u8feb\u30e1\u30c3\u30bb\u30fc\u30b8\u306f\u53d7\u4fe1\u8005(\u3068\u304f\u306b\u6226\u5730\u3067\u6d3b\u52d5\u3059\u308b\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u306eKasimov\u6c0f)\u3092\u4e0d\u5b89\u306b\u3055\u305b\u305f\u3053\u3068\u3067\u3057\u3087\u3046\u3002\u3057\u304b\u3057\u3001\u6a19\u7684\u3068\u3055\u308c\u305f\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u305f\u3061\u306f\u81c6\u3059\u308b\u3053\u3068\u306a\u304f\u3001\u3053\u308c\u3089\u8105\u8feb\u306e\u5f8c\u306e\u6570\u9031\u9593\u3001\u3055\u3089\u306bTrident Ursa\u306b\u95a2\u3059\u308bIoC\u3092\u30c4\u30a4\u30fc\u30c8\u3057\u3066\u3044\u307e\u3057\u305f\u3002Kasimov\u6c0f\u306f\u4e16\u754c\u4e2d\u306e\u591a\u304f\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u3068\u5171\u306b\u3001\u3053\u306eAPT\u653b\u6483\u30b0\u30eb\u30fc\u30d7\u306e\u65b0\u305f\u306aIoC\u3092\u65e5\u5e38\u7684\u306b\u767a\u4fe1\u3057\u7d9a\u3051\u3066\u3044\u307e\u3059\u3002<\/p>\n<h2><a id=\"post-126255-_aeerhyd2lwk5\"><\/a><strong>DNS\u95a2\u9023\u306e\u4e0d\u6b63\u884c\u70ba<\/strong><\/h2>\n<p>Trident Ursa\u306f<a href=\"https:\/\/unit42.paloaltonetworks.jp\/fast-flux-101\/\">\u9ad8\u901f\u30d5\u30e9\u30c3\u30af\u30b9DNS<\/a> 
(\u30b5\u30a4\u30d0\u30fc\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30a2\u30ca\u30ea\u30b9\u30c8\u306b\u3088\u308b\u30a4\u30f3\u30d5\u30e9\u306e\u5206\u6790\u3092\u56f0\u96e3\u306b\u3059\u308b\u624b\u6cd5)\u3092\u4f7f\u3044\u3001\u81ea\u3089\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306e\u56de\u5fa9\u529b\u3092\u9ad8\u3081\u3088\u3046\u3068\u3057\u3066\u304d\u307e\u3057\u305f\u3002\u9ad8\u901f\u30d5\u30e9\u30c3\u30af\u30b9DNS\u3092\u4f7f\u3046\u30a4\u30f3\u30d5\u30e9\u306f\u3001\u65e5\u6b21\u3067\u591a\u6570\u306eIP\u3092\u30ed\u30fc\u30c6\u30fc\u30b7\u30e7\u30f3\u3057\u3001\u305d\u308c\u305e\u308c\u306eIP\u306f\u77ed\u6642\u9593\u3057\u304b\u4f7f\u3044\u307e\u305b\u3093\u3002\u3053\u308c\u306b\u3088\u308aIP\u30d9\u30fc\u30b9\u306e\u30d6\u30ed\u30c3\u30af\u30ea\u30b9\u30c8\u3084\u30c6\u30a4\u30af\u30c0\u30a6\u30f3\u51e6\u7406\u3001\u30d5\u30a9\u30ec\u30f3\u30b8\u30c3\u30af\u5206\u6790\u304c\u96e3\u3057\u304f\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>Unit 42\u306e\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u304cIP\u3067\u306f\u306a\u304fTrident Ursa\u306e\u30c9\u30e1\u30a4\u30f3\u306b\u6ce8\u76ee\u3059\u308b\u306e\u306f\u3001\u3053\u306e\u6280\u8853\u306e\u4f7f\u7528\u304c\u4e3b\u306a\u7406\u7531\u3067\u3059\u30022022\u5e746\u6708\u4ee5\u964d\u3001Trident 
Ursa\u306f\u9ad8\u901f\u30d5\u30e9\u30c3\u30af\u30b9\u4ee5\u5916\u306b\u3082\u3044\u304f\u3064\u304b\u306e\u624b\u6cd5\u3092\u99c6\u4f7f\u3057\u3066\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u52b9\u7387\u3092\u9ad8\u3081\u3066\u3044\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u3053\u306e\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u306f\u591a\u6570\u306e\u6b63\u898f\u30c4\u30fc\u30eb\u3084\u30b5\u30fc\u30d3\u30b9\u3092\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306b\u4f7f\u3063\u3066\u304d\u307e\u3057\u305f\u3002\u8105\u5a01\u30a2\u30af\u30bf\u30fc\u304c\u60aa\u610f\u3092\u3082\u3063\u3066\u6b63\u898f\u88fd\u54c1\u3092\u60aa\u7528\u30fb\u8ee2\u7528\u3059\u308b\u306e\u306f\u73cd\u3057\u3044\u3053\u3068\u3067\u306f\u306a\u304f\u3001\u60aa\u7528\u3055\u308c\u305f\u6b63\u898f\u88fd\u54c1\u306e\u5074\u306b\u5fc5\u305a\u3057\u3082\u306a\u306b\u304b\u554f\u984c\u3084\u60aa\u610f\u304c\u3042\u308b\u3068\u3044\u3046\u3053\u3068\u306f\u610f\u5473\u3057\u307e\u305b\u3093\u3002<\/p>\n<h3><a id=\"post-126255-_g33d78g041ss\"><\/a>\u6b63\u898f\u306eWeb\u30b5\u30fc\u30d3\u30b9\u3092\u4ecb\u3057\u305fDNS\u306e\u8fc2\u56de<\/h3>\n<p>\u79c1\u305f\u3061\u304c\u89b3\u6e2c\u3057\u305f\u65b0\u305f\u306aTTP\u306e1\u3064\u3081\u306f\u3001\u60aa\u610f\u306e\u3042\u308b\u30c9\u30e1\u30a4\u30f3\u306eIP\u5272\u308a\u5f53\u3066\u30af\u30a8\u30ea\u306b\u6b63\u898f\u30b5\u30fc\u30d3\u30b9\u3092\u4f7f\u3046\u3068\u3044\u3046\u3082\u306e\u3067\u3059\u3002\u6b63\u898f\u30b5\u30fc\u30d3\u30b9\u3092\u5229\u7528\u3059\u308b\u3053\u3068\u3067\u60aa\u610f\u306e\u3042\u308b\u30c9\u30e1\u30a4\u30f3\u306eDNS\u3068DNS\u30ed\u30ae\u30f3\u30b0\u3092\u3046\u307e\u304f\u56de\u907f\u3057\u3066\u3044\u308b\u306e\u3067\u3059\u3002\u305f\u3068\u3048\u3070SHA256\u304c<span style=\"font-family: 'courier new', courier, 
monospace;\">499b56f3809508fc3f06f0d342a330bcced94c040e843784998f1112c78422<\/span>\u306e\u30b5\u30f3\u30d7\u30eb\u306f\u3001\u6b63\u898f\u30b5\u30fc\u30d3\u30b9\u3067\u3042\u308b<span style=\"font-family: 'courier new', courier, monospace;\">ip-api[.]<\/span>\u3092\u547c\u3073\u51fa\u3057\u3066\u3001<span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/ip-api[.]com\/csv\/josephine71.alabarda.ru<\/span>\u3092\u7d4c\u7531\u3057\u3066<span style=\"font-family: 'courier new', courier, monospace;\">josephine71.alabarda[.]ru<\/span>\u306b\u5272\u308a\u5f53\u3066\u3089\u308c\u305fIP\u3092\u53d6\u5f97\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u672c\u7a3f\u57f7\u7b46\u6642\u70b9\u3067\u306f\u3053\u306e\u51e6\u7406\u306b\u3088\u308a\u6b21\u306e\u5fdc\u7b54\u304c\u5f97\u3089\u308c\u307e\u3059\u3002<\/p>\n<p><img  class=\"aligncenter wp-image-126216 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-74.png\" alt=\"\u753b\u50cf4\u306f2\u884c\u306e\u30b3\u30fc\u30c9\u306e\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8\u3002DNS\u3068DNS\u30ed\u30b0\u53d6\u5f97\u3092\u8fc2\u56de\u3059\u308b\u3088\u3046\u3059\u3092\u8868\u3057\u3066\u3044\u308b\" width=\"800\" height=\"39\" \/><\/p>\n<p>\u3053\u306e\u30de\u30eb\u30a6\u30a7\u30a2\u306f\u3053\u306e\u901a\u4fe1\u3067\u5f97\u305fIP\u3092\u4f7f\u3063\u3066\u60aa\u610f\u306e\u3042\u308b\u30c9\u30e1\u30a4\u30f3\u3068\u306e\u901a\u4fe1\u3092\u7d9a\u3051\u307e\u3059\u3002\u30ed\u30b0\u306b\u6b8b\u308b\u552f\u4e00\u306eDNS\u30af\u30a8\u30ea\u306f<span style=\"font-family: 'courier new', courier, monospace;\">ip-api[.]com<\/span>\u306b\u5bfe\u3059\u308b\u6700\u521d\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u307f\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n<h3><a 
id=\"post-126255-_3cm3xnyqusni\"><\/a>\u30e1\u30c3\u30bb\u30fc\u30b8\u30f3\u30b0\u30b5\u30fc\u30d3\u30b9\u3092\u4ecb\u3057\u305fDNS\u306e\u8fc2\u56de<\/h3>\n<p>2\u3064\u3081\u306e\u30b5\u30f3\u30d7\u30eb\u306e\u5834\u5408\u3001Trident Ursa\u306fTelegram Messenger\u306e\u30b3\u30f3\u30c6\u30f3\u30c4\u3092\u5229\u7528\u3057\u3066\u30b3\u30de\u30f3\u30c9\uff06\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb(C2)\u306b\u4f7f\u3046\u6700\u65b0IP\u3092\u8abf\u3079\u3066\u3044\u307e\u3059\u3002\u30a2\u30af\u30bf\u30fc\u306f\u3053\u306e\u65b9\u6cd5\u306b\u3088\u308a\u3001\u6a19\u7684\u304c\u60aa\u610f\u306e\u3042\u308b\u30c9\u30e1\u30a4\u30f3\u306e\u30d6\u30ed\u30c3\u30af\u306b\u6210\u529f\u3057\u305f\u5834\u5408\u306b\u305d\u306a\u3048\u3001DNS\u3092\u88dc\u5b8c\u3057\u3088\u3046\u3068\u3057\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u305f\u3068\u3048\u3070SHA256\u304c<span style=\"font-family: 'courier new', courier, monospace;\">3e72981a45dc4bdaa178a3013710873ad90634729ffdd4b2c79c9a3a00f76f43<\/span>\u306e\u30b5\u30f3\u30d7\u30eb\u306f<span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/t[.]me\/s\/dracarc<\/span>\u3092\u547c\u3073\u51fa\u3057\u307e\u3059\u304c\u300111\u670818\u65e5\u73fe\u5728\u3053\u306e\u30a2\u30ab\u30a6\u30f3\u30c8(@dracarc)\u306fTelegram\u306e\u6295\u7a3f<span style=\"font-family: 'courier new', courier, monospace;\">==104@248@36@191==<\/span>\u3092\u8fd4\u3057\u3066\u304d\u307e\u3059\u3002\u3053\u308c\u304cIP <span style=\"font-family: 'courier new', courier, monospace;\">104.248.36[.]191<\/span>\u306b\u5909\u63db\u3055\u308c\u3066\u305d\u306e\u5f8c\u306e\u901a\u4fe1\u306b\u4f7f\u308f\u308c\u307e\u3059\u3002<\/p>\n<h3><a id=\"post-126255-_n76h3ctc4bc\"><\/a>\u30eb\u30fc\u30c8\u30c9\u30e1\u30a4\u30f3\u3068\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u306b\u5225\u306eIP\u3092\u5272\u308a\u5f53\u3066\u308b\u771f\u306eIP\u5272\u308a\u5f53\u3066\u306e\u96a0\u307a\u3044<\/h3>\n<p>11\u670815\u65e5\u3001\u79c1\u305f\u3061\u306fTrident 
Ursa\u306e\u30c9\u30e1\u30a4\u30f3<span style=\"font-family: 'courier new', courier, monospace;\">niobiumo[.]ru<\/span>\u304c\u7c73\u56fd\u56fd\u9632\u7dcf\u7701\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u60c5\u5831\u30bb\u30f3\u30bf\u30fc\u306eIP<span style=\"font-family: 'courier new', courier, monospace;\">147.159.180[.]73<\/span>\u306b\u5272\u308a\u5f53\u3066\u3089\u308c\u3066\u3044\u308b\u3053\u3068\u306b\u6c17\u3065\u304d\u307e\u3057\u305f\u3002\u305d\u306e\u5f8c\u3059\u3050\u79c1\u305f\u3061\u306fTrident Ursa\u306b\u306f\u305d\u306eIP\u3092\u904b\u7528\u7ba1\u7406\u3059\u308b\u3053\u3068\u3082\u4f7f\u3046\u3053\u3068\u3082\u3067\u304d\u306a\u3044\u3053\u3068\u3092\u7a81\u304d\u6b62\u3081\u307e\u3057\u305f\u3002<\/p>\n<p>Trident Ursa\u306f\u30ea\u30b5\u30fc\u30c1\u30e3\u30fc\u3092\u6df7\u4e71\u3055\u305b\u3001\u771f\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u7528\u30a4\u30f3\u30d5\u30e9\u3092\u4fdd\u8b77\u3059\u308b\u305f\u3081\u3001\u30eb\u30fc\u30c8\u30c9\u30e1\u30a4\u30f3\u7528\u306e\u9ad8\u901f\u30d5\u30e9\u30c3\u30af\u30b9DNS\u30c6\u30fc\u30d6\u30eb\u306b\u30b4\u30df(junk) IP\u3092\u6492\u3044\u3066\u3044\u307e\u3057\u305f\u3002\u30eb\u30fc\u30c8\u30c9\u30e1\u30a4\u30f3\u3092\u4f7f\u3046\u304b\u308f\u308a\u306b\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u3092\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306b\u4f7f\u3063\u3066\u3044\u305f\u306e\u3067\u3059\u3002<\/p>\n<p>\u672c\u5f53\u306b\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u306b\u4f7f\u3063\u3066\u3044\u308bIP\u306f\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u306b\u3064\u3044\u3066DNS\u306b\u30af\u30a8\u30ea\u3092\u51fa\u3057\u3066\u521d\u3081\u3066\u308f\u304b\u308b\u3068\u3044\u3046\u3057\u304f\u307f\u3067\u3059\u3002\u3053\u306e\u4e8b\u4f8b\u3067\u306f(\u56f34)\u3001\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3<span style=\"font-family: 'courier new', courier, monospace;\">aaa.niobiumo[.]ru<\/span>\u306b\u30af\u30a8\u30ea\u3092\u9001\u308b\u3068\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u7528\u306eIP <span 
style=\"font-family: 'courier new', courier, monospace;\">64.227.67[.]175<\/span>\u304c\u8fd4\u3055\u308c\u307e\u3057\u305f\u3002<\/p>\n<p><figure id=\"attachment_126218\" aria-describedby=\"caption-attachment-126218\" style=\"width: 897px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126219 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-75-ja.png\" alt=\"\u753b\u50cf4\u306fname\u3001class\u3001type\u3001data\u3001time to live (TTL)\u3092\u5217\u6319\u3057\u305f\u8868\u3002name\u306e\u4e0b\u306b\u5bfe\u8c61\u306e\u30c9\u30e1\u30a4\u30f3\u304c\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b\u3002 \" width=\"897\" height=\"530\" name=\"\" \/><figcaption id=\"caption-attachment-126218\" class=\"wp-caption-text\">\u56f34. <span style=\"font-family: 'courier new', courier, monospace;\">reg[.]ru<\/span>\u306e\u30cd\u30fc\u30e0\u30b5\u30fc\u30d0\u30fc\u306f\u30c9\u30e1\u30a4\u30f3\u306b\u3064\u3044\u3066\u306f\u507d\u30a2\u30c9\u30ec\u30b9\u3092\u9001\u308a\u3001\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u306b\u3064\u3044\u3066\u306f\u5b9f\u969b\u306e\u30a2\u30c9\u30ec\u30b9\u3092\u9001\u3063\u3066\u304f\u308b(\u6ce8: 11\u670815\u65e5\u73fe\u5728\u306e<span style=\"font-family: 'courier new', courier, monospace;\">aaa.niobium[.]ru<\/span>\u306eDNS\u540d\u524d\u89e3\u6c7a)\u3002<\/figcaption><\/figure>\u3053\u3053\u3067\u306f\u3001Trident Ursa\u306eDNS\u6d3b\u52d5\u3092\u5206\u6790\u3057\u3066\u5f97\u3089\u308c\u305f\u6b21\u306e2\u3064\u306e\u89b3\u6e2c\u7d50\u679c\u306b\u7740\u76ee\u3057\u305f\u3044\u3068\u601d\u3044\u307e\u3059\u3002<\/p>\n<ul>\n<li>\u30ed\u30b7\u30a2\u56fd\u5916\u3067\u306e\u30aa\u30da\u30ec\u30fc\u30b7\u30e7\u30f3\u7528\u30a4\u30f3\u30d5\u30e9\u3068\u3057\u3066Trident Ursa\u306fAS14061 (DigitalOcean, LLC)\u3068AS20473 (The Constant Company, 
LLC)\u3068\u3044\u30462\u3064\u306e\u81ea\u5f8b\u30b7\u30b9\u30c6\u30e0(AS)\u5185\u306eVPS\u30d7\u30ed\u30d0\u30a4\u30c0\u306b\u4e3b\u306b\u4f9d\u5b58\u3057\u3066\u3044\u307e\u3057\u305f\u3002\u904e\u53bb6\u9031\u9593\u306b\u308f\u305f\u308a\u30ed\u30b7\u30a2\u4ee5\u5916\u3067\u78ba\u8a8d\u3055\u308c\u305f122\u500b\u306eIP\u30a2\u30c9\u30ec\u30b9\u306e63%\u304cAS14061\u5185\u300129%\u304cAS20473\u5185\u3067\u3057\u305f\u3002\u6b8b\u308a\u306fUAB Cherry Servers\u304c\u6240\u6709\u3059\u308b\u8907\u6570\u306eAS\u306b\u5206\u6563\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/li>\n<li>Trident Ursa\u306e\u30c9\u30e1\u30a4\u30f3\u306e96%\u4ee5\u4e0a\u304c\u3001\u3042\u308b\u30ed\u30b7\u30a2\u4f01\u696d<span style=\"font-family: 'courier new', courier, monospace;\">reg[.]ru<\/span>\u306eDNS\u306b\u7d99\u7d9a\u3057\u3066\u767b\u9332\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u306e\u4f01\u696d\u306f\u4eca\u65e5\u306b\u3044\u305f\u308b\u307e\u3067\u3053\u306e\u60aa\u6027\u30a4\u30f3\u30d5\u30e9\u3092\u30d6\u30ed\u30c3\u30af\u306a\u3044\u3057\u62d2\u5426\u3059\u308b\u884c\u52d5\u3092\u53d6\u3063\u3066\u3044\u307e\u305b\u3093\u3002<\/li>\n<\/ul>\n<h2><a id=\"post-126255-_awm5c8jxjbq1\"><\/a><strong>\u4f7f\u308f\u308c\u3066\u3044\u305f\u3055\u307e\u3056\u307e\u306a\u30de\u30eb\u30a6\u30a7\u30a2\u306e\u7a2e\u985e<\/strong><\/h2>\n<p>\u904e\u53bb\u6570\u30f6\u6708\u306b\u308f\u305f\u3063\u3066Trident 
Ursa\u306f\u3055\u307e\u3056\u307e\u306a\u6226\u8853\u3067\u88ab\u5bb3\u8005\u306e\u30c7\u30d0\u30a4\u30b9\u306b\u6700\u521d\u306e\u4fb5\u5165\u53e3\u3092\u958b\u3044\u3066\u304d\u307e\u3057\u305f\u3002\u305d\u306e\u3055\u3044\u306f\u30e9\u30f3\u30c0\u30e0\u306b\u751f\u6210\u3055\u308c\u305f\u5909\u6570\u540d\u3092\u6301\u3064VBScript\u3084\u6587\u5b57\u5217\u306e\u9023\u7d50\u306b\u3088\u308b\u96e3\u8aad\u5316\u304c\u884c\u308f\u308c\u3066\u3044\u307e\u3057\u305f\u3002\u3053\u308c\u3089\u306e\u6226\u8853\u306f\u3044\u305a\u308c\u3082\u6700\u7d42\u7684\u306b\u306f\u30b9\u30d4\u30a2\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u306b\u3088\u308b\u60aa\u6027\u30b3\u30f3\u30c6\u30f3\u30c4\u914d\u4fe1\u306b\u4f9d\u5b58\u3057\u3066\u3044\u307e\u3057\u305f\u3002<\/p>\n<p>\u672c\u7a3f\u3067\u306f1\u3064\u3081\u306e\u914d\u4fe1\u65b9\u6cd5(<span style=\"font-family: 'courier new', courier, monospace;\">.html<\/span>\u30d5\u30a1\u30a4\u30eb\u3092\u4f7f\u3046\u65b9\u6cd5)\u3068\u30012\u3064\u3081\u306e\u914d\u4fe1\u65b9\u6cd5(Word\u6587\u66f8\u3092\u4f7f\u3046\u65b9\u6cd5)\u3092\u898b\u3066\u3044\u304d\u307e\u3059\u3002<\/p>\n<h3><a id=\"post-126255-_s7uy118bddtw\"><\/a>HTML\u30d5\u30a1\u30a4\u30eb\u3092\u4f7f\u3063\u305f\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0<\/h3>\n<p>Trident Ursa\u306f\u30d5\u30a3\u30c3\u30b7\u30f3\u30b0\u30e1\u30fc\u30eb\u306b\u76f4\u63a5\u6dfb\u4ed8\u3059\u308b\u304b\u3001\u30ea\u30f3\u30af\u3092\u4ecb\u3057\u3066<span style=\"font-family: 'courier new', courier, monospace;\">.html<\/span>\u30d5\u30a1\u30a4\u30eb\u3092\u914d\u4fe1\u3057\u3001\u30e1\u30fc\u30eb\u306e\u8105\u5a01\u30b9\u30ad\u30e3\u30f3\u3092\u56de\u907f\u3057\u3088\u3046\u3068\u3057\u307e\u3059\u3002\u3053\u306e\u3055\u3044\u306f<span style=\"font-family: 'courier new', courier, 
hxxp">
monospace;\">hxxp:\/\/state-cip[.]org\/arhiv<\/span> (Figure 5). At the time of writing, this site still appears to be active.<\/p>\n<figure id=\"attachment_126220\" aria-describedby=\"caption-attachment-126220\" style=\"width: 765px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126221 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-76-ja.png\" alt=\"Image 6 is a screenshot of a phishing email with a download button. The download button links to a malicious Trident Ursa domain\" width=\"765\" height=\"502\" \/><figcaption id=\"caption-attachment-126220\" class=\"wp-caption-text\">Figure 5. Sample phishing email with a link, as used by Trident Ursa<\/figcaption><\/figure>\n<p>These <span style=\"font-family: 'courier new', courier, monospace;\">.html<\/span> files contain a Base64-encoded <span style=\"font-family: 'courier new', courier, monospace;\">.rar<\/span> archive, which in turn contains a malicious <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span> file. Because the archive is reassembled by the browser from Base64 text, a gateway that inspects the attachment as a file sees only HTML rather than a <span style=\"font-family: 'courier new', courier, monospace;\">.rar<\/span> or <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span>. When the user clicks the <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span> file, it uses Microsoft HTML Application (<span style=\"font-family: 'courier new', courier, monospace;\">mshta.exe<\/span>) to download additional files via a URL (Figure 6).<\/p>\n<figure id=\"attachment_126222\" aria-describedby=\"caption-attachment-126222\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126223 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-77-ja-1.png\" alt=\"Image 7 is a flow diagram of the phishing attack that uses a malicious .lnk file. The flow starts with phishing and ends with VBScripts\" width=\"900\" height=\"600\" \/><figcaption id=\"caption-attachment-126222\" class=\"wp-caption-text\">Figure 6. Phishing attack flow using a malicious <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span> file<\/figcaption><\/figure>\n<p>Looking closely at a recent <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span> file (SHA256: <span style=\"font-family: 'courier new', courier, monospace;\">0d51b90457c85a0baa6304e1ffef2c3ea5dab3b9d27099551eef60389a34a89b<\/span>), it is 99.8 KB, roughly 98 KB larger than an average <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span> file.<\/p>\n<p>Examining these unusually large <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span> files shows that they contain random 10-character strings, which we assess were appended during creation. These strings are intended to hinder analysis; no purpose related to Trident Ursa's operations has been identified for them.<\/p>\n<p>When this <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span> shortcut is opened, it uses <span style=\"font-family: 'courier new', courier, 
mshta.exe">
monospace;\">mshta.exe<\/span> to reach <span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/admou[.]org\/29.11_mou\/presented.rtf<\/span>, passed as a command-line argument.<\/p>\n<p>Trident Ursa appears to use several techniques to restrict who can reach this URL. As other researchers have noted, Trident Ursa appears to use geoblocking (blocking content based on the requester's geographic location) to limit downloads of this file to specific regions.<\/p>\n<p>In this example, downloading <span style=\"font-family: 'courier new', courier, 
monospace;\">presented.rtf<\/span> via this URL is believed to be limited to Ukraine, with some exceptions.<\/p>\n<p>The threat actors also currently appear to be blocking ExpressVPN and NordVPN nodes inside Ukraine to hinder threat researchers. They further appear to have tightened access to the payload with additional filtering: for example, when VirusTotal requests the URL above it receives an HTTP status code of 200, indicating success, but the response body is 0 bytes long. Any detonation or URL-reputation check made from outside the targeted geography will therefore see an empty response rather than the payload.<\/p>\n<p>When the filtering conditions are met and the target opens the <span style=\"font-family: 'courier new', courier, monospace;\">.lnk<\/span>, <span style=\"font-family: 'courier new', courier, monospace;\">presented.rtf<\/span> (SHA256: <span style=\"font-family: 'courier new', courier, monospace;\">3990c6e9522e11b30354090cd919258aabef599de26fc4177397b59abaf395c3<\/span>) is downloaded. The <span style=\"font-family: 'courier new', courier, 
presented.rtf">
monospace;\">presented.rtf<\/span> file is actually an HTA file containing VBScript code.<\/p>\n<p>This HTA file decodes two Base64-encoded VBScripts embedded within it. It saves one to <span style=\"font-family: 'courier new', courier, monospace;\">%USERPROFILE%\\josephine<\/span> and runs the other with <span style=\"font-family: 'courier new', courier, monospace;\">Execute<\/span>. The VBScript that <span style=\"font-family: 'courier new', courier, monospace;\">presented.rtf<\/span> decodes and executes is responsible for establishing persistence, so that the VBScript saved in the <span style=\"font-family: 'courier new', courier, monospace;\">josephine<\/span> file runs every time the user logs in. The VBScript saved as <span style=\"font-family: 'courier new', courier, monospace;\">josephine<\/span> is the final payload of this installation process.<\/p>\n<p>The role of the first VBScript is to enable persistent access to the system. To do so, it creates a Windows scheduled task and a registry key, both of which are techniques Trident 
Ursa uses routinely. As the scheduled task information in Figure 7 shows, the script creates a new scheduled task named <span style=\"font-family: 'courier new', courier, monospace;\">Filmora.Complete<\/span> that runs the <span style=\"font-family: 'courier new', courier, monospace;\">josephine<\/span> script every five minutes.<\/p>\n<figure id=\"attachment_126224\" aria-describedby=\"caption-attachment-126224\" style=\"width: 829px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126224 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-78.png\" alt=\"Image 8 is a screenshot of a command prompt showing the VBScript creating a scheduled task that runs the josephine script\" width=\"829\" height=\"532\" \/><figcaption id=\"caption-attachment-126224\" class=\"wp-caption-text\">Figure 7. A scheduled task named <span style=\"font-family: 'courier new', courier, monospace;\">Filmora.Complete<\/span> is used to run the payload every five minutes<\/figcaption><\/figure>\n<p>The script also creates an Autorun registry key so that the VBScript <span style=\"font-family: 'courier new', courier, 
josephine">
monospace;\">josephine<\/span> runs automatically when the user logs in. Figure 8 shows the Autorun registry key, named <span style=\"font-family: 'courier new', courier, monospace;\">telemetry<\/span>, that was added to the system to run the VBScript at user login.<\/p>\n<figure id=\"attachment_126226\" aria-describedby=\"caption-attachment-126226\" style=\"width: 753px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126226 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-79.png\" alt=\"Image 9 is a screenshot of a command prompt interface. The Autorun registry key added to the system under the name telemetry, which runs the VBScript at user login, is highlighted\" width=\"753\" height=\"127\" \/><figcaption id=\"caption-attachment-126226\" class=\"wp-caption-text\">Figure 8. Autorun registry key that runs the VBScript at user login<\/figcaption><\/figure>\n<p>The <span style=\"font-family: 'courier new', courier, monospace;\">josephine<\/span> script provides backdoor functionality that the threat actor uses to run additional VBScript code supplied by the C2 server. The script contains two methods for determining the IP address of the C2 server it communicates with directly.<\/p>\n<p>The first method uses the following Windows Management Instrumentation (WMI) query to ping the domain <span style=\"font-family: 'courier new', courier, monospace;\">&lt;random number&gt;.ua-cip[.]org<\/span> and checks the <span style=\"font-family: 'courier new', courier, monospace;\">ProtocolAddress<\/span> value to determine the C2 IP address. <span style=\"font-family: 'courier new', courier, monospace;\">ProtocolAddress<\/span> is the resolved-address property of the WMI ping object, so this amounts to a DNS resolution whose result is read back from the ping status rather than from a direct lookup, regardless of whether the ICMP reply itself arrives.<\/p>\n<p><img  class=\"wp-image-126228 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-80.png\" width=\"778\" height=\"48\" \/><br \/>\nIf the domain cannot be reached, the script instead tries to obtain the C2 IP address from the Telegram URL <span style=\"font-family: 'courier new', courier, 
hxxps">
monospace;\">hxxps:\/\/t[.]me\/s\/vzloms<\/span>, checking the response body with the regular expression <span style=\"font-family: 'courier new', courier, monospace;\">==([0-9\\@]+)==<\/span>.<\/p>\n<p>Once it has the C2 IP address, the script communicates with the C2 by issuing a custom-built HTTP GET request (Figure 9). The custom fields modified in the HTTP request are the User-Agent and Accept-Language headers. The User-Agent has the computer name, the volume serial number and the string <span style=\"font-family: 'courier new', courier, monospace;\">::\/.josephine\/.<\/span> appended to it, and Accept-Language contains a hardcoded string.<\/p>\n<figure id=\"attachment_126230\" aria-describedby=\"caption-attachment-126230\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126230 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-81.png\" alt=\"Image 11 is a screenshot of several lines of code showing the custom HTTP GET request sent to the C2 server. The custom fields have been modified\" width=\"900\" height=\"203\" \/><figcaption id=\"caption-attachment-126230\" class=\"wp-caption-text\">Figure 9. HTTP request sent to the C2 server<\/figcaption><\/figure>\n<p>The <span style=\"font-family: 'courier new', courier, monospace;\">josephine<\/span> script reads the response to this HTTP request, decodes the Base64 data in the response and executes it as VBScript. To date, we have not observed an active C2 server responding to the <span style=\"font-family: 'courier new', courier, monospace;\">josephine<\/span> script's HTTP request with VBScripts.<\/p>\n<h3><a id=\"post-126255-_ouavjmpic8qk\"><\/a>Phishing with Word documents<\/h3>\n<p>Trident Ursa's recent phishing documents have low detection rates on VirusTotal, which we believe is due to their simplicity. For example, the sample with SHA256 <span style=\"font-family: 'courier new', courier, 
c22b20">
monospace;\">c22b20cee83b0802792a683ea7af86230288837bb3857c02e242fb6769fa8b0c<\/span> was not detected by any of 61 vendors as of December 8, 2022.<\/p>\n<figure id=\"attachment_126234\" aria-describedby=\"caption-attachment-126234\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><img  class=\"wp-image-126234 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/word-image-82.png\" alt=\"Image 11 is a VirusTotal screen showing the detection results for this SHA256. In this screenshot VirusTotal has not flagged the sample as malicious\" width=\"900\" height=\"171\" \/><figcaption id=\"caption-attachment-126234\" class=\"wp-caption-text\">Figure 10. Number of VirusTotal vendors detecting the sample with SHA256 <span style=\"font-family: 'courier new', courier, monospace;\">c22b20cee83b0802792a683ea7af86230288837bb3857c02e242fb6769fa8b0c<\/span><\/figcaption><\/figure>\n<p>The file relates to a purported tender for the purchase of computer equipment by Ukraine's National Academy of Security Service. The file itself contains no malicious code, which is why static scanning of the document finds nothing to flag. When opened, it attempts to reach and download a remote template from <span style=\"font-family: 'courier new', courier, 
monospace;\">hxxp:\/\/relax.salary48.minhizo[.]ru\/MAIL\/gloomily\/along.rcs<\/span>.<\/p>\n<p>This template, <span style=\"font-family: 'courier new', courier, monospace;\">along.rcs<\/span> (SHA256: <span style=\"font-family: 'courier new', courier, monospace;\">007483ad49d90ac2cabe907eb5b3d7eef6a5473217c83b0fe99d087ee7b3f6b3<\/span>), is an OLE file containing a macro that executes malicious code. The macro itself resembles the VBScript code in the HTA file described above and is used to load additional scripts.<\/p>\n<p>The installation VBScript saves the payload VBScript to <span style=\"font-family: 'courier new', courier, monospace;\">%USERPROFILE%\\Downloads\\frontier\\decisive<\/span> and creates a scheduled task named <span style=\"font-family: 'courier new', courier, monospace;\">GetSynchronization-USA<\/span> that runs the payload automatically every five minutes.<\/p>\n<p>The payload VBScript is the same as the payload described above. It attempts to obtain the C2 IP address by pinging <span style=\"font-family: 'courier new', courier, monospace;\">&lt;random 
number&gt;decisive.hungzo[.]ru<\/span> and by applying a regular expression to the response from a specific Telegram URL (<span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/t[.]me\/s\/templ36<\/span>).<\/p>\n<p>Once it has the IP address, the script builds an HTTP GET request to <span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/&lt;IP address of C2&gt;\/snhale&lt;random number&gt;\/index.html=?&lt;random number&gt;<\/span> and inserts the following into custom HTTP fields:<\/p>\n<ul>\n<li>Appends the computer name and volume serial number to a modified User-Agent field, <span style=\"font-family: 'courier new', courier, monospace;\">(windows nt 6.1; win64; x64) applewebkit\/537.36 (khtml, like gecko) chrome\/90.0.4430.85 safari\/537.36)<\/span>, followed by the static string <span style=\"font-family: 'courier new', courier, monospace;\">;;\/.insufficient\/<\/span><\/li>\n<li>Uses <span style=\"font-family: 'courier new', courier, monospace;\">frameS5V<\/span> as the cookie value<\/li>\n<li>Sets the Referer to <span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/developer.mozilla[.]org\/en-US\/docs\/Web\/JavaScript<\/span><\/li>\n<li>Sets Accept-Language to <span style=\"font-family: 'courier new', courier, 
monospace;\">ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4<\/span><\/li>\n<li>Sets Content-Length to <span style=\"font-family: 'courier new', courier, monospace;\">4649<\/span><\/li>\n<\/ul>\n<p>The fixed URL form, the hardcoded Content-Length on a GET request that carries no body, and the host-identifying suffix on the User-Agent are concrete artifacts for network detection. Finally, the script attempts to Base64-decode the response from this URL and execute it.<\/p>\n<h3><a id=\"post-126255-_kwk9f3k7n6vn\"><\/a>Recently observed droppers<\/h3>\n<p>Over the past three months, we have seen Trident Ursa use two different, though very similar, droppers. The first is typically named <span style=\"font-family: 'courier new', courier, monospace;\">7ZSfxMod_x86.exe<\/span>. This technique uses a 7-Zip self-extracting (SFX) archive, a long-standing favorite of the group.<\/p>\n<p>These SFX files use Windows Script Host (<span style=\"font-family: 'courier new', courier, monospace;\">wscript.exe<\/span>) to execute the VBScript embedded via the installation configuration script. The second dropper is typically named <span style=\"font-family: 'courier new', courier, monospace;\">myfile.exe<\/span> (according to the executable's <span style=\"font-family: 'courier new', courier, 
RT_VERSION">
monospace;\">RT_VERSION<\/span> resource). This dropper is effectively a loader that ultimately drops two files and runs them as VBScript using wscript.<\/p>\n<h4><a id=\"post-126255-_1s6lv3r2u8pw\"><\/a>7ZSfxMod_x86.exe<\/h4>\n<p>When opened, a recent sample (SHA256: <span style=\"font-family: 'courier new', courier, monospace;\">ac1f3a43447591c67159528d9c4245ce0b93b129845bed9597d1f39f68dbd72f<\/span>) runs the following installation script.<\/p>\n<p><img  class=\"aligncenter wp-image-126242 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/Trident-Ursa-Code-Snip-2.png\" alt=\"Image 11 is the installation script, consisting of many lines of code.\" width=\"718\" height=\"332\" \/><\/p>\n<p>Besides the installation script, the archive contains a VBScript named <span style=\"font-family: 'courier new', courier, monospace;\">19698.mov<\/span> (SHA256: <span style=\"font-family: 'courier new', courier, 
monospace;\">f488bd406f1293f7881dd0ade8d08f2b1358ddaf7c4af4d27d95f6f047339b3a<\/span>) that the installation script references. Like the samples above, this VBScript tries two methods to obtain the C2 IP.<\/p>\n<p>First, the script runs a WMI query that pings the C2 domain <span style=\"font-family: 'courier new', courier, monospace;\">&lt;random number&gt;delirium.sohrabt[.]ru<\/span>. In case that fails, it also contains a second C2 location routine that visits the Telegram page <span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/t[.]me\/s\/vbs_run14<\/span> and searches the response for an IP address using the regular expression <span style=\"font-family: 'courier new', courier, monospace;\">==([0-9@]+)==<\/span>.<\/p>\n<p>The script converts the matched text to a dotted IPv4 address by replacing the \"<span style=\"font-family: 'courier new', courier, monospace;\">@<\/span>\" characters with \".\", and writes that IP address to the file <span style=\"font-family: 'courier new', courier, 
monospace;\">%TEMP%\\prDK6<\/span>.<\/p>\n<p>Once it has the IP address, the script builds an HTTP GET request to <span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/&lt;IP address of C2&gt;\/snhale&lt;random number&gt;\/index.html=?&lt;random number&gt;<\/span> and inserts the following into custom HTTP fields:<\/p>\n<ul>\n<li>Appends the computer name and volume serial number to a modified User-Agent field, <span style=\"font-family: 'courier new', courier, monospace;\">mozilla\/5.0 (windows nt 6.1; win64; x64) applewebkit\/537.36 (khtml, like gecko) chrome\/86.0.4240.193 safari\/537.36<\/span>, followed by the static string <span style=\"font-family: 'courier new', courier, monospace;\">;;\/.snventor\/.<\/span><\/li>\n<li>Uses <span style=\"font-family: 'courier new', courier, monospace;\">defective<\/span> as the Cookie value<\/li>\n<li>Sets the Referer to <span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/www.unn.com[.]ua\/ru\/<\/span><\/li>\n<li>Sets Accept-Language to <span style=\"font-family: 'courier new', courier, monospace;\">ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4<\/span><\/li>\n<li>Sets Content-Length to <span style=\"font-family: 'courier new', courier, 
monospace;\">2031<\/span><\/li>\n<\/ul>\n<p>Like the script described earlier, this script also reads the response to this beacon, decodes the Base64 data in the response and runs the result as VBScript using the <span style=\"font-family: 'courier new', courier, monospace;\">Execute<\/span> method. This script also has a backup URL, which it uses when the HTTP response status is anything other than 200 or 404. That URL is <span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/&lt;IP address of C2&gt;\/snquiries&lt;random number&gt;\/index.html=?&lt;random number&gt;<\/span>.<\/p>\n<h4><a id=\"post-126255-_j8xq9tuik8jp\"><\/a>Myfile.exe<\/h4>\n<p>A recent sample (SHA256: <span style=\"font-family: 'courier new', courier, monospace;\">a79704074516589c8a6a20abd6a8bcbbcc5a39a5ddbca714fbbf5346d7035f42<\/span>) is essentially a loader that drops two files and ultimately runs a VBScript with the wscript application.<\/p>\n<p>First, this executable reads its own file data, then jumps to the end of the Portable 
Executable (PE) file to access the overlay data appended to the executable. It then decrypts this overlay data in reverse order by XORing each byte with the byte before it. Using this data, the executable writes plaintext to the following locations:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\&lt;username&gt;\\nutfgqsjs.fjyc<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">C:\\Users\\&lt;username&gt;\\16403.dll<\/span><\/li>\n<\/ul>\n<p>Before writing these files to disk, the binary concatenates several strings onto the content written to <span style=\"font-family: 'courier new', courier, monospace;\">nutfgqsjs.fjyc<\/span>. These strings contain lines of VBScript code that delete the initial executable and the two VBScript files. The executable finishes by calling <span style=\"font-family: 'courier new', courier, monospace;\">CreateProcessA<\/span> with the following command line to run the <span 
style=\"font-family: 'courier new', courier, monospace;\">nutfgqsjs.fjyc<\/span> script.<\/p>\n<p><img  class=\"aligncenter wp-image-126251 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/Screen-Shot-2022-12-19-at-4.31.35-PM.png\" alt=\"Screenshot showing VBScript code being executed from the command line.\" width=\"600\" height=\"52\" \/><\/p>\n<p><span style=\"font-family: 'courier new', courier, monospace;\">nutfgqsjs.fjyc<\/span> is a VBScript file that tries to hide its real code among a large number of comments. The script contains the following functional code, which runs a VBScript named <span style=\"font-family: 'courier new', courier, monospace;\">16403.dll<\/span>.<\/p>\n<p><img  class=\"aligncenter wp-image-126244 size-full lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/Trident-Ursa-Code-Snip-3.png\" alt=\"Screenshot of several lines of code representing the VBScript named 16403.dll\" width=\"772\" height=\"263\" \/><\/p>\n<p>The file named <span style=\"font-family: 'courier new', courier, 
monospace;\">16403.dll<\/span> is a VBScript whose functional code decodes and runs yet another VBScript. Only after several layers of decoding and text replacement is the final VBScript executed. This final VBScript uses the same techniques described above for <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"#post-126255-_s7uy118bddtw\">.lnk<\/a> <\/span>and <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"#post-126255-_1s6lv3r2u8pw\">7ZSfxMod_x86.exe<\/a><\/span>.<\/p>\n<p>First, the script runs a WMI query to ping the C2 domain <span style=\"font-family: 'courier new', courier, monospace;\">morbuso[.]ru<\/span>. As a fallback in case this fails, it also contains a second C2 location routine that accesses the Telegram page at <span style=\"font-family: 'courier new', courier, monospace;\">hxxps:\/\/t[.]me\/s\/dracarc<\/span>. As of November 18, this account (@dracarc) returns <span style=\"font-family: 'courier new', courier, monospace;\">==104@248@36@191==<\/span>. The script converts this with the regular expression <span style=\"font-family: 'courier new', courier, monospace;\">==([0-9\\@]+)==<\/span> into the IP <span style=\"font-family: 'courier new', courier, 
monospace;\">104.248.36[.]191<\/span>, which it uses for all subsequent communications.<\/p>\n<p>The script then builds an HTTP GET request to <span style=\"font-family: 'courier new', courier, monospace;\">hxxp:\/\/&lt;IPV4&gt;\/justly\/CRONOS.icn?=Chr<\/span> and inserts the following into custom HTTP fields:<\/p>\n<ul>\n<li>Appends the computer name and volume serial number to the modified user-agent field <span style=\"font-family: 'courier new', courier, monospace;\">mozilla\/5.0<\/span> (<span style=\"font-family: 'courier new', courier, monospace;\">macintosh<\/span>; <span style=\"font-family: 'courier new', courier, monospace;\">intel mac os x 10_15_3<\/span>) <span style=\"font-family: 'courier new', courier, monospace;\">applewebkit\/605.1.15<\/span> (<span style=\"font-family: 'courier new', courier, monospace;\">khtml<\/span>, <span style=\"font-family: 'courier new', courier, monospace;\">like gecko<\/span>) <span style=\"font-family: 'courier new', courier, monospace;\">version\/13.0.5 safari\/605.1.15;;<\/span>. The static string <span style=\"font-family: 'courier new', courier, monospace;\">;;\/.justice\/<\/span> is also appended<\/li>\n<li>Uses <span style=\"font-family: 'courier new', courier, monospace;\">jealous<\/span> as the cookie value<\/li>\n<li>In this sample, no Referrer is set<\/li>\n<li>Sets Accept-Language to <span style=\"font-family: 'courier new', 
courier, monospace;\">ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4<\/span><\/li>\n<li>Sets Content-Length to <span style=\"font-family: 'courier new', courier, monospace;\">5537<\/span><\/li>\n<\/ul>\n<p>Finally, the script attempts to Base64-decode the response from this URL and execute it.<\/p>\n<h2><a id=\"post-126255-_dyzu0g9z3zwx\"><\/a><strong>Conclusion<\/strong><\/h2>\n<p>Trident Ursa is an agile and adaptive APT group. Its operations do not use overly sophisticated or complex techniques. In most cases it relies on publicly available tools and scripts, although these are fairly heavily obfuscated. The group attempts phishing on a daily basis in an effort to make its operations succeed.<\/p>\n<p>Researchers and government agencies regularly detect the group's operations, but the group does not seem to mind: it adds obfuscation, new domains and new techniques, and tries again. It is not unusual for it to even reuse samples it has used in the past.<\/p>\n<p>The group has operated in this way since at least 2014 and has continued to succeed, without slowing down, throughout this conflict. For these reasons Trident Ursa remains a serious threat to Ukraine, and Ukraine and its allies need to defend against it proactively.<\/p>\n<h2><a id=\"post-126255-_x089wim9p2l3\"><\/a><strong>Protections and Mitigations<\/strong><\/h2>\n<p>The best defense against Trident Ursa is a prevention-first security posture. We recommend that organizations implement the following measures:<\/p>\n<ul>\n<li>Search network and endpoint logs for any indicators of compromise (IoCs) associated with this threat group.<\/li>\n<li>Confirm that your cybersecurity solutions are effectively blocking the <a 
href=\"https:\/\/github.com\/pan-unit42\/iocs\/blob\/master\/Gamaredon\/Gamaredon_IoCs_DEC2022.txt\" target=\"_blank\" rel=\"noopener\">set of IoCs<\/a> for the active infrastructure identified above.<\/li>\n<li>Deploy a DNS security solution to detect and mitigate DNS requests to known C2 infrastructure. If there is no particular reason to use services such as Telegram or domain lookup tools in your environment, add those domains to your organization's blocklist. In a Zero Trust network, do not add these services to the allowlist.<\/li>\n<li>Scrutinize all network traffic communicating with AS 197695 (<span style=\"font-family: 'courier new', courier, monospace;\">Reg[.]ru<\/span>) more closely.<\/li>\n<\/ul>\n<p>If you suspect a compromise and would like to discuss incident response with us, please email <a href=\"https:\/\/start.paloaltonetworks.jp\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">infojapan@paloaltonetworks.com<\/a> 
or call one of the numbers below (consultation is not limited to customers of our products).<\/p>\n<ul>\n<li>North America toll-free: 866.486.4842 (866.4.UNIT42)<\/li>\n<li>Europe: +31.20.299.3130<\/li>\n<li>Asia Pacific: +65.6983.8730<\/li>\n<li>Japan: +81.50.1790.0200<\/li>\n<\/ul>\n<p>For Palo Alto Networks customers, our products and services provide the following protections related to this campaign:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.paloaltonetworks.jp\/cortex\/cortex-xdr\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> customers are protected on the endpoint from the malware techniques discussed in this article.<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.jp\/products\/secure-the-network\/wildfire\">WildFire<\/a>, the cloud-based threat analysis service, accurately identifies the malware discussed in this article as malicious.<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/advanced-url-filtering\" 
target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and <a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/dns-security\" target=\"_blank\" rel=\"noopener\">DNS Security<\/a> identify all phishing and malware domains associated with this group as malicious.<\/li>\n<li>Customers running the <a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/next-generation-firewall\"><span style=\"font-weight: 400;\">Next-Generation Firewall<\/span><\/a> with the <a href=\"https:\/\/www.paloaltonetworks.jp\/network-security\/advanced-threat-prevention\"><span style=\"font-weight: 400;\">Advanced Threat Prevention subscription<\/span><\/a> and operating according to best practices can block these attacks. The corresponding Threat Prevention signature is 86694.<\/li>\n<\/ul>\n<p>Palo Alto Networks has shared these findings, including file samples and indicators of compromise, with <a href=\"https:\/\/cert.gov.ua\/about-us\" target=\"_blank\" rel=\"noopener\">Ukraine's CERT (Computer Emergency Response Team of Ukraine)<\/a> and with members of the <a href=\"https:\/\/cyberthreatalliance.org\/\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance (CTA)<\/a>. Members of these organizations use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors.<\/p>\n<h2><a id=\"post-126255-_aw4m7qmx0wme\"><\/a><strong>IoCs<\/strong><\/h2>\n<p>The list of domains, IP addresses and malware hashes is published on <a href=\"https:\/\/github.com\/pan-unit42\/iocs\/blob\/master\/Gamaredon\/Gamaredon_IoCs_DEC2022.txt\">Unit 42's GitHub<\/a>.<\/p>\n<h2><strong><a id=\"additionalresources\"><\/a>Additional Resources<\/strong><\/h2>\n<p><a href=\"https:\/\/unit42.paloaltonetworks.jp\/gamaredon-primitive-bear-ukraine-update-2021\/\">[Updated 2022-06-22] Russia's Gamaredon (aka Primitive Bear) APT Group Steps Up Activity Targeting Ukraine<\/a><br \/>\n<a href=\"https:\/\/www.bbc.com\/news\/world-europe-60506682\">Ukraine in maps: Tracking the war with Russia<\/a><br \/>\n<a href=\"https:\/\/www.wired.com\/story\/russia-ukraine-cyberattacks-mandiant\/\">Russia\u2019s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Overview Since our previous article in early February on the APT (Advanced Persistent Threat) group Trident Ursa (aka Gamaredon, UAC-0010, Primitive 
Bear, S<\/p>\n","protected":false},"author":23,"featured_media":126233,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4433,4431],"tags":[4499,5309,4519,5311,4815,5313,5315,5317,4591],"product_categories":[4441,4442,4443,4444,4448,4456],"coauthors":[1025],"class_list":["post-126255","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-nation-state-cyberattacks-ja","category-threat-actor-groups-ja","tag-advanced-persistent-threat-ja","tag-gamaredon-ja","tag-phishing-ja","tag-primitive-bear-ja","tag-russia-ja","tag-shuckworm-ja","tag-trident-ursa-ja","tag-uac-0010-ja","tag-ukraine-ja","product_categories-advanced-dns-security-ja","product_categories-advanced-threat-prevention-ja","product_categories-advanced-url-filtering-ja","product_categories-advanced-wildfire-ja","product_categories-cortex-xdr-ja","product_categories-next-generation-firewall-ja"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Russian APT Group Trident Ursa (Gamaredon) Cyber Conflict Operations Unwavering Since the Invasion of Ukraine<\/title>\n<meta name=\"description\" content=\"Russia's threat to Ukraine and its cyber domain has continued to grow since the invasion. This article shares information on the latest TTPs of the Russian APT group Trident Ursa (aka Gamaredon).\" \/>\n<meta name=\"robots\" content=\"index, follow, 
max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/\" \/>\n<meta property=\"og:locale\" content=\"ja_JP\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Russian APT Group Trident Ursa (Gamaredon) Cyber Conflict Operations Unwavering Since the Invasion of Ukraine\" \/>\n<meta property=\"og:description\" content=\"Russia's threat to Ukraine and its cyber domain has continued to grow since the invasion. This article shares information on the latest TTPs of the Russian APT group Trident Ursa (aka Gamaredon).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2022-12-21T01:24:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-31T02:41:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/PA-Unit42-TAC-Trident-URSA_-Landscape.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1505\" \/>\n\t<meta property=\"og:image:height\" content=\"922\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Unit 42\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Russian APT Group Trident Ursa (Gamaredon) Cyber Conflict Operations Unwavering Since the Invasion of Ukraine","description":"Russia's threat to Ukraine and its cyber domain has continued to grow since the invasion. This article shares information on the latest TTPs of the Russian APT group Trident Ursa (aka Gamaredon).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/","og_locale":"ja_JP","og_type":"article","og_title":"Russian APT Group Trident Ursa (Gamaredon) Cyber Conflict Operations Unwavering Since the Invasion of Ukraine","og_description":"Russia's threat to Ukraine and its cyber domain has continued to grow since the invasion. This article shares information on the latest TTPs of the Russian APT group Trident Ursa (aka Gamaredon).","og_url":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/","og_site_name":"Unit 
42","article_published_time":"2022-12-21T01:24:29+00:00","article_modified_time":"2024-07-31T02:41:59+00:00","og_image":[{"width":1505,"height":922,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/PA-Unit42-TAC-Trident-URSA_-Landscape.jpg","type":"image\/jpeg"}],"author":"Unit 42","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/"},"author":{"name":"Unit 42","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"headline":"Russian APT Group Trident Ursa (Gamaredon) Cyber Conflict Operations Unwavering Since the Invasion of Ukraine","datePublished":"2022-12-21T01:24:29+00:00","dateModified":"2024-07-31T02:41:59+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/"},"wordCount":9659,"commentCount":0,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/PA-Unit42-TAC-Trident-URSA_-Landscape.jpg","keywords":["Advanced Persistent Threat","Gamaredon","phishing","primitive bear","Russia","Shuckworm","Trident Ursa","UAC-0010","Ukraine"],"articleSection":["Nation-State Cyberattacks","Threat Actor 
Groups"],"inLanguage":"ja","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/","url":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/","name":"Russian APT Group Trident Ursa (Gamaredon) Cyber Conflict Operations Unwavering Since the Invasion of Ukraine","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/PA-Unit42-TAC-Trident-URSA_-Landscape.jpg","datePublished":"2022-12-21T01:24:29+00:00","dateModified":"2024-07-31T02:41:59+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"description":"Russia's threat to Ukraine and its cyber domain has continued to grow since the invasion. This article shares information on the latest TTPs of the Russian APT group Trident Ursa 
(aka Gamaredon).","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/#breadcrumb"},"inLanguage":"ja","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/"]}]},{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/#primaryimage","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/PA-Unit42-TAC-Trident-URSA_-Landscape.jpg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2022\/12\/PA-Unit42-TAC-Trident-URSA_-Landscape.jpg","width":1505,"height":922,"caption":"A P"},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/ja\/trident-ursa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/ja\/"},{"@type":"ListItem","position":2,"name":"Russian APT Group Trident Ursa (Gamaredon) Cyber Conflict Operations Unwavering Since the Invasion of Ukraine"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ja"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63","name":"Unit 
42","image":{"@type":"ImageObject","inLanguage":"ja","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/5b5a1c33b73a577ebaf42f25081b0ebd","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/Insights_headshot-placeholder-300x300.jpg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/Insights_headshot-placeholder-300x300.jpg","caption":"Unit 42"},"url":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/author\/unit42\/"}]}},"_links":{"self":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/126255","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/comments?post=126255"}],"version-history":[{"count":10,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/126255\/revisions"}],"predecessor-version":[{"id":136020,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/posts\/126255\/revisions\/136020"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media\/126233"}],"wp:attachment":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/media?parent=126255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/categories?post=126255"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/tags?post=126255"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/origin-u
nit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/product_categories?post=126255"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/ja\/wp-json\/wp\/v2\/coauthors?post=126255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}