{"id":221,"date":"2026-05-07T16:10:23","date_gmt":"2026-05-07T08:10:23","guid":{"rendered":"https:\/\/www.gswsfh2021.site\/?p=221"},"modified":"2026-05-07T16:10:23","modified_gmt":"2026-05-07T08:10:23","slug":"%e6%b7%b1%e5%ba%a6%e8%a7%a3%e6%9e%90%ef%bc%9alibrarian-ghouls-apt-%e7%bb%84%e7%bb%87-%e5%a4%9c%e9%97%b4%e5%94%a4%e9%86%92%e7%94%b5%e8%84%91%e7%aa%83%e5%8f%96","status":"publish","type":"post","link":"https:\/\/www.gswsfh2021.site\/?p=221","title":{"rendered":"\u6df1\u5ea6\u89e3\u6790\uff1aLibrarian Ghouls APT \u7ec4\u7ec7\u2014\u2014\u591c\u95f4\u201c\u5524\u9192\u201d\u7535\u8111\u7a83\u53d6\u6570\u636e\u5e76\u6316\u77ff"},"content":{"rendered":"\n<p>\u6570\u636e\u6765\u6e90\uff1a<a href=\"https:\/\/securelist.com\/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto\/116536\/\">Librarian Ghouls APT carries out attacks with data theft and crypto miner deployment | Securelist<\/a> \uff082025\u5e746\u67089\u65e5\uff09<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"%E4%BA%8B%E4%BB%B6%E6%A6%82%E8%BF%B0%EF%BC%9A%E4%B8%80%E4%B8%AA%E2%80%9C%E4%B8%8D%E5%BC%80%E5%8F%91%E6%81%B6%E6%84%8F%E8%BD%AF%E4%BB%B6%E2%80%9D%E7%9A%84apt%E7%BB%84%E7%BB%87\"><strong>\u4e8b\u4ef6\u6982\u8ff0\uff1a\u4e00\u4e2a\u201c\u4e0d\u5f00\u53d1\u6076\u610f\u8f6f\u4ef6\u201d\u7684APT\u7ec4\u7ec7<\/strong><\/h2>\n\n\n\n<p>\u5728\u9ad8\u7ea7\u6301\u7eed\u6027\u5a01\u80c1\uff08APT\uff09\u7684\u4e16\u754c\u4e2d\uff0c\u5927\u591a\u6570\u653b\u51fb\u7ec4\u7ec7\u503e\u5411\u4e8e\u5f00\u53d1\u9ad8\u5ea6\u9690\u853d\u7684\u5b9a\u5236\u5316\u6728\u9a6c\u3002\u7136\u800c\uff0c<strong>Librarian Ghouls<\/strong>\uff08\u53c8\u540d\u201cRare Werewolf\u201d\u6216\u201cRezet\u201d\uff09\u5374\u8d70\u4e86\u4e00\u6761\u622a\u7136\u4e0d\u540c\u7684\u9053\u8def\u2014\u2014\u4ed6\u4eec\u51e0\u4e4e<strong>\u4e0d\u7f16\u5199\u81ea\u5df1\u7684\u6076\u610f\u4e8c\u8fdb\u5236\u7a0b\u5e8f<\/strong>\uff0c\u800c\u662f\u5de7\u5999\u5730\u7ec4\u5408\u4f7f\u7528<strong>\u5927\u91cf\u5408\u6cd5\u7b2c\u4e09\u65b9\u5de5\u5177<\/strong>\u6765\u5b9e\u73b0\u653b\u51fb\u76ee\u6807\u3002<\/p>\n\n\n\n<p>\u8be5\u7ec4\u7ec7\u81ea2024\u5e74\u5e95\u6d3b\u8dc3\u81f3\u4eca\uff0c\u622a\u81f32025\u5e745\u6708\u4ecd\u5728\u6301\u7eed\u653b\u51fb\u4fc4\u7f57\u65af\u53ca\u72ec\u8054\u4f53\u56fd\u5bb6\uff08CIS\uff09\u7684\u4f01\u4e1a\u7528\u6237\uff0c\u5c24\u5176\u662f<strong>\u5de5\u4e1a\u4f01\u4e1a\u3001\u5de5\u7a0b\u9662\u6821\u548c\u653f\u5e9c\u76f8\u5173\u673a\u6784<\/strong>\u3002\u5176\u653b\u51fb\u76ee\u7684\u660e\u786e\uff1a<strong>\u7a83\u53d6\u654f\u611f\u6570\u636e\u3001\u957f\u671f\u8fdc\u7a0b\u63a7\u5236\u3001\u90e8\u7f72\u52a0\u5bc6\u8d27\u5e01\u6316\u77ff\u7a0b\u5e8f<\/strong>\u3002<\/p>\n\n\n\n<p>\u6700\u4ee4\u4eba\u9707\u60ca\u7684\u662f\uff0c\u8be5\u7ec4\u7ec7\u4f1a\u901a\u8fc7\u5b9a\u65f6\u4efb\u52a1<strong>\u5728\u51cc\u6668\u201c\u5524\u9192\u201d\u4f11\u7720\u7684\u7535\u8111<\/strong>\uff0c\u8fdb\u884c\u6570\u636e\u7a83\u53d6\u548c\u6316\u77ff\uff0c\u5f97\u624b\u540e\u518d\u81ea\u52a8\u5173\u673a\uff0c\u6781\u5177\u9690\u853d\u6027\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"%E6%94%BB%E5%87%BB%E9%93%BE%E5%85%A8%E6%99%AF%EF%BC%9A%E4%BB%8E%E9%92%93%E9%B1%BC%E9%82%AE%E4%BB%B6%E5%88%B0%E5%A4%9C%E9%97%B4%E6%8C%96%E7%9F%BF\"><strong>\u653b\u51fb\u94fe\u5168\u666f\uff1a\u4ece\u9493\u9c7c\u90ae\u4ef6\u5230\u591c\u95f4\u6316\u77ff<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1.-%E5%88%9D%E5%A7%8B%E5%85%A5%E4%BE%B5%EF%BC%9A%E4%BC%AA%E8%A3%85%E6%88%90%E4%BB%98%E6%AC%BE%E5%8D%95%E7%9A%84%E9%92%93%E9%B1%BC%E9%82%AE%E4%BB%B6\"><strong>1. \u521d\u59cb\u5165\u4fb5\uff1a\u4f2a\u88c5\u6210\u4ed8\u6b3e\u5355\u7684\u9493\u9c7c\u90ae\u4ef6<\/strong><\/h3>\n\n\n\n<p>\u653b\u51fb\u59cb\u4e8e\u5178\u578b\u7684<strong>\u9c7c\u53c9\u5f0f\u9493\u9c7c\u90ae\u4ef6<\/strong>\uff0c\u5185\u5bb9\u4f2a\u88c5\u6210\u6765\u81ea\u6b63\u89c4\u673a\u6784\u7684\u201c\u4ed8\u6b3e\u901a\u77e5\u201d\u6216\u201c\u8d22\u52a1\u6587\u4ef6\u201d\uff0c\u9644\u4ef6\u4e3a\u4e00\u4e2a<strong>\u5bc6\u7801\u4fdd\u62a4\u7684\u538b\u7f29\u5305<\/strong>\uff0c\u5bc6\u7801\u901a\u5e38\u76f4\u63a5\u5199\u5728\u90ae\u4ef6\u6b63\u6587\u4e2d\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u6587\u4ef6\u540d\u591a\u4e3a\u4fc4\u8bed\uff0c\u5982\u201c\u041f\u043b\u0430\u0442\u0435\u0436\u043d\u043e\u0435 \u043f\u043e\u0440\u0443\u0447\u0435\u043d\u0438\u0435 \u2116131.pdf\u201d\uff08\u4ed8\u6b3e\u5355131\u53f7\uff09\uff1b<\/li>\n\n\n\n<li>\u5b9e\u9645\u5185\u5bb9\u662f\u4e00\u4e2a<strong>\u81ea\u89e3\u538b\u5b89\u88c5\u5305<\/strong>\uff08\u4f7f\u7528 Smart Install Maker \u5236\u4f5c\uff09\uff0c\u5185\u542b\u591a\u4e2a\u5408\u6cd5\u5de5\u5177\u548c\u811a\u672c\uff1b<\/li>\n\n\n\n<li>\u7528\u6237\u4e00\u65e6\u89e3\u538b\u5e76\u8fd0\u884c\uff0c\u611f\u67d3\u94fe\u5373\u88ab\u89e6\u53d1\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u8fd9\u79cd\u624b\u6cd5\u6210\u672c\u4f4e\u3001\u6210\u529f\u7387\u9ad8\uff0c\u4e14\u56e0\u4f7f\u7528\u201c\u5408\u6cd5\u8f6f\u4ef6\u201d\u800c\u96be\u4ee5\u88ab\u4f20\u7edf\u6740\u6bd2\u8f6f\u4ef6\u8bc6\u522b\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2.-%E6%A4%8D%E5%85%A5%E9%98%B6%E6%AE%B5%EF%BC%9A%E5%88%A9%E7%94%A8%E5%90%88%E6%B3%95%E5%B7%A5%E5%85%B7%E6%9E%84%E5%BB%BA%E6%94%BB%E5%87%BB%E7%8E%AF%E5%A2%83\"><strong>2. \u690d\u5165\u9636\u6bb5\uff1a\u5229\u7528\u5408\u6cd5\u5de5\u5177\u6784\u5efa\u653b\u51fb\u73af\u5883<\/strong><\/h3>\n\n\n\n<p>\u653b\u51fb\u8005\u7684\u6838\u5fc3\u7b56\u7565\u662f\u201c<strong>\u767d\u52a0\u9ed1<\/strong>\u201d\u2014\u2014\u7528\u5408\u6cd5\u8f6f\u4ef6\u505a\u574f\u4e8b\u3002\u5b89\u88c5\u5305\u91ca\u653e\u540e\uff0c\u4f1a\u5c06\u591a\u4e2a\u6587\u4ef6\u90e8\u7f72\u5230 <code>C:\\Intel<\/code> \u76ee\u5f55\uff0c\u5e76\u901a\u8fc7\u6279\u5904\u7406\u811a\u672c\uff08<code>.cmd<\/code> \u548c <code>.bat<\/code>\uff09\u4e32\u8054\u6574\u4e2a\u653b\u51fb\u6d41\u7a0b\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"%E5%85%B3%E9%94%AE%E7%BB%84%E4%BB%B6%E4%B8%80%E8%A7%88%EF%BC%9A\"><strong>\u5173\u952e\u7ec4\u4ef6\u4e00\u89c8\uff1a<\/strong><\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th><strong>\u5de5\u5177<\/strong><\/th><th><strong>\u7528\u9014<\/strong><\/th><th><strong>\u662f\u5426\u5408\u6cd5<\/strong><\/th><\/tr><tr><td><strong>4t Tray Minimizer<\/strong><\/td><td>\u5c06\u7a0b\u5e8f\u6700\u5c0f\u5316\u81f3\u7cfb\u7edf\u6258\u76d8\uff0c\u9690\u85cf\u653b\u51fb\u75d5\u8ff9<\/td><td>\u2705 \u5408\u6cd5<\/td><\/tr><tr><td><strong>curl.exe<\/strong><\/td><td>\u4e0b\u8f7d\u540e\u7eed\u8f7d\u8377<\/td><td>\u2705 \u5408\u6cd5<\/td><\/tr><tr><td><strong>Defender Control (dc.exe)<\/strong><\/td><td>\u7981\u7528 Windows Defender<\/td><td>\u2705 \u5408\u6cd5<\/td><\/tr><tr><td><strong>Blat<\/strong><\/td><td>\u901a\u8fc7 SMTP \u53d1\u9001\u7a83\u53d6\u7684\u6570\u636e<\/td><td>\u2705 \u5408\u6cd5<\/td><\/tr><tr><td><strong>AnyDesk<\/strong><\/td><td>\u5b9e\u73b0\u8fdc\u7a0b\u684c\u9762\u63a7\u5236<\/td><td>\u2705 \u5408\u6cd5<\/td><\/tr><tr><td><strong>WinRAR 3.80\uff08\u5b9a\u5236\u7248\uff09<\/strong><\/td><td>\u6253\u5305\u7a83\u53d6\u7684\u6570\u636e<\/td><td>\u26a0\ufe0f \u88ab\u4fee\u6539<\/td><\/tr><tr><td><strong>XMRig \u6316\u77ff\u7a0b\u5e8f<\/strong><\/td><td>\u6316\u53d6\u95e8\u7f57\u5e01\uff08Monero\uff09<\/td><td>\u274c \u6076\u610f<\/td><\/tr><tr><td><strong>WebBrowserPassView \/ Mipko Monitor<\/strong><\/td><td>\u7a83\u53d6\u6d4f\u89c8\u5668\u5bc6\u7801\u3001\u76d1\u63a7\u952e\u76d8<\/td><td>\u26a0\ufe0f \u88ab\u6ee5\u7528<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>\u653b\u51fb\u54f2\u5b66<\/strong>\uff1a<br>Librarian Ghouls \u51e0\u4e4e\u4e0d\u5f00\u53d1\u6076\u610f\u4ee3\u7801\uff0c\u800c\u662f<strong>\u50cf\u642d\u79ef\u6728\u4e00\u6837\u62fc\u63a5\u73b0\u6709\u5de5\u5177<\/strong>\uff0c\u89c4\u907f\u6740\u6bd2\u8f6f\u4ef6\u68c0\u6d4b\uff0c\u6781\u5927\u964d\u4f4e\u4e86\u5f00\u53d1\u548c\u7ef4\u62a4\u6210\u672c\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3.-%E6%8C%81%E4%B9%85%E5%8C%96%E4%B8%8E%E9%9A%90%E8%94%BD%E6%8E%A7%E5%88%B6%EF%BC%9A%E5%AE%9A%E6%97%B6%E2%80%9C%E5%94%A4%E9%86%92%E2%80%9D%E7%94%B5%E8%84%91\"><strong>3. \u6301\u4e45\u5316\u4e0e\u9690\u853d\u63a7\u5236\uff1a\u5b9a\u65f6\u201c\u5524\u9192\u201d\u7535\u8111<\/strong><\/h3>\n\n\n\n<p>\u8fd9\u662f\u672c\u6b21\u653b\u51fb\u4e2d\u6700\u5bcc\u521b\u610f\u7684\u4e00\u73af\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"%E6%94%BB%E5%87%BB%E8%80%85%E8%AE%BE%E7%BD%AE%E4%BA%86%E4%B8%A4%E4%B8%AA%E5%85%B3%E9%94%AE%E5%AE%9A%E6%97%B6%E4%BB%BB%E5%8A%A1%EF%BC%9A\"><strong>\u653b\u51fb\u8005\u8bbe\u7f6e\u4e86\u4e24\u4e2a\u5173\u952e\u5b9a\u65f6\u4efb\u52a1\uff1a<\/strong><\/h4>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u6bcf\u5929\u51cc\u66681\u70b9\u5524\u9192\u7535\u8111<\/strong>\n<ul class=\"wp-block-list\">\n<li>\u901a\u8fc7 PowerShell \u811a\u672c <code>wol.ps1<\/code> \u521b\u5efa\u4efb\u52a1\uff0c\u8c03\u7528 <code>Microsoft Edge<\/code> \u6d4f\u89c8\u5668\u542f\u52a8\uff1b<\/li>\n\n\n\n<li>Edge \u672c\u8eab\u672a\u88ab\u7be1\u6539\uff0c\u4f46\u5b83\u7684\u542f\u52a8\u4f1a\u5524\u9192\u5904\u4e8e\u7761\u7720\u72b6\u6001\u7684\u7cfb\u7edf\uff1b<\/li>\n\n\n\n<li>\u653b\u51fb\u8005\u501f\u6b64\u83b7\u5f97\u4e00\u4e2a<strong>4\u5c0f\u65f6\u7684\u8fdc\u7a0b\u64cd\u4f5c\u7a97\u53e3<\/strong>\uff081:00\u20135:00\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>\u6bcf\u5929\u65e9\u4e0a5\u70b9\u81ea\u52a8\u5173\u673a<\/strong>\n<ul class=\"wp-block-list\">\n<li>\u521b\u5efa\u540d\u4e3a <code>ShutdownAt5AM<\/code> \u7684\u8ba1\u5212\u4efb\u52a1\uff1b<\/li>\n\n\n\n<li>\u9632\u6b62\u7528\u6237\u53d1\u73b0\u7535\u8111\u201c\u81ea\u5df1\u5f00\u673a\u201d\u6216\u6301\u7eed\u9ad8\u8d1f\u8f7d\u8fd0\u884c\uff1b<\/li>\n\n\n\n<li>\u63a9\u76d6\u6316\u77ff\u548c\u6570\u636e\u5916\u4f20\u7684\u75d5\u8ff9\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>\u8fd9\u79cd\u201c<strong>\u591c\u95f4\u4f5c\u4e1a\u3001\u6e05\u6668\u6536\u5de5<\/strong>\u201d\u7684\u6a21\u5f0f\uff0c\u6781\u96be\u88ab\u666e\u901a\u7528\u6237\u5bdf\u89c9\uff0c\u582a\u79f0\u201c\u6570\u5b57\u5c0f\u5077\u201d\u7684\u5b8c\u7f8e\u4f5c\u6848\u65f6\u95f4\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4.-%E6%95%B0%E6%8D%AE%E7%AA%83%E5%8F%96%EF%BC%9A%E7%B2%BE%E5%87%86-targeting-%E5%8A%A0%E5%AF%86%E9%92%B1%E5%8C%85%E4%B8%8E%E7%B3%BB%E7%BB%9F%E5%87%AD%E8%AF%81\"><strong>4. \u6570\u636e\u7a83\u53d6\uff1a\u7cbe\u51c6 targeting \u52a0\u5bc6\u94b1\u5305\u4e0e\u7cfb\u7edf\u51ed\u8bc1<\/strong><\/h3>\n\n\n\n<p><code>bat.bat<\/code> \u811a\u672c\u6267\u884c\u540e\uff0c\u4f1a\u4e3b\u52a8\u641c\u7d22\u5e76\u6253\u5305\u4ee5\u4e0b\u654f\u611f\u4fe1\u606f\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u52a0\u5bc6\u8d27\u5e01\u94b1\u5305\u6587\u4ef6<\/strong>\uff1a\u5982 <code>wallet.dat<\/code>\u3001<code>keystore.json<\/code>\uff1b<\/li>\n\n\n\n<li><strong>\u94b1\u5305\u76f8\u5173\u5173\u952e\u8bcd\u6587\u4ef6<\/strong>\uff1a\u5305\u542b\u201c\u043a\u043e\u0448\u0435\u043b\u044c\u043a\u201d\uff08\u94b1\u5305\uff09\u3001\u201cseed\u201d\uff08\u52a9\u8bb0\u8bcd\uff09\u3001\u201cbitcoin\u201d\u3001\u201cusdt\u201d\u7b49\u7684\u6587\u6863\uff1b<\/li>\n\n\n\n<li><strong>\u7cfb\u7edf\u6ce8\u518c\u8868\u5907\u4efd<\/strong>\uff1a\u901a\u8fc7 <code>reg save<\/code> \u547d\u4ee4\u5bfc\u51fa <code>HKLM\\SAM<\/code> \u548c <code>HKLM\\SYSTEM<\/code>\uff0c\u7528\u4e8e\u79bb\u7ebf\u7834\u89e3\u672c\u5730\u8d26\u6237\u5bc6\u7801\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u8fd9\u4e9b\u6570\u636e\u88ab\u6253\u5305\u6210\u52a0\u5bc6\u538b\u7f29\u5305\uff0c\u901a\u8fc7 <strong>Blat \u5de5\u5177\u53d1\u9001\u81f3\u653b\u51fb\u8005\u63a7\u5236\u7684\u90ae\u7bb1<\/strong>\uff0c\u5b8c\u6210\u6570\u636e\u5916\u6cc4\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"5.-%E6%8C%96%E7%9F%BF%E9%83%A8%E7%BD%B2%EF%BC%9A%E5%85%A8%E8%87%AA%E5%8A%A8%E5%AE%89%E8%A3%85-xmrig-%E7%9F%BF%E6%9C%BA\"><strong>5. \u6316\u77ff\u90e8\u7f72\uff1a\u5168\u81ea\u52a8\u5b89\u88c5 XMRig \u77ff\u673a<\/strong><\/h3>\n\n\n\n<p>\u5728\u5b8c\u6210\u6570\u636e\u7a83\u53d6\u540e\uff0c\u653b\u51fb\u8005\u4f1a\u90e8\u7f72\u4e00\u4e2a\u529f\u80fd\u5b8c\u6574\u7684\u6316\u77ff\u7cfb\u7edf\uff1a<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\u4e0b\u8f7d <code>install.exe<\/code>\uff08\u77ff\u673a\u5b89\u88c5\u5668\uff09\uff1b<\/li>\n\n\n\n<li>\u83b7\u53d6\u914d\u7f6e\u6587\u4ef6 <code>bm.json<\/code>\uff0c\u5305\u542b\u77ff\u6c60\u5730\u5740\u548c\u653b\u51fb\u8005\u94b1\u5305ID\uff1b<\/li>\n\n\n\n<li>\u4e0b\u8f7d\u5305\u542b XMRig \u7684\u538b\u7f29\u5305\uff0c\u5e76\u89e3\u538b\u81f3\u672c\u5730\uff1b<\/li>\n\n\n\n<li>\u5b89\u88c5 <code>bmcontrol.exe<\/code> \u63a7\u5236\u5668\uff0c\u5b9e\u73b0\uff1a\n<ul class=\"wp-block-list\">\n<li>\u4e3b\u8fdb\u7a0b\uff08master\uff09\u76d1\u63a7\u5b50\u8fdb\u7a0b\uff08worker\uff09\uff1b<\/li>\n\n\n\n<li>\u5b50\u8fdb\u7a0b\u6839\u636eCPU\u3001GPU\u3001\u5185\u5b58\u81ea\u52a8\u8c03\u6574\u6316\u77ff\u5f3a\u5ea6\uff1b<\/li>\n\n\n\n<li>\u6bcf60\u79d2\u5411\u77ff\u6c60\u53d1\u9001\u5fc3\u8df3\uff0c\u786e\u4fdd\u6301\u7eed\u6316\u77ff\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>\u6700\u7ec8\uff0c<code>run.exe<\/code> \u88ab\u52a0\u5165\u5f00\u673a\u81ea\u542f\uff0c\u5b9e\u73b0<strong>\u6301\u4e45\u5316\u6316\u77ff<\/strong>\uff0c\u800c\u6240\u6709\u4e34\u65f6\u811a\u672c\u5219\u88ab\u5220\u9664\uff0c\u4e0d\u7559\u75d5\u8ff9\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"%E6%8A%80%E6%9C%AF%E7%89%B9%E7%82%B9%E4%B8%8E%E6%88%98%E6%9C%AF%E5%88%86%E6%9E%90\"><strong>\u6280\u672f\u7279\u70b9\u4e0e\u6218\u672f\u5206\u6790<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"%E6%A0%B8%E5%BF%83%E6%88%98%E6%9C%AF%E4%BA%AE%E7%82%B9%EF%BC%9A\"><strong>\u6838\u5fc3\u6218\u672f\u4eae\u70b9\uff1a<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>\u7279\u70b9<\/td><td>\u8bf4\u660e<\/td><\/tr><tr><td><strong>\u4f9d\u8d56\u5408\u6cd5\u5de5\u5177\uff08Living-off-the-Land\uff09<\/strong><\/td><td>\u4f7f\u7528 AnyDesk\u3001Blat\u3001curl \u7b49\u6b63\u5e38\u8f6f\u4ef6\uff0c\u7ed5\u8fc7EDR\u68c0\u6d4b<\/td><\/tr><tr><td><strong>\u65e0\u81ea\u7814\u6076\u610f\u4e8c\u8fdb\u5236<\/strong><\/td><td>\u653b\u51fb\u903b\u8f91\u7531\u811a\u672c\uff08CMD\/PS1\uff09\u9a71\u52a8\uff0c\u964d\u4f4eIOC\u63d0\u53d6\u96be\u5ea6<\/td><\/tr><tr><td><strong>\u9ad8\u5ea6\u81ea\u52a8\u5316<\/strong><\/td><td>\u6574\u4e2a\u6d41\u7a0b\u65e0\u9700\u4eba\u5de5\u5e72\u9884\uff0c\u9002\u5408\u5927\u89c4\u6a21\u6295\u653e<\/td><\/tr><tr><td><strong>\u65f6\u95f4\u89c4\u907f\u7b56\u7565<\/strong><\/td><td>\u5229\u7528\u591c\u95f4\u5524\u9192\u673a\u5236\uff0c\u907f\u5f00\u7528\u6237\u6d3b\u52a8\u9ad8\u5cf0<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"%E6%94%BB%E5%87%BB%E7%9B%AE%E6%A0%87%E7%94%BB%E5%83%8F%EF%BC%9A\"><strong>\u653b\u51fb\u76ee\u6807\u753b\u50cf\uff1a<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5730\u57df\uff1a\u4fc4\u7f57\u65af\u3001\u767d\u4fc4\u7f57\u65af\u3001\u54c8\u8428\u514b\u65af\u5766\u4e3a\u4e3b\uff1b<\/li>\n\n\n\n<li>\u884c\u4e1a\uff1a\u5de5\u4e1a\u5236\u9020\u3001\u5de5\u7a0b\u6559\u80b2\u3001\u653f\u5e9c\u5173\u8054\u5355\u4f4d\uff1b<\/li>\n\n\n\n<li>\u8bed\u8a00\uff1a\u6240\u6709\u9493\u9c7c\u6750\u6599\u5747\u4e3a\u4fc4\u8bed\uff0c\u8868\u660e\u76ee\u6807\u9ad8\u5ea6\u672c\u5730\u5316<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"%E4%B8%8E%E4%B8%AD%E5%9B%BD%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E7%9A%84%E5%85%B3%E8%81%94%E4%B8%8E%E8%AD%A6%E7%A4%BA\"><strong>\u4e0e\u4e2d\u56fd\u7f51\u7edc\u5b89\u5168\u7684\u5173\u8054\u4e0e\u8b66\u793a<\/strong><\/h2>\n\n\n\n<p>\u867d\u7136\u76ee\u524d\u6ca1\u6709\u8bc1\u636e\u663e\u793a Librarian Ghouls \u76f4\u63a5\u653b\u51fb\u4e2d\u56fd\u5927\u9646\u5b9e\u4f53\uff0c\u4f46\u5176\u6218\u672f\u5bf9\u56fd\u5185\u4f01\u4e1a\u6781\u5177\u53c2\u8003\u4ef7\u503c\uff1a<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"%E9%A3%8E%E9%99%A9%E7%82%B9%EF%BC%9A\"><strong>\u98ce\u9669\u70b9\uff1a<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u5408\u6cd5\u8f6f\u4ef6\u6ee5\u7528\u96be\u4ee5\u68c0\u6d4b<\/strong><br>\u4f20\u7edf\u5b89\u5168\u4ea7\u54c1\u4f9d\u8d56\u201c\u9ed1\u767d\u540d\u5355\u201d\uff0c\u4f46 <code>AnyDesk<\/code>\u3001<code>curl<\/code>\u3001<code>PowerShell<\/code> \u90fd\u662f\u6b63\u5e38\u5de5\u5177\uff0c\u884c\u4e3a\u5f02\u5e38\u624d\u5e94\u88ab\u5173\u6ce8\u3002<\/li>\n\n\n\n<li><strong>\u5b9a\u65f6\u4efb\u52a1\u6210\u540e\u95e8\u65b0\u5ba0<\/strong><br>\u8bb8\u591a\u4f01\u4e1a\u5ffd\u89c6\u5bf9\u8ba1\u5212\u4efb\u52a1\u7684\u5ba1\u8ba1\uff0c\u653b\u51fb\u8005\u53ef\u501f\u6b64\u5b9e\u73b0\u6301\u4e45\u5316\u3002<\/li>\n\n\n\n<li><strong>\u6316\u77ff\u653b\u51fb\u8f6c\u5411\u9690\u853d\u5316<\/strong><br>\u4e0d\u518d\u662f\u7b80\u5355\u7684CPU\u98d9\u5347\uff0c\u800c\u662f\u7ed3\u5408\u201c\u7761\u7720\u5524\u9192\u201d\u3001\u4f4e\u5f3a\u5ea6\u6316\u77ff\uff0c\u957f\u671f\u69a8\u53d6\u8d44\u6e90\u3002<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"%E9%98%B2%E5%BE%A1%E5%BB%BA%E8%AE%AE%EF%BC%9A%E5%A6%82%E4%BD%95%E5%BA%94%E5%AF%B9%E8%BF%99%E7%B1%BB%E2%80%9C%E7%99%BD%E5%88%A9%E7%94%A8%E2%80%9D%E6%94%BB%E5%87%BB%EF%BC%9F\"><strong>\u9632\u5fa1\u5efa\u8bae\uff1a\u5982\u4f55\u5e94\u5bf9\u8fd9\u7c7b\u201c\u767d\u5229\u7528\u201d\u653b\u51fb\uff1f<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>\u63aa\u65bd<\/td><td>\u8bf4\u660e<\/td><\/tr><tr><td><strong>\u7981\u7528\u4e0d\u5fc5\u8981\u7684\u8fdc\u7a0b\u63a7\u5236\u8f6f\u4ef6<\/strong><\/td><td>\u5982\u975e\u5fc5\u8981\uff0c\u7981\u6b62\u5458\u5de5\u5b89\u88c5 AnyDesk\u3001TeamViewer \u7b49\u5de5\u5177<\/td><\/tr><tr><td><strong>\u9650\u5236PowerShell\u548cCMD\u7684\u4f7f\u7528<\/strong><\/td><td>\u901a\u8fc7AppLocker\u6216Intune\u7b56\u7565\u9650\u5236\u811a\u672c\u6267\u884c<\/td><\/tr><tr><td><strong>\u542f\u7528\u8ba1\u5212\u4efb\u52a1\u5ba1\u8ba1<\/strong><\/td><td>\u76d1\u63a7\u5f02\u5e38\u4efb\u52a1\u521b\u5efa\uff0c\u5c24\u5176\u662f\u6d89\u53ca\u5524\u9192\u3001\u5173\u673a\u3001\u6d4f\u89c8\u5668\u542f\u52a8\u7684\u884c\u4e3a<\/td><\/tr><tr><td><strong>\u90e8\u7f72EDR\/XDR\u89e3\u51b3\u65b9\u6848<\/strong><\/td><td>\u68c0\u6d4b\u811a\u672c\u94fe\u5f0f\u8c03\u7528\u3001Blat\u5916\u53d1\u90ae\u4ef6\u3001\u6ce8\u518c\u8868\u5bfc\u51fa\u7b49\u53ef\u7591\u884c\u4e3a<\/td><\/tr><tr><td><strong>\u52a0\u5f3a\u90ae\u4ef6\u7f51\u5173\u8fc7\u6ee4<\/strong><\/td><td>\u62e6\u622a\u5e26\u5bc6\u7801\u538b\u7f29\u5305\u7684\u90ae\u4ef6\uff0c\u5c24\u5176\u662f\u6765\u81ea\u975e\u53ef\u4fe1\u57df\u540d\u7684\u9644\u4ef6<\/td><\/tr><tr><td><strong>\u5b9a\u671f\u68c0\u67e5DNS\u548cSMTP\u65e5\u5fd7<\/strong><\/td><td>\u53d1\u73b0Blat\u7b49\u5de5\u5177\u5916\u8054\u884c\u4e3a<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"%E4%B8%AA%E4%BA%BA%E7%94%A8%E6%88%B7%E5%BB%BA%E8%AE%AE%EF%BC%9A\"><strong>\u4e2a\u4eba\u7528\u6237\u5efa\u8bae\uff1a<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u4e0d\u6253\u5f00\u6765\u6e90\u4e0d\u660e\u7684\u201c.exe\u201d\u6216\u201c.zip\u201d\u9644\u4ef6\uff1b<\/li>\n\n\n\n<li>\u4e0d\u968f\u610f\u8fd0\u884c\u81ea\u89e3\u538b\u7a0b\u5e8f\uff1b<\/li>\n\n\n\n<li>\u5b9a\u671f\u68c0\u67e5\u201c\u4efb\u52a1\u8ba1\u5212\u7a0b\u5e8f\u201d\u4e2d\u662f\u5426\u6709\u964c\u751f\u4efb\u52a1\uff1b<\/li>\n\n\n\n<li>\u4f7f\u7528\u6740\u6bd2\u8f6f\u4ef6\u5e76\u4fdd\u6301\u66f4\u65b0\u3002<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"%E8%B6%8B%E5%8A%BF%E6%B4%9E%E5%AF%9F%EF%BC%9Aapt%E6%94%BB%E5%87%BB%E7%9A%84%E2%80%9C%E5%B9%B3%E6%B0%91%E5%8C%96%E2%80%9D%E4%B8%8E%E2%80%9C%E8%87%AA%E5%8A%A8%E5%8C%96%E2%80%9D\"><strong>\u8d8b\u52bf\u6d1e\u5bdf\uff1aAPT\u653b\u51fb\u7684\u201c\u5e73\u6c11\u5316\u201d\u4e0e\u201c\u81ea\u52a8\u5316\u201d<\/strong><\/h2>\n\n\n\n<p>Librarian Ghouls \u7684\u51fa\u73b0\uff0c\u6807\u5fd7\u7740APT\u653b\u51fb\u6b63\u5728\u53d1\u751f\u6df1\u523b\u53d8\u5316\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>\u8d8b\u52bf<\/td><td>\u8868\u73b0<\/td><\/tr><tr><td><strong>\u4ece\u201c\u7cbe\u82f1\u5316\u201d\u5230\u201c\u5e73\u6c11\u5316\u201d<\/strong><\/td><td>\u4e0d\u9700\u8981\u9ad8\u8d85\u7f16\u7a0b\u80fd\u529b\uff0c\u4e5f\u80fd\u901a\u8fc7\u7ec4\u5408\u5de5\u5177\u5b9e\u65bd\u9ad8\u7ea7\u653b\u51fb<\/td><\/tr><tr><td><strong>\u4ece\u201c0day\u9a71\u52a8\u201d\u5230\u201c\u793e\u4f1a\u5de5\u7a0b\u9a71\u52a8\u201d<\/strong><\/td><td>\u66f4\u4f9d\u8d56\u9493\u9c7c\u90ae\u4ef6\u548c\u7528\u6237\u8bef\u64cd\u4f5c<\/td><\/tr><tr><td><strong>\u4ece\u201c\u7834\u574f\u6027\u201d\u5230\u201c\u7ecf\u6d4e\u6027\u201d<\/strong><\/td><td>\u76ee\u6807\u4e0d\u518d\u662f\u60c5\u62a5\u7a83\u53d6\uff0c\u800c\u662f\u76f4\u63a5\u53d8\u73b0\uff08\u6316\u77ff\u3001\u52d2\u7d22\uff09<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>\u8fd9\u7c7b\u7ec4\u7ec7\u53ef\u80fd\u5e76\u975e\u56fd\u5bb6\u7ea7APT\uff0c\u800c\u66f4\u63a5\u8fd1<strong>\u6709\u7ec4\u7ec7\u7684\u7f51\u7edc\u72af\u7f6a\u56e2\u4f19<\/strong>\uff0c\u4f46\u5176\u6218\u672f\u6210\u719f\u5ea6\u5df2\u4e0d\u4e9a\u4e8e\u4f20\u7edfAPT\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"%E7%BB%93%E8%AF%AD\"><strong>\u7ed3\u8bed<\/strong><\/h2>\n\n\n\n<p>Librarian Ghouls \u7684\u653b\u51fb\u65b9\u5f0f\u770b\u4f3c\u201c\u7c97\u7cd9\u201d\uff0c\u5b9e\u5219<strong>\u6781\u5176\u9ad8\u6548\u4e14\u9690\u853d<\/strong>\u3002\u5b83\u63d0\u9192\u6211\u4eec\uff1a<\/p>\n\n\n\n<p><strong>\u201c\u771f\u6b63\u7684\u5a01\u80c1\uff0c\u672a\u5fc5\u662f\u590d\u6742\u76840day\u6f0f\u6d1e\uff0c\u800c\u53ef\u80fd\u662f\u4f60\u7535\u8111\u91cc\u90a3\u4e2a\u201c\u5408\u6cd5\u201d\u7684\u8fdc\u7a0b\u63a7\u5236\u8f6f\u4ef6\uff0c\u6b63\u5728\u51cc\u6668\u6084\u6084\u5524\u9192\u4f60\u7684\u673a\u5668\uff0c\u4e3a\u9ed1\u5ba2\u6316\u77ff\u3002\u201d<\/strong><\/p>\n\n\n\n<p>\u9762\u5bf9\u8fd9\u7c7b\u201c\u767d\u52a0\u9ed1\u201d\u653b\u51fb\uff0c\u6211\u4eec\u5fc5\u987b\u4ece<strong>\u201c\u8bc6\u522b\u6076\u610f\u6587\u4ef6\u201d\u8f6c\u5411\u201c\u76d1\u63a7\u5f02\u5e38\u884c\u4e3a\u201d<\/strong><strong>\uff0c\u6784\u5efa\u4ee5\u884c\u4e3a\u5206\u6790\u3001\u65e5\u5fd7\u5ba1\u8ba1\u548c\u81ea\u52a8\u5316\u54cd\u5e94<\/strong>\u4e3a\u6838\u5fc3\u7684\u73b0\u4ee3\u9632\u5fa1\u4f53\u7cfb\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u6570\u636e\u6765\u6e90\uff1aLibrarian Ghouls APT carries out attacks with data [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","footnotes":""},"categories":[3],"tags":[],"class_list":["post-221","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=\/wp\/v2\/posts\/221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=221"}],"version-history":[{"count":1,"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=\/wp\/v2\/posts\/221\/revisions"}],"predecessor-version":[{"id":222,"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=\/wp\/v2\/posts\/221\/revisions\/222"}],"wp:attachment":[{"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gswsfh2021.site\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}