Analysis of APT-C-28 (ScarCruft) group attack activity against South Korea
Common Information
Type Value
UUID eb8037cc-d253-4d19-8314-1852379fa6d5
Fingerprint a365e27dfd87ed33
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 21, 2022, midnight
Added to db April 11, 2023, 2:16 p.m.
Last updated Nov. 17, 2024, 9:42 p.m.
Headline Analysis of APT-C-28 (ScarCruft) group attack activity against South Korea
Title Analysis of APT-C-28 (ScarCruft) group attack activity against South Korea
Detected Hints/Tags/Attributes 13/1/59
Attributes
Details Type #Events CTI Value
Details Domain 2
k22012.c1.biz
Details Domain 3
4895750.c1.biz
Details File 1
The macro code's main function is to download a cab file, extract it and execute the check.bat inside
Details File 2
paypal.dot
Details File 1205
index.php
Details File 1
%temp%\fxsaaenpilogfile.txt
Details File 1
Finally uses expand to extract the downloaded file and executes the check.bat inside
Details File 1
fxsaaenpilogfile.txt
Details File 1
The fxsaaenpilogfile.txt downloaded by the macro code
Details File 1
The check.bat inside the archive
Details File 14
check.bat
Details File 1
If present, directly executes trap.bat
Details File 1
If so, executes wpnprv64.dll
Details File 1
Otherwise executes wpnprv32.dll
Details File 1
The file calls wpnprv32.dll
Details File 1
and passes in the parameters num and trap.bat
Details File 1
With the help of wusa.exe
Details File 1
First launches wusa.exe via shellexecuteexw
Details File 1
Because wusa.exe
Details File 1
api function to obtain and copy wusa.exe
Details File 1
Then uses createprocesswithlogomw to execute the passed-in trap.bat
Details File 1
Creates a winver.exe with normal privileges
Details File 1
Then re-creates a taskmgr.exe with a high integrity level
Details File 1
Used to execute the passed-in trap.bat
Details File 1
Through wpnprv32.dll
Details File 1
The executed trap.bat
Details File 1
If so, copies the 64-bit dll file and its corresponding dat file to the system32 directory and renames them to rdssvc.dll
Details File 1
and rdssvc.dat
Details File 1122
svchost.exe
Details File 1
Its parameter points to rdssvc.dll
Details File 1
Taking the rdssvc32.dll loaded on a 32-bit system
Details File 1
rdssvc32.dll
Details File 1
By reading and decrypting rdssvc.dat
Details File 1
Where rdssvc.dat
Details File 1
If rdssvc.dat
Details File 1
then reads rdssvc.ini
Details File 17
up.php
Details File 8
dn.php
Details File 1
체제무너뜨릴까.docx
Details File 3
template.dot
Details File 1
It uses the macro to extract rels.xml from itself
Details File 1
Then uses expand to extract rels.xml
Details File 1
and executes the check.bat inside
Details md5 2
7b27586c4b332c5e87784c8d3e45a523
Details md5 1
a6736c776d6d44cec7ec07b9fb628ec3
Details md5 1
1ae5b24456d9751dbd15c5c4fccef261
Details md5 1
079be709ce7e57f4015b0ca8347e8a29
Details md5 1
8a37c1614aed81a2b9d1f44cf84e2515
Details md5 1
8e50622992a4b4b33127c34ff3fdbd30
Details md5 1
d3dbd7bb1299096441c5ebba6ce2675e
Details md5 2
00e6e9ed4666623860686c123ed334f0
Details md5 2
cf5f18032667bfb4c7373191e7fb1fbf
Details sha256 1
3f96cd95327a8c801972620c7906dcfa9e6b76d3c1935b8648c5c24bfb2c21b8
Details Threat Actor Identifier - APT-C 15
APT-C-28
Details Url 1
http://k22012.c1.biz/paypal.dotm downloads the malicious macro template document
Details Url 1
http://5645780.c1.biz//index.php?user_id=trap&auth=trap&pw=trap downloads a file and saves it to %temp%\fxsaaenpilogfile.txt (md5: 1ae5b24456d9751dbd15c5c4fccef261), then finally uses expand to extract the downloaded file and executes the check.bat inside
Details Url 1
http://4895750.c1.biz/up.php?name={hostname}
Details Url 1
http://word2022.c1.biz/template.dotm downloads the malicious macro template
Details Url 1
http://k22012.c1.biz/paypal.dotm
http://5645780.c1.biz/index.php?user_id=trap&auth=trap&pw=trap
http://word2022.c1.biz/template.dotm
http://word2022.c1.biz/index.php?os={osversion}&name={hostname}&ip={ip}
http://4895750.c1.biz/dn.php?name={hostname}&prefix=cc(count)
http://4895750.c1.biz/up.php?name={hostname}
http://rq7592.c1.biz/up.php?name={hostname}
http://rq7592.c1.biz/dn.php?name={hostname}&prefix=cc