Darkhotel APT: Attack Campaign Assessment - By nEINEI Time: 2014-11-10

1) Darkhotel is an APT group that has for years run cyber-espionage operations against corporate executives, the defense industry, the electronics industry and other high-value organizations.
2) Its targets are concentrated in South Korea, China, Russia and Japan.

Symptoms

Related sample information:

Minimal closed attack sample:
Parent (dropper) file missing; estimated at 100k and added to the size term
SWF exploit: 310ad237e4b5a8de66d73e152dfa290a87d1ef02608bd711ae5631e03eb51b63, size = 52042
Downloader: 00ca5c0558dc9eba1a8a4dd639e74899, size = 35112

Attack capability calculation:
k = 2 (within the normal range of security awareness)
a = 3 (no user interaction required)
s = 2 (spear phishing, precisely targeted delivery)
m = 5 (code injection, rootkit, custom trojan, weapon set, infection of specific targets)
p = 1 (one platform attacked)
x = 2+5+4 (0-day exploitation, CVE-2014-0497; N-day use of CVE-2010-0188; intrusion and penetration; stolen digital signatures)

Attack capability = (a+s+m+p)^k * (1+x)^2 + c
AT = (3 + 2 + 5 + 1)^2 * (1 + 2 + 5 + 4)^2 + (52042 + 35112)/1024 + 100
   = 11^2 * 12^2 + 185
   = 17424 + 185
   = 17609
==> 17609 * 1000 / 613623 (1T attack-capability unit) = 13.761T

References:
1. https://securelist.com/the-darkhotel-apt/66779/
2. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf
3. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070901/darkhotelappendixindicators_kl.pdf
4. 《论高级威胁的本质及攻击能力的量化研究》 (On the Nature of Advanced Threats and the Quantification of Attack Capability) - www.vxjump.net/files/aptr/aptr.txt