Winnti APT: Attack Campaign Assessment - By nEINEI Time: 2013-04-11

1) The Winnti group has persistently attacked companies in the online video game industry and remains active.
2) Its objectives are stealing legitimate software vendors' digital certificates and intellectual property theft, including source code of online game projects.
3) Starting in 2015, Winnti was found attacking pharmaceutical companies as well; which sectors it will expand into next is unknown.

Symptoms

Related sample information (MD5):
1b56416fefa2d2c863f3b46dfb6dc353
6ef66c2336b2b5aaa697c2d0ab2b66e2
5778178a1b259c3127b678a49cd23e53
006c4561499da562a4e337e2c146cf1a
024CC9872D9F413292D0F952920547CA
0613d67070679fb97ddefc5973c4d604
0630a443bd0102647ca1707cdf7f8c35
0751ca6f8b652cae6f2b650f0cf9036a
095a6a3b6eba996d2786b5ec919b1a7e
0af3761919bffa0019e7899333846b27
0f3c15de074f934499f5bbc095d5557f
11ed89f0ab17cf3973e2bf970879661a
128cb2a5de0d0422d69bab6d23ebb0aa
17c72e0cde2e4019a6b885f8188ac410
18813863417608b4ad14babebcafcb57
1a5da850993681e685893547d1aa2eaf
06d8b1468f09d10aa5c4b115544ccc6e
0cd07490fc02e2a602781bb939d0bc3d
2d0950f69e206486c5272f2b0fc3aa22
3358c54a22d186ec9de0f15bc4bb2698
35bdc5a2acf35bdf9fb9169e1a47d3e7
6dfcdc4c8edc77642f15592143f34569

Minimal self-contained attack sample (SHA-256):
1d3b5c607bd32db223dad4f647b8fb5265ef89948ff349f2a1776094b2ba8671, size = 122880 bytes

Attack capability calculation:
k = 2 (within the normal range of security awareness)
a = 3 (no user interaction required)
s = 1 (spear phishing)
m = 5 (code injection, rootkit, high-difficulty/complex technical implementation, custom trojan, targeted infection)
p = 1 (attacks 1 platform)
x = 4 + 2 (stolen digital signature, N-day exploitation)
c = size of the minimal sample in bytes / 1024

Attack capability = (a+s+m+p)^k * (1+x)^2 + c
AT = (3 + 1 + 5 + 1)^2 * (1 + 6)^2 + 122880/1024 = 10^2 * 7^2 + 120 = 4900 + 120 = 5020
==> 5020 * 1000 / 1279625 (1T attack-capability unit) = 3.923T

References:
1. https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
2. https://hitcon.org/2016/pacific/0composition/pdf/1201/1201%20R2%201610%20winnti%20polymorphism.pdf
3. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
4. "On the Nature of Advanced Threats and the Quantification of Attack Capability" (论高级威胁的本质及攻击能力的量化研究) - www.vxjump.net/files/aptr/aptr.txt
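The MD5 list and the SHA-256 of the minimal sample above are only useful if they can be matched against files on a host. The following is an added example, not part of the original page or of any vendor tooling: a small Python scanner that hashes every regular file under a directory and reports matches against the page's indicators. The indicator sets are copied from the page; the file names, the temporary directory and the "suspect" file in demo() are constructed for the demonstration, and the demo adds the digest of a harmless stand-in file to a private copy of the MD5 set so that no real Winnti sample has to be written to disk.

```python
import hashlib
import os
import tempfile

# MD5 indicators copied verbatim from the sample list on this page
# (one duplicate removed; mixed case kept as published).
WINNTI_MD5 = {
    "1b56416fefa2d2c863f3b46dfb6dc353", "6ef66c2336b2b5aaa697c2d0ab2b66e2",
    "5778178a1b259c3127b678a49cd23e53", "006c4561499da562a4e337e2c146cf1a",
    "024CC9872D9F413292D0F952920547CA", "0613d67070679fb97ddefc5973c4d604",
    "0630a443bd0102647ca1707cdf7f8c35", "0751ca6f8b652cae6f2b650f0cf9036a",
    "095a6a3b6eba996d2786b5ec919b1a7e", "0af3761919bffa0019e7899333846b27",
    "0f3c15de074f934499f5bbc095d5557f", "11ed89f0ab17cf3973e2bf970879661a",
    "128cb2a5de0d0422d69bab6d23ebb0aa", "17c72e0cde2e4019a6b885f8188ac410",
    "18813863417608b4ad14babebcafcb57", "1a5da850993681e685893547d1aa2eaf",
    "06d8b1468f09d10aa5c4b115544ccc6e", "0cd07490fc02e2a602781bb939d0bc3d",
    "2d0950f69e206486c5272f2b0fc3aa22", "3358c54a22d186ec9de0f15bc4bb2698",
    "35bdc5a2acf35bdf9fb9169e1a47d3e7", "6dfcdc4c8edc77642f15592143f34569",
}

# SHA-256 of the minimal self-contained sample listed on this page.
WINNTI_SHA256 = {
    "1d3b5c607bd32db223dad4f647b8fb5265ef89948ff349f2a1776094b2ba8671",
}


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, streamed in 1 MiB chunks
    so large binaries are not read into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, md5_iocs=WINNTI_MD5, sha256_iocs=WINNTI_SHA256):
    """Walk `root` and return [(path, indicator_type, digest)] for every
    regular file whose MD5 or SHA-256 matches an indicator.

    Indicators are compared case-insensitively because the published list
    mixes upper and lower case. Symlinks are skipped so a crafted link
    cannot pull the scan outside `root`, and unreadable files are skipped
    instead of aborting the whole scan."""
    md5_iocs = {h.lower() for h in md5_iocs}
    sha256_iocs = {h.lower() for h in sha256_iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue
            if md5 in md5_iocs:
                hits.append((path, "md5", md5))
            if sha256 in sha256_iocs:
                hits.append((path, "sha256", sha256))
    return hits


def demo():
    """Constructed demonstration (not a real infection): one benign file
    and one stand-in file whose MD5 is added to a private IOC set."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "readme.txt")
        suspect = os.path.join(root, "sub", "svchost_.dll")  # constructed name
        os.makedirs(os.path.dirname(suspect))
        with open(benign, "wb") as f:
            f.write(b"nothing to see here\n")
        with open(suspect, "wb") as f:
            f.write(b"constructed stand-in for a sample\n")
        md5, _ = hash_file(suspect)
        # Upper-case on purpose to exercise the case-insensitive match.
        hits = scan_tree(root, md5_iocs=WINNTI_MD5 | {md5.upper()})
        return [(os.path.relpath(p, root).replace(os.sep, "/"), t)
                for p, t, _ in hits]


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"HIT {kind}: {rel}")
```

Run scan_tree("C:\\Windows\\System32") or scan_tree("/opt/gameserver") on a suspect host to use the page's indicators directly. Hash matching only catches byte-identical copies; the polymorphic variants described in reference 2 will not match, so treat a clean result as "these exact files are absent", not as "not compromised".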
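The attack capability calculation above, carried through in code as an added example (not part of the original page or of reference 4): the parameters are the page's own values for Winnti, the 1T divisor 1279625 is the one the page uses, and the c term is the sample size in KiB as the page defines it.

```python
from dataclasses import dataclass

# Divisor for one "T" of attack capability, as used on the page (see reference 4).
T_UNIT = 1279625


@dataclass(frozen=True)
class ThreatParams:
    k: int           # security-awareness exponent (2 = normal range)
    a: int           # interaction required (3 = none)
    s: int           # delivery vector (1 = spear phishing)
    m: int           # implementation sophistication
    p: int           # number of platforms attacked
    x: int           # bonus factors, e.g. 4 (stolen signature) + 2 (N-day)
    size_bytes: int  # size of the minimal self-contained sample


def base_score(t):
    """(a+s+m+p)^k * (1+x)^2, the technique-driven part of the score."""
    return (t.a + t.s + t.m + t.p) ** t.k * (1 + t.x) ** 2


def c_term(t):
    """c = sample size in KiB, as defined on the page."""
    return t.size_bytes / 1024


def attack_capability(t):
    """AT = base score + c."""
    return base_score(t) + c_term(t)


def to_t_units(at):
    """Convert a raw AT score to the page's 'T' unit, rounded to 3 places."""
    return round(at * 1000 / T_UNIT, 3)


# The page's parameters for the Winnti campaign.
WINNTI = ThreatParams(k=2, a=3, s=1, m=5, p=1, x=4 + 2, size_bytes=122880)

if __name__ == "__main__":
    at = attack_capability(WINNTI)
    print(f"base = {base_score(WINNTI)}, c = {c_term(WINNTI)}, "
          f"AT = {at}, {to_t_units(at)}T")
```

Splitting the score this way makes the weighting visible: the (1+x)^2 factor contributed by the stolen certificate and N-day use multiplies the technique term by 49, while the c term adds only 120 to a 4900 base, so the sample-size component barely moves the result.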