????:1????????vx:??????

2?????wx

3????????2023

4?????

5?????????

????????????????

2024?12????18?,?????CNCERT???????????????????????(

????????

(??????????????????????????)?

??????Exchange?????????????????2?Exchange???,??????????????????????????,?????????,????????????????????????????

(????)?????

??,?????????2??,????????,????????????????????,????/owa/auth/xxx/xx.aspx??????????????/owa/auth/xxx/yy.aspx,???????????????????????????????????????,??????????,?????????

(?)??????????30?????

???,???????????????????,?,??????????SSH?SMB?30?????????????????????????????????????????;?????,?????????????????????????????????????????????????????????????????????????,????websocket+SSH?,??????????????????????,?WeChatxxxxxxxx.exe??2???????PIPE??,????????????????

??????????????????????????????

(???????)?????????????

???????,???????????????????????,?,?,?????,??????????????????

(???????????)?????????????????

??3????????????,?????,2023?5?????????2?,??????????(95.179.XX.XX)?,??????,?????????????,????????????????,?“?????????”?“????????????”?“????????”?“???????????????????(?????????????+???????????????????????????)”?“????IP????”?“?”???

(????????)???????

???????????????????,???,2023??????????????7???????26????,??????(65.21.XX.XX)?????,????,?????????????????,?,?1.03GB????????,?“????????????”??“tip4XXXXXXXX.php”?

(?????)???????????????????????

?,??????????????????,??????????????????????,?????????????????SSH????????????,???????????,?????????????????????????

????????

(???????????)?

????,?????22??????????????8????,??????????10??????????20?,??????????,????????????

(??)???????????????

2023?5?????????????????2023?????10????????????????????????????,??????????????????????30???,??IP????,??

(???????????????)????????????????????????????

?2??????PIPE??????????????????“c:\windows\system32\”??????????????????????,?.net????????,????????????????,?????KB,??????????????TLS????????????????????????????????????????,???????https???????????????????????,??????????websocket+SSH?????,??

?????????????????IP????????????

?????????????????????

2024?????????????12??????18?,?CNCERT?(

??????

(?????)????????????

2024??????8???19??????,???????????????????,?/??2024?8???21???????????????,??/???

(??????????????)????

2024?8?21??????????????12??????????,????,?,????,????/xxx/xxxx?flag=syn_user_policy???????,??????????????/xxx/xxxStats?

(??????)??????????

2024???????????????????11?6??2024???11??????????????8??????2024?????????????11?16???????,?????????276?????????????????????????????????????

?????????????????????????????

(??????????)?

???????????????IP???????????,????????????????????,????,??,??

(?)???????????

2024?11????6????11????????16???????,???3?????????????????????????????????IP????????????,????????????????,????,???????????,?,????????????4.98GB?

??????????????????????????????????

(???????????????)?????????

??????????????,??????????????????????????????????22????8?????????,?10???????????20?,???????????,??

(???????????????)??????????????

?????????5????IP??????,???????????,??

(???????????????????????????)??????????

??????????????????????????????,??????????,??

?,?,???????????????

(??)?????

???????????????????????????,??????,?,???????????????276?,??????????,?????????????????????

??????????????????IP????

????????????:???????