?????????????????!???????????????

?????????????????

2024?12??????????18??,????CNCERT??????????????(

???????????????????

(??????)?

??Exchange?????????????2??????????????Exchange?,??????????????????,???????????,????????

(?????????????)??

??????????????,???????2?,?????,???????,?/owa/auth/xxx/xx.aspx?????????/owa/auth/xxx/yy.aspx,?????????????????????????????????,?,??

(????)?????????????30??????????

?,??????????????????????????,????????????,?????SSH?SMB??????30?????????????;??????????????,?????????????????????????????????????????????????????????????????,????websocket+SSH?????????????,??????????,??????????WeChatxxxxxxxx.exe???2?PIPE?,???

????????????????

(???????????)?

????,??????????????????????????,?,????,?,????????????????????????

(???????????)???????????????

???????3?,?????????????????????????????????,2023?5??2???????????????????????????,?????(95.179.XX.XX)?,?,?,??????????,??????????????????????????????“???????????????????????”?“???????????????????????????”?“??????????”?“???(???????????????????+???????)”?“??IP???”?“?????????????????”????????????????????????????

(?)????????????

????????????????????????,??????????,2023???????????????7?26????????????????????,?????????(65.21.XX.XX)???????????????,?????????,??????????????????????,?????,???????????????????1.03GB???????????,?“??????????????????????”?????????????????????“tip4XXXXXXXX.php”?

(?)??????????

?,?,?,????????????????????SSH?,?,??

????????????????????

(?)????

???????????,???????????????????22???????????????????8???????????????,?????10????????????????????????20????????????????,?,????????????????????

(???????????????)??????????????

2023?5??2023??10?????,??????30??????????????????,?IP????????,???????????

(??????)?????????

????2????????????PIPE?????“c:\windows\system32\”??????????????,??????????.net??????????????????????,?,?KB,????TLS??????????????????????????????????,??????????https????????????,????????????websocket+SSH???????????,????

??????????????????????IP?

???????????

2024?????????????????????????????????12?????????????18????,????????CNCERT?????(

??????????????

(??)?????????

2024??????8???19????????,????????????????,?/??2024?8????21?????????,??????????????????????????????????/????????????????????

(?????????????????)?

2024???????8??????21???????12?,??????????????????,?????????,?????????????,??????????????/xxx/xxxx?flag=syn_user_policy??,???????????/xxx/xxxStats?

(??????)?????????????????

2024????11??6???2024????11?????????????????????8??2024????11?16??????,?276?????????????????????????????????????????????????????????

???????????

(?)???????

???????????????IP????,?,???,?,??

(?)?

2024??????????????????????11????6?11?16??,?3?IP?????,?,?????,????????,??????????,???????????????????4.98GB?

???????????????????????????

(??)????????????????????????????

?????????????????,?22??8?????????????,???????????????????????????10?????????????20?,???????????????????????,?????

(????????????????????????)?????

???????5???IP??????????,??,?????

(???)???????????????????????

???????????????????,??????????????????????,????????

??????,??????,???????

(?????)?????

???,??????????????,?????????,????????276????,???????????????,??????????????

???????????????IP?????????????

?????????????:???????????????