?????????????????!???????????????

?????????????

2024?12??????18?,?CNCERT??????????????(

??????????????????????????????????????

(?)??????????????????????????????

???Exchange????????????????????????????2??????????????Exchange????????????,?????????????????????,???????????,???????????

(??????)????

???????????????,???????????????2??,???????????????????,????????,?????????/owa/auth/xxx/xx.aspx???????????????????/owa/auth/xxx/yy.aspx,??????????????????????????????????,?????????????,??

(?????)????30??????????????????

????????????????????,?,????,?????????SSH?SMB???????????30???????????????????????????????;??,????????????????????????????????????????????????????,??????websocket+SSH?,??????????????????????????????????????????,?????WeChatxxxxxxxx.exe???????????????2???PIPE?????????????,?????????????????????????

????????????????????

(???????????????????????)??????????????

???????????????????,??????????????,?,??,?,??

(?)??????

?????????????3?,????????????????,2023???5??2??,??????????????????????????????????(95.179.XX.XX)????,???????,?,?,????????????“??????????????????”?“?????????”?“????????????????????????”?“?(??????????????+????????????)”?“?????????IP????????????????”?“????”???

(?)???

????????????????,??????????????????????,2023??7??????26??,?(65.21.XX.XX)??????????????,?????????,???????????,??????????????,????1.03GB????????????????????,?“????”?“tip4XXXXXXXX.php”?

(?)?

??,????????????,??????,?????????SSH???????????????,?,?????????????

??????

(????)???????????????

?,?22?????????????????????8?,????10????20??????,??????????????????????????,??

(??)???????????????????

2023?????5?????????2023????10?,?30???????,?IP?,?????????????????????????

(??????????)???????????????

?????2?PIPE???????????“c:\windows\system32\”?,???????.net??????????,???????????,?????????????????KB,???????????????????????????TLS???????????????????????????????????????,????????????https????,?websocket+SSH???????,????????????

???????????????????IP????????????????

??????????

2024?????????????????????????????????12?18??????,???CNCERT???????????(

???????????????

(??????)?????

2024?8????????19??,??,??????????/????????2024??????????8????????????21?????,???????????????/??

(?)????????????????

2024????????????8???21????????12?,????????????????????????????,????????,????????????????,?????/xxx/xxxx?flag=syn_user_policy???,?/xxx/xxxStats?

(?)?

2024?11??????6??2024?11?8???????2024??????????????11?16????????????????????????????,???????????????276???????????????????????????????????????????????????

????

(????)??

??????IP????,?,??????????????,???????,?????????

(????)???????????

2024?11?6??????11????????????????16?????????,?????????????????3????IP????????,?????????,?????????????,????????????????????????????????????????,??,???????????????????4.98GB?

???

(??????????)??????????

????,????22???????????????8??????????,???????????????????????????10???????????????????????20???????????,???,??????

(???????)??????????

?5???IP??????,??????,??????????

(????????????????????????????)??????????????????????????

?,??????????????????????????????????,???????????????

?,?,??

(??)?????

?????????????????,???,??????????????,????276?????????,??????????,??????????????????????????????????????????????

????IP?

?????:??