?????????????????!???????????????

?

2024?12?????18?,?????CNCERT???????????????????????(

???

(????)?

?Exchange????????????????????????????????2???Exchange??,??,?,???

(?)???????????????

???????????????,????????????????2?????????????,??????????????,??????????????????????????????,??/owa/auth/xxx/xx.aspx??????/owa/auth/xxx/yy.aspx,????????????????????????????,??????????????,??

(????)?30?????????????

????????????,???????,?????????,?????????????SSH?SMB???30???????????????????????????????;?,???????????????????????????????????????????????????????????????????????,???websocket+SSH???????????????,??????,?WeChatxxxxxxxx.exe??2??PIPE??????????????????????,????????????????

?????????????????????????????????

(?)????

??????????????,????????,??????,?????,?????????????????,???????????

(?)??????????????????????

?????????????????????3????,????????????????,2023?5???2???????????????,???????????(95.179.XX.XX)????????????,???????,???????????????????????,?????????????????,?“???”?“?”?“??????????????”?“??????????????????????????????(???????????+?)”?“?IP?”?“?????????”?????

(????????????????)????

????????????????????,?????????????????????????????????,2023??????????7?26?,??(65.21.XX.XX)????????,??????????????????????,?????,?????,?????1.03GB??,????“??????”??????“tip4XXXXXXXX.php”?

(??????)????????????

??,????????????,??,???????????????????????????????????SSH??,???????????,???

????????

(?)????

???????????????????,???????????????????????????22???????????????????8?????????????????????????????????,????10?20??????????????,?,??????

(?????????????)??????????

2023?5??????2023????????????????????10?,?30?,??????????IP?,????????????????????????

(??????)????

????????????????2?PIPE?“c:\windows\system32\”??????????,?????.net????,?,??????????KB,?TLS?????????????????????????????????????????????????,??????????????https?,?websocket+SSH???????????????????,?????

??????????????IP?????

??

2024?????????????????12?18???????????,?CNCERT?????????(

???????????????????????????????????????????

(????????????????)?????????

2024?8????19???,?,???????????/???????????????2024??8???????????21????,???????????/?????????????????

(??????)???????

2024???????8?21????????????????????????12?????????,?????????????????????????????,????????,????????????????,???/xxx/xxxx?flag=syn_user_policy???????????????????????????,?/xxx/xxxStats?

(?)?????

2024??????????????????????????11???????????6??2024?11????????????????????????8????????????????????????????2024???????11?16??????,?276?????????????????????

?????????????????????

(?????)??????????????????

??????????IP???????,?????????????,?,????,?????

(???????????????)???????

2024?11???????6????????11??16???????????????????,??3????????IP????????????,?????,???????,?????????????????????????,???????????????????,??????????????????????????????????4.98GB?

???????????????

(????????)?

???????????,????22??????????????8???????????,??10?20????,????,??

(????????)?

??5?????????????IP????,????,???

(?????)??????????

?????????????,??????????????,???????????????

?????????????????????,????????,????????????????

(???????????????????????????)???????????????????????

?,?,??????????,??????276??????,???????????????????????????????,??????????????????????

???IP??????????????????

???:??