PhantomBot laga bilaabo Xatooyada Aqoonsiga ilaa Botnet

PhantomBot: Olole Typosquat ah oo ka dhashay Xatooyada Aqoonsiga una beddelay Qalabka Botnet-ka Turnkey

TL, DR

Hal daabace npm ah, deadcode09284814, ayaa sameeyay olole ka dhan ah khaladaadka qoraalka ee sharci-darrada ah axios iyo chalk-template xirmooyinka tan iyo bartamihii Maajo 2026.

Ololaha wuxuu ku bilaabmay aqoonsi caadi ah iyo xatooyo boorso, isagoo xogta u gudbinaya Tunnelka HTTPS ee Serveo.

On 2026-05-17, la axois-utils:1.0.9, hawlwadeenku wuxuu si buuxda u beddelay culayska lacagta: isku qaab saddex-geesood ah oo rakibid-jillaab ah, isla daabacaha, isla magaca xirmada.

Laakiin qoraalka rakibidda hadda waa qorista DDoS botnet ee iskutallaabta ah.

Culaysku wuxuu la hadlayaa a localhost.run godka waxayna aqbashaa amarrada daadadka, iyadoo deegaannada cudurka qaba u rogaya qayb ka mid ah botnet-ka DDoS-ka awood u leh.

Hawlwadeenku xitaa wuu soo diray C2 server binary gudaha kubadda cagta, taasoo muujinaysa koror cad oo ka yimid xatooyada aqoonsiga ilaa kaabayaasha botnet ee firfircoon.

Laba xirmo, afar nooc oo wali ka shaqeeya diiwaanka, iyo hal hawlwadeen hadda labada qayboodba si is barbar socda u wada.

Darnaanta: sare.

Cinwaanka IOC Nooc kasta oo axois-utils ama chalk-tempalte ah oo ka socda daabacaha deadcode09284814

Weerarkii: Sida uu u Shaqeeyo

Ololaha waxaa lagu dhisay qaab gaarsiineed oo si ula kac ah u caajis badan: laba magac oo xirmooyin ah oo ku qoran qaabka qoraalka, hal xaraf oo ka baxsan xirmooyinka oo leh boqolaal milyan oo soo dejin toddobaadle ah (axios, qaab-caddaan), iyo rakibidda saddex-geesoodka ah hooks taas oo dammaanad qaadaysa fulinta. Waxa xiisaha lihi waa waxa looxa dhismaha ah xambaarsan — iyo xaqiiqda ah in hawlwadeenku uu beddelay xamuulka isagoon wax kale beddelin.

Qalabka la wadaago

Nooc kasta oo la daabacay oo labada xirmo ah ayaa sheegaya saddex wareeg oo nololeed oo isku mid ah hooks in xirmo.json:

"scripts": {    "preinstall":  "node <payload>.js",    "install":     "node <payload>.js",    "postinstall": "node <payload>.js"  } 

Liis gareynta culayska saddexda qayboodba hooks waa xad-dhaaf — postinstall keligaa ayaa ku shaqeyn lahaa caadi ahaan rakibaadda dharkaDoorashadu waa muhiim: rakibidda npm –ignore-scripts waxay ka boodaa qoraallada, laakiin dhowr shaqo oo caadi ah (CI cache ayaa dib u soo celisa wareegga nolosha ee dib loo socodsiiyay hooks si xulasho ah, ama horumariyayaal kaliya oo hubiya postinstall) samee bayaan saddex-laab ah oo sharadka ugu ammaansan ee weeraryahanka.

nuurad-tempalte waxay ku daraysaa farsamo labaad: waxay ku dhawaaqeysaa axois-utils:^1.0.7 sida waqtiga shaqada ku tiirsanaantaKu rakibidda khaladaadka khaldan qaab-caddaan Sidaa darteed waxay sidoo kale soo jiidataa qoraalka khaldan ee walaalaha ah, labada xirmo ee lacagta lagu shubo way shaqeeyaan. Labada xirmo waa labo isku xiran, ee ma aha liisas madax-bannaan.

Wejiga A — aqoonsiga qofka xadaya boorsada (2026-05-15 → hadda)

Wejiga A waa culayska asalka ah. Qalabka rarka waa mid gaaban postinstall.js taas oo tilmaamaysa godka gadaal ee Serveo HTTPS:

// chalk-tempalte/postinstall.js:11-13  const C2_HOST = "f04a273bd84c0622-80-200-28-28.serveousercontent.com";  const C2_PORT = 443;  const C2_PATH = '/collect'; 

Subdomain-ka Serveo wuxuu codeeyaa IP-ga loo socdo (80.200.28.28) si toos ah magaca martida - heshiis la aqoonsan karo oo loogu talagalay adeeggaas. Hawlwadeenku wuxuu u wareejiyaa horgalaha subdomain-ka ee aan kala sooca lahayn noocyada si uu uga baxsado liisaska xannibaadaha domain-ka ee aan caadiga ahayn, laakiin IP-ga hoose waligiis ma dhaqaaqo.nuurad-tempalte:1.0.14 used 8a3e818ea8f11186-80-200-28-28…; 1.0.16 / 1.0.19 / 1.0.20 isticmaal f04a273bd84c0622-….)

postinstall.js gacmaha u leexiya phantom.js, oo ah 7,667-sadar oo ah "ururiye" oo la isku daray. phantom.js wuxuu u socdaa martida:

Furaha gaarka loo leeyahay ee SSH (~/.ssh/*)
.npmrc waxa ku jira iyo wax kasta npm_* calaamadaha env
Faylasha aqoonsiga AWS, GCP, iyo Azure
Regex calaamadda helitaanka shakhsi ahaaneed ee GitHub (ghp_*, gho_*, ghu_*, ghs_*)
Waxyaabaha loo yaqaan 'Crypto-bocket' ee loogu talagalay Bitcoin, Exodus, Electrum, Monero, Litecoin, Dogecoin, Zcash, Dash
Dib-u-celin .env* ku dhex maro ~/projects, ~/dev, ~/code, ~/workspace, iyo rakibidda cwd
Taariikhda Shell iyo dhammaan process.env

Xirmada waxaa lagu dhejiyay godka Serveo ee /ururMa jiro wax qarqaryo ah, ma jiro macquul ka soo horjeeda VM, ma jiro wax qorshe ah - sharadka hawlwadeenku wuxuu ku saabsan yahay mugga iyo xawaaraha.

Wejiga B — PhantomBot DDoS recruit (2026-05-17, axois-utils:1.0.9 oo keliya)

Wejiga B wuxuu ku beddelayaa phantom.js + postinstall.js hal fayl oo la yiraahdo distrube.js (qoraalka khaldan waa kan hawlwadeenka). Qaab-dhismeedka saddex-jibbaaran ee ku jira package.json isma beddelin; xirmadu waxay haysaa isla magaca, baaxadda, iyo qaabka nooca-bump. Dibadda, axois-utils:1.0.9 wuxuu u eg yahay dabagal yar oo 1.0.6 ah. Gudaha, waa qoys malware ah oo ka duwan.

distrube.js waxay ku furmeysaa baloog habeyn ah oo magacawda summada hawlwadeenka u gaarka ah:

// axois-utils-1.0.9/distrube.js:11-15
// Use your localhost.run HTTPS URL (the tunnel handles HTTP internally)
const C2_HOST = 'b94b6bcfa27554.lhr.life'; // Your localhost.run tunnel
const C2_PORT = 443; // HTTPS port - tunnel handles SSL
const BOT_ID = `${os.hostname()}_${Date.now()}_${crypto.randomBytes(4).toString('hex')}`;

Faallooyinka waxaa loo jeedinayaa hawlwadeen mustaqbalka oo maamula qalabka ("Isticmaal URL-kaaga localhost.run HTTPS"). Taas, iyo waxa ku xiga macmiilka bot, waa in la sheego in tani aysan ahayn oo keliya culays dhibbane - waa qalabka.

Socodka:

  1. adkaysiga Marka hore ayuu shaqeeyaa. Qoraalku wuxuu isku rakibayaa saddex siyaabood oo kala duwan OS kasta (diiwaangelinta Run + Faylka bilowga ah + farsamooyin Windows; crontab + adeegga phantom-bot.service cutubka nidaamka + .bashrc/.shshrc ku dar + /etc/rc.local Linux; LaunchAgent com.phantom.bot.plist MacOS). Magaca adeegga joogtada ah iyo calaamadda LaunchAgent labaduba waa isku mid. bot-phantom / com.phantom.bot, kaas oo sidoo kale ah meesha magaca ololaha uu ka yimid.
  2. Macluumaadka nidaamka exfil hal mar ayuu socdaa — far-qaadis hal-toos ah oo loo diro b94b6bcfa27554.lhr.life:443/collect oo wata magaca martida, goobta, qaansada, magaca isticmaalaha, CPU/RAM, is-dhexgalka shabakadda, process.env, cwd, homedir, nooca node, iyo IP-ga dadweynaha. Tani aad bay uga yar tahay marxaladda A: ma jiro SSH, ma jiro boorsooyin, ma jiro dib-u-soo-celin .env ah. Shaqada bot-ku waa inuu isdiiwaangeliyo, ma aha inuu xado.
  3. Wareegga garaaca wadnaha Wuxuu furaa HTTPS POST 30 ilbiriqsi kasta ilaa b94b6bcfa27554.lhr.life:443/. Wakiilka Isticmaalaha waa PhantomBot/1.0. Xaqiijinta TLS si cad ayaa loo joojiyay (rejectUnauthorized: been). Jawaabta C2 waxaa loo kala saaraa JSON ee foomka {nooca, bartilmaameedka, dekedda, muddada, mawduucyada, habka} waana la diraa.
  4. Kaydka daadadka waxaa loo xiraa lix amar:
Nooca taliska Module Notes
ping Jawaabta noolaanshaha Bot wuxuu isku aqoonsadaa
http Daadadka HTTP Daadka codsiga ee lakabka 7
https Daadadka HTTPS La mid ah http, TLS-la duubay
tcp Daadadka TCP 65 KB spam-ka aan kala sooca lahayn
pud Daadadka UDP Xirmooyinka UDP ee 65,507-byte
degdeg ah Dib-u-dejin degdeg ah oo HTTP/2 ah DoS Farsamada 2023 CVE-2023-44487

Dhammaan shanta qaybood ee daadadka waxay qaataan bartilmaameed, dekedda, muddada, Iyo threads dood — bot-ku waa daad-gureyn guud oo loogu talagalay kireysiga, oo aan loogu talagelin dhibane gaar ah. Liiska dhibbanayaasha hawlwadeenka wuxuu ku nool yahay C2, ee kuma jiro xirmada.

Maxaa Cusub Halkan — binary-ga C2 ee la diray

Wejiga A waa qaab la yaqaan: xatooyada aqoonsiga, jillaab rakibid, iyo C2 oo iibiye-tunneled ah. Wejiga B waa sidoo kale qaab la yaqaan — botnet-yada DDoS waxay ahaayeen qalab loogu talagalay xirmooyinka npm ee xaasidnimada leh sannado badan. Waxa aan caadiga ahayn ayaa ah in hawlwadeenku uu soo diray dhinaca server-ka qalabka ku jira kubbadda npm:

  • c2 — 4-megabyte oo ah binary Go ELF ah oo la isku daray
  • c2.go — isha 426-line Go ee loogu talagalay binary-gaas

Midna fayl ma keeno wax ku-xidhka rakibidda ah. Ma aha qayb ka mid ah culayska dhibbanaha. Waxay ku fadhiyaan buugga xirmada sida faylka dukumeentiyada uu sameyn doono. Akhrinta ugu macquulsan ayaa ah in hawl-wadeenku uu geedkiisa shaqada horumarinta ku riixay npm isagoon soo ururin liiska faylka - warqad OpSec ah oo dhab ah - waxa la soo dirayna waa qalab laba dhinac ah oo dhammaystiran: macmiilka dhibbanaha ayaa maamula, iyo server-ka maamula.

Kani waa qaybta sheekada ee caddaynaysa qaab-dhismeedka "qalabka botnet-ka turnkey". Qof kasta oo soo dejiyay axois-utils:1.0.9 ka hor inta aan la saarin, ma laha muunad dhibbane oo keliya - waxay leeyihiin server C2 oo shaqeynaya.

Jumlada, hal jumlad

Daabacaha isku midka ah, magacyada xirmooyinka isku midka ah, isku-dhafka saddex-jibbaarlaha ah, isla summada "khayaaliga ah" - laakiin Lacagta mushaharku waxay beddeshay qaabka lacag-bixinta habeen dhanlaga bilaabo "sirta goosashada waan dib u iibin karaa" ilaa "kiro awoodda daadadka ee aan kireysan karo". TTP-yada waqtiga rakibidda ee ay tahay in difaacayaashu ay daawadaan waa isku mid labada marxaladoodba; difaacyada ku salaysan saxiixa ee lagu xiray xargaha wadada jeebka ee Wejiga A ama phantom.jsUruriyaha 7,667-line wuxuu gebi ahaanba seegi lahaa Marxaladda B.

Taariikh (UTC) Event
2026-05-15 Daabacaaddii ugu horreysay: axois-utils:1.0.4 (Dhismaha tijaabada LAN, qalabka horumarinta ee 192.168.129.19)
2026-05-15 axois-utils:1.0.6 la daabacay — Wejiga A C2 ayaa loo beddelay 80.200.28.28 iyada oo loo marayo godka Serveo; faallo laga soo xigtay isha // Change to '80.200.28.28' for public waxay xaqiijineysaa isbeddelka dev→prod
2026-05-16 chalk-tempalte:1.0.14 iyo 1.0.16 la daabacay - rarka silsiladaysan oo ku dhawaaqaya axois-utils:^1.0.7 sida ku tiirsanaanta waqtiga socodsiinta; Serveo subdomain ayaa la wareejiyay
2026-05-16 Ololaha Wajiga A ayaa la helay intii lagu jiray baaritaanka caadiga ah ee npm; xukunno xunxun oo la xaqiijiyay ayaa la dabaqay
2026-05-17 axois-utils:1.0.9 la daabacay — qaabka lacagta lagu shubo: PhantomBot DDoS recruit via localhost.run tunnel; operator-side c2 laba-geesood ah iyo c2.go ilo lagu soo diray kubbadda cagta
2026-05-17 chalk-tempalte:1.0.19 iyo 1.0.20 la daabacay — wali Wajiga A (xatooyo); hawlwadeenka hadda wuxuu ku shaqeynayaa labada qayboodba is barbar socda
2026-05-17 Helitaanka Wajiga B inta lagu jiro baaritaanka caadiga ah; go'aannada ayaa lagu dabaqay dhammaan 2026-05-17 versions
(socda) Warbixinnada la soo saarayo ayaa sugaya; dhammaan afarta xirmo ee la daabacay waxay ku jiraan diiwaanka waqtiga qoraalka

Tilmaamayaasha Tanaasulka

Baakado

deegaanka Xidhmada versions
shm axois-utils (nooca axios-ka) 1.0.4, 1.0.6, 1.0.9
shm chalk-tempalte (nooca nuuradda) 1.0.14, 1.0.16, 1.0.19, 1.0.20

Aqoonsiga qoraaga

Field Qiimaha
daabacaha npm deadcode09284814
Iimaylka Daabacaha phantomdeadcode@tutamail.com
SCM xaqiijinta ma jiro

Taliska-iyo-xakamaynta

Phase Ugu dambeyntii Transport
A f04a273bd84c0622-80-200-28-28.serveousercontent.com:443/collect Tunnelka HTTPS ee Serveo
A 8a3e818ea8f11186-80-200-28-28.serveousercontent.com:443/collect Tunnelka Serveo HTTPS (noocii hore)
A 80.200.28.28:443/collect Dhammaadka hoose ee VPS
B b94b6bcfa27554.lhr.life:443/ localhost.run HTTPS rogaal-rog ah

Faylasha la soo koobay (SHA-256)

file SHA-256 Notes
c2 (Tag ELF, 4 MB) 165fa92d237fd017c227d00da06ab788212a62be94bf61e95df2d22d00377ef2 Adeeg-hayaha dhinaca C2, oo gudaha loo diray axois-utils:1.0.9
c2.go (426 sadar) 7d0ae79fdb1e9968f3323a3712b624643a782ba3efb2cf3a2cb9c4c5513cea30 Tag isha binary-ga C2
distrube.js 308b15c023088a7188dea4ef609010ac2493eb4c365b103053d7621a9ca5b935 Macaamiisha wejiga B bot
phantom.js (chalk-tempalte:1.0.19) 9e380ec88d3ccf3929e1a104e3b868d4d7b59ca189a8a431a54e9f3357dfdd81 Shahaadada aqoonsiga/ururiyaha boorsada wejiga A
phantom.js (chalk-tempalte:1.0.20) d1c9e3f296ee9f7d5032f73f9c504cede50334bc14c394055fd5cb9c3a6e08b3 Ururiyaha Wajiga A (nooca 1.0.20)
postinstall.js (chalk-tempalte:1.0.19 = 1.0.20) ffba9bdd6793edd5b38e12900252c1813a693f59c25af51c3b658cf3f27b6162 Qalabka rarka wejiga A, oo byte-isku mid ah labada noocba

Tilmaamaha iyo Dhiirigelinta

Waxaan ula soconaa ololahan sida PhantomBot, iyadoo laga qaadayo sumcadda shirkadda Wakiilka Isticmaalaha: PhantomBot/1.0 madaxa garaaca wadnaha, adeegga phantom-bot.service cutubka nidaamka, com.phantom.bot calaamadda LaunchAgent, iyo koodhka phantomdead@ Gacanta iimaylka. Hawl-wadeenku wuxuu si isku mid ah uga hadlayaa magacan ugu yaraan afar farshaxan.

Buugga calaamadaha

  • Daabacaadda - code-ka dhimashada09284814 on npm. Akoon hal-gacan leh, Tutamail iimayl la tuuri karo, maya SCM xaqiijin. Ma jirto taariikh hore oo daabacaad ah oo ka baxsan ololahan.
  • Dib u isticmaalka summeynta — "Phantom" waxay ka muuqataa iimaylka daabacaha, magaca faylka ururinta Wajiga A (phantom.js), magaca adeegga joogtada ah ee Wajiga B (adeegga phantom-bot.service), oo ku jira calaamadda LaunchAgent (com.phantom.bot), iyo bot-ka User-Agent (PhantomBot/1.0).
  • Kaabayaasha - Hal VPS oo keliya oo ku taal 80.200.28.28 Wajiga hore ee Wajiga A iyada oo loo marayo wareegga subdomain-ka ee Serveo; Wajiga B wuxuu u guuraa a localhost.run godka gadaal (b94b6bcfa27554.lhr.nolosha) Labada adeeg ee iibiyaha waa bilaash waxayna u baahan yihiin oo keliya SSH dibadda ah oo dhinaca hawlwadeenka ah, oo la jaan qaadaya dejinta OpSec ee miisaaniyad yar.
  • qaabka code — JavaScript-ka oo dhan; ma jiro wax qarin ah, ma jiro wax cod-bixin xarig ah, ma jiro hubin ka-hortagga VM. Magacyada doorsoomayaasha ah waa kuwo sharraxaad leh (macluumaadka nidaamka, fuli Amarka, httpFlood) Faallooyinka ku jira distrube.js si toos ah ula xiriir hawlwadeen mustaqbalka ("Isticmaal URL-kaaga localhost.run HTTPS"), taasoo soo jeedinaysa in faylka loogu talagalay in dib loogu qaybiyo qalab ahaan, oo aan loo isticmaalin hal weeraryahan.
  • Warqadda OpSec — Kubadda cagta wejiga B waxay soo dirtaa labadaba macmiilka bot iyo server-ka dhinaca hawlwadeenka C2 (c2 ELF + c2.go isha). Tani waxay la jaanqaadaysaa hawlwadeenka oo geedkiisa shaqada ku riixay npm isagoon hubin liiska faylasha. Hawlwadeenku waa mid aan khibrad lahayn, ama qalabku waa mid aan khibrad lahayn. waxaa loola jeedaa in si guud loo qaybiyo oo binary-ga C2 uu qayb ka yahay badeecada.
  • Is-xaqiijinta - axois-utils:1.0.4 waxaa ku jira faallada isha // U beddel '80.200.28.28' dadweynaha khadka 12, isagoo xaqiijinaya horumarka horumarinta / diyaarinta / wax soo saarka ee ay caadiyan shirkadaha ka shaqeeyaa ay diidaan.

Rabitaan

Culayska Wajiga A waa xatooyo dhaqaale oo toos ah: aqoonsiga, furaha daruuraha, calaamadaha GitHub, iyo boorsooyinka crypto dhammaantood waxay leeyihiin suuqyo dib-u-iibin dareere ah. Wajiga B sidoo kale waa mid dhaqaale, laakiin aan toos ahayn: Adeegyada DDoS-for-kire ("booter") waxay kireeyaan awoodda daadadka daqiiqaddii, bots-yada sida kan halkan lagu soo dirayna waa kaydka adeegyadaasi ay ku shaqeeyaan. Garaaca 30-ilbiriqsi, guud ahaan. bartilmaameed/dekedda/muddada qorshaha taliska, iyo kaydka daadadka ee shanta borotokool ah waa standard wax soo saarka hawlwadeenka booter-ka.

Labada qayboodba si is barbar socda ayay u shaqeynayaan — nuurad-tempalte:1.0.19 iyo 1.0.20 sii wad inaad rarto tuugga intaad axois-utils:1.0.9 waxay soo dirtaa bot-ka - waxay soo jeedinaysaa in hawlwadeenku uu ilaalinayo ilaha dakhliga halkii uu ka tagi lahaa Wejiga A. Habkani waa Intaa waxaa dheer, ma aha beddelka.

Waxa aynaan sheeganayn

Ma aanan awoodin inaan xaqiijino aqoonsiga dhabta ah ee ka dambeeya adduunka dhabta ah code-ka dhimashada09284814 gacanta, mana nihinno ololahan mid ka mid ah jilayaasha khatarta ah ee la magacaabay, koox, ama waddan. Sumcadda "khayaaliga ah" waa mid ku filan dhammaan farshaxannada si ay u soo jeediso hal hawlwadeen, laakiin rarista nooca qalabka ee laba-geesoodka ah ee C2 waxay furaysaa suurtagalnimada in xirmooyinka mustaqbalka ee ka imanaya gacan-qabashada aan la xiriirin ay dib u isticmaali doonaan isla koodka.

Saameynta

Bartilmaameedyada saxda ah ee squat-ka axios iyo qaab-caddaan waxaa si weyn loogu tiirsan yahay nidaamka deegaanka ee JavaScript; axios Kaliya wuxuu ka mid yahay soddonka ugu sarreeya ee xirmooyinka npm ee ugu badan ee la soo dejiyo. Magacyada typosquat-ka waa hal keystroke oo ka fog kuwa dhabta ah (aksoisaxios, tempaltetemplate), labaduba waa higgaad khaldan oo luqad ahaan macquul ah.

Ma aanan awoodin inaan helno tirakoobyo la isku halleyn karo oo ku saabsan soo dejinta noocyada xaasidnimada leh ka hor inta aan la saarin - npm ma hayso tirinta soo dejinta nooc kasta ka dib marka xirmo aan la daabicin, iyo npms.ioWakiillada -style-ka ayaa buuq badan ku leh heerkan. Urur kasta oo faylkiisa qufulka ah uu ku beddelo xirmo la magacaabay axois-utils or nuurad-tempalte laga soo xigtay daabacaha code-ka dhimashada09284814 waa in loola dhaqmaa sidii wax la jabiyay: wareeji aqoonsi kasta oo ku jira gudaha geedi socodka.env on martida ay saameysay, vectors joogtaynta hubinta ee OS kasta (fiiri "Waxa ay difaacayaashu sameyn karaan" ee hoose), oo ka saar ku tiirsanaanta.

Qaababka soo baxaya

Ololahani wuxuu tusaale u yahay isbeddel aan ku aragnay dhowr dhacdo oo npm ah oo dhawaan dhacay: qalabka rakibida-jillaabku waa hanti waara; culayska waa la beddeli karaaDaabacaha isku midka ah, isla xirmadaas, waa isku mid horay u rakib / rakibi / postinstall saddex-jibbaaran, iyo xitaa nooc isku mid ah - cadence-ka - waxa kaliya ee isbeddelay inta u dhaxaysa axois-utils:1.0.6 iyo axois-utils:1.0.9 waxay ahayd faylka hooks socodsii. Ogaanshaha ku salaysan saxiixa oo lagu xidhay culayska Wajiga A (xadhkaha wadada jeebka, phantom.jsUruriyaha 7,667-line, oo ah martigeliyaha Serveo C2) ayaa calaamadayn lahaa saddexda nooc ee ugu horreeya oo gebi ahaanba seegay Marxaladda B.

Isla qaabkan ayaa ka muuqda ololayaasha kale ee 2026 ee aan raadraacnay: hal hawlwadeen oo leh qaab deggan, is-weydaarsi u dhexeeya xatooyada aqoonsiga, macaamiisha khiyaanada imtixaanka, Telegram-bot exfil, iyo hadda shaqaalaysiinta DDoS. Difaacayaasha ku tiirsan saxiixyada mushaharka ayaa sii wadi doona inay lumiyaan wareegga labaad ee olole kasta.

Aragtida ayaa ah in TTP-yada waqtiga rakibida ayaa ah calaamadda ugu fiicanKu dhawaaqyada saddex-geesoodka ah ee rakibidda, ku rakib qoraallada soo dejiya https or habka_carruurta, rakib qoraallo wax ku qora faylalka bilowga isticmaalaha, oo rakib qoraallo xalliya magacyada martida ee adeegyada tunnel-ka ee bilaashka ah (Serveo, localhost.run, ngrok, cloudflared) dhammaantood waa naadir ku ah xirmooyinka sharciga ah waxayna ku badan yihiin kuwa xaasidnimada leh.

Waxa ay tahay in difaacayaashu sameeyaan

  • Baaritaanka faylka qufulka. Raadi mid kasta xirmo-quful.json / dun.quful / pnpm-lock.yaml ururkaaga si aad u hesho xarfo sax ah axois-utils iyo nuurad-tempalteUla dhaqan wixii isku dhac ah heshiis.
  • Wareeji sirta martida ay saameysay. Wejiga A aqoonsiga SSH, daruur, GitHub, npm, iyo boorsada jeebka oo la goostay. Qaado aqoonsi kasta oo waligaa ku jira geedi socodka.env, ~ / .ssh, ~/.aws, ~/.npmrc, ~ / .kordhin, ama wax kasta .env* Faylka ku jira martida ay dhibaatadu saameysey waa la soo bandhigay.
  • Ka saar adkeysiga (Wejiga B). Windows-ka, tirtir HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate, saar %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\system-update.bat, Iyo schtasks /tirtir /tn SystemUpdate /fLinux, baarista oo meesha ka saar @dib u bilow node…, systemctl –user disable –now phantom-bot.service markaa tirtir ~/.config/systemd/user/phantom-bot.service, xoq .bashrc / .shshrc / /etc/rc.localmacOS-ka, launchctl unload ~/Library/LaunchAgents/com.phantom.bot.plist ka dibna tirtir plist-ka.
  • Xayira martida C2. Ku dar afarta dhibcood ee C2 ee jadwalka IOC liiska xannibaadaha bixitaankaaga. *.servousercontent.com iyo *.lhr.nolosha waa la xannibi karaa jumlad ahaan haddii deegaankaagu uusan lahayn isticmaal sharci ah oo loogu talagalay adeegyada tunnel-ka dib-u-noqoshada.
  • Ugaarso TTP-ga waqtiga rakibidda, maaha culayska la saarayo. Gelitaanka faylka qufulka kaydka ee ku jira xirmo.json dhawaaqay horay u rakib, rakibi, Iyo postinstall dhammaantood waxay tilmaamayaan isla qoraalka. Hubin isku mid ah oo ka dhan ah da'da xirmada iyo xaaladda xaqiijinta daabacaha. Qaabkani waa mid naadir ku ah xirmooyinka sharciga ah waana calaamadda ugu kalsoonida badan ee PhantomBot dib u isticmaasho.
  • Hantidhawrka laba-geesoodka ah ee C2. Qof kasta oo soo dejiyay axois-utils:1.0.9 wuxuu leeyahay server-ka C2 ee hawlwadeenka (c2 ELF, sha256 165fa92d…) diskka. Kaydka iskaanka iyo bakhaarada farshaxanka CI. Binary-gu wuu iska hurdaa, laakiin joogitaankiisa goobta shaqada waa caddayn aan caddayn oo muujinaysa in xirmada la rakibay.

Khadka xidhitaanka

Hawl-wadeenka isku midka ah, isla xirmada, iyo isku xidhka rakibidda ayaa keeni kara khataro gebi ahaanba kala duwan 48 saacadood gudahood. Fiiri dhismaha, ee ha ka taxaddarin culayska.

qalabka-sca-tools-software-ka-samaynta-qalabka-falanqaynta
Mudnaanta sii, hagaaji, oo sug khataraha software-kaaga
Hel Akoonkaaga Bilaashka ah.
Looma baahna kaarka deynta.

Sug Horumarinta Software-kaaga iyo Bixintaada

oo leh Xygeni Product Suite