freeBuf
In-depth analysis of the MuddyWater arsenal: the POWERSTATS backdoor
2021-12-15 18:53:09

Overview

The MuddyWater APT group was disclosed and named by Unit42 in February 2017. It is assessed to originate from Iran and mainly targets the Middle East. Its early activity overlapped with the FIN7 group, but because the two have entirely different motives they are tracked as separate groups. A MuddyWater attack usually starts with a targeted e-mail to an organisation; legitimate documents are then stolen from compromised systems inside that organisation, weaponised, and distributed to further victims. A hallmark of its attacks is the use of heavily obfuscated PowerShell backdoors, known as POWERSTATS. MuddyWater has remained active since its disclosure: security vendors keep publishing new samples and new backdoor variants, and its TTPs are continually updated. Since May 2018 its main targets have shifted to telecom and IT service providers, government agencies and military entities in Middle Eastern countries.

The Qi An Xin Threat Intelligence Center RedDrip team captured a sample which, on analysis, turned out to be an early MuddyWater sample that had only recently been uploaded. Out of strong curiosity about its POWERSTATS backdoor, this article dissects MuddyWater's early attack techniques. The captured decoy document is shown below:

[Figure: the captured decoy document]

Detailed sample analysis

Basic sample information

The captured sample uses the same technique as earlier attacks: a blurred background lures the victim into clicking to enable macros. Basic information about the sample:

Name    MD5
1.doc   eccb7346fca1032b8efdb8d458bbe53f

Detailed analysis

The initial infection starts with a macro-enabled Office 97-2003 Word file. The macro project is usually password-protected to hinder static analysis.

[Figure: password-protected macro project]

The main payload inside the macro is Base64-encoded. The macro decodes three encrypted blobs; its main job is to drop the three decoded pieces of content into the ProgramData directory under separate file names.

[Figure: macro code decoding the three payloads]

Persistence is then achieved through a registry Run key entry.

[Figure: registry Run key entry used for persistence]

Dropper

Of the dropped files, EventManager.logs mainly serves to register the dropped EventManager.dll through scrobj.dll (the Microsoft Scriptlet library).

[Figure: EventManager.logs registering EventManager.dll via scrobj.dll]

The dropped EventManager.dll is actually an XML file containing heavily obfuscated JavaScript.

[Figure: obfuscated JavaScript inside EventManager.dll]

Decoding the JavaScript finally yields a piece of PowerShell code.

[Figure: PowerShell code recovered from the JavaScript]

This code mainly decrypts and executes the dropped WindowsDefenderService.ini file. Once decrypted, that file is a piece of obfuscated PowerShell: the POWERSTATS backdoor that MuddyWater has used all along.

[Figure: obfuscated POWERSTATS PowerShell]

After several layers of decryption we obtain barely readable code. Closer study shows that the function names and some variable names are obfuscated with the ROT13 algorithm; once that is undone, the POWERSTATS backdoor is fully exposed.

[Figure: POWERSTATS after ROT13 de-obfuscation]

It first disables Office's macro warnings and Protected View so that later stages of the attack need no user interaction, and grants macro code access to the internal VBA object model so that macros can later be executed more stealthily. It also sets a registry Run key entry and scheduled tasks for persistence.

[Figure: Office security settings and persistence entries]
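The settings above are exactly the ones a defender can audit. As an added example that is not part of the original article, the following Python evaluates a registry snapshot for the weakened Office trust settings and for autorun entries that load from ProgramData or through scrobj.dll, as in the dropper chain described earlier. The snapshot is a constructed dictionary; on a live host the same key/value pairs would be collected with winreg or reg export. The value names VBAWarnings, AccessVBOM and the Disable*InPV switches are the real Office names; the data, the Office version and the Run entries are constructed.

```python
import re

# Constructed registry snapshot (not taken from the analysed sample). On a live
# host the same key -> {value: data} structure can be collected with winreg or
# "reg export". The Office value names are the real ones; the data, the Office
# version and the Run entries are made up for the example.
SNAPSHOT = {
    r"HKCU\Software\Microsoft\Office\16.0\Word\Security": {
        "VBAWarnings": 1,   # 1 = enable all macros; 2 = disable with notification (default)
        "AccessVBOM": 1,    # 1 = trust access to the VBA project object model
    },
    r"HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView": {
        "DisableAttachmentsInPV": 1,
        "DisableInternetFilesInPV": 1,
        "DisableUnsafeLocationsInPV": 0,
    },
    r"HKCU\Software\Microsoft\Office\16.0\Excel\Security": {
        "VBAWarnings": 2,
        "AccessVBOM": 0,
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        # constructed entry mirroring the article's scrobj.dll / ProgramData persistence
        "EventManager": r"regsvr32.exe /s /i:C:\ProgramData\EventManager.logs scrobj.dll",
    },
}

# Office macro/VBA settings: value name -> (predicate meaning "weakened", description)
SECURITY_CHECKS = {
    "VBAWarnings": (lambda v: v == 1, "all macros run without a warning (VBAWarnings=1)"),
    "AccessVBOM": (lambda v: v == 1, "trusted access to the VBA project object model (AccessVBOM=1)"),
}
# Protected View switches; data of 1 means that protection is turned off
PROTECTED_VIEW_VALUES = (
    "DisableAttachmentsInPV", "DisableInternetFilesInPV", "DisableUnsafeLocationsInPV",
)
OFFICE_SECURITY_KEY = re.compile(
    r"^HKCU\\Software\\Microsoft\\Office\\[\d.]+\\\w+\\Security(\\ProtectedView)?$",
    re.IGNORECASE,
)
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# autorun data pointing into ProgramData or loading scrobj.dll, as in the dropper chain
SUSPICIOUS_RUN = re.compile(r"scrobj\.dll|\\ProgramData\\", re.IGNORECASE)


def audit(snapshot: dict) -> list:
    """Return (key, value name, description) for every weakened or suspicious setting."""
    findings = []
    for key, values in snapshot.items():
        match = OFFICE_SECURITY_KEY.match(key)
        if match and match.group(1):            # ...\Security\ProtectedView
            for name in PROTECTED_VIEW_VALUES:
                if values.get(name) == 1:
                    findings.append((key, name, f"Protected View disabled via {name}=1"))
        elif match:                             # ...\Security
            for name, (is_weak, description) in SECURITY_CHECKS.items():
                if name in values and is_weak(values[name]):
                    findings.append((key, name, description))
        elif key.lower() == RUN_KEY.lower():
            for name, command in values.items():
                if SUSPICIOUS_RUN.search(command):
                    findings.append((key, name, f"autorun loads from ProgramData or via scrobj.dll: {command}"))
    return findings


if __name__ == "__main__":
    for key, name, description in audit(SNAPSHOT):
        print(f"[!] {key}\\{name}: {description}")
```

The Excel key in the snapshot shows the default, unweakened state and produces no finding, which is the baseline to compare a suspicious host against; a VBAWarnings value of 3 or 4 is stricter than the default and is likewise not flagged.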

It then enumerates the running processes and computes a checksum of each process name; if one matches a hard-coded checksum, it triggers a BSOD through the NtRaiseHardError function in ntdll.dll.

[Figure: process-name checksum check and BSOD trigger]

The process names checked are:

win32_remote
win64_remote64
ollydbg
ProcessHacker
tcpview
autoruns
filemon
procmon
regmon
procexp
idaq
idaq64
ImmunityDebugger
Wireshark
dumpcap
HookExplorer
ImportREC
PETools
LordPE
SysInspector
proc_analyzer
sysAnalyzer
sniff_hit
windbg
joeboxcontrol
joeboxserver
It decrypts the URLs of the random proxies. Random proxies hide the real address of the C2 server: an infected endpoint connects to one of the proxy servers at random, and the proxy relays the traffic to the C2, which makes tracking harder.

[Figure: decryption of the proxy URL list]

Some of the decrypted proxy URLs:

[Figure: decrypted proxy URLs]

Next it collects the victim's OS version, internal IP, OS architecture (32/64-bit), computer name, workgroup and user name, encrypts them and sends them to the randomly chosen proxy URL above to register a new victim. This lets the attackers accept or reject a victim based on IP, country, geolocation, target organisation and so on. Depending on the response from the attackers' CnC, the victim is assigned an ID, which is sent with every subsequent request for commands to execute.

[Figure: victim registration and ID assignment]

It checks whether the c:\programdata directory contains the antivirus names Kasper, Panda, ESET, Symantec or McAfee; if none is present it starts taking and uploading screenshots. The screenshot code is written out as the script c:\programdata\a.ps1, executed via the DDEInitiate function, and the script is then deleted to remove traces.

[Figure: antivirus directory check and screenshot upload]

It parses the remote-control commands returned by the server and carries out the corresponding operation. The commands are:

Command      Function
reboot       Reboot
shutdown     Shut down
clean        Silently delete drives C, D, E and F, then reboot
screenshot   Take a screenshot and upload it
upload       Download a file

Correlation analysis

Analysis of the captured sample's attack techniques and code logic shows that it is essentially identical to the attack techniques and malicious code MuddyWater commonly used in its early days.

[Figure: comparison with earlier MuddyWater code]

Pivoting on the compromised proxy URLs also turns up related early MuddyWater samples on VT (VirusTotal).

[Figure: related early MuddyWater samples on VirusTotal]

Conclusion

As the situation in the Middle East evolves, APT attacks have become extremely complex, with all sides probing for intelligence and conducting espionage. To avoid detection and ensure successful attacks, MuddyWater has kept upgrading its TTPs, diversifying from the single original POWERSTATS backdoor into RATs developed in Python, C# and PowerShell, and even malware for the Android platform. MuddyWater has always excelled at social-engineering spear-phishing e-mail attacks; in the captured sample, the files decrypted and dropped by the initial macro are so heavily obfuscated that detection rates across the major security vendors remain low. MuddyWater also uses compromised proxy websites to relay commands from the real C2, which has worked well at evading tracking.

[Figure: evolution of the MuddyWater toolset]

The captured sample mainly targets the Middle East, and no impact on domestic users has been observed so far, but vigilance is still warranted: do not open links of unknown origin shared on social media, do not open or run e-mail attachments from unknown sources, do not run unknown files with sensational titles, and do not install apps from unofficial sources. Back up important files regularly and keep patches up to date.

IOCs

MD5

ECCB7346FCA1032B8EFDB8D458BBE53F

161C4A04FF1D64E750BABCD6EAD676E6

1DEF9F57402F69089F31357E578EF394

321D62FA4A7EAA8D19C3275D6775F55D

URL

hxxps://www.theharith.com/wp-includes/db-config-ini.php

hxxp://www.easy-home-sales.co.za/wp-includes/db-config-ini.php

hxxp://www.rashidalinawabshahi.com/ranwp/wp-admin/db-config-ini.php

hxxps://allinonebusinessresources.com/wp-includes/db-config-ini.php

hxxps://amishcountryfurnishings.com/awstats/db-config-ini.php

hxxp://vumavaluations.co.za//db-config-ini.php

hxxp://harryandbell.com/wp-admin/db-config-ini.php

hxxp://admiralgaragedoorrepair.com/wp-admin/db-config-ini.php

hxxp://viewphotos.co.za//db-config-ini.php

hxxp://supersavari.com/wp-admin/db-config-ini.php

hxxp://www.mzansicompanies.co.za/wp-includes/db-config-ini.php

hxxps://bloggingio.com//db-config-ini.php

hxxp://www.loansonhomes.co.za/wp-admin/db-config-ini.php

hxxp://ppe4u.co.za/system/db-config-ini.php

hxxp://www.gilforsenate.com//db-config-ini.php

hxxp://www.getcord.co.za/wp-admin/db-config-ini.php

hxxp://www.thusoconsulting.co.za/wp-admin/db-config-ini.php

hxxp://mgamule.co.za/css/db-config-ini.php

hxxp://chrisdejager-attorneys.co.za//db-config-ini.php

hxxp://sajidenterprises.com/contact/db-config-ini.php

hxxp://alxcorp.com/css/db-config-ini.php

hxxp://epss.ae/lib/db-config-ini.php

hxxp://canadianvc.com/includes/db-config-ini.php

hxxp://saacma.co.za//db-config-ini.php

hxxp://rsbholdings.co.za//db-config-ini.php

hxxp://adupree.com//db-config-ini.php

hxxp://www.atcouriers.co.za//db-config-ini.php

hxxp://transactionjunction.co.za//db-config-ini.php

hxxp://hisabati.com/include/mailchimp/db-config-ini.php

hxxp://www.duotonedigital.co.za//db-config-ini.php

hxxp://finalnewstv.com//db-config-ini.php

hxxp://www.tanati.co.za//db-config-ini.php

hxxp://emware.co.za/includes/db-config-ini.php

hxxp://breastfeedingbra.co.za//db-config-ini.php

hxxp://www.androidwikihow.com//db-config-ini.php

hxxp://cashforyousa.co.za/wpscripts/db-config-ini.php

hxxp://nolandsintl.com/templates/db-config-ini.php

hxxp://photoboothotm.co.za/components/db-config-ini.php

hxxp://roshnee.co.za//db-config-ini.php

hxxp://hesterwebber.co.za//db-config-ini.php

hxxp://sadcta-client.co.za/shopping/db-config-ini.php

hxxp://fickstarelectrical.co.za/DataCapture/db-config-ini.php

hxxp://xclusivenetwork.com/wp-includes/db-config-ini.php

hxxp://cc.com.pk/css/_vti_cnf/db-config-ini.php

hxxp://www.aoryx.ae/whitelilies.ae/db-config-ini.php

hxxp://pinnacleweld.co.za//db-config-ini.php

hxxp://airplussa.co.za/wp-admin/db-config-ini.php

hxxp://www.ieced.com.pk/wp-includes/db-config-ini.php

hxxp://foryou.guru/css/db-config-ini.php

hxxps://americanbrasil.com.br/downloader/db-config-ini.php

hxxp://oc.tsfengineering.com/resources/db-config-ini.php

hxxps://bigbaazaronline.com/wp-includes/db-config-ini.php

hxxp://jwseshowe.co.za/assets/db-config-ini.php

hxxp://goldeninstitute.co.za/contents/db-config-ini.php

hxxp://panathimaids.co.za/js/db-config-ini.php

hxxp://advss.co.za/images/db-config-ini.php

hxxp://ednpk.com//db-config-ini.php

hxxp://malbus.net/b/db-config-ini.php

hxxp://proeventsports.co.za/wp-admin/db-config-ini.php

hxxp://glenbridge.co.za//db-config-ini.php

hxxp://berped.co.za//db-config-ini.php

hxxp://best-digital-slr-cameras.com/privacy/db-config-ini.php

hxxps://kamas.pk/wp-admin/db-config-ini.php

hxxp://www.printinghub.co.za//db-config-ini.php

hxxps://cultofmobile.com/wp-includes/db-config-ini.php

hxxp://kkattorneys.com.pk/libraries/joomla/error/db-config-ini.php

hxxp://roseace.com.pk/components/com_djimageslider/db-config-ini.php

hxxp://www.bgoodideas.com/wp-includes/db-config-ini.php

hxxp://aljasar.com/Dining-Trendz/db-config-ini.php

hxxp://vatmiddleeast.com//wp-content/themes/twentyseventeen/inc/db-config-ini.php

hxxp://www.evoko.ae//db-config-ini.php

hxxp://totallyfreepeoplesearch.org//db-config-ini.php

hxxp://www.exuberant-group.com/wp-includes/db-config-ini.php

hxxp://delectronics.com.pk//db-config-ini.php

hxxp://www.bashancorp.co.za//db-config-ini.php

hxxp://bitsym.com/wp-content/plugins/duplicate-page/db-config-ini.php

hxxp://www.penisdevelopmentcentre.co.za//db-config-ini.php

hxxp://visionclinic.co.ls/includes/db-config-ini.php

hxxp://fgpcw-kr.edu.pk/wp-admin/includes/db-config-ini.php

hxxp://gemana.ae/wp-includes/db-config-ini.php

hxxp://bmctelecom.ae/test/shamayal/db-config-ini.php

hxxps://www.addsaintgaudens.com/wp-admin/db-config-ini.php

hxxp://www.buhlebayoacademy.com//db-config-ini.php

hxxp://capitalradiopetition.co.za/script/db-config-ini.php

hxxp://koldpressjuice.com/wp-includes/Requests/db-config-ini.php

hxxp://victorypipe.com.pk/wp-includes/db-config-ini.php

hxxp://vintage.ae//wp-includes/Text/Diff/db-config-ini.php

hxxp://almaqsd.com/wp-admin/db-config-ini.php

hxxp://www.diginixtech.com//db-config-ini.php

hxxp://www.sorumvar.net//db-config-ini.php

hxxp://bios-chip.co.za//db-config-ini.php

hxxp://www.crissamconsulting.co.za//db-config-ini.php

hxxp://capriflower.co.za//db-config-ini.php

hxxp://www.dingaanassociates.co.za/wp-includes/db-config-ini.php

hxxp://apidubai.ae/themes/en/db-config-ini.php

hxxp://batistadopovosjc.org.br//db-config-ini.php

hxxp://indiba-africa.co.za/includes/db-config-ini.php

hxxp://sprintpackersnmovers.com/spmbeta/db-config-ini.php

hxxp://www.proxelinternational.co.za/engine1/db-config-ini.php

hxxp://ngomahconstruction.co.za/js/db-config-ini.php

hxxp://clandecor.co.za/rvsUtf8Backup/db-config-ini.php

hxxp://bakron.co.za//db-config-ini.php

hxxp://plexsolutions.co.za/wp-includes/db-config-ini.php

hxxp://regionprinters.com/wp-admin/db-config-ini.php

hxxp://gsnconsulting.co.za/wp-admin/db-config-ini.php

hxxp://aahung.org/assets/db-config-ini.php

hxxp://heritagetravelmw.com//db-config-ini.php

hxxp://shgida.com/wp-includes/customize/db-config-ini.php

hxxp://www.afikaquadpro.com//db-config-ini.php

hxxps://news9pakistan.com/wp-admin/db-config-ini.php

hxxp://havilahglo.co.za/wpimages/db-config-ini.php

hxxp://www.paktechinfo.com/wp-includes/db-config-ini.php

hxxp://gcmbdin.edu.pk//db-config-ini.php

hxxp://www.thoughtsandthings.co.za/wp-includes/db-config-ini.php

hxxp://clouditzone.com/revolution/assets/db-config-ini.php

hxxp://rollotech.co.za//db-config-ini.php

hxxp://genesisbs.co.za//db-config-ini.php

hxxps://www.bornear.com/components/db-config-ini.php

hxxp://insafradio.pk/his/db-config-ini.php

hxxp://www.harmonyguesthouse.co.za/wp-includes/db-config-ini.php

hxxp://www.cle.ae//db-config-ini.php

hxxp://triumphsportscarclub-kzn.co.za//db-config-ini.php

hxxp://www.mycogentrading.com//db-config-ini.php

hxxp://betatechnologiesme.com//db-config-ini.php

hxxp://pgpaltex.co.za//db-config-ini.php

hxxp://strictlybusiness.co.za/wpscripts/db-config-ini.php

hxxp://www.volleybold.com//templates/system/db-config-ini.php

hxxp://dusttek.com.tr/yonet/tinymce/examples/db-config-ini.php

hxxp://zafarhalalmeat.com.pk//db-config-ini.php

hxxp://desirablehair.co.za/documents/db-config-ini.php

hxxp://comsip.org.mw/sync/db-config-ini.php

hxxp://www.wbdrivingschool.com//db-config-ini.php

hxxp://jdcorporate.co.za/multiseller/db-config-ini.php

hxxp://jumpstart.ae//db-config-ini.php

hxxps://www.tsmgranite.com//db-config-ini.php

hxxps://boatwif.co.uk/wp-includes/db-config-ini.php

hxxp://www.soccerkidsdubai.com//wp-content/plugins/db-config-ini.php

hxxp://adsbook.co.za/a/db-config-ini.php

hxxp://hashtag.com.pk/test/db-config-ini.php

hxxp://host4unix.net/jorani/db-config-ini.php

hxxp://mepure.com/wp-includes/widgets/db-config-ini.php

hxxp://dorakiletisim.com/resimler/dorak/db-config-ini.php

hxxp://tosmacakes.co.za//db-config-ini.php

hxxp://seloanaholdings.co.za/js/db-config-ini.php

hxxp://jvpsfunerals.co.za//db-config-ini.php

hxxp://absfinancialplanning.co.za/images/db-config-ini.php

hxxp://tcpbereka.co.za/js/db-config-ini.php

hxxp://www.nalitravel.co.za//db-config-ini.php

hxxp://simplyplumbing.co.za//db-config-ini.php

hxxp://investaholdings.co.za/htc/db-config-ini.php

hxxp://djtrina.com/wp-includes/theme-compat/db-config-ini.php

hxxp://sallyscott.co.za/templates/db-config-ini.php

hxxp://findinfo-more.com//db-config-ini.php

hxxp://www.amazingtour.pk//db-config-ini.php

hxxp://rmbmanufactures.co.za//db-config-ini.php

hxxp://web28tech.co.za/weather/db-config-ini.php

hxxp://irshadfoundation.co.za//db-config-ini.php

hxxp://nabtires.com/z-backup/search/db-config-ini.php

hxxp://cds.org.pk//db-config-ini.php

hxxp://ladiescircle.co.za/wp-admin/db-config-ini.php

hxxps://betterstep.ae/wp-admin/db-config-ini.php

hxxp://luxconprojects.co.za/wp-includes/db-config-ini.php

hxxp://wegallop.com//db-config-ini.php

hxxp://www.10shapes.com/wp-includes/db-config-ini.php

hxxp://sinebar.co.za//db-config-ini.php

hxxp://www.hfhl.org.ls/images/db-config-ini.php

hxxp://laraibgroup.com/plugins/editors/tinymce/db-config-ini.php

hxxp://beachroad.ae/wp-includes/IXR/db-config-ini.php

hxxp://ventronics.co.za/vent1/db-config-ini.php

hxxp://www.speedmasterprinters.co.za//db-config-ini.php

hxxp://www.ffc.com.pk/wp-admin/includes/db-config-ini.php

hxxp://cemsolutions.org/wp-admin/db-config-ini.php

hxxp://www.ipripak.org/wp-includes/theme-compat/db-config-ini.php

hxxp://awuav.world//db-config-ini.php

hxxp://albedogida.com/Eski_web/db-config-ini.php

hxxp://bluewaves.ae/switcher/js/db-config-ini.php

hxxp://nakoserum.com/wp-admin/includes/db-config-ini.php

hxxp://aniroleplay.net//db-config-ini.php

hxxp://bgpsouthasia.com/tracking/db-config-ini.php

hxxp://fccltest.nayatel.com/wp-includes/theme-compat/db-config-ini.php

hxxp://welcomecaters.com/wp-includes/db-config-ini.php

hxxp://www.galwayprimary.co.za//db-config-ini.php

hxxp://pmdpk.com//db-config-ini.php

hxxp://cambridgetuts.com/css/db-config-ini.php

hxxps://lahorewholesalemarket.com/wp-admin/db-config-ini.php

hxxp://mepetresources.com/website/db-config-ini.php

hxxp://anzanihealth.co.za/wpimages/db-config-ini.php

hxxp://gvs.com.pk/font-awesome/db-config-ini.php

hxxp://geetransfers.co.za/font-awesome/db-config-ini.php

hxxp://dmc.gov.pk/libraries/phpmailer/db-config-ini.php

hxxp://elevate.ae/wp-includes/SimplePie/db-config-ini.php

hxxp://rsmaluminium.co.za//db-config-ini.php

hxxp://carlagrobler.co.za/components/db-config-ini.php

hxxp://paksteel.com//db-config-ini.php

hxxp://azadpattanhpp.com/xfiles/db-config-ini.php

hxxp://www.blaahblaah.com/Snaps/db-config-ini.php

hxxp://wmcsoj.edu.pk//db-config-ini.php

hxxp://lensofafrica.co.za/wpscripts/db-config-ini.php

hxxps://artumus.co.za//db-config-ini.php

hxxp://greenacrestf.co.za/video/db-config-ini.php

hxxp://www.tonaro.co.za/wp-includes/db-config-ini.php

hxxp://rmbmanufacturers.co.za/DataCapture/db-config-ini.php

hxxp://simpexbpo.com/wp-includes/db-config-ini.php

hxxp://ambiances-toiles.fr//db-config-ini.php

hxxp://tepsecurity.co.za//db-config-ini.php

hxxp://tophillsports.com/wp-includes/db-config-ini.php

hxxp://chrishanicdc.org/wpimages/db-config-ini.php

hxxp://www.britishasia-equip.co.uk//db-config-ini.php

hxxp://assemblee-nationale.cg/image/db-config-ini.php

hxxp://bonasfalogtrans.com/images/db-config-ini.php

hxxp://sonafoundation.org.pk//db-config-ini.php

hxxp://entracorntrading.co.za//db-config-ini.php

hxxps://dailysportsgossips.com/wp-includes/db-config-ini.php

hxxp://plantconsultants.co.za//db-config-ini.php

hxxp://chickenandkitchen.com//db-config-ini.php

hxxp://suzzyshuttles.co.za//db-config-ini.php

hxxp://siyabuselelatransport.co.za/swf/db-config-ini.php

hxxps://www.hosthof.com/phpmailer/db-config-ini.php

hxxp://assuredfirst.com/wp-includes/db-config-ini.php

hxxp://signsoftime.co.za/user/db-config-ini.php

hxxp://neomfarming.com//db-config-ini.php

hxxp://mumtazandbrohi.com/wp-includes/db-config-ini.php

hxxp://immaculatepainters.co.za/upload/db-config-ini.php

hxxp://charispaarl.co.za//db-config-ini.php

hxxp://indlovusecurity.co.za//db-config-ini.php

hxxp://www.aladiyat.ae/centers/db-config-ini.php

hxxp://www.popfilms.co.za//db-config-ini.php

hxxp://atexmodels.co.za//db-config-ini.php

hxxp://www.s5ncertificationservices.co.za//db-config-ini.php

hxxp://mhealth.ae//db-config-ini.php

hxxp://www.terapine.com//db-config-ini.php

hxxp://botanikbahcesi.com/test/db-config-ini.php

hxxp://fragranceoil.co.za/wp-includes/db-config-ini.php

hxxp://gbti.org.pk/public_html/js/db-config-ini.php

hxxp://tippinggate.co.za/training/db-config-ini.php

hxxp://aqlaal.com/wp-includes/SimplePie/db-config-ini.php

hxxp://comfortex.co.za/php/db-config-ini.php

hxxp://deepgraphics.co.za//db-config-ini.php

hxxp://www.icapmecareers.com/wp-includes/db-config-ini.php

hxxps://iconicciti.com//db-config-ini.php

hxxp://mukhtarfeeds.com//db-config-ini.php

hxxp://souqwalls.com/wp-includes/rest-api/db-config-ini.php

hxxp://www.malboer.co.za/trendy1/db-config-ini.php

hxxp://sefikengfarm.co.ls//db-config-ini.php

hxxp://dailyqadamat.com//db-config-ini.php

hxxp://www.thelightcleaning.co.za/wp-admin/db-config-ini.php

hxxp://passright.co.za//db-config-ini.php

hxxp://aboutduvetcovers.com/Seller/db-config-ini.php

hxxp://www.britishofficefitout.com//db-config-ini.php

hxxp://seismicfactory.co.za/wp-admin/db-config-ini.php

hxxp://abadleabantu.co.za/fonts/db-config-ini.php

hxxp://mountsinaischool.edu.pk/wp-includes/theme-compat/db-config-ini.php

hxxp://www.gooline.net//db-config-ini.php

hxxp://africangypsyjazz.com/libraries/db-config-ini.php

hxxps://aquabsafe.com/wp-admin/db-config-ini.php

hxxp://pkix.pk//db-config-ini.php

hxxp://ahworld.com.pk/docs/products/heating-products/db-config-ini.php

hxxp://3axis.co/wp-admin/includes/db-config-ini.php

hxxp://chinamall.co.za//db-config-ini.php

hxxp://www.waohost.com/wp-includes/db-config-ini.php

hxxp://utor.co.za//db-config-ini.php

hxxp://www.odcpkintranet.org/wp-admin/includes/db-config-ini.php

hxxp://tombstonedesigns.co.za/libraries/db-config-ini.php

hxxp://yogakidsuae.com//wp-includes/customize/db-config-ini.php

hxxp://rashidalinawabshahi.com/ranwp/db-config-ini.php

hxxp://bmasokaprojects.co.za//db-config-ini.php

hxxp://whitepearlpro.co.za/font/db-config-ini.php

hxxp://itengineering.co.za/gatewaydiamond/db-config-ini.php

hxxp://arm.net.pk//db-config-ini.php

hxxp://www.acer-parts.co.za//db-config-ini.php

hxxp://simpowerlogistics.co.za//db-config-ini.php

hxxp://buildingstandards.com.pk/wp-admin/db-config-ini.php

hxxp://thepianostudio.co.za/wp-includes/db-config-ini.php

hxxp://mzuzulionsclub.org/modules/db-config-ini.php

hxxp://10x10guru.com//db-config-ini.php

hxxp://www.abies.co.za/wp-includes/db-config-ini.php

hxxp://candidsourcing.com/wp-includes/db-config-ini.php

hxxp://pkproud.com/roshitrust/db-config-ini.php

hxxp://ldams.org.ls/supplies/db-config-ini.php

hxxp://addorg.org/wp-includes/db-config-ini.php

hxxp://menaboracks.co.za/tmp/db-config-ini.php

hxxp://www.oursort.co.za/timothyowenauthor/db-config-ini.php

hxxps://bloggertemplates4u.com//db-config-ini.php

hxxp://boardaffairs.com/wpscripts/db-config-ini.php

hxxp://macleodphotography.com/theme/db-config-ini.php

hxxp://capetownway.co.za/wp-includes/db-config-ini.php

hxxp://www.tntfire.co.za/wp-admin/db-config-ini.php

hxxp://hartenboswaterpark.co.za/templates/db-config-ini.php

hxxp://fccorp.co.za/php/db-config-ini.php

hxxp://www.dws-gov.co.za/wp-admin/db-config-ini.php

hxxp://baksapk.com//db-config-ini.php

hxxp://embali.co.za/php/db-config-ini.php

hxxp://infomate.biz//db-config-ini.php

hxxp://worshipaltar.co.za/components/db-config-ini.php

hxxp://allhandshygiene.co.za//db-config-ini.php

hxxps://www.logicsfort.com/font-awesome/db-config-ini.php

hxxp://www.afikapower.com//db-config-ini.php

hxxp://verifiedseller.co.za/js/db-config-ini.php

hxxp://www.mumtazandbrohi.com/coughingdish/93grahammiller/db-config-ini.php

hxxp://onspotlinks.co.za/upload/db-config-ini.php

hxxp://cdxtrading.co.za//db-config-ini.php

hxxp://vital.com.pk//db-config-ini.php

hxxp://glgroup.co.za/images/db-config-ini.php

hxxp://www.gokhantemiz.com/wp-content/languages/plugins/db-config-ini.php

hxxp://www.triconfabrication.com/wp-admin/db-config-ini.php

hxxp://buboobioinnovations.co.za/wpimages/db-config-ini.php

hxxp://www.galaxyforwarders.com/wp-includes/random_compat/db-config-ini.php

hxxp://www.advcadsys.com/wp-includes/db-config-ini.php

hxxp://thebedspace.com/wp-includes//db-config-ini.php

hxxp://isibaniedu.co.za/admin/db-config-ini.php

hxxp://www.exomi.es/wp-admin/db-config-ini.php

hxxp://dianakleyn.co.za/layouts/db-config-ini.php

hxxp://themotoringcalendar.co.za/wp-includes/db-config-ini.php

hxxp://canbeginsaat.com/madmin/include/db-config-ini.php

hxxp://www.after.vix.br//db-config-ini.php

hxxp://9newshd.com/smf/wp-admin/db-config-ini.php

hxxp://www.gooline.pk/bridge2cart/db-config-ini.php

hxxp://highschoolsuperstar.co.za/files/db-config-ini.php

hxxp://thedailymusicshow.com/wp-admin/db-config-ini.php

hxxp://dubaihelishow.com/tmp/db-config-ini.php

hxxp://cafawelding.co.za/font-awesome/db-config-ini.php

hxxp://www.edesignz.co.za/wp-admin/db-config-ini.php

hxxp://www.buy4you.pk/wp-includes/db-config-ini.php

hxxp://centuryacademy.co.za/css/db-config-ini.php

hxxp://ceramica.co.za//db-config-ini.php

hxxp://airtronuae.com//db-config-ini.php

hxxp://mediaology.com.pk/wp-includes/db-config-ini.php

hxxp://eastrandmotorlab.co.za/fleet/db-config-ini.php

hxxp://stevegardens.co.za/php/db-config-ini.php

hxxp://www.mikimaths.com/wp-admin/db-config-ini.php

hxxp://hjb-racing.co.za/htdocs/db-config-ini.php

hxxp://www.smartoools.co.za//db-config-ini.php

hxxp://vhuenilodge.co.za/php/db-config-ini.php

hxxp://wavecafe.co.za//db-config-ini.php

hxxp://tuules.com//db-config-ini.php

hxxp://www.wmcpk.org/wp/wp-includes/db-config-ini.php

hxxp://www.zamilindustrial.com/akib/db-config-ini.php

hxxp://www.iancullen.co.za//db-config-ini.php

hxxp://anythingispossible.world/wp-includes/db-config-ini.php

hxxp://jeanetteproperties.co.za//db-config-ini.php

hxxp://tradernox.com/wp-includes/widgets/db-config-ini.php

hxxp://weinvest.co.za//db-config-ini.php

hxxp://blackgoldoilserv.com//db-config-ini.php

hxxp://www.rejoicetheatre.com//db-config-ini.php

hxxp://capitalexchange.ae/capital_files/db-config-ini.php

hxxp://dummy.celerosnetworks.com/wp-content/plugins/duplicate-page/db-config-ini.php

hxxp://dpscdgkhan.edu.pk/shopping/db-config-ini.php

hxxp://edgeforensic.co.za//db-config-ini.php

hxxp://willpowerpos.co.za//db-config-ini.php

hxxp://ramzcapital.com//db-config-ini.php

hxxp://www.alshohub.org/NewsLetter/db-config-ini.php

hxxp://colenesphotography.co.za/administrator/db-config-ini.php

hxxp://ecology.haglerbailly.com.pk//db-config-ini.php

hxxp://www.theguitarstudio.co.za//db-config-ini.php

hxxp://softwarehub.co.za/layouts/db-config-ini.php

hxxp://fbrvolume.co.za//db-config-ini.php

hxxp://risabaattorneys.com//db-config-ini.php

hxxp://dubaigip.com//db-config-ini.php

hxxp://www.bbconlinenetwork.com/wp-includes/db-config-ini.php

hxxp://panfam.co.za//db-config-ini.php

hxxp://reatlegile.com/upload/db-config-ini.php

hxxp://www.khotsonglodge.co.ls/wp-admin/db-config-ini.php

hxxp://www.goolineb2b.com/wp-includes/db-config-ini.php

hxxp://erniecommunications.co.za/css/db-config-ini.php

hxxp://salmanandassociates.com.pk//db-config-ini.php

hxxp://promechtransport.co.za/include/db-config-ini.php

hxxp://rightwayfoundationpk.org/wp-admin/db-config-ini.php

hxxp://centuriongsd.co.za//db-config-ini.php

hxxp://delcom.co.za//db-config-ini.php

hxxp://www.andrebruton.com//db-config-ini.php

hxxp://h-dubepromotions.co.za//db-config-ini.php

hxxp://ambientmoon.co.za//db-config-ini.php

hxxp://www.ultrapexsustainable.org.za//db-config-ini.php

hxxp://crystaltidings.co.za//db-config-ini.php

hxxp://diegemmerkat.co.za/wp-includes/db-config-ini.php

hxxp://funisalodge.co.za/data1/db-config-ini.php

hxxp://arabaemlak.com/magaza/cgi-bin/db-config-ini.php

hxxps://eurospa.ae/wp-includes/db-config-ini.php

hxxp://experttutors.co.za//db-config-ini.php

hxxps://www.cartridgecave.co.za/wp-admin/db-config-ini.php

hxxp://ecs-consult.com/components/db-config-ini.php

hxxp://oftheearthphotography.com/www/db-config-ini.php

hxxp://hmholdings360.co.za/wp-admin/db-config-ini.php

hxxp://joyngroup.com//db-config-ini.php

hxxp://hybridauto.co.za/photography/db-config-ini.php

hxxp://www.vhupo-tours.com/wp-includes/db-config-ini.php

hxxp://seoinlahorepakistan.com/clockwork/db-config-ini.php

hxxp://africanpixels.zar.cc/includes/db-config-ini.php

hxxp://doggypetstore.com//db-config-ini.php

hxxp://adambaluch.ae/wp-includes/Requests/Utility/db-config-ini.php

hxxp://ryanchristiefurniture.co.za//db-config-ini.php

hxxp://evansmokaba.com/evansmokaba.com/thabiso/db-config-ini.php

hxxps://afrikitti.com//db-config-ini.php

hxxp://www.fun4kidz.co.za//db-config-ini.php

hxxp://www.infratechconsulting.com//db-config-ini.php

hxxp://www.snackattack.co.za//db-config-ini.php

hxxp://www.proplumbing.co.za/wp-admin/db-config-ini.php

hxxp://sipambi-projects.co.za//db-config-ini.php

hxxp://solartree.pk//db-config-ini.php

hxxp://charliewestsecurity.co.za//db-config-ini.php

hxxps://zasamag.com/wp-includes/db-config-ini.php

hxxp://superdelight.co.za/livezilla/db-config-ini.php

hxxp://www.execwash.ae//db-config-ini.php

hxxp://moonsteel.ae//wp-content/themes/twentyfifteen/genericons/db-config-ini.php

hxxp://www.waterforevents.co.za//db-config-ini.php

hxxp://servicebox.co.za//db-config-ini.php

hxxp://globalelectricalandconstruction.co.za/wpscripts/db-config-ini.php

hxxp://skyblueprint.co.za/scripts/db-config-ini.php

hxxp://www.sowetojive.co.za//db-config-ini.php

hxxp://ushostinc.com/Slider/db-config-ini.php

hxxps://alceharfield.com//db-config-ini.php

hxxp://indocraft.co.za/test/db-config-ini.php

hxxps://awebcommerce.com/wp-admin/db-config-ini.php

hxxp://w1africa.co/crmsugar/db-config-ini.php

hxxp://sullivanprimary.co.za/wp-admin/db-config-ini.php

hxxp://www.rcpk.co.za//db-config-ini.php

hxxp://jakobieducation.co.za//db-config-ini.php

hxxp://globaltransformers.com/wp-admin/db-config-ini.php

hxxp://abvsecurity.co.za//db-config-ini.php

hxxp://tlcservers.co.za//db-config-ini.php

hxxp://pamudzi.co.za/wp-includes/db-config-ini.php

hxxp://shullen.co.za//db-config-ini.php

hxxp://www.daleth.co.za/wp-includes/db-config-ini.php

hxxp://opendisclosure.org.za//db-config-ini.php

hxxp://winagainstebola.com/assets/db-config-ini.php

hxxp://permanite.co.za/wp-includes/db-config-ini.php

hxxp://onlinenews.com.pk//db-config-ini.php

hxxp://afrogeo.com/afroweb/db-config-ini.php

hxxp://reniko.co.za/wp-admin/db-config-ini.php

hxxp://bm360.com.pk//db-config-ini.php

hxxp://tawaair.com//db-config-ini.php

hxxp://ancoeng.co.za//db-config-ini.php

hxxp://irfanandirfan.com/irfanadnirfan/db-config-ini.php

hxxp://www.peoplealley.com/wp-admin/db-config-ini.php

hxxp://lahorecoolingtower.com//db-config-ini.php

hxxp://debnoch.com/image/db-config-ini.php

hxxp://gideonitesprojects.com//db-config-ini.php

hxxp://threelivingprojects.co.za//db-config-ini.php

hxxp://twinnovations.co.za/wp-includes/db-config-ini.php

hxxp://woodracefurniture.co.za/js/db-config-ini.php

hxxp://www.koshcreative.co.uk/wp-includes/db-config-ini.php

hxxps://www.3dremodel.com//db-config-ini.php

hxxp://iinvest4u.co.za/wp-includes/db-config-ini.php

hxxp://burgercoetzeeattorneys.co.za//db-config-ini.php

hxxp://h-u-i.co.za/heiren/db-config-ini.php

hxxp://insta-art.co.za//db-config-ini.php

hxxp://twickenhamsa.co.za/wp-includes/db-config-ini.php

hxxp://firstchoiceproperties.co.za//db-config-ini.php

hxxp://sikanderajam.com//db-config-ini.php

hxxp://muallematsela.com/wp-admin/db-config-ini.php

hxxp://pronette.co.za/images/db-config-ini.php

hxxp://sheqworld.co.za/js/db-config-ini.php

hxxp://slcmprojects.co.za/phpMailer/db-config-ini.php

hxxp://www.geotrading.ae//db-config-ini.php

hxxp://nbscorporation.co.za//db-config-ini.php

hxxps://www.bizxess.com//db-config-ini.php

hxxp://perfectlabels.net//db-config-ini.php

hxxp://susinternational.com//db-config-ini.php

hxxp://www.obaidsaqerbusit.com//db-config-ini.php

hxxps://www.aboserver.xyz/wp-includes/db-config-ini.php

hxxp://www.bestdecorativemirrors.com/More-Mirrors/db-config-ini.php

hxxp://www.m-3.co.za/wp-includes/db-config-ini.php

hxxp://beesrenovations.co.za/images/db-config-ini.php

hxxp://sefukaletrading.co.za/wpscripts/db-config-ini.php

hxxp://hellohealthy.pro/wp-includes/widgets/db-config-ini.php

hxxp://nrsp.org.pk/publications/db-config-ini.php

hxxp://paimantrust.org/wp-content/plugins/contact-form-7/includes/db-config-ini.php

hxxp://mokorotlocorporate.com//db-config-ini.php

hxxp://aeconafrica.com//db-config-ini.php

hxxp://alvesajewellery.com//db-config-ini.php

hxxp://in2accounting.co.za//db-config-ini.php

hxxp://rvnstudios.co.za/specials/db-config-ini.php

hxxp://chitchatdosti.com/wp-content/db-config-ini.php

hxxp://domusgroup.ae/wp-admin/db-config-ini.php

hxxp://elektroniksigaralab.com/wp-includes/db-config-ini.php

hxxp://www.alphapridesafaris.com//db-config-ini.php

hxxp://giginsulation.com/new/db-config-ini.php

hxxp://reesconsulting.co.za/wpimages/db-config-ini.php

hxxp://ntombizenhloso.co.za//db-config-ini.php

hxxp://thealtarofworship.co.za//db-config-ini.php

hxxp://cloudhub.co.ls/modules/db-config-ini.php

hxxp://www.olexco.ae/wp/db-config-ini.php

hxxp://ftu965.com/wp-includes/theme-compat/db-config-ini.php

hxxp://digital-cameras-south-africa.co.za/Templates/db-config-ini.php

hxxp://uptown-trading.zar.cc/ana/db-config-ini.php

hxxp://satwa.ae/wp-includes/Requests/db-config-ini.php

hxxp://satcomputers.co.za//db-config-ini.php

hxxp://boschxpress.com//db-config-ini.php

hxxp://hosthof.pk/customer/db-config-ini.php

hxxp://newtech-consulting.ae/templates/db-config-ini.php

hxxps://www.engeltjieakademie.co.za/wp-admin/db-config-ini.php

hxxp://juniorad.co.za/vendor/db-config-ini.php

hxxp://dryve.ae//db-config-ini.php

hxxp://2strongmagazine.co.za//db-config-ini.php

hxxp://binhamgroup.com/event/db-config-ini.php

hxxp://www.centreforgovernance.uk//db-config-ini.php

hxxp://bepovoblago.com//db-config-ini.php

hxxp://isgs.com.pk//db-config-ini.php

hxxp://balaateen.co.za/less/db-config-ini.php

hxxp://www.babypk.net/wp-admin/includes/db-config-ini.php

hxxp://labas-health.apps.ae/wp-content/themes/twentyfourteen/db-config-ini.php

hxxp://bntlaminates.com//db-config-ini.php

hxxp://serversvalley.com//db-config-ini.php

hxxp://courtesydriving.co.za/js/db-config-ini.php

hxxp://prommap.co.za//db-config-ini.php

hxxp://narcolepsy-symptom-treatment.org//db-config-ini.php

hxxps://zafarstocks.com/wp-includes/db-config-ini.php

hxxp://www.freshhub.ae/var/db-config-ini.php

hxxp://www.icsswaziland.com//db-config-ini.php

hxxp://askarisecurities.com.pk//db-config-ini.php

hxxp://funeralbusinesssolution.com/email_template/db-config-ini.php

hxxp://intellismartglobal.com/public_html/db-config-ini.php

hxxp://thelawyerscanvas.pk/wp-admin/db-config-ini.php

hxxp://sirketcv.com/css/dist/loop/db-config-ini.php

hxxps://3dprintingdubai.ae//db-config-ini.php

hxxp://symergy.co.za/wp-admin/db-config-ini.php

hxxp://hostingvalley.co.uk/downloads/db-config-ini.php

hxxp://haveytv.com//db-config-ini.php

hxxp://officialdivinea.com//db-config-ini.php

hxxp://www.ampleadminservices.com/wp-includes/db-config-ini.php

hxxp://www.ihlosiqs-pm.co.za//db-config-ini.php

hxxp://mtinetworkdubai.com//db-config-ini.php

hxxps://boilersinfo.com/wp-includes/db-config-ini.php

hxxp://aresebetseng.co.za/wp-includes/db-config-ini.php

hxxp://aleph.pk/administrator/modules/mod_menu/db-config-ini.php

hxxp://www.moboradar.com/wp-includes/db-config-ini.php

hxxp://blackthorn.co.za//db-config-ini.php

hxxp://tmkprojects.co.za//db-config-ini.php

hxxp://alaqaba.com//db-config-ini.php

hxxp://www.qsrimages.co.za/wp-admin/db-config-ini.php

hxxp://tamer.info/dle/engine/ajax/db-config-ini.php

hxxp://getabletravel.co.za/data1/db-config-ini.php

hxxps://quickauto.tools/wp-admin/db-config-ini.php

hxxp://printernet.co.za//db-config-ini.php

hxxp://get-paid-for-online-survey.com//db-config-ini.php

hxxp://abrahamseed.co.za/scripts/db-config-ini.php

hxxp://cybercraft.biz/AB/db-config-ini.php

hxxp://www.competitiveedoptions.com//db-config-ini.php

hxxp://www.humorcarbons.com/wp-includes/db-config-ini.php

hxxps://carepvtltdpk.com/index_videolb/thumbnails/db-config-ini.php

hxxp://intelligentprotection.co.za/wp-admin/db-config-ini.php

hxxp://lppaportal.org.ls/dist/db-config-ini.php

hxxp://satuwrite.com//db-config-ini.php

hxxp://orsiniconsulting.co.za/newsite/db-config-ini.php

hxxp://www.themusicstudio.co.za/wp-includes/db-config-ini.php

hxxp://incoso.co.za/images/db-config-ini.php

hxxp://aboutbodybuildingworkout.com//db-config-ini.php

hxxp://webhostinc.net//db-config-ini.php

hxxp://bitteeth.com/docbank/db-config-ini.php

hxxp://www.superlead.org/wp-includes/db-config-ini.php

hxxp://technicians.global//db-config-ini.php

hxxp://isound.co.za/wp-admin/db-config-ini.php

hxxps://www.pacificprime.ae//db-config-ini.php

hxxp://tandemtraining.co.za//db-config-ini.php

hxxp://aexergy.com//db-config-ini.php

hxxp://adriaanvorster.co.za/engines/db-config-ini.php

hxxp://www.gsmmid.com/wp-admin/db-config-ini.php

hxxp://24newstube.com/satu/db-config-ini.php

hxxp://goolinegaming.com//db-config-ini.php

hxxp://hisandherskennels.co.za/assets/sass/db-config-ini.php

hxxp://empowerbridge.com/projects/abianasystem/db-config-ini.php

hxxp://www.wdsc.co.za/wp-includes/db-config-ini.php

hxxp://projectartdivvy.com/wp-admin/maint/db-config-ini.php

hxxp://iqra.co.za/admin/db-config-ini.php

hxxp://thecompasssolutions.co.za//db-config-ini.php

hxxp://mailingservers.net//db-config-ini.php

hxxps://rstextilesourcing.com//db-config-ini.php

hxxp://quikteam.com/scripts/contrib/db-config-ini.php

hxxp://iggleconsulting.com//db-config-ini.php

hxxp://astrumtechnologies.co.za/templates/db-config-ini.php

hxxp://cupboardcure.co.za/vendor/db-config-ini.php

hxxp://www.blockdos.net/wp-admin/db-config-ini.php

hxxps://bednbreakfasthotel.com/wp-includes/db-config-ini.php

hxxp://broken-arrow.co.za//db-config-ini.php

hxxps://mayoorschoolabudhabi.com//db-config-ini.php

hxxp://www.goolinespace.com//db-config-ini.php

hxxp://www.simpleks.co.za/wp-includes/db-config-ini.php

hxxp://abanganifunerals.co.za/fonts/db-config-ini.php

hxxp://technics.pk/info/db-config-ini.php

hxxp://www.bhakkarrishtey.com//db-config-ini.php

hxxp://arabelaholdings.com/wpscripts/db-config-ini.php

hxxp://bestencouragementwords.com//db-config-ini.php

hxxp://myhealthmedical.ae//old/PHPMailer/extras/db-config-ini.php

hxxp://sjog.mw//db-config-ini.php

hxxp://www.phoenix.zar.cc/wp-includes/db-config-ini.php

hxxp://www.induworld.ae/wp-admin/db-config-ini.php

hxxp://legacybeautysalon.com/wp-content/plugins/contact-form-7/includes/db-config-ini.php

hxxp://prestbusiness.co.za//db-config-ini.php

hxxp://habibtextiles.pk/wp-admin/db-config-ini.php

hxxp://fsproperties.co.za/engine1/db-config-ini.php

hxxps://www.brandspeak.org/contact/include/db-config-ini.php

hxxp://bridgepakistan.org//db-config-ini.php

hxxp://realstar.co.za//db-config-ini.php

hxxp://www.afikagroup.com/wp-includes/db-config-ini.php

hxxp://molepetravel.co.ls/data1/db-config-ini.php

hxxp://iiee.edu.pk//db-config-ini.php

hxxp://cmhts.co.za/resources/db-config-ini.php

hxxp://www.organisejournalise.co.za//db-config-ini.php

hxxp://www.arabblower.com//db-config-ini.php

hxxp://cns.com.pk/wp-includes/theme-compat/db-config-ini.php

hxxp://domesticguardians.co.za/Banner/db-config-ini.php

hxxp://stubbornsystems.com//db-config-ini.php

hxxp://ahdaaf.ae/wp-admin/db-config-ini.php

hxxp://cazochem.co.za/cazochem/db-config-ini.php

hxxp://www.algom-law.com//db-config-ini.php
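The relay mechanism described in the analysis means that every listed URL is a compromised, otherwise legitimate site, and all of them end in the same script name. As an added example (not part of the original article), the Python below refangs a handful of the IOC URLs above, normalises them, and scans a few constructed Squid-style proxy log lines, reporting exact-URL matches, matches on a listed host only, and the weaker signal of the recurring db-config-ini.php path on any host. The log lines, client IPs and unlisted hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# A few entries copied from the IOC list above, in the defanged hxxp form in
# which they are published.
DEFANGED_IOCS = [
    "hxxps://www.theharith.com/wp-includes/db-config-ini.php",
    "hxxp://www.easy-home-sales.co.za/wp-includes/db-config-ini.php",
    "hxxp://vumavaluations.co.za//db-config-ini.php",
    "hxxp://epss.ae/lib/db-config-ini.php",
]
# The relay script name shared by every URL in the list
RELAY_SCRIPT = "db-config-ini.php"

# Constructed Squid-style access log lines (native format: timestamp, elapsed,
# client, action/code, size, method, URL, ident, hierarchy, content type).
# The .invalid hosts, client IPs and timings are made up for the example.
SAMPLE_LOG = """\
1639569000.123    245 10.0.0.21 TCP_MISS/200 512 POST http://vumavaluations.co.za//db-config-ini.php - HIER_DIRECT/203.0.113.5 text/html
1639569001.456     87 10.0.0.22 TCP_MISS/200 1980 GET http://www.example.invalid/index.html - HIER_DIRECT/203.0.113.6 text/html
1639569002.789    310 10.0.0.21 TCP_MISS/200 640 POST http://epss.ae/lib/db-config-ini.php?id=7 - HIER_DIRECT/203.0.113.7 text/html
1639569003.012    150 10.0.0.23 TCP_MISS/200 700 POST http://unknown-host.invalid/wp-admin/db-config-ini.php - HIER_DIRECT/203.0.113.8 text/html
1639569004.345     60 10.0.0.24 TCP_MISS/200 300 GET https://www.theharith.com/about/ - HIER_DIRECT/203.0.113.9 text/html
"""


def refang(url: str) -> str:
    """Turn the publication-safe hxxp:// form back into a real scheme for matching."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def normalise(url: str):
    """Return (host, path) with the host lower-cased, duplicate slashes collapsed
    and the query string dropped, or None if the URL has no host."""
    parts = urlsplit(refang(url))
    if not parts.hostname:
        return None
    path = re.sub(r"/{2,}", "/", parts.path) or "/"
    return parts.hostname.lower(), path


def build_index(defanged_urls):
    """Index the IOC list as a set of hosts and a set of (host, path) pairs."""
    hosts, exact = set(), set()
    for url in defanged_urls:
        key = normalise(url)
        if key:
            hosts.add(key[0])
            exact.add(key)
    return hosts, exact


def classify(url: str, hosts: set, exact: set):
    """Strongest applicable verdict for one URL, or None."""
    key = normalise(url)
    if key is None:
        return None
    host, path = key
    if key in exact:
        return "exact-ioc"
    if host in hosts:
        return "ioc-host"
    if path.rsplit("/", 1)[-1] == RELAY_SCRIPT:
        return "relay-script-name"
    return None


def scan_log(log_text: str, defanged_urls=DEFANGED_IOCS):
    """Return (client, url, verdict) for every log line that matches."""
    hosts, exact = build_index(defanged_urls)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        verdict = classify(url, hosts, exact)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:<18} {client:<10} {url}")
```

The "ioc-host" verdict is deliberately kept separate from "exact-ioc": because the proxies are compromised legitimate sites, a user browsing www.theharith.com's normal pages is expected traffic, whereas a POST to the relay script is the beacon. The host-level hit is still worth a look, since the same site may host more than one relay path.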

References

[1]. https://ti.qianxin.com/apt/detail/5b0d2e66596a10001cde7c79?name=MuddyWater&type=map

# APT attack # backdoor analysis # MuddyWater