{"id":8460,"date":"2023-09-11T12:00:00","date_gmt":"2023-09-11T09:00:00","guid":{"rendered":"https:\/\/blog.eset.ee\/et\/2023\/09\/11\/sponsor-s-batarejnymi-usami-bekdor-ballistic-bobcat-dlya-skanirovaniya-i-ataki\/"},"modified":"2023-09-11T12:00:00","modified_gmt":"2023-09-11T09:00:00","slug":"sponsor-s-batarejnymi-usami-bekdor-ballistic-bobcat-dlya-skanirovaniya-i-ataki","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/ru\/2023\/09\/11\/sponsor-s-batarejnymi-usami-bekdor-ballistic-bobcat-dlya-skanirovaniya-i-ataki\/","title":{"rendered":"Sponsor with batch-filed whiskers: Ballistic Bobcat's scan-and-strike backdoor"},"content":{"rendered":"<p>The message is sent to request a command to execute and has the format (before base64 encoding) shown in <span lang=\"EN-US\">Figure 6<\/span>.<\/p>\n<figure><img decoding=\"async\" alt=\"Figure 6. 
Format of the message Sponsor sends to request commands to execute\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2-3-4-5.png\" title=\"Figure 6. Format of the message Sponsor sends to request commands to execute\"><figcaption><em>Figure 6. Format of the message Sponsor sends to request commands to execute<\/em><\/figcaption><\/figure>\n<p>The <span lang=\"EN-US\">encrypted_none<\/span> field in the figure is the result of encrypting the hardcoded string <span lang=\"EN-US\">None<\/span> with RC4. 
The RC4 key is the MD5 hash of <span lang=\"EN-US\">node_id<\/span>. Because RC4 is symmetric and the key depends only on node_id, anyone who knows a host's node_id can decrypt the field and confirm that a captured beacon belongs to Sponsor.<\/p>\n<p>The URL used to contact the C&amp;C server is built as <span lang=\"EN-US\">http:\/\/&lt;IP_or_domain&gt;:80<\/span>. This may indicate that <span lang=\"EN-US\">37.120.222[.]168:80<\/span> was the only C&amp;C server used throughout the Sponsoring Access campaign, since it was the only IP address that victim machines contacted on port 80.<\/p>\n<h5><span lang=\"EN-US\">Operator commands<\/span><\/h5>\n<p>The operator commands are listed 
in <span lang=\"EN-US\">Table 5<\/span>, in the order in which they appear in the code. Communication with the C&amp;C server takes place over port 80.<\/p>\n<p><em>Table 5. Operator commands and their descriptions<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"622\">\n<tbody>\n<tr>\n<td width=\"76\">\n<p><strong><span lang=\"EN-US\">Command<\/span><\/strong><\/p>\n<\/td>\n<td width=\"546\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">p<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Sends the process ID of the running Sponsor process.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">e<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Executes the command 
specified in the following additional argument on the Sponsor host, using the following command line:<\/span><\/p>\n<p><span><span lang=\"EN-US\">c:\\windows\\system32\\cmd.exe \/c &lt;cmd&gt; &gt; result.txt 2&gt;&amp;1<\/span><\/span><\/p>\n<p><span lang=\"EN-US\">The output is saved to <\/span><span><span lang=\"EN-US\">result.txt<\/span><\/span><span lang=\"EN-US\"> in the current working directory. On success, sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with the encrypted output to the C&amp;C server. 
On failure, sends an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message (with no indication of the error).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">d<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Receives a file from the C&amp;C server and executes it. This command takes several arguments: the name of the target file to write, the MD5 hash of the file, the directory to write the file to (the current working directory by default), a boolean indicating whether to run the file, and the contents of the executable 
file, base64-encoded. If there are no errors, an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with the text <\/span><span><span lang=\"EN-US\">Upload and execute file successfully<\/span><\/span><span lang=\"EN-US\"> or <\/span><span><span lang=\"EN-US\">Upload file successfully without execute<\/span><\/span><span lang=\"EN-US\"> (encrypted) is sent to the C&amp;C server. If executing the file fails, an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message is sent. 
If the MD5 hash of the file contents does not match the supplied hash, an <\/span><span><span lang=\"EN-US\">e<\/span><\/span><span lang=\"EN-US\"> (<\/span><span><span lang=\"EN-US\">CRC_ERROR<\/span><\/span><span lang=\"EN-US\">) message is sent to the C&amp;C server, containing only the encryption key in use and no other information. 
The term <\/span><span><span lang=\"EN-US\">Upload<\/span><\/span><span lang=\"EN-US\"> is potentially confusing here: Ballistic Bobcat's operators and coders see it from the server's side, whereas most people would call it a download, since the system running the Sponsor backdoor receives (that is, downloads) the file.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">u<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Attempts to download a file with the Windows API <\/span><span><span lang=\"EN-US\">URLDownloadToFileW<\/span><\/span><span lang=\"EN-US\"> (urlmon.dll) and execute it. 
On success, sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message containing the encryption key in use and no other information. On failure, sends an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message with the same structure.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">s<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Runs a file that is already on disk, <\/span><span><span lang=\"EN-US\">Uninstall.bat<\/span><\/span><span lang=\"EN-US\"> in the current working directory, which most likely contains commands that delete the files 
associated with the backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">n<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">This command can be specified explicitly by the operator, or Sponsor derives it as the command to execute when no other command is present. 
Internally Sponsor calls it <\/span><span><span lang=\"EN-US\">NO_CMD<\/span><\/span><span lang=\"EN-US\">; it waits for a random delay before contacting the C&amp;C server again.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">b<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Updates the C&amp;C list stored in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> in the current working directory. New C&amp;C addresses replace the previous ones; they are not appended to the list. 
Sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with the text <\/span><span><span lang=\"EN-US\">New relays replaced successfully<\/span><\/span><span lang=\"EN-US\"> (encrypted) to the C&amp;C server on a successful update.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">i<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Updates the predefined check-in interval specified in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">. 
Sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with the text <\/span><span><span lang=\"EN-US\">New interval replaced successfully<\/span><\/span><span lang=\"EN-US\"> to the C&amp;C server on a successful update.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5><span lang=\"EN-US\">Sponsor updates<\/span><\/h5>\n<p>Ballistic Bobcat's developers changed the code between Sponsor v1 and v2.<\/p>\n<p>
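As an added example (not code from the Sponsor samples or from ESET), the following Python helpers implement what the description of the beacon message above and Table 5 pin down: RC4 keyed with the MD5 of node_id (the page does not say whether the raw digest or its hex form is the key, so both variants are tried; that is an assumption), a check that a captured encrypted_none field decrypts to the string None, the MD5 integrity decision of the d command with its a and e response codes, and a process-command-line matcher for the cmd.exe \/c ... &gt; result.txt 2&gt;&amp;1 template of the e command. Function names, the regular expression and the sample values are mine and not taken from the malware; the field layout of Figure 6 is not reproduced.<\/p>

```python
"""Sponsor protocol helpers derived from this page's description of the
beacon message and of Table 5. Added example: none of this is code from the
Sponsor samples or from ESET, and the Figure 6 message layout is not
reproduced; only the encrypted_none field, the 'd' integrity decision and
the 'e' command-line template are modelled."""
import base64
import hashlib
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). RC4 is symmetric, so the same call
    encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def sponsor_keys(node_id: str) -> dict:
    """Candidate RC4 keys for a node_id. The page says the key is the MD5 of
    node_id but not whether the raw 16-byte digest or its 32-character hex
    form is used, so both are returned (assumption: it is one of the two)."""
    digest = hashlib.md5(node_id.encode("utf-8")).digest()
    return {"raw": digest, "hex": digest.hex().encode("ascii")}


def encrypted_none(node_id: str, variant: str = "raw") -> bytes:
    """The encrypted_none marker: RC4 over the hardcoded string 'None'."""
    return rc4(sponsor_keys(node_id)[variant], b"None")


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def match_encrypted_none(field_b64: str, node_id: str):
    """For a captured encrypted_none field (base64) and a candidate node_id,
    return the key variant that decrypts it to 'None', or None if neither does."""
    blob = base64.b64decode(field_b64)
    for variant, key in sponsor_keys(node_id).items():
        if rc4(key, blob) == b"None":
            return variant
    return None


# Response codes from Table 5.
SUCCESS, FAIL, CRC_ERROR = "a", "f", "e"


def d_command_response(file_b64: str, claimed_md5: str, execute: bool) -> tuple:
    """The decision the 'd' handler is described as making: MD5 of the decoded
    payload against the operator-supplied hash, CRC_ERROR on mismatch, else the
    success text. Nothing is written to disk or executed here."""
    payload = base64.b64decode(file_b64)
    if hashlib.md5(payload).hexdigest() != claimed_md5.strip().lower():
        return (CRC_ERROR, "CRC_ERROR")
    if execute:
        return (SUCCESS, "Upload and execute file successfully")
    return (SUCCESS, "Upload file successfully without execute")


def e_command_line(cmd: str) -> str:
    """The process command line the 'e' handler builds (Table 5)."""
    return "c:\\windows\\system32\\cmd.exe /c " + cmd + " > result.txt 2>&1"


# Hunting pattern for process-creation telemetry (Sysmon event 1, Security
# event 4688): cmd.exe /c <anything> with stdout and stderr redirected into a
# file named result.txt. The pattern is mine, not an ESET detection rule.
_E_PATTERN = re.compile(r"cmd\.exe\s+/c\s+.+?\s*>\s*result\.txt\s+2>&1\s*$",
                        re.IGNORECASE)


def looks_like_sponsor_e(command_line: str) -> bool:
    return bool(_E_PATTERN.search(command_line))


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    marker = b64(encrypted_none("node-1234", "hex"))
    print("encrypted_none(node-1234, hex key) =", marker)
    print("matching key variant:", match_encrypted_none(marker, "node-1234"))
    print(d_command_response(b64(b"abc"), "900150983cd24fb0d6963f7d28e17f72", True))
    print(d_command_response(b64(b"abc"), "0" * 32, True))
    print(looks_like_sponsor_e(e_command_line("whoami")))
```

<p>The RC4 routine should be checked against a known-answer vector (key Key, plaintext Plaintext gives BBF316E8D940AF0AD3) before it is trusted against a real capture. The matcher is deliberately narrow, requiring both stdout and stderr to be redirected into a file named result.txt, so that it can run over process-creation telemetry without flooding on ordinary cmd.exe \/c use.<\/p>
<p>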
The two most significant changes in the second version are:<\/p>\n<ul>\n<li><span lang=\"EN-US\">Code optimization, in which several long functions were split into functions and subfunctions, and<\/span><\/li>\n<li><span lang=\"EN-US\">Disguising Sponsor as an updater program by including the following message in the service configuration:<\/span><\/li>\n<\/ul>\n<p><span><span lang=\"EN-US\">Application updates are beneficial for both users and the applications themselves: updates mean that 
developers are constantly working to improve the application, thinking about a better user experience with each update.<\/span><\/span><\/p>\n<h2><span lang=\"EN-US\">Network infrastructure<\/span><\/h2>\n<p>In addition to reusing the C&amp;C infrastructure employed in the PowerLess campaign, Ballistic Bobcat also introduced a new C&amp;C server. 
The group also used several IP addresses to store and deliver auxiliary tools during the Sponsoring Access campaign. We have confirmed that none of these IP addresses is currently active.<\/p>\n<h2><span lang=\"EN-US\">Conclusion<\/span><\/h2>\n<p>Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. 
The group continues to use a diverse set of open-source tools, supplemented by several custom applications, including the Sponsor backdoor. Defenders are advised to patch all internet-exposed devices and to remain vigilant for new applications appearing in their organizations.<\/p>\n<blockquote>\n<p>For any inquiries about 
our research published on WeLiveSecurity, please contact us at <a href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>.<br \/>ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor\/\">ESET Threat Intelligence<\/a> page.<\/p>\n<\/blockquote>\n<h2><span lang=\"EN-US\">IoCs<\/span><\/h2>\n<h3><span lang=\"EN-US\">Files<\/span><\/h3>\n<h3><span><span lang=\"EN-US\">File paths<\/span><\/span><\/h3>\n<p><span lang=\"EN-US\">Below is 
\u0441\u043f\u0438\u0441\u043e\u043a \u043f\u0443\u0442\u0435\u0439, \u043f\u043e \u043a\u043e\u0442\u043e\u0440\u044b\u043c \u0431\u044d\u043a\u0434\u043e\u0440 Sponsor \u0431\u044b\u043b \u0440\u0430\u0437\u0432\u0435\u0440\u043d\u0443\u0442 \u043d\u0430 \u043c\u0430\u0448\u0438\u043d\u0430\u0445 \u0436\u0435\u0440\u0442\u0432.<\/span><\/p>\n<p><span><span lang=\"EN-US\">%SYSTEMDRIVE%inetpubwwwrootaspnet_client<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%AppDataLocalTempfile<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%AppDataLocalTemp2low<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%Desktop<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%Downloadsa<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%INFMSExchange Delivery DSN<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%Tasks<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%Temp%WINDIR%Tempcrashpad1Files<\/span><\/span><\/p>\n<p><span lang=\"EN-US\"><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<tbody>\n<tr>\n<td width=\"170\">\n<p><strong><span lang=\"EN-US\">Filename<\/span><\/strong><\/p>\n<\/td>\n<td width=\"451\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\"><code><code><\/code><\/code><\/p>\n<p><span><span lang=\"EN-US\">host2ip.exe<\/span><\/span><\/p>\n<p><code><br \/>\n<code><br \/>\n<\/code><\/code><\/td>\n<td width=\"451\">\n<p><span lang=\"EN-US\">Maps a <a href=\"https:\/\/github.com\/IHosseini083\/Host2IP\"><span>hostname to an IP address<\/span><\/a> within the local network. 
<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>CSRSS.EXE<\/p>\n<\/td>\n<td width=\"451\">\n<p><a href=\"https:\/\/github.com\/kost\/revsocks\">RevSocks<\/a>, a reverse tunnel application.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>mi.exe<\/p>\n<\/td>\n<td width=\"451\">\n<p>Mimikatz, with an original filename of midongle.exe and packed with the <a href=\"http:\/\/adn.bioinfo.uqam.ca\/armadillo\/index.html\">Armadillo PE packer<\/a>.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>gost.exe<\/p>\n<\/td>\n<td width=\"451\">\n<p>GO Simple Tunnel (<a href=\"https:\/\/github.com\/ginuerzh\/gost\">GOST<\/a>), a tunneling application written in Go.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>chisel.exe<\/p>\n<\/td>\n<td width=\"451\">\n<p><a href=\"https:\/\/github.com\/jpillora\/chisel\">Chisel<\/a>, a TCP\/UDP tunnel over HTTP using SSH layers.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>csrss_protected.exe<\/p>\n<\/td>\n<td width=\"451\">\n<p>RevSocks tunnel, protected with the trial version of the <a href=\"https:\/\/enigmaprotector.com\/\">Enigma Protector software protection<\/a>.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>plink.exe<\/p>\n<\/td>\n<td width=\"451\">\n<p><a href=\"https:\/\/documentation.help\/PuTTY\/plink-usage.html\">Plink<\/a> (PuTTY Link), a command line connection tool.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>WebBrowserPassView.exe<\/p>\n<\/td>\n<td width=\"451\">\n<p>A <a href=\"https:\/\/www.nirsoft.net\/utils\/web_browser_password.html\">password recovery tool<\/a> for passwords stored in web browsers.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>sqlextractor.exe<\/p>\n<\/td>\n<td width=\"451\">\n<p>A <a href=\"https:\/\/github.com\/chop-dbhi\/sql-extractor\">tool<\/a> for interacting with, and extracting data from, SQL databases.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"170\">\n<p>procdump64.exe<\/p>\n<\/td>\n<td width=\"451\">\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procdump\">ProcDump<\/a>, a Sysinternals command line utility for monitoring applications and generating crash dumps.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"643\">\n<tbody>\n<tr>\n<td width=\"151\">\n<p><strong>IP<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong>Provider<\/strong><\/p>\n<\/td>\n<td width=\"95\">\n<p><strong>First seen<\/strong><\/p>\n<\/td>\n<td width=\"94\">\n<p><strong>Last seen<\/strong><\/p>\n<\/td>\n<td width=\"189\">\n<p><strong>Details<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p>162.55.137[.]20<\/p>\n<\/td>\n<td width=\"113\">\n<p>Hetzner Online GMBH<\/p>\n<\/td>\n<td width=\"95\">\n<p>14.06.2021<\/p>\n<\/td>\n<td width=\"94\">\n<p>15.06.2021<\/p>\n<\/td>\n<td width=\"189\">\n<p>PowerLess C&amp;C.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p>37.120.222[.]168<\/p>\n<\/td>\n<td width=\"113\">\n<p>M247 LTD<\/p>\n<\/td>\n<td width=\"95\">\n<p>28.11.2021<\/p>\n<\/td>\n<td width=\"94\">\n<p>12.12.2021<\/p>\n<\/td>\n<td width=\"189\">\n<p>Sponsor C&amp;C.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p>198.144.189[.]74<\/p>\n<\/td>\n<td width=\"113\">\n<p>Colocrossing<\/p>\n<\/td>\n<td width=\"95\">\n<p>29.11.2021<\/p>\n<\/td>\n<td width=\"94\">\n<p>29.11.2021<\/p>\n<\/td>\n<td width=\"189\">\n<p>Support tools download site.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p>5.255.97[.]172<\/p>\n<\/td>\n<td width=\"113\">\n<p>The Infrastructure Group B.V.<\/p>\n<\/td>\n<td width=\"95\">\n<p>05.09.2021<\/p>\n<\/td>\n<td width=\"94\">\n<p>28.10.2021<\/p>\n<\/td>\n<td width=\"189\">\n<p>Support tools download site.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p>This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 13<\/a> of the MITRE ATT&amp;CK framework.<\/p>\n<div>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"643\">\n<thead>\n<tr>\n<td width=\"113\">\n<p><strong>Tactic<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong>ID<\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong>Name<\/strong><\/p>\n<\/td>\n<td width=\"265\">\n<p><strong>Description<\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"113\">\n<p><strong>Reconnaissance<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1595\/\"><em>T1595<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Active Scanning: Vulnerability Scanning<\/p>\n<\/td>\n<td width=\"265\">\n<p>Ballistic Bobcat scans for vulnerable versions of Microsoft Exchange servers to exploit.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong>Resource Development<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1587\/001\/\"><em>T1587.001<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Develop Capabilities: Malware<\/p>\n<\/td>\n<td width=\"265\">\n<p>Ballistic Bobcat developed and wrote the Sponsor backdoor.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1588\/002\/\"><em>T1588.002<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Obtain Capabilities: Tool<\/p>\n<\/td>\n<td width=\"265\">\n<p>Ballistic Bobcat uses various open-source tools as part of the Sponsoring Access campaign.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Initial Access<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1190\/\"><em>T1190<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Exploit Public-Facing Application<\/p>\n<\/td>\n<td width=\"265\">\n<p>Ballistic Bobcat targets public-facing Microsoft Exchange servers.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong>Execution<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1059\/003\/\"><em>T1059.003<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Command and Scripting Interpreter: Windows Command Shell<\/p>\n<\/td>\n<td width=\"265\">\n<p>The Sponsor backdoor uses the Windows command shell to execute commands on the victim's system.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1569\/002\/\"><em>T1569.002<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>System Services: Service Execution<\/p>\n<\/td>\n<td width=\"265\">\n<p>The Sponsor backdoor installs itself as a service and initiates its main functions once the service is executed.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Persistence<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1543\/003\/\"><em>T1543.003<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Create or Modify System Process: Windows Service<\/p>\n<\/td>\n<td width=\"265\">\n<p>Sponsor maintains persistence by creating an automatic-start service that runs its main functions in a loop.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Privilege Escalation<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1078\/003\/\"><em>T1078.003<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Valid Accounts: Local Accounts<\/p>\n<\/td>\n<td width=\"265\">\n<p>Ballistic Bobcat operators attempt to steal the credentials of valid users after initially exploiting a system, before deploying the Sponsor backdoor.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\">\n<p><strong>Defense Evasion<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1140\/\"><em>T1140<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Deobfuscate\/Decode Files or Information<\/p>\n<\/td>\n<td width=\"265\">\n<p>Sponsor stores encrypted and obfuscated information on disk and deobfuscates it at runtime.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1027\/\"><em>T1027<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Obfuscated Files or Information<\/p>\n<\/td>\n<td width=\"265\">\n<p>The configuration files that the Sponsor backdoor requires on disk are encrypted and obfuscated.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1078\/003\/\"><em>T1078.003<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Valid Accounts: Local Accounts<\/p>\n<\/td>\n<td width=\"265\">\n<p>Sponsor runs with administrator privileges, probably using credentials the operators found on disk; together with Ballistic Bobcat's innocuous naming conventions, this lets Sponsor blend into the background.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Credential Access<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1555\/003\/\"><em>T1555.003<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Credentials from Password Stores: Credentials from Web Browsers<\/p>\n<\/td>\n<td width=\"265\">\n<p>Ballistic Bobcat operators use open-source tools to steal credentials from password stores in web browsers.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Discovery<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1018\/\"><em>T1018<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Remote System Discovery<\/p>\n<\/td>\n<td width=\"265\">\n<p>Ballistic Bobcat uses the Host2IP tool, previously used by Agrius, to discover other systems in reachable networks and to map their hostnames to IP addresses.<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong>Command and Control<\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1001\/\"><em>T1001<\/em><\/a><\/p>\n<\/td>\n<td width=\"151\">\n<p>Data Obfuscation<\/p>\n<\/td>\n<td width=\"265\">\n<p>The Sponsor backdoor obfuscates data before sending it to the C&amp;C server.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor\/\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"296\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/12\/eset-threat-intelligence.png\" width=\"915\"><\/a><\/p>\n<p>We believe the batch files and configuration files are part of a modular development process that Ballistic Bobcat has favored over the past few years.<\/p>\n<h4>Sponsor backdoor<\/h4>\n<p><span lang=\"EN-US\">Sponsor backdoors are written in C++ with compilation timestamps and program database (PDB) paths, as shown in Table 3. 
\u041f\u0440\u0438\u043c\u0435\u0447\u0430\u043d\u0438\u0435 \u043e \u043d\u043e\u043c\u0435\u0440\u0430\u0445 \u0432\u0435\u0440\u0441\u0438\u0439: \u0441\u0442\u043e\u043b\u0431\u0435\u0446 <\/span><span><span lang=\"EN-US\">\u0412\u0435\u0440\u0441\u0438\u044f<\/span><\/span><span lang=\"EN-US\"> \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0441\u043e\u0431\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u044e, \u043a\u043e\u0442\u043e\u0440\u0443\u044e \u043c\u044b \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0435\u043c \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0435 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u043b\u0438\u043d\u0435\u0439\u043d\u043e\u0439 \u043f\u0440\u043e\u0433\u0440\u0435\u0441\u0441\u0438\u0438 \u0431\u044d\u043a\u0434\u043e\u0440\u043e\u0432 Sponsor, \u0433\u0434\u0435 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0432\u043d\u043e\u0441\u044f\u0442\u0441\u044f \u043e\u0442 \u043e\u0434\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438 \u043a \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0439. 
\u0421\u0442\u043e\u043b\u0431\u0435\u0446 <\/span><span><span lang=\"EN-US\">\u0412\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u044f\u044f \u0432\u0435\u0440\u0441\u0438\u044f<\/span><\/span><span lang=\"EN-US\"> \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043d\u043e\u043c\u0435\u0440\u0430 \u0432\u0435\u0440\u0441\u0438\u0439, \u043d\u0430\u0431\u043b\u044e\u0434\u0430\u0435\u043c\u044b\u0435 \u0432 \u043a\u0430\u0436\u0434\u043e\u043c \u0431\u044d\u043a\u0434\u043e\u0440\u0435 Sponsor, \u0438 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u044b \u0434\u043b\u044f \u0443\u0434\u043e\u0431\u0441\u0442\u0432\u0430 \u0441\u0440\u0430\u0432\u043d\u0435\u043d\u0438\u044f \u043f\u0440\u0438 \u0430\u043d\u0430\u043b\u0438\u0437\u0435 \u044d\u0442\u0438\u0445 \u0438 \u0434\u0440\u0443\u0433\u0438\u0445 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u043e\u0431\u0440\u0430\u0437\u0446\u043e\u0432 Sponsor.<\/span><\/p>\n<p><em>\u0422\u0430\u0431\u043b\u0438\u0446\u0430 3. 
Sponsor compilation timestamps and PDB paths<\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"624\">\n<tbody>\n<tr>\n<td width=\"60\">\n<p><strong><span lang=\"EN-US\">Version<\/span><\/strong><\/p>\n<\/td>\n<td width=\"63\">\n<p><strong><span lang=\"EN-US\">Internal version<\/span><\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong><span lang=\"EN-US\">Compilation timestamp<\/span><\/strong><\/p>\n<\/td>\n<td width=\"350\">\n<p><strong><span lang=\"EN-US\">PDB<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">1<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">1.0.0<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2021-08-29 09:12:51<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span lang=\"EN-US\">D:\\Temp\\BD_Plus_Srvc\\Release\\BD_Plus_Srvc.pdb<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">2<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">1.0.0<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2021-10-09 12:39:15<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span lang=\"EN-US\">D:\\Temp\\Sponsor\\Release\\Sponsor.pdb<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">3<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">1.4.0<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2021-11-24 11:51:55<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span lang=\"EN-US\">D:\\Temp\\Sponsor\\Release\\Sponsor.pdb<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">4<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">2.1.1<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2022-02-19 13:12:07<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span lang=\"EN-US\">D:\\Temp\\Sponsor\\Release\\Sponsor.pdb<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"60\">\n<p><span lang=\"EN-US\">5<\/span><\/p>\n<\/td>\n<td width=\"63\">\n<p><span lang=\"EN-US\">1.2.3.0<\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">2022-06-19 14:14:13<\/span><\/p>\n<\/td>\n<td width=\"350\">\n<p><span lang=\"EN-US\">D:\\Temp\\Alumina\\Release\\Alumina.pdb<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span lang=\"EN-US\">Initial execution of Sponsor requires the command-line argument <\/span><span><span lang=\"EN-US\">install<\/span><\/span><span lang=\"EN-US\">, without which Sponsor exits gracefully; this is probably a simple anti-emulation\/sandbox technique. 
If this argument is passed, Sponsor creates a service named <\/span><span><span lang=\"EN-US\">SystemNetwork<\/span><\/span><span lang=\"EN-US\"> (in <\/span><span><span lang=\"EN-US\">v1<\/span><\/span><span lang=\"EN-US\">) or <\/span><span><span lang=\"EN-US\">Update<\/span><\/span><span lang=\"EN-US\"> (in all other versions). It sets the service's startup type to <\/span><span><span lang=\"EN-US\">Automatic<\/span><\/span><span lang=\"EN-US\">, configures it to run Sponsor's own process, and grants it full access. It then starts the service.<\/span><\/p>\n<p><span lang=\"EN-US\">Sponsor, now running as a service, attempts to open the configuration files mentioned above, which were previously placed on disk. It looks for <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> and <\/span><span><span lang=\"EN-US\">node.txt<\/span><\/span><span lang=\"EN-US\">, both in the current working directory. If the former is missing, Sponsor sets the service to <\/span><span lang=\"EN-US\"><span>Stopped<\/span><\/span><span lang=\"EN-US\"> and exits gracefully.<\/span><\/p>\n<h5><span lang=\"EN-US\">Backdoor configuration<\/span><\/h5>\n<p><span lang=\"EN-US\">Sponsor's configuration, stored in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">, contains two fields:<\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\">An update interval, in seconds, for periodically contacting the C&amp;C server for commands.<\/span><\/li>\n<li><span lang=\"EN-US\">A list of C&amp;C servers, referred to as <\/span><span><span lang=\"EN-US\">relays<\/span><\/span><span lang=\"EN-US\"> in the Sponsor binaries.<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\">The C&amp;C servers are stored encrypted (RC4), and the decryption key is located in the first line of <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">. Each of the fields, including the decryption key, has the format shown in <\/span><span lang=\"EN-US\">Figure <span>3<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 3. Format of the configuration fields in config.txt\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2.png\" title=\"Figure 3. Format of the configuration fields in config.txt\" width=\"\"><figcaption><em>Figure 3. Format of the configuration fields in config.txt<\/em><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">The subfields are:<\/span><\/p>\n<ul>\n<li><span><span lang=\"EN-US\">config_start<\/span><\/span><span lang=\"EN-US\">: the length of <\/span><span><span lang=\"EN-US\">config_name<\/span><\/span><span lang=\"EN-US\"> if it is present, or zero if it is absent. The backdoor uses it to know where <\/span><span><span lang=\"EN-US\">config_data<\/span><\/span><span lang=\"EN-US\"> begins.<\/span><\/li>\n<li><span><span lang=\"EN-US\">config_len<\/span><\/span><span lang=\"EN-US\">: the length of <\/span><span><span lang=\"EN-US\">config_data<\/span><\/span><span lang=\"EN-US\">.<\/span><\/li>\n<li><span><span lang=\"EN-US\">config_name<\/span><\/span><span lang=\"EN-US\">: an optional field holding a name given to the configuration field.<\/span><\/li>\n<li><span><span lang=\"EN-US\">config_data<\/span><\/span><span lang=\"EN-US\">: the configuration itself, encrypted (in the case of the C&amp;C servers) or not (all other fields).<\/span><\/li>\n<\/ul>\n<p><span lang=\"EN-US\"><\/span><span lang=\"EN-US\">Figure <span>4<\/span><\/span><span lang=\"EN-US\"> shows a color-coded example of the possible contents of a <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> file. Note that this is not a real file we observed, but a fabricated example.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 4. Example of possible config.txt contents\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2-3.png\" title=\"Figure 4. Example of possible config.txt contents\" width=\"\"><figcaption><em>Figure 4. Example of possible config.txt contents<\/em><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">The last two fields in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> are encrypted with RC4, using the string representation of the SHA-256 hash of the specified decryption key as the key for encrypting the data. 
We see that the encrypted bytes are stored hex-encoded, as ASCII text.<\/span><\/p>\n<h5><span lang=\"EN-US\">Host information gathering<\/span><\/h5>\n<p><span lang=\"EN-US\">Sponsor gathers information about the host it is running on, sends all of it to the C&amp;C server, and receives a node identifier that is written to <\/span><span><span lang=\"EN-US\">node.txt<\/span><\/span><span lang=\"EN-US\">. <\/span><span lang=\"EN-US\">Table <span>4<\/span><\/span><span lang=\"EN-US\"> lists the Windows registry keys and values that Sponsor reads to obtain this information, with an example of the data collected.<\/span><\/p>\n<p><em><span lang=\"EN-US\">Table 4. Information gathered by Sponsor<\/span><\/em><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\">\n<thead>\n<tr>\n<td width=\"318\">\n<p><strong><span lang=\"EN-US\">Registry key<\/span><\/strong><\/p>\n<\/td>\n<td width=\"144\">\n<p><strong><span lang=\"EN-US\">Value<\/span><\/strong><\/p>\n<\/td>\n<td width=\"159\">\n<p><strong><span lang=\"EN-US\">Example<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"318\">\n<p><span lang=\"EN-US\">HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">Hostname<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">D-835MK12<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"318\">\n<p><span lang=\"EN-US\">HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">TimeZoneKeyName<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">Israel Standard Time<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"318\">\n<p><span lang=\"EN-US\">HKEY_USERS\\.DEFAULT\\Control Panel\\International<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">LocaleName<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">he-IL<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"318\">\n<p><span lang=\"EN-US\">HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">BaseBoardProduct<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">10NX0010IL<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"318\">\n<p><span lang=\"EN-US\">HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">ProcessorNameString<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"4\" width=\"318\">\n<p><span lang=\"EN-US\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion<\/span><\/p>\n<\/td>\n<td width=\"144\">\n<p><span lang=\"EN-US\">ProductName<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">Windows 10 Enterprise N<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\">\n<p><span lang=\"EN-US\">CurrentVersion<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">6.3<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\">\n<p><span lang=\"EN-US\">CurrentBuildNumber<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">19044<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"144\">\n<p><span lang=\"EN-US\">InstallationType<\/span><\/p>\n<\/td>\n<td width=\"159\">\n<p><span lang=\"EN-US\">Client<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span lang=\"EN-US\">Sponsor also collects the host's Windows domain using the following <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/wmisdk\/wmic\">WMIC<\/a> command:<\/span><\/p>\n<p><span><span lang=\"EN-US\">wmic computersystem get domain<\/span><\/span><\/p>\n<p><span lang=\"EN-US\">Finally, Sponsor uses Windows APIs to obtain the current username (<\/span><span><span lang=\"EN-US\">GetUserNameW<\/span><\/span><span lang=\"EN-US\">), to determine whether the current Sponsor process is running as a 32- or 64-bit application (<\/span><span><span lang=\"EN-US\">GetCurrentProcess<\/span><\/span><span lang=\"EN-US\">, then <\/span><span><span lang=\"EN-US\">IsWow64Process(CurrentProcess)<\/span><\/span><span lang=\"EN-US\">), and to determine whether the system is running on battery or is connected to an AC or DC power source (<\/span><span><span lang=\"EN-US\">GetSystemPowerStatus<\/span><\/span><span lang=\"EN-US\">).<\/span><\/p>\n<p><span lang=\"EN-US\">One oddity of the 32- or 64-bit check is that all observed Sponsor samples were 32-bit. 
This could mean that some next-stage tools require this information.<\/span><\/p>\n<p><span lang=\"EN-US\">The collected information is sent in a base64-encoded message that, before encoding, starts with <\/span><span><span lang=\"EN-US\">r<\/span><\/span><span lang=\"EN-US\"> and has the format shown in <\/span><span lang=\"EN-US\">Figure <span>5<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 5. Format of the message sent by Sponsor to register the victim computer\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2-3-4.png\" title=\"Figure 5. Format of the message sent by Sponsor to register the victim computer\" width=\"\"><figcaption><em>Figure 5. Format of the message sent by Sponsor to register the victim computer<\/em><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">The information is encrypted with RC4, and the encryption key is a random number generated on the spot. Here the key is hashed with MD5, not with SHA-256 as for the configuration file. This applies to all communications in which Sponsor has to send encrypted data.<\/span><\/p>\n<p><span lang=\"EN-US\">The C&amp;C server replies with a number that identifies the victim computer in subsequent communications; it is written to <\/span><span><span lang=\"EN-US\">node.txt<\/span><\/span><span lang=\"EN-US\">. Note that the C&amp;C server is chosen at random from the list when the <\/span><span><span lang=\"EN-US\">r<\/span><\/span><span lang=\"EN-US\"> message is sent, and the same server is used for all subsequent communications.<\/span><\/p>\n<h5><span lang=\"EN-US\">Command processing loop<\/span><\/h5>\n<p><span lang=\"EN-US\">Sponsor requests commands in a loop, sleeping according to the interval specified in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">. 
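The two key derivations and the message framing described in this section (SHA-256-string RC4 keys for config.txt, MD5-string RC4 keys for C&C traffic, the base64-encoded r registration message, and the c message with its encrypted_none field described under Figure 6), as an added worked example. This is not ESET's code and not code recovered from Sponsor; it is a model written for this page. Its assumptions, all labelled in the code: the "string representation" of both hashes is lowercase hex; fields inside a message are joined with a `|` separator and host information is serialized as `key=value` pairs joined with `;` (Figures 3, 5 and 6 are images, so their real layouts are not reproduced); and the random key of the r message is carried in clear beside the ciphertext so that the server can derive the same MD5 key. All sample values are constructed.

```python
from __future__ import annotations

import base64
import hashlib
import secrets

# Added example, not ESET's tooling and not Sponsor's code. ASSUMPTIONS: hash
# "strings" are lowercase hex; message fields are joined with SEP; the random
# session key of the r message travels in clear next to its ciphertext; host
# info is serialized as key=value pairs joined with ";". The real layouts are
# in Figures 3, 5 and 6 of the report, which are images.
SEP = "|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def config_key(key_line: str) -> bytes:
    """config.txt: the RC4 key is the string form of SHA-256(first line of the file)."""
    return hashlib.sha256(key_line.encode()).hexdigest().encode()


def comms_key(material: str) -> bytes:
    """C&C traffic: same construction, but MD5 instead of SHA-256."""
    return hashlib.md5(material.encode()).hexdigest().encode()


def encrypt_config_field(key_line: str, plaintext: str) -> str:
    """Produces config_data in the hex-ASCII form Sponsor keeps on disk."""
    return rc4(config_key(key_line), plaintext.encode()).hex()


def decrypt_config_field(key_line: str, hex_ascii: str) -> str:
    """Inverse of the above: what Sponsor does with the encrypted relay entries."""
    return rc4(config_key(key_line), bytes.fromhex(hex_ascii)).decode()


def frame(*fields: str) -> str:
    """Join the fields (assumed separator) and base64-encode the whole message."""
    return base64.b64encode(SEP.join(fields).encode()).decode()


def unframe(message: str) -> list[str]:
    return base64.b64decode(message).decode().split(SEP)


def encrypted_none(node_id: str) -> str:
    """The encrypted_none field of the c message: RC4('None') under MD5(node_id)."""
    return rc4(comms_key(node_id), b"None").hex()


def build_registration(host_info: dict[str, str], session_key: str | None = None) -> str:
    """The r message: host info RC4-encrypted under MD5(random number), then base64."""
    session_key = session_key or str(secrets.randbelow(2**31))  # "generated on the spot"
    blob = ";".join(f"{k}={v}" for k, v in host_info.items())   # assumed serialization
    return frame("r", session_key, rc4(comms_key(session_key), blob.encode()).hex())


def decode_registration(message: str) -> dict[str, str]:
    """Server side of the r message; raises ValueError on bad framing."""
    kind, session_key, enc = unframe(message)
    if kind != "r":
        raise ValueError("not a registration message")
    blob = rc4(comms_key(session_key), bytes.fromhex(enc)).decode()
    return dict(kv.split("=", 1) for kv in blob.split(";"))


def build_command_request(node_id: str) -> str:
    """The c (IS_CMD_AVAIL) message sent on each loop iteration."""
    return frame("c", node_id, encrypted_none(node_id))


def check_command_request(message: str) -> str:
    """Server side of the c message. encrypted_none decrypts to 'None' only under the
    key derived from the claimed node_id, so it doubles as a cheap proof that the
    sender knows the identifier it was handed at registration."""
    kind, node_id, enc_none = unframe(message)
    if kind != "c" or rc4(comms_key(node_id), bytes.fromhex(enc_none)) != b"None":
        raise ValueError("bad command request")
    return node_id


if __name__ == "__main__":
    # Constructed sample values (the host fields mirror the examples in Table 4).
    relay = encrypt_config_field("some-key-line", "198.51.100.7:80")
    print("config_data on disk:", relay, "->", decrypt_config_field("some-key-line", relay))
    reg = build_registration({"Hostname": "D-835MK12", "LocaleName": "he-IL"})
    print("r message:", reg, "->", decode_registration(reg))
    req = build_command_request("1")
    print("c message:", req, "-> node", check_command_request(req))
```

To recover the relay list from a real config.txt with this model, take the first line of the file as `key_line` and pass each hex-ASCII `config_data` value to `decrypt_config_field`; the MD5 variant applies only to what goes over the wire. The `|`, `;` and `=` framing is not injection-safe and is only a stand-in for the layouts in the figures.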
The steps are as follows:<\/span><\/p>\n<ol>\n<li><span lang=\"EN-US\">Send a <\/span><span><span lang=\"EN-US\">chk=Test<\/span><\/span><span lang=\"EN-US\"> message repeatedly, until the C&amp;C server replies <\/span><span><span lang=\"EN-US\">Ok<\/span><\/span><span lang=\"EN-US\">.<\/span><\/li>\n<li><span lang=\"EN-US\">Send a <\/span><span><span lang=\"EN-US\">c<\/span><\/span><span lang=\"EN-US\"> (<\/span><span><span lang=\"EN-US\">IS_CMD_AVAIL<\/span><\/span><span lang=\"EN-US\">) message to the C&amp;C server, and receive an operator command.<\/span><\/li>\n<li><span lang=\"EN-US\">Process the command.<\/span>\n<ul>\n<li><span lang=\"EN-US\">If there is output to be sent to the C&amp;C server, send an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> (<\/span><span><span lang=\"EN-US\">ACK<\/span><\/span><span lang=\"EN-US\">) message, including the output (encrypted), or<\/span><\/li>\n<li><span lang=\"EN-US\">If execution failed, send an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> (<\/span><span><span lang=\"EN-US\">FAILED<\/span><\/span><span lang=\"EN-US\">) message. The error message is not sent.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span lang=\"EN-US\">Sleep.<\/span><\/li>\n<\/ol>\n<p><span lang=\"EN-US\">The <\/span><span><span lang=\"EN-US\">c<\/span><\/span><span lang=\"EN-US\"> message is sent to request a command to execute, and has the format (before base64 encoding) shown in <\/span><span lang=\"EN-US\">Figure <span>6<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<figure><img decoding=\"async\" alt=\"Figure 6. Format of the message sent by Sponsor to ask for commands to execute\" height=\"\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2023\/2023-8\/map-apt42-1-2-3-4-5.png\" title=\"Figure 6. Format of the message sent by Sponsor to ask for commands to execute\" width=\"\"><figcaption><em>Figure 6. 
Format of the message sent by Sponsor to ask for commands to execute<\/em><\/figcaption><\/figure>\n<p><span lang=\"EN-US\">The <\/span><span><span lang=\"EN-US\">encrypted_none<\/span><\/span><span lang=\"EN-US\"> field in the figure is the result of encrypting the hardcoded string <\/span><span><span lang=\"EN-US\">None<\/span><\/span><span lang=\"EN-US\"> with RC4. The key for encryption is the MD5 hash of <\/span><span><span lang=\"EN-US\">node_id<\/span><\/span><span lang=\"EN-US\">.<\/span><\/p>\n<p><span lang=\"EN-US\">The URL used to contact the C&amp;C server is built as: <span>http:\/\/&lt;IP_or_domain&gt;:80<\/span>. This may indicate that <span>37.120.222[.]168:80<\/span> is the only C&amp;C server used throughout the Sponsoring Access campaign, as it was the only IP address we observed victim machines reaching out to on port 80.<\/span><\/p>\n<h5><span lang=\"EN-US\">Operator commands<\/span><\/h5>\n<p><span lang=\"EN-US\">Operator commands are delineated in <\/span><span lang=\"EN-US\">Table <span>5<\/span><\/span><span lang=\"EN-US\"> and appear in the order in which they are found in the code. Communication with the C&amp;C server occurs over port 80.<\/span><\/p>\n<p><span lang=\"EN-US\"><em>Table 5. 
Operator commands and descriptions<\/em><\/span><\/p>\n<p><span lang=\"EN-US\"><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"622\">\n<tbody>\n<tr>\n<td width=\"76\">\n<p><strong><span lang=\"EN-US\">Command<\/span><\/strong><\/p>\n<\/td>\n<td width=\"546\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">p<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Sends the process ID for the running Sponsor process.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">e<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Executes a command, as specified in a subsequent additional argument, on the Sponsor host using the following string:<\/span><\/p>\n<p><span><span lang=\"EN-US\">c:\\windows\\system32\\cmd.exe \/c<span><br \/>\n<\/span>&lt;cmd&gt;<span><br \/>\n<\/span>&gt; result.txt 2&gt;&amp;1<\/span><\/span><\/p>\n<p><span lang=\"EN-US\">Results are stored in <\/span><span><span lang=\"EN-US\">result.txt<\/span><\/span><span lang=\"EN-US\"> in the current working directory. Sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with the encrypted output to the C&amp;C server if successfully executed. If failed, sends an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message (without specifying the error).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">d<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Receives a file from the C&amp;C server and executes it. 
This command has many arguments: the target filename to write the file into, the MD5 hash of the file, a directory to write the file to (or the current working directory, by default), a Boolean to indicate whether to run the file or not, and the contents of the executable file, base64-encoded. If no errors occur, an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message is sent to the C&amp;C server with <\/span><span><span lang=\"EN-US\">Upload and execute file successfully<\/span><\/span><span lang=\"EN-US\"> or <\/span><span><span lang=\"EN-US\">Upload file successfully without execute<\/span><\/span><span lang=\"EN-US\"> (encrypted). If errors occur during execution of the file, an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message is sent. If the MD5 hash of the contents of the file does not match the provided hash, an <\/span><span><span lang=\"EN-US\">e<\/span><\/span><span lang=\"EN-US\"> (<\/span><span><span lang=\"EN-US\">CRC_ERROR<\/span><\/span><span lang=\"EN-US\">) message is sent to the C&amp;C server (including only the encryption key used, and no other information). The use of the term <\/span><span><span lang=\"EN-US\">Upload<\/span><\/span><span lang=\"EN-US\"> here is potentially confusing as the Ballistic Bobcat operators and coders take the point of view from the server side, whereas many might view this as a download based on the pulling of the file (i.e., downloading it) by the system using the Sponsor backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">u<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Attempts to download a file using the <\/span><span><span lang=\"EN-US\">URLDownloadFileW<\/span><\/span><span lang=\"EN-US\"> Windows API and execute it. 
Success sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with the encryption key used, and no other information. Failure sends an <\/span><span><span lang=\"EN-US\">f<\/span><\/span><span lang=\"EN-US\"> message with a similar structure. <\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">s<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Executes a file already on disk, <\/span><span><span lang=\"EN-US\">Uninstall.bat<\/span><\/span><span lang=\"EN-US\"> in the current working directory, that most likely contains commands to delete files related to the backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">n<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">This command can be explicitly supplied by an operator or can be inferred by Sponsor as the command to execute in the absence of any other command. Referred to within Sponsor as <\/span><span><span lang=\"EN-US\">NO_CMD<\/span><\/span><span lang=\"EN-US\">, it executes a randomized sleep before checking back in with the C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">b<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Updates the list of C&amp;Cs stored in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\"> in the current working directory. The new C&amp;C addresses replace the previous ones; they are not added to the list. 
It sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with <\/span><br \/><span><span lang=\"EN-US\">New relays replaced successfully<\/span><\/span><span lang=\"EN-US\"> (encrypted) to the C&amp;C server if successfully updated.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"76\">\n<p align=\"center\"><span><span lang=\"EN-US\">i<\/span><\/span><\/p>\n<\/td>\n<td width=\"546\">\n<p><span lang=\"EN-US\">Updates the predetermined check-in interval specified in <\/span><span><span lang=\"EN-US\">config.txt<\/span><\/span><span lang=\"EN-US\">. It sends an <\/span><span><span lang=\"EN-US\">a<\/span><\/span><span lang=\"EN-US\"> message with <\/span><span><span lang=\"EN-US\">New interval replaced successfully<\/span><\/span><span lang=\"EN-US\"> to the C&amp;C server if successfully updated.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><\/p>\n<h5><span lang=\"EN-US\">Updates to Sponsor<\/span><\/h5>\n<p><span lang=\"EN-US\">Ballistic Bobcat coders made code revisions between Sponsor v1 and v2. The two most significant changes in the latter are:<\/span><\/p>\n<ul>\n<li><span lang=\"EN-US\">Optimization of code where several longer functions were minimized into functions and subfunctions, and<\/span><\/li>\n<li><span lang=\"EN-US\">Disguising Sponsor as an updater program by including the following message in the service configuration:<\/span><\/li>\n<\/ul>\n<p><span><span lang=\"EN-US\">App updates are great for both app users and apps \u2013 updates mean that developers are always working on improving the app, keeping in mind a better customer experience with each update.<\/span><\/span><\/p>\n<h2><a><\/a><span lang=\"EN-US\">Network infrastructure<\/span><\/h2>\n<p><span lang=\"EN-US\">In addition to piggybacking on the C&amp;C infrastructure used in the PowerLess campaign, Ballistic Bobcat also introduced a new C&amp;C server. 
The group also utilized multiple IPs to store and deliver support tools during the Sponsoring Access campaign. We have confirmed that none of these IPs are in operation at this time.<\/span><\/p>\n<h2><a><\/a><span lang=\"EN-US\">Conclusion<\/span><\/h2>\n<p><span lang=\"EN-US\">Ballistic Bobcat continues to operate on a scan-and-exploit model, looking for targets of opportunity with unpatched vulnerabilities in internet-exposed Microsoft Exchange servers. The group continues to use a diverse open-source toolset supplemented with several custom applications, including its Sponsor backdoor. Defenders would be well advised to patch any internet-exposed devices and remain vigilant for new applications popping up within their organizations.<\/span><\/p>\n<blockquote>\n<p>For any inquiries about our research published on WeLiveSecurity, please contact us at <a href=\"mailto:threatintel@eset.com?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=autotagging&amp;utm_content=eset-research&amp;utm_term=en\">threatintel@eset.com<\/a>.<br \/>ESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service, visit the <a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor\/\">ESET Threat Intelligence<\/a> page.<\/p>\n<\/blockquote>\n<h2><a><\/a><span lang=\"EN-US\">IoCs<\/span><\/h2>\n<h3><span lang=\"EN-US\">Files<\/span><\/h3>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"622\">\n<tbody>\n<tr>\n<td width=\"179\">\n<p><strong><span lang=\"EN-US\">SHA-1<\/span><\/strong><\/p>\n<\/td>\n<td width=\"76\">\n<p><strong><span lang=\"EN-US\">Filename<\/span><\/strong><\/p>\n<\/td>\n<td width=\"161\">\n<p><strong><span lang=\"EN-US\">Detection<\/span><\/strong><\/p>\n<\/td>\n<td width=\"206\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">098B9A6CE722311553E1D8AC5849BA1DC5834C52<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v1).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">5AEE3C957056A8640041ABC108D0B8A3D7A02EBD<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v2).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">764EB6CA3752576C182FC19CFF3E86C38DD51475<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v3).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">2F3EDA9D788A35F4C467B63860E73C3B010529CC<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v4).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">E443DC53284537513C00818392E569C79328F56F<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/Agent.UXG<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Ballistic Bobcat backdoor, Sponsor (v5, aka Alumina).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">C4BC1A5A02F8AC3CF642880DC1FC3B1E46E4DA61<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">WinGo\/Agent.BT<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">RevSocks reverse tunnel.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">39AE8BA8C5280A09BA638DF4C9D64AC0F3F706B6<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">clean<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">ProcDump, a command line utility for monitoring applications and generating crash dumps.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">A200BE662CDC0ECE2A2C8FC4DBBC8C574D31848A<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Generik.EYWYQYF<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Mimikatz.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">5D60C8507AC9B840A13FFDF19E3315A3E14DE66A<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">WinGo\/Riskware.Gost.D<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">GO Simple Tunnel (GOST).<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">50CFB3CF1A0FE5EC2264ACE53F96FADFE99CC617<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">WinGo\/HackTool.Chisel.A<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Chisel reverse tunnel.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">1AAE62ACEE3C04A6728F9EDC3756FABD6E342252<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Host2IP discovery tool.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">519CA93366F1B1D71052C6CE140F5C80CE885181<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win64\/Packed.Enigma.BV<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">RevSocks tunnel, protected with the trial version of the Enigma Protector software protection.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">4709827C7A95012AB970BF651ED5183083366C79<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">Plink (PuTTY Link), a command line connection tool.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">99C7B5827DF89B4FAFC2B565ABED97C58A3C65B8<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">Win32\/PSWTool.WebBrowserPassView.I<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">A password recovery tool for passwords stored in web browsers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"179\">\n<p><span><span lang=\"EN-US\">E52AA118A59502790A4DD6625854BD93C0DEAF27<\/span><\/span><\/p>\n<\/td>\n<td width=\"76\">\n<p><span lang=\"EN-US\">N\/A<\/span><\/p>\n<\/td>\n<td width=\"161\">\n<p><span lang=\"EN-US\">MSIL\/HackTool.SQLDump.A<\/span><\/p>\n<\/td>\n<td width=\"206\">\n<p><span lang=\"EN-US\">A tool for interacting with, and extracting data from, SQL databases.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><span><span lang=\"EN-US\">File paths<\/span><\/span><\/h3>\n<p><span lang=\"EN-US\">The following is a list of paths where the Sponsor backdoor was deployed on victimized machines.<\/span><\/p>\n<p><span><span lang=\"EN-US\">%SYSTEMDRIVE%inetpubwwwrootaspnet_client<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%AppDataLocalTempfile<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%AppDataLocalTemp2low<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%Desktop<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%USERPROFILE%Downloadsa<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%INFMSExchange Delivery DSN<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%Tasks<\/span><\/span><\/p>\n<p><span><span lang=\"EN-US\">%WINDIR%Temp%WINDIR%Tempcrashpad1Files<\/span><\/span><\/p>\n<h2><a><\/a><span lang=\"EN-US\">Network<\/span><\/h2>\n<p><span><\/p>\n<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" width=\"643\">\n<tbody>\n<tr>\n<td width=\"151\">\n<p><strong><span lang=\"EN-US\">IP<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Provider<\/span><\/strong><\/p>\n<\/td>\n<td width=\"95\">\n<p><strong><span lang=\"EN-US\">First seen<\/span><\/strong><\/p>\n<\/td>\n<td width=\"94\">\n<p><strong><span lang=\"EN-US\">Last seen<\/span><\/strong><\/p>\n<\/td>\n<td width=\"189\">\n<p><strong><span lang=\"EN-US\">Details<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p><span><span lang=\"EN-US\">162.55.137[.]20<\/span><\/span><\/p>\n<\/td>\n<td 
width=\"113\">\n<p><span lang=\"EN-US\">Hetzner Online GMBH<\/span><\/p>\n<\/td>\n<td width=\"95\">\n<p><span lang=\"EN-US\">2021-06-14<\/span><\/p>\n<\/td>\n<td width=\"94\">\n<p><span lang=\"EN-US\">2021-06-15<\/span><\/p>\n<\/td>\n<td width=\"189\">\n<p><span lang=\"EN-US\">PowerLess C&amp;C.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p><span><span lang=\"EN-US\">37.120.222[.]168<\/span><\/span><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\">M247 LTD<\/span><\/p>\n<\/td>\n<td width=\"95\">\n<p><span lang=\"EN-US\">2021-11-28<\/span><\/p>\n<\/td>\n<td width=\"94\">\n<p><span lang=\"EN-US\">2021-12-12<\/span><\/p>\n<\/td>\n<td width=\"189\">\n<p><span lang=\"EN-US\">Sponsor C&amp;C.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p><span><span lang=\"EN-US\">198.144.189[.]74<\/span><\/span><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\">Colocrossing<\/span><\/p>\n<\/td>\n<td width=\"95\">\n<p><span lang=\"EN-US\">2021-11-29<\/span><\/p>\n<\/td>\n<td width=\"94\">\n<p><span lang=\"EN-US\">2021-11-29<\/span><\/p>\n<\/td>\n<td width=\"189\">\n<p><span lang=\"EN-US\">Support tools download site.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"151\">\n<p><span><span lang=\"EN-US\">5.255.97[.]172<\/span><\/span><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\">The Infrastructure Group B.V.<\/span><\/p>\n<\/td>\n<td width=\"95\">\n<p><span lang=\"EN-US\">2021-09-05<\/span><\/p>\n<\/td>\n<td width=\"94\">\n<p><span lang=\"EN-US\">2021-10-28<\/span><\/p>\n<\/td>\n<td width=\"189\">\n<p><span lang=\"EN-US\">Support tools download site.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/span><span lang=\"EN-US\"><br \/>\n<\/span><a><\/a><\/p>\n<h2>MITRE ATT&amp;CK techniques<\/h2>\n<p><span lang=\"EN-US\">This table was built using <a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 13<\/a> of the MITRE ATT&amp;CK framework<strong>.<\/strong><\/span><\/p>\n<div>\n<table border=\"1\" 
cellpadding=\"0\" cellspacing=\"0\" width=\"643\">\n<thead>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Tactic<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">ID<\/span><\/strong><\/p>\n<\/td>\n<td width=\"151\">\n<p><strong><span lang=\"EN-US\">Name<\/span><\/strong><\/p>\n<\/td>\n<td width=\"265\">\n<p><strong><span lang=\"EN-US\">Description<\/span><\/strong><\/p>\n<\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Reconnaissance<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1595\/\"><em>T1595<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Active Scanning: Vulnerability Scanning<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat scans for vulnerable versions of Microsoft Exchange Servers to exploit.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Resource Development<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1587\/001\/\"><em><span>T1587.001<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Develop Capabilities: Malware<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat designed and coded the Sponsor backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1588\/002\/\"><em><span>T1588.002<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Obtain Capabilities: Tool<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat uses various open-source tools as part of the Sponsoring Access campaign.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td 
width=\"113\">\n<p><strong><span lang=\"EN-US\">Initial Access<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1190\/\"><em><span>T1190<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Exploit Public-Facing Application<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat targets internet-exposed <span><br \/>\n<\/span>Microsoft Exchange Servers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"2\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Execution<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1059\/003\/\"><em><span>T1059.003<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Command and Scripting Interpreter: Windows Command Shell<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">The Sponsor backdoor uses the Windows command shell to execute commands on the victim\u2019s system.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1569\/002\/\"><em><span>T1569.002<\/span><\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">System Services: Service Execution<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">The Sponsor backdoor sets itself as a service and initiates its primary functions after the service is executed.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Persistence<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1543\/003\/\"><em>T1543.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Create or Modify System Process: Windows 
Service<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Sponsor maintains persistence by creating a service with automatic startup that executes its primary functions in a loop.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Privilege Escalation<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1078\/003\/\"><em>T1078.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Valid Accounts: Local Accounts<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat operators attempt to steal credentials of valid users after initially exploiting a system before deploying the Sponsor backdoor.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td rowspan=\"3\" width=\"113\">\n<p><strong><span lang=\"EN-US\">Defense Evasion<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1140\/\"><em>T1140<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Deobfuscate\/Decode Files or Information<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Sponsor stores information on disk that is encrypted and obfuscated, and deobfuscates it at runtime.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1027\/\"><em>T1027<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Obfuscated Files or Information<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Configuration files that the Sponsor backdoor requires on disk are encrypted and obfuscated.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a 
href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1078\/003\/\"><em>T1078.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Valid Accounts: Local Accounts<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Sponsor is executed with admin privileges, likely using credentials that operators found on disk; along with Ballistic Bobcat\u2019s innocuous naming conventions, this allows Sponsor to blend into the background.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Credential Access<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1555\/003\/\"><em>T1555.003<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Credentials from Password Stores: Credentials from Web Browsers<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat operators use open-source tools to steal credentials from password stores inside web browsers.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Discovery<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1018\/\"><em>T1018<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span lang=\"EN-US\">Remote System Discovery<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">Ballistic Bobcat uses the Host2IP tool, previously used by Agrius, to discover other systems within reachable networks and correlate their hostnames and IP addresses.<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"113\">\n<p><strong><span lang=\"EN-US\">Command and Control<\/span><\/strong><\/p>\n<\/td>\n<td width=\"113\">\n<p><span lang=\"EN-US\"><a href=\"https:\/\/attack.mitre.org\/versions\/v13\/techniques\/T1001\/\"><em>T1001<\/em><\/a><\/span><\/p>\n<\/td>\n<td width=\"151\">\n<p><span 
lang=\"EN-US\">Data Obfuscation<\/span><\/p>\n<\/td>\n<td width=\"265\">\n<p><span lang=\"EN-US\">The Sponsor backdoor obfuscates data before sending it to the C&amp;C server.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p><a href=\"https:\/\/www.eset.com\/int\/business\/services\/threat-intelligence\/?utm_source=welivesecurity.com&amp;utm_medium=referral&amp;utm_campaign=wls-research&amp;utm_content=sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor\/\"><img loading=\"lazy\" decoding=\"async\" alt=\"\" height=\"296\" src=\"https:\/\/web-assets.esetstatic.com\/wls\/2022\/12\/eset-threat-intelligence.png\" width=\"915\"><\/a><\/p>\n<p class=\"wls-source\"><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor\/\" rel=\"nofollow noopener\" target=\"_blank\">\u0427\u0438\u0442\u0430\u0442\u044c \u043f\u043e\u043b\u043d\u044b\u0439 \u0430\u043d\u0430\u043b\u0438\u0437 \u043d\u0430 WeLiveSecurity \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>ESET Research \u0440\u0430\u0441\u043a\u0440\u044b\u0432\u0430\u0435\u0442 \u043a\u0430\u043c\u043f\u0430\u043d\u0438\u044e Sponsoring Access, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u043d\u0435\u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0431\u044d\u043a\u0434\u043e\u0440 Ballistic Bobcat, \u043d\u0430\u0437\u0432\u0430\u043d\u043d\u044b\u0439 \u043d\u0430\u043c\u0438 
Sponsor<\/p>\n","protected":false},"author":5,"featured_media":8458,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2891],"tags":[],"class_list":["post-8460","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-issledovaniya-eset"],"acf":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/posts\/8460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/comments?post=8460"}],"version-history":[{"count":0,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/posts\/8460\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/media\/8458"}],"wp:attachment":[{"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/media?parent=8460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/categories?post=8460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.eset.ee\/et\/ru\/wp-json\/wp\/v2\/tags?post=8460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}