HazyBeacon: Malware abuses AWS Lambda to steal Southeast Asian government data

Published 16 July 2025 (updated 3 February 2026) at https://infosec.new88088.net/2025/07/16/hazybeacon-ma-doc-loi-dung-aws-lambda-de-danh-cap-du-lieu-chinh-phu-dong-nam-a/

A highly sophisticated cyber-espionage campaign is quietly targeting government agencies in Southeast Asia, using an entirely new Windows backdoor named HazyBeacon. The threat had not been documented before, which points to serious investment and clear objectives on the part of the group behind the campaign.

The campaign is tracked by Unit 42, the threat research team of Palo Alto Networks, under the identifier CL-STA-1020. According to initial analysis, its main objective is to collect sensitive information about tariff policy, trade disputes and national strategic direction. As Southeast Asia plays a growing role in global supply chains and has become a hotspot of competition between major powers, particularly the United States and China, the region has emerged as an attractive target for espionage aimed at gaining economic, military and foreign-policy advantage.

HazyBeacon's initial access vector has not yet been determined with certainty. Technical evidence, however, indicates that the attackers used DLL side-loading, a common but highly effective technique in targeted campaigns. Specifically, the malware drops a malicious DLL named mscorsvc.dll into the same directory as the legitimate Windows executable mscorsvw.exe. When that legitimate process starts, the malicious DLL is loaded alongside it and quietly establishes a connection to an attacker-controlled command-and-control server. Over this channel the attacker can execute commands remotely, deploy additional payloads and extend their control. For long-term persistence, HazyBeacon also creates a system service that starts automatically with the operating system, ensuring the malware is running after every reboot.

What makes HazyBeacon particularly dangerous is how it sets up its control channel. Instead of traditional C2 infrastructure, the malware abuses AWS Lambda URLs, a legitimate feature of Amazon's cloud ecosystem that allows serverless functions to be invoked over HTTPS. Riding on a legitimate and widely used service such as AWS lets the malware's control traffic blend in with valid connections, making detection considerably harder. To many monitoring systems these connections look no different from normal enterprise application activity.

Given this trend, security experts recommend paying particular attention to outbound traffic to uncommon domains such as *.lambda-url.*.amazonaws.com, especially when those connections originate from unusual processes or system services of unknown origin. Monitoring based purely on IP addresses or domain names is no longer sufficient. Organisations should instead adopt context-based detection, including analysis of parent-child process chains, tracking of execution relationships between processes and real-time monitoring of endpoint behaviour. These techniques make it possible to distinguish legitimate connections to AWS Lambda from a disguised control channel set up by malware.

Beyond its backdoor functionality, HazyBeacon also downloads a dedicated data-collection module. This module can scan for and filter common document types such as doc, docx, xls, xlsx and pdf within a specified time window, looking for files that contain sensitive information. Notably, some of the targeted data relates directly to new United States tariff policies. After collection, the attackers attempted to exfiltrate the data through familiar cloud storage platforms such as Google Drive and Dropbox. Abusing these popular services makes the malicious traffic hard to tell apart from legitimate user activity. In the case analysed by Unit 42 the exfiltration was blocked, but it still clearly reflects the attackers' sophisticated tactics.

Once its tasks are complete, HazyBeacon runs cleanup commands to remove traces, including temporary files and intermediate payloads. In Unit 42's assessment, HazyBeacon plays a key role in maintaining long-term presence and supporting data theft at the targeted organisations. The campaign is a clear example of the "living off trusted services" (LOTS) trend, in which threat groups increasingly abuse legitimate cloud services such as AWS, Google Workspace, Microsoft Teams and Dropbox to evade traditional defences and prolong their time hidden inside victim networks.