{"id":10417,"date":"2025-07-29T12:30:42","date_gmt":"2025-07-29T05:30:42","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10417"},"modified":"2026-02-05T12:30:49","modified_gmt":"2026-02-05T05:30:49","slug":"chien-dich-ma-doc-oyster-gia-cong-cu-it-phat-tan-qua-quang-cao-doc-hai","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/29\/chien-dich-ma-doc-oyster-gia-cong-cu-it-phat-tan-qua-quang-cao-doc-hai\/","title":{"rendered":"Oyster malware campaign impersonates IT tools, spreads through malicious ads"},"content":{"rendered":"<p><b>A malware distribution campaign using malicious advertising (malvertising) is surging in July 2025, aimed squarely at IT staff and system administrators. Its goal is to deliver a dangerous backdoor named Oyster, previously known under aliases such as Broomstick or CleanupLoader.<\/b><\/p>\n<p>According to experts from Arctic Wolf and CyberProof, the Oyster malware has returned with more sophisticated tactics. It impersonates well-known tools that IT admins download regularly, such as PuTTY, KeePass and WinSCP.<\/p>\n<p>The attackers use SEO poisoning and fake ads (malvertising) to push infected links to the top of Google or Bing results, so that users easily click on them by mistake.<\/p>\n<p>A typical case was found when a user downloaded the file \u201cPuTTY-setup.exe\u201d from the site &#8220;danielaurel. tv&#8221;. Although it looked like a legitimate file, it had in fact been implanted with malicious code.<\/p>\n<p>In a sandbox analysis environment (ANY.RUN), researchers found:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">The file was signed with a revoked digital certificate, yet many systems still trusted it without raising a warning.<\/li>\n<li data-xf-list-type=\"ul\">When run, the file installs an additional malicious DLL (\u201czqin.dll\u201d) on the system and launches it through rundll32.exe, a technique commonly used to evade antivirus detection.<\/li>\n<li data-xf-list-type=\"ul\">The malware also creates a Scheduled Task under the fake name \u201cFireFox Agent INC\u201d that re-runs the DLL every 3 minutes, keeping it active continuously, even after the user shuts down or logs out.<\/li>\n<\/ul>\n<p>Once a machine is infected, Oyster can:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Steal login credentials and passwords.<\/li>\n<li data-xf-list-type=\"ul\">Download additional malware onto the machine.<\/li>\n<li data-xf-list-type=\"ul\">Open a remote-control connection (remote shell).<\/li>\n<li data-xf-list-type=\"ul\">Send sensitive data to the hacker's server.<\/li>\n<\/ul>\n<p>Oyster is not just spyware; it is also a stepping stone for larger attacks, for example deploying ransomware such as Rhysida once the system has been breached.<\/p>\n<p>A worrying point is that the attackers abuse revoked code-signing certificates that some security products still accept. This trick is increasingly common and helps malware slip past the first layers of defence. It shows that many organisations still have no complete process for checking the trustworthiness of digital signatures, especially on ordinary endpoints.<\/p>\n<p>This campaign is not an isolated case. According to reports, systems infected with Oyster are typically exploited further to steal data and spread ransomware, causing major damage to businesses and individuals alike.<\/p>\n<p>When the targets are IT admins, a single wrong click can bring down the entire internal network.<\/p>\n<p>Experts offer a series of recommendations for prevention:<\/p>\n<ul>\n<li data-xf-list-type=\"ul\">Never download software from ads or search-result links, even when they look entirely plausible.<\/li>\n<li data-xf-list-type=\"ul\">Use only the software vendor's official site or a vetted internal repository.<\/li>\n<li data-xf-list-type=\"ul\">Organisations should reconfigure their code-signing validation so that revoked certificates are no longer trusted.<\/li>\n<li data-xf-list-type=\"ul\">Regularly monitor for unfamiliar Scheduled Tasks and for processes such as rundll32.exe loading non-system DLLs.<\/li>\n<li data-xf-list-type=\"ul\">Use an EDR (Endpoint Detection &amp; Response) solution capable of detecting DLL side-loading or anomalous behaviour.<\/li>\n<\/ul>\n<p>The Oyster campaign shows that hackers are becoming ever more sophisticated, proactively reaching skilled users through channels that seem safe: advertising, search, and familiar tools.<\/p>\n<p>This is a wake-up call for individuals and organisations alike: do not let the habit of downloading software \u201cthe quick way\u201d become the gateway through which hackers take control of the whole system.<\/p>\n<div style=\"text-align: right\"><i><b>WhiteHat<\/b><\/i><\/div>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/chien-dich-ma-doc-oyster-gia-cong-cu-it-phat-tan-qua-quang-cao-doc-hai.18610\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/chien-dich-ma-doc-oyster-gia-cong-cu-it-phat-tan-qua-quang-cao-doc-hai.18610\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A malware distribution campaign using malicious advertising (malvertising) is surging in July 2025, aimed squarely at IT staff and system administrators. Its goal is to deliver a dangerous backdoor named Oyster, previously known under aliases such as [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10417","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10417"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10417\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}