{"id":10453,"date":"2025-07-23T12:33:57","date_gmt":"2025-07-23T05:33:57","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10453"},"modified":"2026-02-05T12:34:04","modified_gmt":"2026-02-05T05:34:04","slug":"lazarus-phat-tan-ma-doc-golangghost-bang-ky-thuat-clickfix-trong-chien-dich-moi","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/23\/lazarus-phat-tan-ma-doc-golangghost-bang-ky-thuat-clickfix-trong-chien-dich-moi\/","title":{"rendered":"Lazarus distributes GolangGhost malware using the ClickFix technique in a new campaign"},"content":{"rendered":"<p><b>A sophisticated cyber-espionage campaign run by an advanced threat cluster within the Lazarus Group has just been exposed by the Sekoia Threat Detection and Response (TDR) team. The campaign, named \u201cClickFake Interview\u201d, uses a targeted social-engineering technique called ClickFix to distribute the GolangGhost malware, aiming at organizations in the cryptocurrency and technology sectors.<\/b><\/p>\n<p>ClickFake Interview is a social-engineering tactic that deceives victims by impersonating a recruitment and job-interview process. The attackers craft messages posing as recruiters and lure users into interacting with documents or links containing malware under the pretext of preparing for the interview. This campaign is part of an attack series named \u201cContagiousInterview\u201d, reflecting a shift in Lazarus's exploitation strategy toward targets in the rapidly growing digital-asset ecosystem.<\/p>\n<p>At the core of the campaign is the ClickFix technique, a multi-stage exploitation process designed for persistence and evasion. The chain typically begins with a decoy file carrying an embedded malicious component (malicious embed), then uses intermediate loaders such as PowerShell scripts, Office macros or shortcut files to bypass defenses. Once triggered, the malware uses staged payload delivery, in which the shellcode or dropper is stored encrypted and decrypted at runtime, and then deploys GolangGhost silently while avoiding behavioral recording by sandboxes.<\/p>\n<p>GolangGhost is a backdoor implant written in the Go programming language to maximize cross-platform operation, supporting Windows, Linux and macOS. The malware communicates with its command-and-control (C2) server over an encrypted channel and integrates dynamically loadable modules, enabling remote functions such as executing system commands, stealing sensitive information, collecting files, scanning the internal network and moving laterally within enterprise environments. Beyond its modular design, the malware also uses code obfuscation, mimics normal behavior and avoids the API hooks commonly used by monitoring systems.<\/p>\n<p>The ContagiousInterview campaign reflects a significant evolution in the Lazarus Group's tactics, techniques and procedures (TTPs). Combining a social-engineering element with a complex malware-deployment mechanism like ClickFix raises the infection success rate while reducing the chance of early detection. The focus on organizations and individuals in the cryptocurrency sector shows that financial and strategic-intelligence motives remain central for this group.<\/p>\n<p>Commenting on the discovery, a WhiteHat expert said: \u201cClickFix is essentially an exploitation chain that combines social engineering with intermediate exploitation techniques. Lazarus uses a staged execution model to keep sandboxes from recording the full behavior. The GolangGhost malware shows clear investment, with modular capabilities and resistance to reverse engineering through code obfuscation and API-hook evasion. ClickFix is not just a delivery method; it is a deliberate, scripted fraud process that adapts closely to user behavior. This is a clear sign that Lazarus is investing heavily in both technical tradecraft and exploitation of the human factor.\u201d<\/p>\n<p>Sekoia's in-depth analysis not only sheds light on the new attack method but also gives a comprehensive view of how the attackers combine social manipulation with advanced programming techniques to get past traditional security barriers. Organizations operating in the crypto, fintech and technology sectors are advised to strengthen email filtering, deploy robust EDR solutions and step up awareness training on new-style spear-phishing such as ClickFake Interview.<\/p>\n<p>The emergence of ClickFix and GolangGhost shows Lazarus adjusting its attack techniques to be both more customizable and better at evading behavioral-analysis defenses. Defensive teams should focus on detecting dynamic loading, monitoring abnormal processes, controlling the abuse of remote-administration tools and strengthening incident response at the human level, which remains the link most easily exploited by both APT groups and cybercriminal organizations.<\/p>\n<div style=\"text-align: right\"><b><i>Source: Cyber Press and WhiteHat<\/i><\/b><\/div>\n<div style=\"text-align: right;margin-top: 16px\"><i>Source: <a href=\"https:\/\/whitehat.vn\/threads\/lazarus-phat-tan-ma-doc-golangghost-bang-ky-thuat-clickfix-trong-chien-dich-moi.18592\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/whitehat.vn\/threads\/lazarus-phat-tan-ma-doc-golangghost-bang-ky-thuat-clickfix-trong-chien-dich-moi.18592\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A sophisticated cyber-espionage campaign run by an advanced threat cluster within the Lazarus Group has just been exposed by the Sekoia Threat Detection and Response (TDR) team. The campaign, named \u201cClickFake Interview\u201d, uses a targeted social-engineering technique called ClickFix to distribute the GolangGhost malware, [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10453","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10453"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10453\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}