{"id":10455,"date":"2025-07-22T12:34:07","date_gmt":"2025-07-22T05:34:07","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10455"},"modified":"2026-02-05T12:34:15","modified_gmt":"2026-02-05T05:34:15","slug":"chien-dich-ma-doc-deerstealer-khi-tep-shortcut-vo-hai-tro-thanh-cong-cu-danh-cap-du-lieu","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/22\/chien-dich-ma-doc-deerstealer-khi-tep-shortcut-vo-hai-tro-thanh-cong-cu-danh-cap-du-lieu\/","title":{"rendered":"Chi\u1ebfn d\u1ecbch m\u00e3 \u0111\u1ed9c DeerStealer: Khi t\u1ec7p shortcut v\u00f4 h\u1ea1i tr\u1edf th\u00e0nh c\u00f4ng c\u1ee5 \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u"},"content":{"rendered":"
M\u1ed9t chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng m\u1ea1ng m\u1edbi v\u1eeba b\u1ecb c\u00e1c chuy\u00ean gia an ninh m\u1ea1ng ph\u00e1t hi\u1ec7n, s\u1eed d\u1ee5ng t\u1ec7p shortcut Windows (.LNK) t\u01b0\u1edfng ch\u1eebng v\u00f4 h\u1ea1i, \u0111\u1ec3 ph\u00e1t t\u00e1n m\u00e3 \u0111\u1ed9c \u0111\u00e1nh c\u1eafp th\u00f4ng tin DeerStealer<\/b>. Chi\u1ebfn d\u1ecbch n\u00e0y kh\u00f4ng ch\u1ec9 tinh vi v\u1ec1 m\u1eb7t k\u1ef9 thu\u1eadt m\u00e0 c\u00f2n \u0111\u00e1nh tr\u00fang v\u00e0o m\u1ed9t l\u1ed7 h\u1ed5ng l\u1edbn trong h\u00e0nh vi ng\u01b0\u1eddi d\u00f9ng, th\u00f3i quen m\u1edf c\u00e1c t\u1ec7p \u201cb\u00e1o c\u00e1o\u201d, \u201c\u0111\u01a1n h\u00e0ng\u201d hay \u201ch\u00f3a \u0111\u01a1n\u201d \u0111\u01b0\u1ee3c g\u1eedi k\u00e8m qua email m\u00e0 kh\u00f4ng ki\u1ec3m tra k\u1ef9.<\/b>
\n\u200b<\/div>\n
\n
\"1753175199674.png\"<\/div>\n<\/div>\n
\nHi\u1ec7n ch\u01b0a c\u00f3 nh\u00f3m t\u1ea5n c\u00f4ng c\u1ee5 th\u1ec3 n\u00e0o \u0111\u1ee9ng ra nh\u1eadn tr\u00e1ch nhi\u1ec7m cho chi\u1ebfn d\u1ecbch ph\u00e1t t\u00e1n DeerStealer. Tuy nhi\u00ean, m\u1ee9c \u0111\u1ed9 tinh vi c\u1ee7a c\u00e1c k\u1ef9 thu\u1eadt \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng cho th\u1ea5y \u0111\u00e2y l\u00e0 m\u1ed9t chi\u1ebfn d\u1ecbch \u0111\u01b0\u1ee3c \u0111\u1ea7u t\u01b0 b\u00e0i b\u1ea3n, c\u00f3 ch\u1ee7 \u0111\u00edch v\u00e0 nh\u1eafm v\u00e0o c\u00e1c c\u00e1 nh\u00e2n ho\u1eb7c t\u1ed5 ch\u1ee9c s\u1edf h\u1eefu d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m, nh\u01b0: T\u00e0i kho\u1ea3n m\u1ea1ng x\u00e3 h\u1ed9i, v\u00ed ti\u1ec1n \u0111i\u1ec7n t\u1eed, t\u00e0i kho\u1ea3n email ho\u1eb7c d\u1eef li\u1ec7u n\u1ed9i b\u1ed9 c\u00f4ng ty.<\/p>\n

Cu\u1ed9c t\u1ea5n c\u00f4ng b\u1eaft \u0111\u1ea7u b\u1eb1ng m\u1ed9t t\u1ec7p shortcut c\u00f3 t\u00ean nh\u01b0 \u201cReport.lnk\u201d \u0111\u01b0\u1ee3c ng\u1ee5y trang d\u01b0\u1edbi d\u1ea1ng b\u00e1o c\u00e1o hay t\u00e0i li\u1ec7u. Khi ng\u01b0\u1eddi d\u00f9ng nh\u1ea5p (click) v\u00e0o, t\u1eadp tin n\u00e0y \u00e2m th\u1ea7m k\u00edch ho\u1ea1t m\u1ed9t c\u00f4ng c\u1ee5 c\u00f3 s\u1eb5n trong Windows l\u00e0 “mshta.exe” (v\u1ed1n d\u00f9ng \u0111\u1ec3 ch\u1ea1y c\u00e1c \u1ee9ng d\u1ee5ng HTML) \u0111\u1ec3 th\u1ef1c thi c\u00e1c \u0111o\u1ea1n m\u00e3 \u0111\u1ed9c \u0111\u01b0\u1ee3c \u1ea9n gi\u1ea5u b\u00ean trong.<\/p>\n

Qu\u00e1 tr\u00ecnh n\u00e0y kh\u00f4ng d\u1eebng l\u1ea1i \u1edf \u0111\u00f3. Mshta kh\u1edfi ch\u1ea1y ti\u1ebfp “cmd.exe” r\u1ed3i \u0111\u1ebfn PowerShell, n\u01a1i h\u00e0ng lo\u1ea1t m\u00e3 \u0111\u1ed9c \u0111\u01b0\u1ee3c gi\u1ea3i m\u00e3 t\u1eebng b\u01b0\u1edbc t\u1eeb d\u1ea1ng m\u00e3 h\u00f3a Base64. Th\u1eadm ch\u00ed, c\u00e1c \u0111o\u1ea1n script c\u00f2n \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf \u0111\u1ec3 t\u1eaft t\u00ednh n\u0103ng ghi nh\u1eadt k\u00fd v\u00e0 theo d\u00f5i h\u00e0nh vi c\u1ee7a PowerShell, khi\u1ebfn vi\u1ec7c ph\u00e1t hi\u1ec7n g\u1ea7n nh\u01b0 kh\u00f4ng th\u1ec3 b\u1eb1ng c\u00e1c c\u00f4ng c\u1ee5 b\u1ea3o m\u1eadt th\u00f4ng th\u01b0\u1eddng.<\/p>\n

M\u1ed9t trong nh\u1eefng chi\u00eau th\u1ee9c \u0111\u00e1nh l\u1eeba ng\u01b0\u1eddi d\u00f9ng tinh vi nh\u1ea5t c\u1ee7a chi\u1ebfn d\u1ecbch n\u00e0y l\u00e0 ngay sau khi nh\u1ea5p m\u1edf t\u1ec7p “.LNK”, m\u1ed9t t\u00e0i li\u1ec7u PDF gi\u1ea3 s\u1ebd \u0111\u01b0\u1ee3c t\u1ea3i v\u1ec1 v\u00e0 m\u1edf b\u1eb1ng Adobe Reader. Trong l\u00fac ng\u01b0\u1eddi d\u00f9ng \u0111ang xem t\u00e0i li\u1ec7u, m\u00e3 \u0111\u1ed9c DeerStealer \u0111\u00e3 \u00e2m th\u1ea7m \u0111\u01b0\u1ee3c ghi v\u00e0o th\u01b0 m\u1ee5c %AppData% v\u00e0 k\u00edch ho\u1ea1t trong n\u1ec1n.<\/p>\n

C\u00e1c \u0111\u1ecba ch\u1ec9 t\u1ea3i m\u00e3 \u0111\u1ed9c \u0111\u01b0\u1ee3c t\u1ea1o t\u1eeb chu\u1ed7i k\u00fd t\u1ef1 b\u1ecb x\u00e1o tr\u1ed9n, gi\u00fap ch\u00fang tr\u00e1nh \u0111\u01b0\u1ee3c c\u00e1c c\u00f4ng c\u1ee5 l\u1ecdc d\u1ef1a tr\u00ean ch\u1ec9 s\u1ed1 IOC (Indicators of Compromise). Th\u1eadm ch\u00ed, m\u00e3 \u0111\u1ed9c c\u00f2n ki\u1ec3m tra v\u1ecb tr\u00ed ch\u00ednh x\u00e1c c\u1ee7a mshta.exe tr\u00ean t\u1eebng m\u00e1y b\u1ecb l\u00e2y nhi\u1ec5m thay v\u00ec d\u00f9ng \u0111\u01b0\u1eddng d\u1eabn c\u1ed1 \u0111\u1ecbnh, khi\u1ebfn vi\u1ec7c ph\u00e1t hi\u1ec7n c\u00e0ng th\u00eam kh\u00f3 kh\u0103n.<\/p>\n

C\u00e1c nh\u00e0 nghi\u00ean c\u1ee9u t\u1eeb n\u1ec1n t\u1ea3ng ph\u00e2n t\u00edch m\u00e3 \u0111\u1ed9c “ANY.RUN” \u0111\u00e3 theo d\u00f5i to\u00e0n b\u1ed9 chu\u1ed7i t\u1ea5n c\u00f4ng theo th\u1eddi gian th\u1ef1c v\u00e0 cho bi\u1ebft:\u200b<\/p><\/div>\n