{"id":10483,"date":"2025-07-16T12:36:39","date_gmt":"2025-07-16T05:36:39","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10483"},"modified":"2026-02-05T12:36:46","modified_gmt":"2026-02-05T05:36:46","slug":"ma-doc-interlock-rat-tro-lai-voi-phien-ban-php-mat-na-moi-cua-trojan-nguy-hiem","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/16\/ma-doc-interlock-rat-tro-lai-voi-phien-ban-php-mat-na-moi-cua-trojan-nguy-hiem\/","title":{"rendered":"M\u00e3 \u0111\u1ed9c Interlock RAT tr\u1edf l\u1ea1i v\u1edbi phi\u00ean b\u1ea3n PHP, \u201cm\u1eb7t n\u1ea1\u201d m\u1edbi c\u1ee7a Trojan nguy hi\u1ec3m"},"content":{"rendered":"
Trong nh\u1eefng ng\u00e0y g\u1ea7n \u0111\u00e2y, c\u00e1c chuy\u00ean gia an ninh m\u1ea1ng \u0111\u00e3 ph\u00e1t hi\u1ec7n m\u1ed9t bi\u1ebfn th\u1ec3 m\u1edbi c\u1ef1c k\u1ef3 nguy hi\u1ec3m c\u1ee7a m\u00e3 \u0111\u1ed9c Interlock RAT – m\u1ed9t lo\u1ea1i ph\u1ea7n m\u1ec1m gi\u00e1n \u0111i\u1ec7p cho ph\u00e9p tin t\u1eb7c \u0111i\u1ec1u khi\u1ec3n m\u00e1y t\u00ednh c\u1ee7a n\u1ea1n nh\u00e2n t\u1eeb xa. \u0110\u00e1ng ch\u00fa \u00fd, bi\u1ebfn th\u1ec3 m\u1edbi n\u00e0y \u0111\u01b0\u1ee3c vi\u1ebft b\u1eb1ng ng\u00f4n ng\u1eef PHP v\u00e0 s\u1eed d\u1ee5ng nhi\u1ec1u th\u1ee7 thu\u1eadt tinh vi \u0111\u1ec3 \u0111\u00e1nh l\u1eeba ng\u01b0\u1eddi d\u00f9ng v\u00e0 v\u01b0\u1ee3t qua c\u00e1c h\u1ec7 th\u1ed1ng b\u1ea3o m\u1eadt truy\u1ec1n th\u1ed1ng.<\/b>
\n\u200b<\/div>\n
\"ransomware.jpg\"<\/a>\u200b<\/div>\n
\nInterlock RAT l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 \u0111i\u1ec1u khi\u1ec3n t\u1eeb xa (Remote Access Trojan) \u0111\u01b0\u1ee3c nh\u00f3m tin t\u1eb7c Interlock ph\u00e1t tri\u1ec3n, t\u1eebng \u0111\u01b0\u1ee3c bi\u1ebft \u0111\u1ebfn trong nhi\u1ec1u chi\u1ebfn d\u1ecbch t\u1ea5n c\u00f4ng tr\u01b0\u1edbc \u0111\u00e2y. N\u00f3 cho ph\u00e9p k\u1ebb x\u1ea5u ki\u1ec3m so\u00e1t ho\u00e0n to\u00e0n m\u00e1y t\u00ednh c\u1ee7a n\u1ea1n nh\u00e2n: Theo d\u00f5i, l\u1ea5y c\u1eafp d\u1eef li\u1ec7u, c\u00e0i \u0111\u1eb7t th\u00eam ph\u1ea7n m\u1ec1m \u0111\u1ed9c h\u1ea1i, th\u1eadm ch\u00ed m\u1edf \u0111\u01b0\u1eddng cho c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ransomware.<\/p>\n

Bi\u1ebfn th\u1ec3 m\u1edbi nh\u1ea5t, \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n trong th\u00e1ng 7\/2025, \u0111\u00e3 chuy\u1ec3n t\u1eeb ng\u00f4n ng\u1eef JavaScript sang PHP – \u0111i\u1ec1u n\u00e0y gi\u00fap m\u00e3 \u0111\u1ed9c tr\u1edf n\u00ean kh\u00f3 b\u1ecb ph\u00e1t hi\u1ec7n h\u01a1n trong m\u00f4i tr\u01b0\u1eddng Windows, n\u01a1i PHP \u00edt khi \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng l\u00e0m ng\u00f4n ng\u1eef l\u1eadp tr\u00ecnh \u1ee9ng d\u1ee5ng.<\/p>\n

C\u00e1ch t\u1ea5n c\u00f4ng c\u1ee7a bi\u1ebfn th\u1ec3 Interlock RAT m\u1edbi r\u1ea5t tinh vi nh\u01b0ng l\u1ea1i \u0111\u00e1nh v\u00e0o th\u00f3i quen b\u1ea5t c\u1ea9n c\u1ee7a ng\u01b0\u1eddi d\u00f9ng. Tin t\u1eb7c \u0111\u1ea7u ti\u00ean s\u1ebd ch\u00e8n m\u1ed9t \u0111o\u1ea1n m\u00e3 \u0111\u1ed9c v\u00e0o c\u00e1c trang web b\u1ecb x\u00e2m nh\u1eadp, \u0111\u1eb7c bi\u1ec7t l\u00e0 c\u00e1c trang WordPress s\u1eed d\u1ee5ng plugin n\u1ed5i ti\u1ebfng nh\u01b0 GravityForms. Khi ng\u01b0\u1eddi d\u00f9ng truy c\u1eadp trang web, h\u1ecd s\u1ebd b\u1ecb chuy\u1ec3n h\u01b0\u1edbng \u0111\u1ebfn m\u1ed9t trang gi\u1ea3 m\u1ea1o CAPTCHA \u2013 m\u1ed9t ki\u1ec3u ki\u1ec3m tra th\u01b0\u1eddng th\u1ea5y \u0111\u1ec3 x\u00e1c nh\u1eadn ng\u01b0\u1eddi d\u00f9ng kh\u00f4ng ph\u1ea3i robot.<\/p>\n

T\u1ea1i \u0111\u00e2y, n\u1ea1n nh\u00e2n \u0111\u01b0\u1ee3c y\u00eau c\u1ea7u sao ch\u00e9p v\u00e0 d\u00e1n m\u1ed9t \u0111o\u1ea1n m\u00e3 v\u00e0o h\u1ed9p tho\u1ea1i \u201cRun\u201d (ch\u1ea1y l\u1ec7nh) tr\u00ean m\u00e1y t\u00ednh Windows \u0111\u1ec3 “x\u00e1c minh danh t\u00ednh”. Tuy nhi\u00ean, th\u1ef1c ch\u1ea5t \u0111o\u1ea1n m\u00e3 \u0111\u00f3 l\u00e0 m\u1ed9t l\u1ec7nh PowerShell s\u1ebd t\u1ea3i xu\u1ed1ng v\u00e0 c\u00e0i \u0111\u1eb7t m\u00e3 \u0111\u1ed9c v\u00e0o m\u00e1y.<\/p>\n

Sau khi \u0111\u01b0\u1ee3c c\u00e0i \u0111\u1eb7t, Interlock RAT b\u1eaft \u0111\u1ea7u qu\u00e1 tr\u00ecnh thu th\u1eadp d\u1eef li\u1ec7u: Th\u00f4ng tin h\u1ec7 \u0111i\u1ec1u h\u00e0nh, ng\u01b0\u1eddi d\u00f9ng, c\u00e1c ch\u01b0\u01a1ng tr\u00ecnh \u0111ang ch\u1ea1y, c\u00e1c d\u1ecbch v\u1ee5 tr\u00ean h\u1ec7 th\u1ed1ng, m\u1ea1ng n\u1ed9i b\u1ed9\u2026 To\u00e0n b\u1ed9 th\u00f4ng tin \u0111\u01b0\u1ee3c g\u1eedi ng\u01b0\u1ee3c v\u1ec1 m\u00e1y ch\u1ee7 \u0111i\u1ec1u khi\u1ec3n (C2 server) do tin t\u1eb7c ki\u1ec3m so\u00e1t.<\/p>\n

\u0110\u1ec3 che gi\u1ea5u ho\u1ea1t \u0111\u1ed9ng n\u00e0y, RAT s\u1eed d\u1ee5ng m\u1ed9t c\u00f4ng c\u1ee5 mang t\u00ean Cloudflare Tunnel – cho ph\u00e9p k\u1ebft n\u1ed1i ra ngo\u00e0i Internet m\u00e0 kh\u00f4ng b\u1ecb c\u00e1c h\u1ec7 th\u1ed1ng t\u01b0\u1eddng l\u1eeda n\u1ed9i b\u1ed9 ch\u1eb7n l\u1ea1i. N\u1ebfu c\u00e1ch n\u00e0y th\u1ea5t b\u1ea1i, n\u00f3 s\u1ebd t\u1ef1 \u0111\u1ed9ng chuy\u1ec3n sang s\u1eed d\u1ee5ng \u0111\u1ecba ch\u1ec9 IP d\u1ef1 ph\u00f2ng \u0111\u00e3 \u0111\u01b0\u1ee3c l\u1eadp tr\u00ecnh s\u1eb5n.<\/p>\n

RAT c\u00f2n c\u00f3 kh\u1ea3 n\u0103ng t\u1ef1 duy tr\u00ec tr\u00ean m\u00e1y, th\u1ef1c thi th\u00eam c\u00e1c \u0111o\u1ea1n m\u00e3, th\u00e2m nh\u1eadp v\u00e0o c\u00e1c m\u00e1y t\u00ednh kh\u00e1c trong c\u00f9ng m\u1ea1ng, m\u1edf \u0111\u01b0\u1eddng cho c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u1ebfp theo nh\u01b0 \u0111\u00e1nh c\u1eafp t\u00e0i kho\u1ea3n, ph\u00e1 ho\u1ea1i h\u1ec7 th\u1ed1ng ho\u1eb7c m\u00e3 h\u00f3a d\u1eef li\u1ec7u \u0111\u1ec3 \u0111\u00f2i ti\u1ec1n chu\u1ed9c.<\/p>\n

\u0110i\u1ec1u khi\u1ebfn bi\u1ebfn th\u1ec3 PHP c\u1ee7a Interlock RAT tr\u1edf n\u00ean \u0111\u1eb7c bi\u1ec7t nguy hi\u1ec3m l\u00e0:\u200b<\/p><\/div>\n