{"id":10487,"date":"2025-07-16T12:37:00","date_gmt":"2025-07-16T05:37:00","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10487"},"modified":"2026-02-05T12:37:08","modified_gmt":"2026-02-05T05:37:08","slug":"hazybeacon-ma-doc-loi-dung-aws-lambda-de-danh-cap-du-lieu-chinh-phu-dong-nam-a-2","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/16\/hazybeacon-ma-doc-loi-dung-aws-lambda-de-danh-cap-du-lieu-chinh-phu-dong-nam-a-2\/","title":{"rendered":"HazyBeacon: M\u00e3 \u0111\u1ed9c l\u1ee3i d\u1ee5ng AWS Lambda \u0111\u1ec3 \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u ch\u00ednh ph\u1ee7 \u0110\u00f4ng Nam \u00c1"},"content":{"rendered":"

M\u1ed9t chi\u1ebfn d\u1ecbch gi\u00e1n \u0111i\u1ec7p m\u1ea1ng tinh vi \u0111ang \u00e2m th\u1ea7m nh\u1eafm v\u00e0o c\u00e1c c\u01a1 quan ch\u00ednh ph\u1ee7 t\u1ea1i \u0110\u00f4ng Nam \u00c1 b\u1eb1ng m\u00e3 \u0111\u1ed9c c\u1eeda h\u1eadu ch\u01b0a t\u1eebng \u0111\u01b0\u1ee3c ghi nh\u1eadn tr\u01b0\u1edbc \u0111\u00e2y tr\u00ean Windows, c\u00f3 t\u00ean HazyBeacon.<\/b><\/p>\n

\n
\"HazyBeacon.png\"<\/div>\n<\/div>\n

Chi\u1ebfn d\u1ecbch n\u00e0y \u0111\u01b0\u1ee3c theo d\u00f5i b\u1edfi nh\u00f3m Unit 42 c\u1ee7a Palo Alto Networks v\u1edbi m\u00e3 \u0111\u1ecbnh danh CL-STA-1020, nh\u1eafm \u0111\u1ebfn vi\u1ec7c \u0111\u00e1nh c\u1eafp c\u00e1c th\u00f4ng tin m\u1eadt li\u00ean quan \u0111\u1ebfn ch\u00ednh s\u00e1ch thu\u1ebf quan, tranh ch\u1ea5p th\u01b0\u01a1ng m\u1ea1i v\u00e0 \u0111\u1ecbnh h\u01b0\u1edbng chi\u1ebfn l\u01b0\u1ee3c qu\u1ed1c gia. Trong b\u1ed1i c\u1ea3nh \u0110\u00f4ng Nam \u00c1 ng\u00e0y c\u00e0ng tr\u1edf th\u00e0nh t\u00e2m \u0111i\u1ec3m c\u1ea1nh tranh gi\u1eefa c\u00e1c c\u01b0\u1eddng qu\u1ed1c, \u0111\u1eb7c bi\u1ec7t l\u00e0 M\u1ef9 v\u00e0 Trung Qu\u1ed1c, khu v\u1ef1c n\u00e0y \u0111\u00e3 n\u1ed5i l\u00ean nh\u01b0 m\u1ed9t m\u1ee5c ti\u00eau h\u1ea5p d\u1eabn c\u1ee7a c\u00e1c chi\u1ebfn d\u1ecbch do th\u00e1m nh\u1eb1m chi\u1ebfm l\u1ee3i th\u1ebf trong th\u01b0\u01a1ng m\u1ea1i, qu\u00e2n s\u1ef1 v\u00e0 ch\u00ednh s\u00e1ch \u0111\u1ed1i ngo\u1ea1i to\u00e0n c\u1ea7u.<\/p>\n

Hi\u1ec7n ch\u01b0a x\u00e1c \u0111\u1ecbnh r\u00f5 c\u00e1ch th\u1ee9c m\u00e0 HazyBeacon x\u00e2m nh\u1eadp v\u00e0o h\u1ec7 th\u1ed1ng, nh\u01b0ng b\u1eb1ng ch\u1ee9ng cho th\u1ea5y nh\u00f3m t\u1ea5n c\u00f4ng s\u1eed d\u1ee5ng k\u1ef9 thu\u1eadt DLL side-loading. M\u00e3 \u0111\u1ed9c c\u00e0i m\u1ed9t phi\u00ean b\u1ea3n DLL \u0111\u1ed9c h\u1ea1i c\u00f3 t\u00ean mscorsvc.dll<\/i> c\u00f9ng v\u1edbi t\u1eadp tin th\u1ef1c thi h\u1ee3p ph\u00e1p c\u1ee7a Windows l\u00e0 mscorsvw.exe<\/i>. Khi \u0111\u01b0\u1ee3c k\u00edch ho\u1ea1t, DLL \u0111\u1ed9c h\u1ea1i thi\u1ebft l\u1eadp k\u1ebft n\u1ed1i \u0111\u1ebfn m\u00e1y ch\u1ee7 \u0111i\u1ec1u khi\u1ec3n do k\u1ebb t\u1ea5n c\u00f4ng ki\u1ec3m so\u00e1t, cho ph\u00e9p th\u1ef1c thi c\u00e1c l\u1ec7nh t\u00f9y \u00fd v\u00e0 t\u1ea3i th\u00eam payload xu\u1ed1ng thi\u1ebft b\u1ecb b\u1ecb x\u00e2m nh\u1eadp. \u0110\u1ec3 \u0111\u1ea3m b\u1ea3o t\u1ed3n t\u1ea1i l\u00e2u d\u00e0i tr\u00ean h\u1ec7 th\u1ed1ng, m\u00e3 \u0111\u1ed9c thi\u1ebft l\u1eadp m\u1ed9t d\u1ecbch v\u1ee5 t\u1ef1 kh\u1edfi \u0111\u1ed9ng l\u1ea1i c\u00f9ng h\u1ec7 \u0111i\u1ec1u h\u00e0nh.<\/p>\n

\u0110i\u1ec3m n\u1ed5i b\u1eadt khi\u1ebfn HazyBeacon tr\u1edf n\u00ean nguy hi\u1ec3m l\u00e0 vi\u1ec7c n\u00f3 s\u1eed d\u1ee5ng AWS Lambda URLs<\/i> l\u00e0m k\u00eanh \u0111i\u1ec1u khi\u1ec3n. \u0110\u00e2y l\u00e0 ch\u1ee9c n\u0103ng h\u1ee3p ph\u00e1p trong n\u1ec1n t\u1ea3ng \u0111\u00e1m m\u00e2y c\u1ee7a Amazon cho ph\u00e9p g\u1ecdi c\u00e1c h\u00e0m serverless th\u00f4ng qua HTTPS. K\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 l\u1ee3i d\u1ee5ng \u0111\u1eb7c \u0111i\u1ec3m n\u00e0y \u0111\u1ec3 ng\u1ee5y trang l\u01b0u l\u01b0\u1ee3ng C2, khi\u1ebfn n\u00f3 gi\u1ed1ng nh\u01b0 c\u00e1c ho\u1ea1t \u0111\u1ed9ng h\u1ee3p l\u1ec7 v\u00e0 kh\u00f3 b\u1ecb ph\u00e1t hi\u1ec7n. Vi\u1ec7c s\u1eed d\u1ee5ng c\u00e1c d\u1ecbch v\u1ee5 \u0111\u00e1m m\u00e2y ph\u1ed5 bi\u1ebfn nh\u01b0 AWS t\u1ea1o ra m\u1ed9t k\u00eanh li\u00ean l\u1ea1c v\u1eeba \u0111\u00e1ng tin c\u1eady v\u1eeba kh\u00f3 ph\u00e2n bi\u1ec7t v\u1edbi l\u01b0u l\u01b0\u1ee3ng b\u00ecnh th\u01b0\u1eddng, cho ph\u00e9p m\u00e3 \u0111\u1ed9c \u00e2m th\u1ea7m ho\u1ea1t \u0111\u1ed9ng d\u01b0\u1edbi l\u1edbp v\u1ecf h\u1ee3p ph\u00e1p.<\/p>\n

\n
\"1752648818335.png\"<\/div>\n<\/div>\n

C\u00e1c chuy\u00ean gia khuy\u1ebfn c\u00e1o c\u1ea7n \u0111\u1eb7c bi\u1ec7t theo d\u00f5i l\u01b0u l\u01b0\u1ee3ng outbound \u0111\u1ebfn c\u00e1c t\u00ean mi\u1ec1n \u00edt ph\u1ed5 bi\u1ebfn nh\u01b0 *.lambda-url.*.amazonaws.com<\/i>, nh\u1ea5t l\u00e0 khi c\u00e1c k\u1ebft n\u1ed1i n\u00e0y b\u1eaft ngu\u1ed3n t\u1eeb ti\u1ebfn tr\u00ecnh b\u1ea5t th\u01b0\u1eddng ho\u1eb7c d\u1ecbch v\u1ee5 h\u1ec7 th\u1ed1ng kh\u00f4ng r\u00f5 ngu\u1ed3n g\u1ed1c. Vi\u1ec7c gi\u00e1m s\u00e1t \u0111\u01a1n thu\u1ea7n theo \u0111\u1ecba ch\u1ec9 IP ho\u1eb7c t\u00ean mi\u1ec1n kh\u00f4ng c\u00f2n \u0111\u1ee7 hi\u1ec7u qu\u1ea3. Thay v\u00e0o \u0111\u00f3, c\u1ea7n \u00e1p d\u1ee5ng k\u1ef9 thu\u1eadt ph\u00e1t hi\u1ec7n d\u1ef1a tr\u00ean ng\u1eef c\u1ea3nh, bao g\u1ed3m ph\u00e2n t\u00edch chu\u1ed7i ti\u1ebfn tr\u00ecnh cha \u2013 con, truy v\u1ebft m\u1ed1i quan h\u1ec7 th\u1ef1c thi gi\u1eefa c\u00e1c ti\u1ebfn tr\u00ecnh v\u00e0 gi\u00e1m s\u00e1t h\u00e0nh vi endpoint theo th\u1eddi gian th\u1ef1c. Nh\u1eefng ph\u01b0\u01a1ng ph\u00e1p n\u00e0y gi\u00fap x\u00e1c \u0111\u1ecbnh li\u1ec7u m\u1ed9t k\u1ebft n\u1ed1i \u0111\u1ebfn d\u1ecbch v\u1ee5 AWS Lambda l\u00e0 h\u00e0nh vi h\u1ee3p l\u1ec7 c\u1ee7a \u1ee9ng d\u1ee5ng hay l\u00e0 m\u1ed9t k\u00eanh \u0111i\u1ec1u khi\u1ec3n ng\u1ee5y trang tinh vi do m\u00e3 \u0111\u1ed9c thi\u1ebft l\u1eadp. Trong m\u00f4i tr\u01b0\u1eddng m\u00e0 c\u00e1c d\u1ecbch v\u1ee5 \u0111\u00e1m m\u00e2y ng\u00e0y c\u00e0ng ph\u1ed5 bi\u1ebfn, kh\u1ea3 n\u0103ng ph\u00e2n bi\u1ec7t r\u00f5 r\u00e0ng gi\u1eefa ho\u1ea1t \u0111\u1ed9ng b\u00ecnh th\u01b0\u1eddng v\u00e0 h\u00e0nh vi l\u1ea9n tr\u00e1nh \u0111\u01b0\u1ee3c thi\u1ebft k\u1ebf kh\u00e9o l\u00e9o ch\u00ednh l\u00e0 ch\u00eca kh\u00f3a \u0111\u1ec3 ph\u00e1t hi\u1ec7n s\u1edbm c\u00e1c m\u1ed1i \u0111e d\u1ecda tinh vi nh\u01b0 HazyBeacon.<\/p>\n

HazyBeacon c\u00f2n t\u1ea3i v\u1ec1 m\u1ed9t m\u00f4-\u0111un chuy\u00ean thu th\u1eadp d\u1eef li\u1ec7u, c\u00f3 kh\u1ea3 n\u0103ng qu\u00e9t v\u00e0 l\u1ecdc c\u00e1c t\u1eadp tin \u0111\u1ecbnh d\u1ea1ng ph\u1ed5 bi\u1ebfn nh\u01b0 doc, docx, xls, xlsx v\u00e0 pdf, gi\u1edbi h\u1ea1n trong m\u1ed9t kho\u1ea3ng th\u1eddi gian nh\u1ea5t \u0111\u1ecbnh. M\u1ee5c ti\u00eau l\u00e0 truy v\u1ebft c\u00e1c t\u00e0i li\u1ec7u ch\u1ee9a th\u00f4ng tin nh\u1ea1y c\u1ea3m, trong \u0111\u00f3 c\u00f3 c\u1ea3 nh\u1eefng n\u1ed9i dung li\u00ean quan \u0111\u1ebfn c\u00e1c ch\u00ednh s\u00e1ch thu\u1ebf quan m\u1edbi c\u1ee7a Hoa K\u1ef3. Sau khi thu th\u1eadp, d\u1eef li\u1ec7u \u0111\u01b0\u1ee3c t\u00ecm c\u00e1ch exfiltrate th\u00f4ng qua c\u00e1c d\u1ecbch v\u1ee5 l\u01b0u tr\u1eef \u0111\u00e1m m\u00e2y quen thu\u1ed9c nh\u01b0 Google Drive v\u00e0 Dropbox. Vi\u1ec7c t\u1eadn d\u1ee5ng c\u00e1c n\u1ec1n t\u1ea3ng ph\u1ed5 bi\u1ebfn gi\u00fap l\u01b0u l\u01b0\u1ee3ng \u0111\u1ed9c h\u1ea1i h\u00f2a l\u1eabn v\u00e0o ho\u1ea1t \u0111\u1ed9ng m\u1ea1ng h\u1ee3p l\u1ec7, g\u00e2y kh\u00f3 kh\u0103n cho c\u00e1c h\u1ec7 th\u1ed1ng gi\u00e1m s\u00e1t truy\u1ec1n th\u1ed1ng. Trong s\u1ef1 c\u1ed1 \u0111\u01b0\u1ee3c Unit 42 ph\u00e2n t\u00edch, n\u1ed7 l\u1ef1c t\u1ea3i d\u1eef li\u1ec7u ra ngo\u00e0i qua c\u00e1c d\u1ecbch v\u1ee5 n\u00e0y \u0111\u00e3 b\u1ecb ch\u1eb7n, song v\u1eabn cho th\u1ea5y chi\u1ebfn thu\u1eadt tinh vi c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng khi ch\u1ee7 \u0111\u1ed9ng l\u1ee3i d\u1ee5ng c\u00e1c h\u1ea1 t\u1ea7ng \u0111\u00e1m m\u00e2y \u0111\u00e1ng tin c\u1eady \u0111\u1ec3 che gi\u1ea5u h\u00e0nh vi v\u00e0 tr\u00e1nh h\u1ec7 th\u1ed1ng gi\u00e1m s\u00e1t.<\/p>\n

Sau khi ho\u00e0n t\u1ea5t vi\u1ec7c \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u, m\u00e3 \u0111\u1ed9c th\u1ef1c hi\u1ec7n c\u00e1c l\u1ec7nh d\u1ecdn d\u1eb9p nh\u1eb1m x\u00f3a m\u1ecdi d\u1ea5u v\u1ebft tr\u00ean h\u1ec7 th\u1ed1ng, bao g\u1ed3m c\u00e1c b\u1ea3n l\u01b0u tr\u1eef c\u1ee7a t\u1eadp tin thu th\u1eadp \u0111\u01b0\u1ee3c v\u00e0 c\u00e1c payload trung gian. Theo ph\u00e2n t\u00edch c\u1ee7a Unit 42, HazyBeacon ch\u00ednh l\u00e0 c\u00f4ng c\u1ee5 ch\u00ednh gi\u00fap nh\u00f3m t\u1ea5n c\u00f4ng duy tr\u00ec hi\u1ec7n di\u1ec7n v\u00e0 \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u t\u1ea1i c\u00e1c t\u1ed5 ch\u1ee9c b\u1ecb nh\u1eafm m\u1ee5c ti\u00eau.<\/p>\n

Chi\u1ebfn d\u1ecbch n\u00e0y l\u00e0 minh ch\u1ee9ng r\u00f5 r\u00e0ng cho xu h\u01b0\u1edbng ng\u00e0y c\u00e0ng ph\u1ed5 bi\u1ebfn trong c\u00e1c nh\u00f3m m\u1ed1i \u0111e d\u1ecda tinh vi. L\u1ee3i d\u1ee5ng h\u1ea1 t\u1ea7ng v\u00e0 d\u1ecbch v\u1ee5 \u0111\u00e1m m\u00e2y h\u1ee3p ph\u00e1p \u0111\u1ec3 tr\u1ed1n tr\u00e1nh c\u00e1c bi\u1ec7n ph\u00e1p ph\u00f2ng th\u1ee7 b\u1ea3o m\u1eadt \u0111ang tr\u1edf th\u00e0nh l\u1ef1a ch\u1ecdn \u01b0u ti\u00ean. Xu h\u01b0\u1edbng n\u00e0y, th\u01b0\u1eddng \u0111\u01b0\u1ee3c g\u1ecdi l\u00e0 \u201cliving off trusted services\u201d (LOTS) c\u0169ng t\u1eebng xu\u1ea5t hi\u1ec7n trong c\u00e1c chi\u1ebfn d\u1ecbch s\u1eed d\u1ee5ng Google Workspace, Microsoft Teams hay Dropbox API nh\u1eb1m duy tr\u00ec quy\u1ec1n truy c\u1eadp v\u00e0 n\u00e9 tr\u00e1nh h\u1ec7 th\u1ed1ng ph\u00e1t hi\u1ec7n truy\u1ec1n th\u1ed1ng.<\/p>\n

Theo The Hacker News<\/i><\/b>\u200b<\/div>\n
Theo: https:\/\/whitehat.vn\/threads\/hazybeacon-ma-doc-loi-dung-aws-lambda-de-danh-cap-du-lieu-chinh-phu-dong-nam-a.18570\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"

M\u1ed9t chi\u1ebfn d\u1ecbch gi\u00e1n \u0111i\u1ec7p m\u1ea1ng tinh vi \u0111ang \u00e2m th\u1ea7m nh\u1eafm v\u00e0o c\u00e1c c\u01a1 quan ch\u00ednh ph\u1ee7 t\u1ea1i \u0110\u00f4ng Nam \u00c1 b\u1eb1ng m\u00e3 \u0111\u1ed9c c\u1eeda h\u1eadu ch\u01b0a t\u1eebng \u0111\u01b0\u1ee3c ghi nh\u1eadn tr\u01b0\u1edbc \u0111\u00e2y tr\u00ean Windows, c\u00f3 t\u00ean HazyBeacon. Chi\u1ebfn d\u1ecbch n\u00e0y \u0111\u01b0\u1ee3c theo d\u00f5i b\u1edfi nh\u00f3m Unit 42 c\u1ee7a Palo Alto Networks v\u1edbi m\u00e3 […]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10487","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10487"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10487\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}