{"id":10521,"date":"2025-10-17T13:26:37","date_gmt":"2025-10-17T06:26:37","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10521"},"modified":"2026-02-05T13:26:45","modified_gmt":"2026-02-05T06:26:45","slug":"hacker-giau-ma-doc-trong-blockchain-tan-cong-nguoi-dung-qua-website-wordpress","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/10\/17\/hacker-giau-ma-doc-trong-blockchain-tan-cong-nguoi-dung-qua-website-wordpress\/","title":{"rendered":"Hacker gi\u1ea5u m\u00e3 \u0111\u1ed9c trong blockchain, t\u1ea5n c\u00f4ng ng\u01b0\u1eddi d\u00f9ng qua website WordPress"},"content":{"rendered":"

Blockchain v\u1ed1n \u0111\u01b0\u1ee3c ca ng\u1ee3i l\u00e0 c\u00f4ng ngh\u1ec7 minh b\u1ea1ch, phi t\u1eadp trung nh\u01b0ng trong tay tin t\u1eb7c n\u00f3 l\u1ea1i tr\u1edf th\u00e0nh c\u00f4ng c\u1ee5 ho\u00e0n h\u1ea3o \u0111\u1ec3 \u1ea9n gi\u1ea5u m\u00e3 \u0111\u1ed9c. M\u1edbi \u0111\u00e2y, nh\u00f3m tin t\u1eb7c UNC5142 \u0111\u00e3 b\u1ecb ph\u00e1t hi\u1ec7n l\u1ee3i d\u1ee5ng h\u1ee3p \u0111\u1ed3ng th\u00f4ng minh tr\u00ean chu\u1ed7i BNB Smart Chain \u0111\u1ec3 ph\u00e1t t\u00e1n c\u00e1c m\u00e3 \u0111\u1ed9c \u0111\u00e1nh c\u1eafp th\u00f4ng tin ng\u01b0\u1eddi d\u00f9ng, bao g\u1ed3m: Atomic Stealer, Lumma, Rhadamanthys v\u00e0 Vidar.<\/b><\/p>\n

\n
\"1760676101072.png\"<\/div>\n<\/div>\n

\u0110i\u1ec1u \u0111\u00e1ng n\u00f3i, chi\u1ebfn d\u1ecbch n\u00e0y t\u1ea5n c\u00f4ng c\u1ea3 ng\u01b0\u1eddi d\u00f9ng Windows v\u00e0 macOS, d\u00f9ng ch\u00ednh c\u00e1c website WordPress b\u1ecb x\u00e2m nh\u1eadp l\u00e0m b\u00e0n \u0111\u1ea1p l\u00e2y lan.<\/p>\n

Theo b\u00e1o c\u00e1o c\u1ee7a Google, ch\u1ec9 t\u00ednh \u0111\u1ebfn th\u00e1ng 6\/2025, c\u00f3 h\u01a1n 14.000 trang web WordPress b\u1ecb ch\u00e8n m\u00e3 JavaScript \u0111\u1ed9c h\u1ea1i li\u00ean quan \u0111\u1ebfn nh\u00f3m UNC5142. D\u00f9 nh\u00f3m n\u00e0y t\u1ea1m th\u1eddi \u201cim \u1eafng\u201d t\u1eeb th\u00e1ng 7\/2025 nh\u01b0ng chi\u1ebfn thu\u1eadt c\u1ee7a ch\u00fang \u0111ang khi\u1ebfn gi\u1edbi chuy\u00ean gia b\u1ea3o m\u1eadt \u0111\u1eb7c bi\u1ec7t lo ng\u1ea1i.<\/p>\n

Thay v\u00ec l\u01b0u m\u00e3 \u0111\u1ed9c tr\u00ean server \u1ea9n danh ho\u1eb7c file-sharing nh\u01b0 tr\u01b0\u1edbc, UNC5142 gi\u1ea5u m\u00e3 \u0111\u1ed9c ngay trong h\u1ee3p \u0111\u1ed3ng th\u00f4ng minh blockchain, khi\u1ebfn vi\u1ec7c g\u1ee1 b\u1ecf g\u1ea7n nh\u01b0 b\u1ea5t kh\u1ea3 thi. M\u1ed9t khi m\u00e3 \u0111\u1ed9c \u0111\u00e3 \u0111\u01b0\u1ee3c ghi v\u00e0o blockchain, n\u00f3 t\u1ed3n t\u1ea1i v\u0129nh vi\u1ec5n v\u00ec d\u1eef li\u1ec7u tr\u00ean chu\u1ed7i kh\u00f4ng th\u1ec3 x\u00f3a hay ch\u1ec9nh s\u1eeda.<\/p>\n

Chi\u1ebfn d\u1ecbch n\u00e0y s\u1eed d\u1ee5ng m\u1ed9t tr\u00ecnh t\u1ea3i \u0111a t\u1ea7ng c\u00f3 t\u00ean CLEARSHORT (\u0111\u00e2y l\u00e0 bi\u1ebfn th\u1ec3 c\u1ee7a ClearFake t\u1eebng \u0111\u01b0\u1ee3c ph\u00e1t hi\u1ec7n t\u1eeb n\u0103m 2023). Giai \u0111o\u1ea1n \u0111\u1ea7u, m\u00e3 JavaScript \u0111\u01b0\u1ee3c c\u1ea5y v\u00e0o plugin ho\u1eb7c theme c\u1ee7a website WordPress. M\u00e3 n\u00e0y s\u1ebd g\u1ecdi \u0111\u1ebfn h\u1ee3p \u0111\u1ed3ng th\u00f4ng minh tr\u00ean BNB Smart Chain – n\u01a1i ch\u1ee9a \u0111\u1ecba ch\u1ec9 m\u00e1y ch\u1ee7 \u0111i\u1ec1u khi\u1ec3n v\u00e0 d\u1eef li\u1ec7u gi\u1ea3i m\u00e3.<\/p>\n

T\u1eeb \u0111\u00f3, n\u1ea1n nh\u00e2n s\u1ebd b\u1ecb chuy\u1ec3n h\u01b0\u1edbng \u0111\u1ebfn trang web gi\u1ea3 m\u1ea1o c\u1eadp nh\u1eadt tr\u00ecnh duy\u1ec7t (fake update), th\u01b0\u1eddng \u0111\u01b0\u1ee3c l\u01b0u tr\u1eef tr\u00ean c\u00e1c t\u00ean mi\u1ec1n h\u1ee3p ph\u00e1p nh\u01b0 Cloudflare .dev khi\u1ebfn ng\u01b0\u1eddi d\u00f9ng kh\u00f3 nh\u1eadn ra. Khi truy c\u1eadp, n\u1ea1n nh\u00e2n b\u1ecb d\u1ee5 ch\u1ea1y m\u1ed9t l\u1ec7nh \u0111\u1ed9c h\u1ea1i qua c\u1eeda s\u1ed5 Run tr\u00ean Windows ho\u1eb7c Terminal tr\u00ean macOS \u0111\u1ec3 t\u1ea3i v\u00e0 ch\u1ea1y m\u00e3 \u0111\u1ed9c \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u.<\/p>\n

Tr\u00ean Windows, m\u00e3 \u0111\u1ed9c t\u1ea3i xu\u1ed1ng file HTA t\u1eeb MediaFire, ch\u1ea1y PowerShell \u0111\u1ec3 t\u1ea3i m\u00e3 \u0111\u1ed9c th\u1ef1c thi tr\u1ef1c ti\u1ebfp trong b\u1ed9 nh\u1edb (fileless malware) gi\u00fap tr\u00e1nh b\u1ecb ph\u1ea7n m\u1ec1m di\u1ec7t virus ph\u00e1t hi\u1ec7n.<\/p>\n

Trong khi \u0111\u00f3, tr\u00ean macOS, ng\u01b0\u1eddi d\u00f9ng b\u1ecb l\u1eeba ch\u1ea1y l\u1ec7nh bash ho\u1eb7c curl \u0111\u1ec3 t\u1ea3i Atomic Stealer (m\u00e3 \u0111\u1ed9c chuy\u00ean \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u v\u00ed ti\u1ec1n \u0111i\u1ec7n t\u1eed, m\u1eadt kh\u1ea9u v\u00e0 cookie).<\/p>\n

Google cho bi\u1ebft UNC5142 \u0111\u00e3 tinh vi h\u01a1n qua t\u1eebng giai \u0111o\u1ea1n. Ban \u0111\u1ea7u ch\u1ec9 d\u00f9ng m\u1ed9t h\u1ee3p \u0111\u1ed3ng th\u00f4ng minh, \u0111\u1ebfn cu\u1ed1i n\u0103m 2024, ch\u00fang ph\u00e1t tri\u1ec3n th\u00e0nh ki\u1ebfn tr\u00fac ba h\u1ee3p \u0111\u1ed3ng (Router – Logic – Storage) m\u00f4 ph\u1ecfng theo m\u00f4 h\u00ecnh proxy trong l\u1eadp tr\u00ecnh h\u1ee3p ph\u00e1p. C\u00e1ch n\u00e0y cho ph\u00e9p hacker thay \u0111\u1ed5i \u0111\u01b0\u1eddng d\u1eabn t\u1ea3i m\u00e3 \u0111\u1ed9c, kh\u00f3a gi\u1ea3i m\u00e3 ho\u1eb7c m\u00e1y ch\u1ee7 \u0111i\u1ec1u khi\u1ec3n ch\u1ec9 v\u1edbi v\u00e0i thao t\u00e1c c\u1eadp nh\u1eadt d\u1eef li\u1ec7u h\u1ee3p \u0111\u1ed3ng, ti\u00eau t\u1ed1n ch\u01b0a t\u1edbi 2 USD ph\u00ed m\u1ea1ng.<\/p>\n

Nh\u1edd \u0111\u00f3, d\u00f9 c\u00e1c chuy\u00ean gia an ninh ch\u1eb7n ho\u1eb7c g\u1ee1 m\u00e3 JavaScript tr\u00ean web b\u1ecb nhi\u1ec5m, hacker v\u1eabn c\u00f3 th\u1ec3 nhanh ch\u00f3ng \u201cc\u1eadp nh\u1eadt\u201d chi\u1ebfn d\u1ecbch m\u00e0 kh\u00f4ng ph\u1ea3i ch\u1ec9nh l\u1ea1i to\u00e0n b\u1ed9 m\u00e3, c\u1ef1c k\u1ef3 linh ho\u1ea1t v\u00e0 kh\u00f3 b\u1ecb tri\u1ec7t h\u1ea1.<\/p>\n

Google c\u00f2n ph\u00e1t hi\u1ec7n hai h\u1ea1 t\u1ea7ng ri\u00eang bi\u1ec7t:<\/p>\n