程序被滥用 #1012
Description
Abuse of Microsoft.Win32.TaskScheduler Library in Malware Campaign
恶意软件活动中滥用 Microsoft.Win32.TaskScheduler 库的问题
Problem Description / 问题描述
English:
We have discovered that the Microsoft.Win32.TaskScheduler library (version 2.11.0.0) is being actively abused by malware authors in a recent attack campaign. The legitimate DLL is being embedded within malicious HTA (HTML Application) files and distributed through disguised PNG images containing Base64-encoded payloads.
中文:
我们发现近期有一个恶意软件攻击活动正在滥用 Microsoft.Win32.TaskScheduler 库(版本 2.11.0.0)。攻击者将合法的DLL文件嵌入到恶意的HTA(HTML应用程序)文件中,并通过包含Base64编码载荷的伪装PNG图片进行分发。
Attack Vector / 攻击向量
English:
- Malicious HTA files download disguised PNG images
- PNG images contain Base64-encoded
Microsoft.Win32.TaskScheduler.dll - The DLL is extracted and loaded via reflection in PowerShell
- Used to create scheduled tasks for persistence
中文:
- 恶意HTA文件下载伪装的PNG图片
- PNG图片包含Base64编码的
Microsoft.Win32.TaskScheduler.dll - 通过PowerShell反射加载提取的DLL
- 用于创建计划任务实现持久化
Technical Details / 技术细节
English:
- File: Microsoft.Win32.TaskScheduler.dll
- Version: 2.11.0.0
- Size: 4.63 MB
- Abuse Method: The library's legitimate functions for task creation are being exploited to establish persistence on compromised systems.
中文:
- 文件: Microsoft.Win32.TaskScheduler.dll
- 版本: 2.11.0.0
- 大小: 4.63 MB
- 滥用方法: 攻击者利用该库合法的任务创建功能在受感染系统上建立持久化。
Impact / 影响
English:
- Damages the reputation of your legitimate project
- Could lead to false positives in antivirus software
- Enables malware persistence mechanisms
- Affects users who might unknowingly associate your project with malicious activity
中文:
- 损害您合法项目的声誉
- 可能导致杀毒软件误报
- 为恶意软件提供持久化机制
- 影响可能无意中将您的项目与恶意活动关联的用户
Suggested Mitigations / 建议的缓解措施
English:
- Consider adding runtime checks to detect malicious usage patterns
- Implement code signing verification within the library
- Add warning messages when used in suspicious contexts
- Provide guidance for security vendors on legitimate usage patterns
- Consider adding telemetry to detect abuse
中文:
- 考虑添加运行时检查以检测恶意使用模式
- 在库内实现代码签名验证
- 在可疑上下文中使用时添加警告消息
- 为安全厂商提供合法使用模式的指导
- 考虑添加遥测功能以检测滥用行为
Additional Context / 额外背景
English:
This is part of a larger malware distribution campaign using polyglot files and social engineering. The attackers are leveraging the legitimacy of your well-known library to bypass security controls.
中文:
这是一个更大的恶意软件分发活动的一部分,使用多语言文件和社会工程学。攻击者利用您知名库的合法性来绕过安全控制。
References / 参考资料
- Library: https://github.com/dahall/TaskScheduler
- Detection: Multiple security vendors have flagged this abuse pattern
Note to Maintainers / 给维护者的说明:
We recognize that this is a legitimate library being abused, not a vulnerability in the code itself. We're reporting this to help protect both your project's reputation and potential victims of this malware campaign.
我们认识到这是一个被滥用的合法库,而不是代码本身的漏洞。我们报告此问题是为了帮助保护您项目的声誉和此恶意软件活动的潜在受害者。
File / 文件
IMG__pic0099400000300200005050050500500505050050052333.html
Note / 注释
The png.txt file contains the Base64-encoded DLL file that was detected as malicious by antivirus software. You can examine it for verification.
这个“png.txt”文件是被报毒的dll文件