{"id":49269,"date":"2026-04-20T16:36:08","date_gmt":"2026-04-20T16:36:08","guid":{"rendered":"https:\/\/www.europesays.com\/sk\/49269\/"},"modified":"2026-04-20T16:36:08","modified_gmt":"2026-04-20T16:36:08","slug":"u-susedov-v-cesku-udrel-zakerny-botnet-powmix-u-nas-moze-byt-co-nevidiet-siri-sa-cez-tieto-spravy-vosveteit-sk","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/sk\/49269\/","title":{"rendered":"The malicious PowMix botnet has struck our neighbours in Czechia. It could be here any moment, spreading through these messages | Vosveteit.sk"},"content":{"rendered":"<p>Researchers at <a href=\"https:\/\/blog.talosintelligence.com\/powmix-botnet-targets-czech-workforce\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Cisco Talos<\/a> have warned of a campaign that has hit mainly workplaces in neighbouring Czechia. Behind it is a previously unknown <a href=\"https:\/\/vosveteit.zoznam.sk\/botnet-kadnap-sa-objavil-aj-na-slovensku-hackeri-ovladli-tisice-domacich-wi-fi-routerov-tejto-znacky\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">botnet<\/a> named PowMix. At first glance it looks like an ordinary document or job offer, but in reality it can be the entry point for malicious code that quietly takes control of the computer.<\/p>\n<p>The attackers targeted mainly HR departments, lawyers and recruitment agencies. They used a simple but effective trick: credible-looking documents. These posed as official materials with references to legislation or to the well-known EDEKA brand. They also added specific details about salaries or legal obligations to make the text look authentic.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-251849\" src=\"https:\/\/www.europesays.com\/sk\/wp-content\/uploads\/2026\/04\/falosne-dokumenty.jpg\" alt=\"A botnet that spreads through official-looking documents is attacking in Czechia\" width=\"1280\" height=\"720\"\/><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/blog.talosintelligence.com\/powmix-botnet-targets-czech-workforce\/\">Source: Cisco Talos<\/a><\/p>\n<p>All it takes is opening a ZIP file and the shortcut (.LNK) hidden inside it. That shortcut then launches a PowerShell script which sets the whole attack in motion.<\/p>\n<p>\u201cThe attack begins with the execution of a shortcut from a ZIP file, often delivered via phishing,\u201d the researchers explain.<\/p>\n<p>The attack disables Windows defences and prepares the environment for the next steps<\/p>\n<p>The script first moves to a system folder and prepares the environment. It then bypasses the security mechanisms of <a href=\"https:\/\/vosveteit.zoznam.sk\/pozor-na-tuto-falosnu-windows-aktualizaciu-ktora-lomcuje-internetom-ak-ju-stiahnes-hackeri-ti-ukradnu-hesla-k-uctom\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Windows<\/a>. Specifically, it modifies an internal check so that the system \u201cbelieves\u201d that protection against malicious code is not working. At that moment the attacker has an open door.<\/p>\n<p>The main part of the attack comes right after the environment is prepared. PowMix does not run as a conventional program stored on disk. It runs directly in RAM. That means no ordinary files are created on the hard drive for an antivirus scan to find.<\/p>\n<p>The attackers thus turn the system's own tools, specifically PowerShell, against the system itself. PowMix then creates a scheduled task that relaunches it every day. Security analysts point to the timing of the malware's execution, often around 11:00 in the morning. Network traffic is at its heaviest then, so its communication blends more easily into ordinary data.<\/p>\n<p>Once it has settled in, it begins communicating discreetly with the attacker's server. Instead of a persistent connection it checks in at irregular intervals, sometimes after a few seconds, other times after several minutes. This \u201crandom rhythm\u201d makes detection harder.<\/p>\n<p>The researchers were also surprised by the way it hides in the network. PowMix uses legitimate cloud services, for example Heroku. To a firewall this is ordinary communication with a well-known platform used by many companies. The attackers are thus not hiding in the shadows but right \u201cunder the lamp\u201d, with their data posing as normal web traffic. They encode information about the device and the system state into URLs, so the communication looks like an ordinary API call.<\/p>\n<p>\u201cThe malware disguises its communication as legitimate web traffic,\u201d the researchers warn.<\/p>\n<p>If detection threatens, the botnet can delete itself and cover its tracks<\/p>\n<p>PowMix can also respond to commands. The attacker can change the command-and-control server, run additional code or erase all traces completely. In some cases it removes itself so as to leave no evidence.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-207630\" src=\"https:\/\/www.europesays.com\/sk\/wp-content\/uploads\/2026\/04\/windows-powershell.jpg\" alt=\"Why should you know the command line?\" width=\"1200\" height=\"684\"\/>Source: Vosveteit.sk<\/p>\n<p>For an ordinary user, these attacks can be recognised by several warning signs. The way the documents are delivered is suspicious in itself: materials about salaries, GDPR or internal rules should never arrive as a shortcut (.LNK) hidden in a ZIP archive.<\/p>\n<p>Another important moment comes right after the file is opened, when a black command-prompt or <a href=\"https:\/\/vosveteit.zoznam.sk\/tento-novy-trik-hackerov-ta-prinuti-infikovat-si-vlastny-pocitac-deepload-sa-potom-ukryje-hlboko-v-systeme-a-neodide\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">PowerShell<\/a> window appears for a brief instant. That often means a script has started in the background that an ordinary user would not even notice. The computer itself can also show odd behaviour: if it starts showing activity even though you are not running anything, for example higher load or network communication while \u201cidle\u201d, that is a sign that something is running hidden in the background.<\/p>\n<p>\u201cAlthough we see similarities with older campaigns, the final goal is not yet clear,\u201d state the researchers from Cisco Talos.<\/p>\n<p>This means the attackers may be building access to systems without using it immediately. Since it is a botnet, the attackers could in future use the army of infected devices for DDoS attacks, for example. At the same time, they can rent out individual infected devices as proxies, that is, allow other hackers to carry out attacks through them and so mask their own trail.<\/p>\n","protected":false},"excerpt":{"rendered":"Researchers at Cisco Talos have warned of a campaign that has hit mainly workplaces in neighbouring Czechia. Behind it&hellip;\n","protected":false},"author":2,"featured_media":41104,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[20300,20301,168,2282,9277,20302,34,37,15208,33,20303,20304,43,40,39,42,41,36,38,35],"class_list":{"0":"post-49269","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-spravy","8":"tag-ako-sa-chranit","9":"tag-botnet","10":"tag-cesko","11":"tag-dokument","12":"tag-e-mail","13":"tag-falosna-sprava","14":"tag-headlines","15":"tag-hlavne-spravy","16":"tag-malver","17":"tag-news","18":"tag-powmix","19":"tag-priloha","20":"tag-sk","21":"tag-slovak","22":"tag-slovakia","23":"tag-slovencina","24":"tag-slovensko","25":"tag-spravy","26":"tag-titulky","27":"tag-top-stories"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@sk\/116438013254420193","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/posts\/49269","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/comments?post=49269"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/posts\/49269\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/media\/41104"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/media?parent=49269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/categories?post=49269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/sk\/wp-json\/wp\/v2\/tags?post=49269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}