BlueShell is a Go-based backdoor that supports Windows, Linux, and Mac, and has been observed in APT-style campaigns targeting Korean and Thai entities. The article covers its capabilities, deployment methods (including a dropper that uses an environment variable to configure C2), and the involvement of multiple threat actors and proxy tools such as FRP/Venom. #BlueShell #Dalbit #Frpc
Keypoints
- BlueShell is a cross‑platform backdoor written in Go; the original GitHub repository appears deleted, but copies exist elsewhere.
- Attack cases show BlueShell used mainly against Windows systems in Korea, with Linux cases affecting targets in Korea and Thai broadcasting companies.
- The malware supports TLS communications with its C2 server and offers commands such as remote shell, file upload/download, and a Socks5 proxy.
- The Dalbit threat group (China-based) commonly uses open‑source tools and has included BlueShell among its attack tools.
- In some Korean attacks, BlueShell was collected during the operation with a default C2 URL embedded in the binary; in another case, it was obfuscated and combined with Frpc for C2 proxying.
- Linux-targeted variants are delivered by a dropper that supplies the C2 configuration through an environment variable (lgdt); BlueShell Base64-decodes that value and is run in memory, often disguised as a legitimate process.
- FRP (Fast Reverse Proxy) and Venom proxies are used to route C2 traffic, enabling covert communications across networks.
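The Linux dropper behaviour above (C2 data handed to the backdoor through the `lgdt` environment variable, Base64-encoded, process running from memory) leaves a detectable trace in each process's environment. The following is an added defender's example, not code from the article or from AhnLab: it parses `/proc/<pid>/environ`-style blobs, flags any process carrying `lgdt`, and tries to Base64-decode the value. The host:port heuristic applied to the decoded bytes is an assumption, since the page does not describe the decoded layout; the sample environments are constructed and use an RFC 5737 documentation address.

```python
import base64
import binascii
import os
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Environment variable name used by the Linux dropper, as reported on the page.
SUSPECT_VAR = b"lgdt"

# Assumption (not from the page): a decoded value containing a host:port pair is
# treated as a likely C2 endpoint. Adjust once the real layout is known.
HOST_PORT_RE = re.compile(rb"(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})")


@dataclass
class Finding:
    pid: int
    raw: bytes                 # the lgdt value exactly as found
    decoded: Optional[bytes]   # Base64-decoded value, or None if not valid Base64
    endpoint: Optional[str]    # host:port extracted by the heuristic, if any


def parse_environ(blob: bytes) -> dict:
    """Parse a NUL-separated KEY=VALUE blob, the format of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\x00"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key] = value
    return env


def try_base64(value: bytes) -> Optional[bytes]:
    """Strict Base64 decode; returns None instead of raising on junk."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_environ(pid: int, blob: bytes) -> Optional[Finding]:
    """Return a Finding if this process environment carries the suspect variable."""
    env = parse_environ(blob)
    if SUSPECT_VAR not in env:
        return None
    raw = env[SUSPECT_VAR]
    decoded = try_base64(raw)
    endpoint = None
    if decoded is not None:
        m = HOST_PORT_RE.search(decoded)
        if m and 0 < int(m.group("port")) < 65536:
            endpoint = m.group(0).decode("ascii", "replace")
    return Finding(pid=pid, raw=raw, decoded=decoded, endpoint=endpoint)


def scan_proc(proc_root: str = "/proc") -> Iterator[Finding]:
    """Walk a live Linux /proc tree (reading other users' environ needs root)."""
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                blob = fh.read()
        except OSError:
            continue
        finding = inspect_environ(int(name), blob)
        if finding:
            yield finding


# Constructed sample environments (not captured from a real host).
SAMPLE_C2 = base64.b64encode(b"192.0.2.10:443")  # documentation address, RFC 5737
SAMPLES = {
    101: b"PATH=/usr/bin\x00HOME=/root\x00",            # clean process
    202: b"PATH=/usr/bin\x00lgdt=" + SAMPLE_C2 + b"\x00",  # dropper-style config
    303: b"lgdt=not-base64!!\x00",                       # variable present, junk value
}


def scan_samples(samples=SAMPLES) -> list:
    """Run the inspector over the constructed samples; returns Findings in pid order."""
    return [f for pid, blob in samples.items() if (f := inspect_environ(pid, blob))]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"pid={f.pid} lgdt={f.raw!r} decoded={f.decoded!r} endpoint={f.endpoint}")
```

On a live host, replace `scan_samples()` with `scan_proc()`; a hit on a process whose executable has been unlinked (the in-memory execution the page describes) is a stronger signal than the variable alone, and the decoded endpoint can be checked against the C2 indicators listed below.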
MITRE Techniques
- [T1059] Command and Scripting Interpreter – BlueShell can execute commands remotely (shell) as well as perform file upload/download and proxy setup. ‘remote command execution, file download/upload, and Socks5 proxy’
- [T1090] Proxy – The campaign uses Fast Reverse Proxy (FRP) and Venom as proxy tools to route C2 traffic. ‘The most prominent characteristic of the Dalbit group is that it uses Fast Reverse Proxy (FRP) as the proxy tool.’
- [T1021] Lateral Movement – Impacket is used for lateral movement within the target network. ‘used the Impacket tool for lateral movement’
- [T1003.001] OS Credential Dumping – Lsass dump tool is used to steal credentials. ‘The threat actor used the Lsass dump tool to steal account credentials’
- [T1046] Network Service Scanning – Internal network scanning is performed with fscan. ‘fscan tool to scan the internal network’
- [T1027] Data Encoding – BlueShell decodes the environment variable lgdt (Base64) to obtain configuration data. ‘BlueShell decodes the environment variable “lgdt” with Base64’
- [T1505.003] Web Shell – Web shells (JSP) are observed in the attack campaigns. ‘JSP web shells used in the attack’
- [T1105] Ingress Tool Transfer – File upload/download is used to transfer tools/files from/to the infected host. ‘remote command execution, file download/upload’
Indicators of Compromise
- [MD5] BlueShell/Dalbit indicators – 53271b2ab6c327a68e78a7c0bf9f4044, 011cedd9932207ee5539895e2a1ed60a
- [Domain] C2/attack domains – aa.zxcss[.]com:443, lt.yxavkb[.]xyz:80
- [IP] C2 and upload/download hosts – 20.214.201[.]166:443, 121.127.241[.]117:20001
- [Filename] Sample dropper/runner files – searchapp.exe, bsClient-Win-amd64.exe
- [Filename] Frpc/related binaries – dllhost.exe, server.exe
Read more: https://asec.ahnlab.com/en/56941/