Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies – ASEC BLOG

MITRE Techniques

• [T1100] Web Shell – ASPXSpy is the major ASPX Webshell used on vulnerable IIS servers to enable control and command execution. “ASPXSpy is the major ASPX Webshell and it has been verified that the hacker has used this web shell for multiple attacks.”
• [T1059] Command and Scripting Interpreter – Webshells enable command execution and file operations within the target server. “Hackers can perform various malicious acts in this panel including looking up information, creating files, and executing processes.”
• [T1134] Access Token Manipulation – Privilege escalation via token abuse to reach system privileges (Potato family). “Potato is an open-source privilege escalation tool published on GitHub. It operates by abusing specific privileges from the tokens of the process account currently being run and provides the feature of escalating said privileges into system privileges.”
• [T1068] Exploitation for Privilege Escalation – CVE-based PoCs used to escalate privileges. “The following is a PoC that abuses CVE-2021-1732 vulnerabilities to escalate privileges… The following is a CVE-2022-21999 PoC that can load the designated DLL and run malware after privilege escalation.”
• [T1090] Proxy – FRP (Fast Reverse Proxy) creates a proxy between attacker and target to enable external access. “FRP is an open source tool formed with a mediating dummy to enable external access to an intranet PC that cannot be accessed directly.”
• [T1021.001] Remote Services – RDP-based access via FRP/relay chains; attackers use remote desktop connections to manage compromised hosts. “FRP tools were commonly used by hackers in ‘remote desktop connections’ and ‘masking attacker IP’.”
• [T1486] Data Encrypted for Impact – BitLocker-based ransomware activity to encrypt drives. “The hackers encrypted using the following command… manage-bde to enable the use of the BitLocker feature…”