Analysis of APT Attack Cases Targeting Web Services of Korean Corporations – ASEC BLOG

Summary: ASEC documents repeated APT-style attacks on vulnerable Korean web servers (IIS, Tomcat, JBoss, Nginx) with web shells, privilege escalation, and credential theft, suggesting possible ransomware objectives beyond ad fraud. The threat actor commonly uses a “tripod” account across infections and relies on publicly available Chinese-language tools (e.g., Potato, Ladon, Mimikatz) and Go-based packers to maintain persistence and control.

Tags: #Tripod #Potato #Ladon #Sy_Runas #Mimikatz #WebShell

Keypoints

  • Attacks target publicly accessible web servers (IIS, Tomcat, JBoss, Nginx) on Windows or similar platforms, exploiting unpatched vulnerabilities or poor management.
  • Threat actors deploy web shells via file upload vulnerabilities, enabling initial access and subsequent malware deployment.
  • Persistence is maintained through scheduled tasks that install web shells and trigger page alterations (potential ad fraud) or other payloads.
  • Privilege escalation is primarily achieved with Potato-family tools (e.g., BadPotato, JuicyPotato, SweetPotato), often combined with other tools such as PrintSpoofer and UserClone.
  • Credential access centers on Mimikatz (LSASS memory) and ProcDump for memory dumps; on newer Windows builds the actor first sets the WDigest UseLogonCredential registry value so that plaintext passwords can be extracted.
  • Remote control and exfiltration leverage NetCat, Ladon (and PowerLadon), Runas/Sy_Runas, and PowerShell as part of a broader attacker toolkit.
  • While initial goals appear to be monetizing ad displays (KISA reports), logs indicate potential ransomware activity (e.g., VSS deletion) in some cases.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited a file upload vulnerability on the affected corporation’s website to upload a web shell. “They exploited a file upload vulnerability on neglected forums on the web server to install a web shell.”
  • [T1505.003] Web Shell – Web shells are routinely deployed and used to maintain persistence and execute commands after initial access. “the threat actor used the secondary web shell to generate various malware…”
  • [T1053.005] Scheduled Task/Job – The attacker registers tasks (e.g., CredentialTask, CertificateTask) to display ads and run a batch/file for persistence. “the threat actor registered tasks named ‘CredentialTask’ and ‘CertificateTask’…”
  • [T1068] Exploitation for Privilege Escalation – Potato family deployed to escalate privileges; multiple Potato variants used in tandem with other tools. “Potato privilege escalation malware are commonly used.”
  • [T1112] Modify Registry – WDigest UseLogonCredential enabling plaintext password extraction; registry modification command shown. “UseLogonCredential registry key must be configured…”
  • [T1003.001] LSASS Memory – Mimikatz used to collect credentials from the system memory. “Mimikatz to collect credential information present in the currently infected system.”
  • [T1134] Access Token Manipulation – Runas/Sy_Runas to execute commands with another account’s privileges; multiple Runas variants observed. “the Runas malware family is responsible for receiving the account credentials…”
  • [T1059.001] PowerShell – PowerShell is used to execute commands (e.g., set-mppreference, disable real-time monitoring). “powershell set-mppreference -disablerealtimemonitoring”
  • [T1055] Process Injection – Shellcode execution via EtwpCreateEtwThread and CreateFiber (go-shellcode). “routine of executing shellcode using the EtwpCreateEtwThread() function” and “CreateFiber() function.”
  • [T1490] Inhibit System Recovery – Volume Shadow Copy deletion observed as defense evasion. “logs show that the threat actor deleted volume shadow copies.”
  • [T1027] Obfuscated/Compressed Files and Information – Potato samples packed with VMProtect or Go-based packers to evade detection. “packed using the ‘go-shellcode’ packing tool” and memory-only execution.
  • [T1105] Ingress Tool Transfer – Use of NetCat as a reverse shell; the same address served as C2/download source. “NetCat to maintain control.”
  • [T1033] System Owner/User Discovery – Logs show user discovery commands (whoami, query user). “whoami” and similar queries observed in logs.
  • [T1136] Create Account – Privilege copying and account modification (Guest to Administrator) via UserClone. “copy the privileges of a Guest account to Administrator … UserClone.”
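The technique list above is, from a defender's side, a set of process-creation events to alert on: the WDigest registry change, the Set-MpPreference call, the CredentialTask/CertificateTask registrations, discovery commands and shadow-copy deletion, all typically spawned from a web-server worker by the web shell. The following detection script is an added example and is not code from the ASEC article. The log lines are constructed to resemble process-creation events (Sysmon Event ID 1 / Security 4688) reduced to timestamp, parent image, user and command line; the regular expressions are assumptions about how these commands usually appear (the article reports shadow-copy deletion as behaviour, not as a command line), and the MITRE IDs are those on the page.

```python
"""Detection rules for the post-exploitation behaviours listed in the ASEC summary.

Added example, not code from the ASEC article. Log format and rule patterns are
assumptions; the technique IDs are the ones listed on the page.
"""
import re
from dataclasses import dataclass
from typing import List

# Worker processes of the web servers named in the article. A command spawned by one
# of these is the classic sign of a web shell, so any rule hit under them is escalated.
WEB_WORKERS = ("w3wp.exe", "tomcat.exe", "java.exe", "nginx.exe")


@dataclass(frozen=True)
class Rule:
    technique: str
    name: str
    severity: str
    pattern: "re.Pattern[str]"


RULES = [
    # T1033: user discovery right after initial access
    Rule("T1033", "User discovery (whoami / query user)", "low",
         re.compile(r"^\s*(?:whoami|query\s+user)\b", re.I)),
    # T1112: WDigest UseLogonCredential set to 1 (setting it to 0 is the hardening direction)
    Rule("T1112", "WDigest UseLogonCredential enabled", "high",
         re.compile(r"wdigest\b.*\buselogoncredential\b.*(?:/d|-value)\s*(?:0x)?1\b", re.I)),
    # T1059.001: Defender real-time monitoring switched off through PowerShell
    Rule("T1059.001", "Set-MpPreference disables real-time monitoring", "high",
         re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\b(?!\s*(?:\$false|0\b))", re.I)),
    # T1053.005: the task names the article attributes to this actor
    Rule("T1053.005", "Scheduled task named CredentialTask/CertificateTask", "high",
         re.compile(r'schtasks\b.*/create\b.*/tn\s+"?(?:credentialtask|certificatetask)\b', re.I)),
    # T1490: shadow copy deletion (assumed vssadmin form; the article reports only the behaviour)
    Rule("T1490", "Volume shadow copies deleted", "high",
         re.compile(r"vssadmin\b.*\bdelete\s+shadows\b", re.I)),
    # T1003.001: LSASS dumping with ProcDump or Mimikatz
    Rule("T1003.001", "LSASS memory access tool", "high",
         re.compile(r"procdump.*\blsass\b|\bmimikatz\b", re.I)),
]

# Constructed line format: "<ts> parent=<image> user=<account> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+user=(?P<user>.+?)\s+cmd=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    technique: str
    name: str
    severity: str
    parent: str
    cmd: str


def scan(log_text: str) -> List[Finding]:
    """Run every rule over every parsed line; escalate hits spawned by a web-server worker."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # constructed format only; a real pipeline would parse EVTX/JSON here
        parent, cmd = m.group("parent"), m.group("cmd")
        from_web_worker = parent.lower() in WEB_WORKERS
        for rule in RULES:
            if rule.pattern.search(cmd):
                severity = "high" if from_web_worker else rule.severity
                findings.append(Finding(m.group("ts"), rule.technique, rule.name, severity, parent, cmd))
    return findings


# Constructed sample log: the first six lines mirror the sequence described in the article,
# the last two are benign administrator activity that must not fire.
SAMPLE_LOG = r"""
2024-01-01T10:00:01 parent=w3wp.exe user=IIS APPPOOL\DefaultAppPool cmd=whoami
2024-01-01T10:00:05 parent=w3wp.exe user=IIS APPPOOL\DefaultAppPool cmd=query user
2024-01-01T10:01:10 parent=cmd.exe user=NT AUTHORITY\SYSTEM cmd=reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
2024-01-01T10:01:30 parent=cmd.exe user=NT AUTHORITY\SYSTEM cmd=powershell set-mppreference -disablerealtimemonitoring $true
2024-01-01T10:02:00 parent=cmd.exe user=NT AUTHORITY\SYSTEM cmd=schtasks /create /tn CredentialTask /tr C:\Windows\Temp\run.bat /sc minute /mo 30
2024-01-01T10:03:00 parent=cmd.exe user=NT AUTHORITY\SYSTEM cmd=vssadmin delete shadows /all /quiet
2024-01-01T10:05:00 parent=explorer.exe user=CORP\admin cmd=powershell Get-MpPreference
2024-01-01T10:06:00 parent=explorer.exe user=CORP\admin cmd=reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} [{f.technique}] {f.severity:<4} {f.name} <- {f.parent}: {f.cmd}")
```

Two design points matter here. The parent-process check carries most of the signal: `whoami` is noise on an administrator's desktop but a web-shell indicator under `w3wp.exe`, so the rule's base severity is low and the worker-parent condition raises it. The WDigest and Set-MpPreference rules deliberately look at the value written, so that the hardening commands (`UseLogonCredential` set to 0, real-time monitoring re-enabled) do not trigger the same alert as the attack.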

Indicators of Compromise

  • [File] Web shell paths – D: Root_DB1.aspx, D:**trustwwwphoto_upload..1.aspx, E:**Hoteluploadthankstest.asp, C:***Pay15sourcesource.asp
  • [MD5] – 612585fa3ada349a02bc97d4c60de784, eb1c6004afd91d328c190cd30f32a3d1, and 2 more hashes
  • [MD5] – 9fe61c9538f2df492dff1aab0f90579f, 9dc87e21769fb2b4a616a60a9aeecb03
  • [Tool/Malware] Potato – various Potato family variants (BadPotato, EfsPotato, GodPotato, JuicyPotato, etc.) and VMProtect-packed samples
  • [Tool] Mimikatz – observed in multiple paths (e.g., Hotelmimikatz.exe, mz64_ms_all.exe)
  • [Tool] NetCat – multiple NetCat binaries observed as reverse shell tools
  • [Tool] Ladon – PowerLadon and Ladon variants used for scanning, privilege escalation, and credential access

Read more: https://asec.ahnlab.com/en/56236/