Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections – ASEC BLOG

MITRE Techniques

• [T1195] Supply Chain Compromise – The threat actor attacked the VPN company’s website and replaced the installation file with malware, so users install the malware along with the VPN installer. “The threat actor had attacked the VPN company’s website and replaced the installation file with malware.”
• [T1053] Scheduled Task/Job – The disguised installer registers an additional generated “start.exe” on the task scheduler. “schtasks.exe /Create /ru SYSTEM /f /SC ONLOGON /rl highest /tn “system update” /tr [%LOCALAPPDATA%]/start.exe”
• [T1059.001] PowerShell – SparkRAT delivers PowerShell commands as part of its operations. The threat actor uses SparkRAT to execute commands such as PowerShell. “The threat actor utilized SparkRAT to deliver PowerShell commands…”
• [T1105] Ingress Tool Transfer – Downloader/GoLang dropper and the Go-based downloader fetch additional payloads (SparkRAT) from external sources. “start.exe is a downloader… responsible for downloading and executing additional malware from an external source. Like in the previous attack cases, SparkRAT is downloaded from the specified address.”
• [T1027] Obfuscated/Compressed Files and Information – GoLang-based droppers and downloaders are obfuscated GoLang malware. “although they are both obfuscated GoLang malware…”
• [T1021] Remote Services – MeshAgent provides remote-control capabilities via MeshCentral, enabling command execution and file transfer on infected hosts. “MeshAgent connects to a remote control page and registers itself as an agent to be managed.”
• [T1078] Valid Accounts – Access can be gained and maintained after “only a simple email authentication” to use MeshAgent. “There is also the advantage of being able to use MeshAgent after only a simple email authentication.”
• [T1071.001] Web Protocols – C2 communications via a dedicated domain/address for SparkRAT control (C2 URL). “aggbvdfbbafdg.moeuda[.]link:443: SparkRAT”