Malware Distribution Linked to Illegal Korean Gambling Website Targeting Web Server

ASEC reports a malware campaign targeting South Korean web servers in which a malicious IIS module redirects visitors to an illegal gambling site while a Meterpreter backdoor gives the actor control of the server. The operation also included port forwarding with HTran, persistence via an attacker-created account, and LSASS credential dumping with ProcDump to support lateral movement. #MeterpreterBackdoor #HTran #IISModuleMalware #ProcDump #IllegalGambling #KoreanWebServer

Keypoints

  • Malware was deployed on a poorly managed Windows IIS web server in Korea and used to send the site's visitors to an illegal gambling site.
  • The deployment sequence was a Meterpreter backdoor, HTran port forwarding, and finally the IIS module malware that controls the web server's responses.
  • The threat actor created a new account to keep persistence and to log in to the server from outside.
  • The IIS module malware inspects HTTP request headers and alters the responses to selected requests so that they redirect to illegal gambling pages; because the redirect is conditional on headers, a plain browser visit or a simple GET may not reproduce it.
  • ProcDump was used to dump the memory of lsass.exe; the credentials recovered from the dump supported lateral movement to other systems.
  • The IoCs are the two Meterpreter MD5s, the C2 IP and the related URLs listed below; blocking them helps, but the durable fix is patching and hardening the exposed IIS server.
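The deployment sequence in the keypoints leaves a recognisable trail in process-creation telemetry: the IIS worker spawning a shell, a "$"-suffixed account being added, lsass.exe being dumped, and a port forwarder starting. The Python below is an added example, not code from ASEC or the report. The events are constructed in the shape of Sysmon Event ID 1 fields and the binary names, paths and command lines are made up; only the `net user kr$ test123!@# /add` form follows the command quoted by the report, and the HTran switches follow the tool's documented -listen/-tran/-slave modes.

```python
"""Flag the tradecraft from the ASEC write-up in process-creation events.

Added example, not code from ASEC or the report. SAMPLE_EVENTS is constructed
to resemble Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); it is
not telemetry from the incident, and the file names are made up.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent: str   # ParentImage
    image: str    # Image
    cmdline: str  # CommandLine


# Constructed sample: IIS worker (w3wp.exe) spawns a shell, which runs discovery,
# creates a "$"-suffixed account, dumps lsass.exe and starts an HTran forwarder.
SAMPLE_EVENTS = [
    ProcEvent("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c systeminfo"),
    ProcEvent("WEB01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\net.exe", "net user kr$ test123!@# /add"),
    ProcEvent("WEB01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Temp\pd.exe", r"pd.exe -accepteula -ma lsass.exe C:\Windows\Temp\ls.dmp"),
    ProcEvent("WEB01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\Temp\ht.exe", "ht.exe -tran 8443 203.0.113.10 3389"),
    ProcEvent("WEB01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\net.exe", "net user"),  # benign: only lists accounts
]

NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<name>\S+)(?:\s+\S+)?\s+/add\b", re.I)
LSASS = re.compile(r"\blsass(?:\.exe)?\b", re.I)
DUMP_FLAG = re.compile(r"(?:^|\s)-(?:ma|mm|accepteula)\b", re.I)  # ProcDump switches
HTRAN = re.compile(r"(?:^|\s)-(?:listen|tran)\s+\d{1,5}\b|(?:^|\s)-slave\s+\S+\s+\d{1,5}\b", re.I)


def rule_iis_shell(e: ProcEvent):
    """IIS worker launching a shell: the usual first step after web-app exploitation."""
    child = e.image.lower().rsplit("\\", 1)[-1]
    if e.parent.lower().endswith("\\w3wp.exe") and child in {"cmd.exe", "powershell.exe"}:
        return f"w3wp.exe spawned {child}"


def rule_account_created(e: ProcEvent):
    """Local account creation; a trailing '$' hides the name from a plain 'net user' listing."""
    m = NET_USER_ADD.search(e.cmdline)
    if m:
        name = m.group("name")
        note = " (hidden from plain 'net user')" if name.endswith("$") else ""
        return f"account created: {name}{note}"


def rule_lsass_dump(e: ProcEvent):
    """ProcDump-style dump of lsass.exe, keyed on target and switches, not the binary name."""
    if LSASS.search(e.cmdline) and DUMP_FLAG.search(e.cmdline):
        return "memory dump of lsass.exe"


def rule_htran(e: ProcEvent):
    """HTran's -listen/-tran/-slave invocation shapes, whatever the binary is called."""
    if HTRAN.search(e.cmdline):
        return "HTran-style port forwarding"


RULES = (rule_iis_shell, rule_account_created, rule_lsass_dump, rule_htran)


def detect(events):
    """Return (host, rule name, detail) for every event that trips a rule."""
    return [(e.host, r.__name__, d) for e in events for r in RULES if (d := r(e))]


def chain_coverage(findings):
    """Distinct stages of the reported chain seen per host; several on one host is the alert."""
    seen = {}
    for host, rule, _ in findings:
        seen.setdefault(host, set()).add(rule)
    return seen


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(chain_coverage(hits))
```

The rules key on the command-line shape rather than on file names, because a renamed ProcDump or HTran is the norm; the benign `net user` listing in the sample trips nothing. An alert on two or more distinct stages on one host is more useful than any single rule, since `-ma lsass.exe` alone does occasionally appear in legitimate support work.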

MITRE Techniques

  • [T1190] Initial Access – Exploit Public-Facing Application – The actor “infiltrated a poorly managed Windows IIS web server in Korea.”
  • [T1082] Discovery – System Information Discovery – “ipconfig” and “systeminfo” were executed to survey the host before the tools were deployed.
  • [T1059.003 / T1059.001] Execution – Command and Scripting Interpreter: Windows Command Shell and PowerShell – “whoami” and “powershell whoami” were executed during discovery and setup.
  • [T1136.001] Persistence – Create Account: Local Account – “net user kr$ test123!@# /add” is quoted in the activity logs; the trailing “$” keeps the account out of a plain “net user” listing, so enumerate accounts with Get-LocalUser or from the SAM rather than relying on that command.
  • [T1505.004] Persistence – Server Software Component: IIS Components – The IIS module malware is loaded by the web server and alters responses so that selected requests are redirected to the gambling pages.
  • [T1003.001] Credential Access – OS Credential Dumping: LSASS Memory – ProcDump was used “to dump the process memory of lsass.exe”; credentials recovered from the dump supported lateral movement.
  • [T1090] Command and Control – Proxy – Port forwarding with HTran to reach the server from outside and relay C2 traffic (“HTran is a port forwarding tool…”).
  • [T1071] Command and Control – Application Layer Protocol – The Meterpreter backdoor “communicated with the threat actor’s server to receive and execute a shellcode.”
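IIS modules are registered in the server's applicationHost.config: native ones under <globalModules> with an image= path to a DLL, managed ones by type name under <modules>. A first host check for the IIS module malware described in the keypoints is therefore to list the registered native modules and flag any whose DLL lives outside the stock IIS directories. The Python below is an added example, not code from ASEC or the report; it parses a constructed applicationHost.config fragment in which the entry "HttpLogging" (a deliberate look-alike for the built-in HttpLoggingModule) and its path are made up, and reports entries outside %windir%\System32\inetsrv and %windir%\Microsoft.NET.

```python
"""Audit the native IIS modules registered in applicationHost.config.

Added example, not code from ASEC or the report. SAMPLE_CONFIG is a constructed
fragment in the shape of %windir%\\System32\\inetsrv\\config\\applicationHost.config;
the look-alike module "HttpLogging" and its path are made up for the demonstration.
"""
import ntpath
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="HttpLogging" image="C:\inetpub\temp\httplog.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" />
      <add name="StaticFileModule" />
      <add name="HttpLogging" />
    </modules>
  </system.webServer>
</configuration>
"""

# Directories that stock IIS and ASP.NET native modules live in.
TRUSTED_DIRS = (r"%windir%\System32\inetsrv", r"%windir%\Microsoft.NET")


def _resolve(path: str, windir: str) -> str:
    """Expand %windir% and normalise case/separators so prefix checks compare reliably."""
    return ntpath.normpath(path.replace("%windir%", windir)).lower()


def audit_global_modules(xml_text: str, windir: str = r"C:\Windows") -> list[dict]:
    """Return every <globalModules> entry whose DLL lives outside TRUSTED_DIRS.

    'enabled' records whether some <modules> list also activates it: a registered
    but inactive module still deserves a look, but an active one runs inside every
    w3wp.exe worker and can rewrite any response the site sends.
    """
    root = ET.fromstring(xml_text)
    enabled = {m.get("name") for m in root.iterfind(".//modules/add")}
    trusted = tuple(_resolve(d, windir) + "\\" for d in TRUSTED_DIRS)
    findings = []
    for add in root.iterfind(".//globalModules/add"):
        image = _resolve(add.get("image", ""), windir)
        if not image.startswith(trusted):
            findings.append({
                "name": add.get("name"),
                "image": image,
                "enabled": add.get("name") in enabled,
            })
    return findings


if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_CONFIG):
        print(f)
```

On a live server the same list comes from `%windir%\System32\inetsrv\appcmd.exe list modules` or `Get-WebGlobalModule` from the WebAdministration PowerShell module. The path filter is only a first pass: a module dropped into inetsrv itself passes it, so follow up by checking the signature and hash of every registered DLL, and note that the MD5s listed below belong to the Meterpreter backdoor, not to the IIS module.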

Indicators of Compromise

  • [MD5] Meterpreter Backdoor – d5312ab7f01fd74d399c392effdfe437, ebeb931a6dd91a227225f0ff92142f2b
  • [IP] C2 Address – 43.156.50[.]76
  • [URL] C2/delivery URL – hxxp://ll.olacityviet[.]com
  • [URL] Additional resource – hxxps://ll.olacityviet[.]com/av.js
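The indicators above are published defanged (hxxp, [.]), so a sweep first has to refang them and then match hostnames and IPs as whole tokens rather than as substrings. The Python below is an added example, not code from ASEC or the report: it refangs the four IoCs listed above and runs them over a constructed proxy log and a constructed file-hash inventory (neither is real data from the incident; the inventory's first entry deliberately carries one of the published MD5s under a made-up path).

```python
"""Refang the published IoCs and sweep constructed logs and a hash inventory for them.

Added example, not code from ASEC or the report. The IoC values are the ones
listed on this page; the proxy log lines and the file inventory are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

IOCS = {
    "md5": {"d5312ab7f01fd74d399c392effdfe437", "ebeb931a6dd91a227225f0ff92142f2b"},
    "ip": {"43.156.50[.]76"},
    "url": {"hxxp://ll.olacityviet[.]com", "hxxps://ll.olacityviet[.]com/av.js"},
}


def refang(value: str) -> str:
    """Undo the usual defanging: hxxp -> http, [.] -> ., [:] -> :."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def build_matchers(iocs):
    """Turn the IoC list into sets usable against logs: IPs, hostnames, URLs, hashes."""
    urls = {refang(u) for u in iocs["url"]}
    return {
        "ip": {refang(i) for i in iocs["ip"]},
        "host": {urlparse(u).hostname for u in urls},
        "url": urls,
        "md5": {h.lower() for h in iocs["md5"]},
    }


# Constructed proxy log (not real traffic): "client dst_ip method url status".
SAMPLE_PROXY_LOG = [
    "10.0.0.21 43.156.50.76 CONNECT 43.156.50.76:443 200",
    "10.0.0.21 198.51.100.7 GET https://ll.olacityviet.com/av.js 200",
    "10.0.0.22 198.51.100.8 GET https://www.example.com/index.html 200",
    "10.0.0.21 198.51.100.9 GET http://ll.olacityviet.com/ 302",
]

# Constructed (path, md5) inventory as a hashing tool would emit it.
SAMPLE_INVENTORY = [
    (r"C:\Windows\Temp\svc.exe", "D5312AB7F01FD74D399C392EFFDFE437"),
    (r"C:\inetpub\wwwroot\index.html", hashlib.md5(b"<html>hello</html>").hexdigest()),
]


def scan_proxy_log(lines, matchers):
    """Return (line number, kind, value) for whole-token IP and hostname hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in sorted(matchers["ip"]):
            # Not preceded/followed by digits or dots, so 143.156.50.76 does not match.
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line):
                hits.append((n, "ip", ip))
        for host in sorted(matchers["host"]):
            # Allow a leading subdomain dot, reject xll.olacityviet.com and com.evil.net.
            if re.search(rf"(?<![\w-]){re.escape(host)}(?![\w.-])", line):
                hits.append((n, "host", host))
    return hits


def scan_inventory(inventory, matchers):
    """Case-insensitive MD5 match against the published hashes."""
    return [(path, h.lower()) for path, h in inventory if h.lower() in matchers["md5"]]


if __name__ == "__main__":
    m = build_matchers(IOCS)
    print(scan_proxy_log(SAMPLE_PROXY_LOG, m))
    print(scan_inventory(SAMPLE_INVENTORY, m))
```

Hash hits are the weakest indicator here: a rebuilt Meterpreter stager changes its MD5 while keeping the same C2, so the hostname and IP matchers carry more weight. Treat an IP hit as a lead rather than proof, since cloud-hosted addresses get reassigned; the domain match is the more durable of the two.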

Read more: https://asec.ahnlab.com/en/65131/