Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server

May 8, 2024, 5:23 p.m.


This report examines a malware strain distributed to web servers in South Korea that redirects users to an illegal gambling site. The threat actor installed a Meterpreter backdoor, a port forwarding tool, and an IIS module malware on a compromised web server. The IIS module inspects HTTP headers and modifies responses to expose ads for the illegal gambling site on portal websites. The actor also used ProcDump to steal credentials, likely for lateral movement.


Published Created Modified
May 8, 2024, 11:05 a.m. May 8, 2024, 11:05 a.m. May 8, 2024, 5:23 p.m.


Attack Patterns