Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server

May 8, 2024, 5:23 p.m.

Description

This report examines a malware strain distributed to web servers in South Korea that redirects users to an illegal gambling site. The threat actor installed a Meterpreter backdoor, a port forwarding tool, and an IIS module malware on a compromised web server. The IIS module inspects HTTP headers and modifies responses to expose ads for the illegal gambling site on portal websites. The actor also used ProcDump to steal credentials, likely for lateral movement.
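The report describes an IIS module that rewrites server responses so that visitors receive content pointing at the gambling infrastructure. A defender who suspects a web server has been tampered with can check the pages it actually serves against the indicators listed in this report. The script below is an added example, not part of the original report or any analysed sample: it extracts `src`/`href` references from an HTML body, resolves each to a hostname (including the protocol-relative `//host/path` form, which a naive substring match on `http://` would miss), and flags any reference that resolves to one of the report's domains or the IP. The sample responses, and the `x.js` path in the third one, are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Indicator hosts taken from the report above (two domains and one IP).
INDICATOR_HOSTS = {"ll.olacityviet.com", "jsc.olacityviet.com", "43.156.50.76"}

# src= or href= on the tags an injected reference usually rides on; either quote style, any case.
_REF_RE = re.compile(
    r'<(script|iframe|link|img)\b[^>]*?\b(?:src|href)\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE | re.DOTALL,
)


def _host_of(url: str) -> str:
    """Lowercase hostname of a URL; '' for relative paths. Protocol-relative '//host/x' gets a scheme first."""
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()


def find_references(html: str):
    """Every (tag, url, host) resource reference found in an HTML body."""
    return [(tag.lower(), url, _host_of(url)) for tag, url in _REF_RE.findall(html)]


def injected_indicators(html: str, hosts=INDICATOR_HOSTS):
    """Sorted, de-duplicated URLs in the body whose host is a known indicator."""
    return sorted({url for _, url, host in find_references(html) if host in hosts})


def triage(responses: dict) -> dict:
    """Map page name -> flagged URLs, for pages that contain at least one indicator reference."""
    result = {}
    for name, body in responses.items():
        hits = injected_indicators(body)
        if hits:
            result[name] = hits
    return result


# Constructed sample responses: one clean page and two with an injected script tag.
CLEAN_RESPONSE = (
    "<html><head><script src='/static/app.js'></script></head>"
    "<body>portal news</body></html>"
)
INJECTED_RESPONSE = CLEAN_RESPONSE.replace(
    "</head>",
    '<script type="text/javascript" src="https://ll.olacityviet.com/av.js"></script></head>',
)
# Protocol-relative reference in upper-case markup; the path x.js is made up for this example.
PROTOCOL_RELATIVE_RESPONSE = CLEAN_RESPONSE.replace(
    "</head>", "<SCRIPT SRC='//jsc.olacityviet.com/x.js'></SCRIPT></head>"
)

if __name__ == "__main__":
    pages = {
        "index.html": CLEAN_RESPONSE,
        "news.html": INJECTED_RESPONSE,
        "login.html": PROTOCOL_RELATIVE_RESPONSE,
    }
    for page, urls in triage(pages).items():
        print(f"{page}: references indicator host via {', '.join(urls)}")
```

In practice the HTML bodies would come from fetching the site through the same path a visitor uses (the module keys on request headers, so a fetch that does not look like a browser may receive the clean page) and comparing against the files on disk; a reference that appears in the served response but not in the source tree is the sign that the rewrite is happening in the server itself.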

Date

  • Created: May 8, 2024, 11:05 a.m.
  • Published: May 8, 2024, 11:05 a.m.
  • Modified: May 8, 2024, 5:23 p.m.

Indicators

  • 2ec893440e04de55bc6bbe4b1db76df532aa42d3140a15dc5365ef520a1d4247
  • 0f7df7ac22957da6a793f641cda611c2c2a294355d4d19b29b6920853a012d98
  • 43.156.50.76
  • https://ll.olacityviet.com/av.js
  • http://ll.olacityviet.com
  • http://jsc.olacityviet.com
  • ll.olacityviet.com
  • jsc.olacityviet.com

Attack Patterns

  • Meterpreter
  • T1556.002
  • T1021.002
  • T1543.003
  • T1053.005
  • T1555.003
  • T1059.004
  • T1204.002
  • T1190
  • T1078