Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server

May 8, 2024, 5:23 p.m.

Description

This report examines a malware strain distributed to web servers in South Korea that redirects users to an illegal gambling site. The threat actor installed a Meterpreter backdoor, a port forwarding tool, and an IIS module malware on a compromised web server. The IIS module inspects HTTP headers and modifies responses to expose ads for the illegal gambling site on portal websites. The actor also used ProcDump to steal credentials, likely for lateral movement.

Date

Published Created Modified
May 8, 2024, 11:05 a.m. May 8, 2024, 11:05 a.m. May 8, 2024, 5:23 p.m.

Indicators

Attack Patterns