Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server
May 8, 2024, 5:23 p.m.
Description
This report examines a malware strain distributed to web servers in South Korea that redirects users to an illegal gambling site. The threat actor installed a Meterpreter backdoor, a port forwarding tool, and an IIS module malware on a compromised web server. The IIS module inspects HTTP headers and modifies responses to expose ads for the illegal gambling site on portal websites. The actor also used ProcDump to steal credentials, likely for lateral movement.
Date
Published: May 8, 2024, 11:05 a.m.
Created: May 8, 2024, 11:05 a.m.
Modified: May 8, 2024, 5:23 p.m.
Indicators
Attack Patterns
Meterpreter
T1556.002
T1021.002
T1543.003
T1053.005
T1555.003
T1059.004
T1204.002
T1190
T1078