Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server

May 8, 2024, 5:23 p.m.

Description

This report examines a malware strain distributed to web servers in South Korea that redirects users to an illegal gambling site. The threat actor installed a Meterpreter backdoor, a port forwarding tool, and a malicious IIS module on a compromised web server. The IIS module inspects HTTP headers and modifies responses so that ads for the illegal gambling site are displayed on portal websites. The actor also used ProcDump to steal credentials, likely for lateral movement.

Date

Published: May 8, 2024, 11:05 a.m.
Created: May 8, 2024, 11:05 a.m.
Modified: May 8, 2024, 5:23 p.m.

Indicators


Attack Patterns

Meterpreter
T1556.002
T1021.002
T1543.003
T1053.005
T1555.003
T1059.004
T1204.002
T1190
T1078