Penetration and Distribution Method of Gwisin Attacker

The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. 

How Gwisin Attacker Penetrates a Server

Unlike other attackers who use spear phishing, watering hole, and other known methods to dominate a PC and obtain administrator privilege to propagate the virus into a target company’s internal network systems, the Gwisin threat actor directly performs the web hacking attack to penetrate into the web servers. As such, companies must check for web vulnerabilities and fortify the security of connected DBs to defend against web hacking attacks. 

It appears that the attacker attempts to steal system account info prior to distributing the ransomware. They scan and perform SQL injection attack on publicly-exposed web servers. 

Among the traces of the attack, an attack code of SQL Injection, written for use against an MS SQL server, was found in a Linux server. This hints that the attacker is indiscriminately attacking the servers using automated offense tools.

 Figure. SQL injection attack code of the Gwisin attacker found in Linux server

 

It has been confirmed that the attacker uses WebShell following after a successful attack on a web server. Some cases involve WebShell inserted into a PHP file. In other cases, independent WebShell files were created. However, the techniques of inserting WebShell code into the existing file or uploading the file have not yet been identified.

Additionally, the attacker uses a Reverse Shell code written with Python to establish a reverse connection. It was discovered that the attacker adds service_issue() function performing the roll of Reverse Shell to the init type of Linux shell script existing inside the system. The attacker creates a TCP socket through the function, connects to the attacker server (158.247.221.23:80), and runs sh to provide the attacker with Linux shell.

Figure. Reverse Shell code inserted by the attacker

What the Attacker Does After Penetrating into Server

After dominating a Linux system, the attacker uses RPM to install NMAP. They then perform multiple port scans on the internal systems to identify additional attack targets.

Figure. Confirmed installed NMAP

Figure. History of NMAP execution

How the Attacker Moves Inside the Internal Server

The attacker, after dominating the Windows system of the internal network, registers a service that perform Full Memory Dumping on the memory of the Isass.exe process to obtain additional credentials. They then secure the memory dump of the lsass.exe process.

Figure. Event log for registering lsass.exe dumping service

The attacker then uses the obtained credentials to send reverse connection command to other systems. Among the target systems that received the command, the systems connected to the Internet are connected to the C2 server. As a result, the attacker gains direct control over the internal system from the outside.

Figure. Trace of reverse connection attempted using attacker IP

The attacker then downloads the Gwisin MSI file from the C2 server.

Figure. Event log of the system downloading ransomware MSI file

How the Attacker Distributes the Ransomware

The attacker installs the IIS web service into the first dominated system and uses it to spread the ransomware to internal systems of the target company. After installing the IIS web service, the attacker creates the ransomware files in the web root path (C:\inetpub\wwwroot) and distributes the ransomware.

  • Ransomware for Windows: x64_install.msi
  • Ransomware for Linux: x64_nix, x86_nix
Figure. Part of event log for installing of IIS service 

The attacker can use the IIS web service in the internal system to easily distribute the ransomware to multiples systems connected to the domain via AD policy and WMI command. Furthermore, the attacker does not have to directly access the server that distributes the malware on the Internet. As such, they can successfully distribute the ransomware into the internal systems without Internet access. 

The attacker uses the following command to download and run the ransomware. 

Figure. Command for downloading and running ransomware

When the above command is executed, “x64_install.msi,” the ransomware file in the IIS web route directory, is downloaded and executed. 

Characteristics of Gwisin

To run Gwisin, one must enter the exact arguments.

Figure. Command for running ransomware

The description of each argument is as follows:

  • LICENSE: A key that decrypts the encoded ransomware (creates decryption key by combining with SERIAL)
  • SERIAL: A key that decrypts the encoded ransomware (creates decryption key by combining with LICENSE)
  • SMM (see Malicious File Analysis Results for details)
    • 0: File Encryption Mode 
    • 1: Safe Mode Boot Mode 

When the file is encrypted via the ransomware, an extension similar to the name of the target company is added to the encrypted file. Additionally, a file with ‘0’ at the end of the extension is also created in the same directory. It contains information required to restore the original file.

Upon the file encryption, a ransom note is created. The ransom note’s filename and body text contain strings that can identify the target company. It contains the URL that connects to the attacker’s website, and account and password that can be used to log in to the website.

Figure. Ransom note confirmed from the ransomware-infected system (!!!_HOW_TO_UNLOCK_FILES_!!!.TXT)

Gwisin deletes event logs and ransomware files of the system after the file encryption.

For more information on Gwisin’s process flow and characteristics, see ASEC blog’s Gwisin Ransomware Targeting Korean Companies (https://asec.ahnlab.com/en/37483/). 

Malware Used by the Attacker 

MD5FilenameAnalysis Results 
13eef02d5e5f5543
e83ad8c8a8c8ff9a
MSI****.tmpGwisin file for Windows which is the DLL file of install_x64.msi

[Ransomware Behavior Details]
If executed with SMM=1

1. Self-Replication
ㆍCopies itself into the following filepath
ㆍC:\ProgramData\a35f23725b5feab2.msi
2. Ransomware Service Creation
ㆍService Name: ****************(16-digit HEX)
ㆍImage Path: msiexec /qn /i C:\ProgramData\****************.msi SERIAL=**************** LICENSE=**************** SMM=0 ORG=***
3. Copying of bcdedit.exe and Changing Boot Option
ㆍCopies bcdedit.exe to ProgramData folder with a different name (dxdiag.exe)
ㆍChanges default boot mode to safe mode
4. Registering Service to Enable Operation in Safe Mode
ㆍHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
ㆍHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
5. Reboot
ㆍReboots as safe mode after 5 seconds
6. Ransomware Operation
95237d0c6e6b1822
cecca34994c0d273
x86_nixx86 version file of Gwisin

[File Detection]

  • Ransomware/Win.Gwisin (2022.07.27.03)
  • Trojan/Linux.Agent (2022.08.05)

[File MD5]

  • 13EEF02D5E5F5543E83AD8C8A8C8FF9A
  • 95237D0C6E6B1822CECCA34994C0D273

[IP/URL]

  • 158.247.221[.]23

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis informaion.

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments