Penetration and Distribution Method of Gwisin Attacker

The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. 

How Gwisin Attacker Penetrates a Server

Unlike other attackers who use spear phishing, watering hole, and other known methods to dominate a PC and obtain administrator privilege to propagate the virus into a target company’s internal network systems, the Gwisin threat actor directly performs the web hacking attack to penetrate into the web servers. As such, companies must check for web vulnerabilities and fortify the security of connected DBs to defend against web hacking attacks. 

It appears that the attacker attempts to steal system account info prior to distributing the ransomware. They scan and perform SQL injection attack on publicly-exposed web servers. 

Among the traces of the attack, an attack code of SQL Injection, written for use against an MS SQL server, was found in a Linux server. This hints that the attacker is indiscriminately attacking the servers using automated offense tools.

It has been confirmed that the attacker uses WebShell following after a successful attack on a web server. Some cases involve WebShell inserted into a PHP file. In other cases, independent WebShell files were created. However, the techniques of inserting WebShell code into the existing file or uploading the file have not yet been identified.

Additionally, the attacker uses a Reverse Shell code written with Python to establish a reverse connection. It was discovered that the attacker adds service_issue() function performing the roll of Reverse Shell to the init type of Linux shell script existing inside the system. The attacker creates a TCP socket through the function, connects to the attacker server (158.247.221.23:80), and runs sh to provide the attacker with Linux shell.

What the Attacker Does After Penetrating into Server

After dominating a Linux system, the attacker uses RPM to install NMAP. They then perform multiple port scans on the internal systems to identify additional attack targets.

How the Attacker Moves Inside the Internal Server

The attacker, after dominating the Windows system of the internal network, registers a service that perform Full Memory Dumping on the memory of the Isass.exe process to obtain additional credentials. They then secure the memory dump of the lsass.exe process.

The attacker then uses the obtained credentials to send reverse connection command to other systems. Among the target systems that received the command, the systems connected to the Internet are connected to the C2 server. As a result, the attacker gains direct control over the internal system from the outside.

The attacker then downloads the Gwisin MSI file from the C2 server.

How the Attacker Distributes the Ransomware

The attacker installs the IIS web service into the first dominated system and uses it to spread the ransomware to internal systems of the target company. After installing the IIS web service, the attacker creates the ransomware files in the web root path (C:\inetpub\wwwroot) and distributes the ransomware.

• Ransomware for Windows: x64_install.msi
• Ransomware for Linux: x64_nix, x86_nix

The attacker can use the IIS web service in the internal system to easily distribute the ransomware to multiples systems connected to the domain via AD policy and WMI command. Furthermore, the attacker does not have to directly access the server that distributes the malware on the Internet. As such, they can successfully distribute the ransomware into the internal systems without Internet access. 

The attacker uses the following command to download and run the ransomware. 

When the above command is executed, “x64_install.msi,” the ransomware file in the IIS web route directory, is downloaded and executed. 

Characteristics of Gwisin

To run Gwisin, one must enter the exact arguments.

The description of each argument is as follows:

• LICENSE: A key that decrypts the encoded ransomware (creates decryption key by combining with SERIAL)
• SERIAL: A key that decrypts the encoded ransomware (creates decryption key by combining with LICENSE)
• SMM (see Malicious File Analysis Results for details)
  • 0: File Encryption Mode 
  • 1: Safe Mode Boot Mode 

When the file is encrypted via the ransomware, an extension similar to the name of the target company is added to the encrypted file. Additionally, a file with ‘0’ at the end of the extension is also created in the same directory. It contains information required to restore the original file.

Upon the file encryption, a ransom note is created. The ransom note’s filename and body text contain strings that can identify the target company. It contains the URL that connects to the attacker’s website, and account and password that can be used to log in to the website.

Gwisin deletes event logs and ransomware files of the system after the file encryption.

For more information on Gwisin’s process flow and characteristics, see ASEC blog’s Gwisin Ransomware Targeting Korean Companies (https://asec.ahnlab.com/en/37483/). 

Malware Used by the Attacker 

[File Detection]

• Ransomware/Win.Gwisin (2022.07.27.03)
• Trojan/Linux.Agent (2022.08.05)

[File MD5]

• 13EEF02D5E5F5543E83AD8C8A8C8FF9A
• 95237D0C6E6B1822CECCA34994C0D273

[IP/URL]

• 158.247.221[.]23

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis informaion.