Analysis Report on Malware Distributed Through a South Korean Language Academy Website
Overview
The AhnLab SEcurity intelligence Center (ASEC) recently confirmed that a Meterpreter backdoor, a port-forwarding tool, and IIS module malware were installed through an improperly managed Windows IIS (Internet Information Services) web server. In this attack, the threat actor ultimately installed IIS module malware on the web server. IIS modules can be developed using the IIS C++ API or the ASP.NET 2.0 API, and server developers use them to inspect, log, and modify the HTTP request and response data the server handles.
IIS module-based malware was first discovered by Trustwave in 2013, acting as an ISN infostealer[1]. The IIS module malware identified in this incident inspects the HTTP User-Agent header of requests arriving at the web server on which it is installed. Under certain conditions it tampers with the HTTP response so that advertisements for illegal gambling sites are displayed on South Korean and Chinese search portal sites, and users who click the link are directed to those illegal gambling sites.

Figure 1. Meterpreter backdoor distribution through Windows IIS web server

Figure 2. Illegal gambling sites displayed on Naver portal site
[1] The Curious Case of the Malicious IIS Module (trustwave.com)