Analysis Report on Larva-24011 Threat Actor’s Latest Attack Trend

1. Overview

The Larva-24011 threat actor targets vulnerable systems to install CoinMiner and proxyware for financial gain. AhnLab Security Intelligence Center (ASEC) has recently observed that, besides installing CoinMiner and proxyware, the threat actor is increasingly taking control of infected systems and exfiltrating information, for example by installing remote control malware strains or adding backdoor accounts.

The threat actor has been active since at least 2021, targeting improperly managed IIS and Tomcat web servers and MS-SQL servers. Because the attacks are opportunistic, aimed at whatever vulnerable systems are exposed, no specific targeting can be identified. However, the presence of Chinese language in many of the tools used suggests that the threat actor is a Chinese speaker.

The threat actor initially used brute force and dictionary attacks on inadequately managed MS-SQL servers to install CoinMiner and later installed proxyware to gain financial profit. 

This report covers both the past and recently identified attack cases by the Larva-24011 threat actor involving the use of CoinMiner and proxyware. In recent attack cases, the threat actor has been installing remote control malware strains like Gh0st RAT or adding backdoor accounts. In addition, they installed RDP Wrapper and proxy tools to take control of the infected systems.

 

2. Malware Analysis

 

2.1. Initial Infiltration Cases

 

In attack cases targeting MS-SQL servers, initial infiltration appears to occur through brute force or dictionary attacks. This can be inferred from the fact that systems compromised by the threat actor generally also carry other malware installed through the same kind of attack.
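Brute force and dictionary attacks against MS-SQL leave a dense trail of error 18456 entries in the SQL Server ERRORLOG, as long as login auditing is left at its default of "Failed logins only" (or set to "Both"). The following detection logic is an added example written for this article, not code from ASEC or from the threat actor's tooling; the ERRORLOG lines it runs over are constructed sample data, and the threshold and window are assumptions to tune per environment. It groups failures per client address in a sliding window and reports the peak count and the logins tried, so that a dictionary attack on a single login such as 'sa' and a spray across many logins both surface.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not from the report):
# one external host hammers the 'sa' login and then probes a non-existent
# login, while an administrator on the LAN mistypes a password once.
SAMPLE_ERRORLOG = """\
2024-05-01 10:15:22.45 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:15:22.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:15:22.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:15:22.94 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:15:23.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 10:15:23.30 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-05-01 10:20:03.10 Logon       Login failed for user 'dbadmin'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

# Shape of the "Login failed" line that accompanies error 18456 in the ERRORLOG.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. Reason: (?P<reason>[^.]*)\."
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, login, reason, client_ip) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["user"], m["reason"], m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window count of failures per client IP.

    A client is reported once `threshold` failures fall inside `window`
    (threshold and window are assumed defaults, not values from the report).
    The alert keeps the peak count and every login tried, so a dictionary
    attack on 'sa' and a spray across many logins are both visible.
    """
    recent = defaultdict(deque)   # client -> deque of (ts, login) still inside the window
    alerts = {}
    for ts, user, _reason, client in sorted(events, key=lambda e: e[0]):
        q = recent[client]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            prev = alerts.get(client)
            if prev is None or len(q) > prev["failures"]:
                alerts[client] = {
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),
                    "first": q[0][0],
                    "last": ts,
                }
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"{client}: {info['failures']} failures in window, logins tried {info['users']} "
              f"({info['first']:%H:%M:%S} - {info['last']:%H:%M:%S})")
```

The "Reason" text is worth keeping in the parsed event: "Could not find a login matching the name provided" means the attacker is guessing login names, while "Password did not match" against an existing login such as sa is password guessing, and an MS-SQL instance exposed to the Internet with sa enabled is exactly the profile this threat actor looks for.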

The Larva-24011 threat actor also uses SqlShell in their attacks. In the following image, the top part shows SqlShell installing proxyware and the bottom part shows SqlShell installing the XMRig CoinMiner. In these cases, SqlShell acted only as a dropper and loader for the proxyware or CoinMiner embedded in its resources; it did not execute any commands received from the attacker.

 


Figure. SqlShell identified in recent attack cases

 

The threat actor used to target mainly inadequately managed MS-SQL servers, but web servers have recently become targets as well. Attack cases against both IIS and Tomcat servers have been identified, in which a web shell is installed first and then used to install additional payloads. Some of the collected web shells contain Chinese-language content (see Figure 4), and many of the malware samples identified in attack cases contain Chinese strings, suggesting that the attacker may be a Chinese speaker.

 


Figure. Malware generated by a vulnerable Tomcat service

 

2.2. CoinMiner / Proxyware Attack Cases

 

In past attack cases, after initial infiltration the threat actor created a “sqlbase” folder inside the MS-SQL data folder (e.g., %ProgramFiles%\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\DATA) and dropped a malware file named “SqlBase.exe” there. SqlBase.exe is a simple downloader written in .NET: it downloads configuration data and the CoinMiner from the C&C server and installs them.

 

Although the number of CoinMiner cases has decreased compared to the past, CoinMiner is still being identified in recent attacks. The recent samples are distributed disguised as legitimate programs and register XMRig as a service. As in the past, the CoinMiner payload is stored in a resource named “gmp”.

 


Figure. CoinMiner stored in the resource named “gmp”

 

Since early June 2022, the Larva-24011 threat actor has targeted improperly managed MS-SQL servers and installed proxyware from the company Peer2Profit under the file name “sdk.mdf”. Because “sdk.mdf” is a library supplied by the proxyware itself, it was used together with a malicious CLR assembly that abuses the proxyware to sell the victim’s bandwidth. The CLR assembly loads “sdk.mdf” and calls its export function p2p_start(), so the proxyware runs without the user’s knowledge. p2p_start() takes the e-mail address that receives the payout as an argument, so the attacker’s e-mail address can be recovered from the malware.

The GmpStart() function is the actual dropper: it installs the launcher malware “warpstrat.dll” together with proxyware from Traffmonetizer, IPRoyal, Proxyrack, and PacketStream. As summarized in the table below, each proxyware is installed sequentially by its own sub-function, and all files are written under %APPDATA%. The dropper does not execute the installed proxyware directly; it launches them indirectly through “warpstrat.dll”.

 

Type            Path                         File                  Feature
Launcher        %APPDATA%\                   warpstrat.dll         Launcher tool
Traffmonetizer  %APPDATA%\sraffzer\          sraffzer.exe, etc.    Traffmonetizer proxyware
                %APPDATA%\traffmonetizer\    settings.json, etc.   Traffmonetizer configuration file
IPRoyal         %APPDATA%\                   SQLSERVERHUP.dll      IPRoyal proxyware
                %APPDATA%\ip_royal_paws\     Other files           IPRoyal configuration file
Proxyrack       %APPDATA%\                   sqlgo.exe             Proxyrack proxyware
                %APPDATA%\                   prokey.obj            Proxyrack configuration file
PacketStream    %APPDATA%\                   psexitnode.exe        PacketStream proxyware

Table. List of installed proxyware

 

2.3. Remote Control

 

Gh0st RAT is the only remote control malware directly identified in the attack cases, but several downloaders were also found, which suggests that other malware strains may be in use.

Gh0st RAT is a remote control malware strain developed by the C. Rufus Security Team. Because its source code is publicly available, malware developers use it as a base for numerous variants, and it continues to appear in attacks. Gh0st RAT is mainly used in attacks against vulnerable services such as web servers or MS-SQL servers, and although its source code is public, it is used primarily by Chinese-speaking attackers.

 


Figure. Gh0st RAT used in attacks

 

In addition, there were cases where the remote control tool AnyDesk (a legitimate program that is also used for remote support) was installed to evade security products. Beyond these known malware strains, new types of malware have also been identified. These are mainly downloaders, with AuAgent being the main example. AuAgent downloads the files “mpclient.exe,” “mpclient.dll,” and “mpclient.dat”. The EXE/DLL/DAT combination suggests PlugX, which is commonly used by China-based attackers, but the actual payload could not be confirmed because the download failed during analysis.

 


Figure. AuAgent’s configuration data

 

The threat actor uses Mimikatz to steal the credentials of existing users, or adds backdoor accounts with NetUser tools. Most NetUser variants receive the account details from the attacker at runtime, but there are also cases where the ID and password of the account to be added are hard-coded, as shown below.

 

No   ID           Password
1    test123      TestPass123@\
2    admin$       getm0ney.$$$
3    TempUser$    TempUser888#NULL…

Table. Credentials used by the threat actor
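Two of the hard-coded account names above end in “$”, which is a detail worth acting on: the net user command does not list accounts whose names end in “$”, so a quick manual check of local accounts can miss them (enumerate the SAM directly, or use Get-LocalUser, instead). The following detection logic is an added example written for this article, not ASEC's code; it runs over constructed Windows Security events (4720, account created, and 4732, member added to a local group) flattened to dicts as a SIEM export would present them. It flags “$”-suffixed names, names from the table above, accounts created under the MS-SQL or IIS service identity (an assumed list that must be adapted to the host), and accounts that land in Administrators shortly after creation.

```python
from datetime import datetime, timedelta

# Constructed Windows Security events (sample data, not from the report):
#   4720 = a user account was created, 4732 = a member was added to a local group.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-05-01T11:02:10", "SubjectUserName": "MSSQLSERVER",
     "TargetUserName": "admin$", "TargetSid": "S-1-5-21-1-2-3-1010"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T11:02:11", "SubjectUserName": "MSSQLSERVER",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1010"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T11:05:00", "SubjectUserName": "itops",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1011"},
    {"EventID": 4732, "TimeCreated": "2024-05-01T13:30:00", "SubjectUserName": "itops",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-1-2-3-1011"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T11:40:00", "SubjectUserName": "DefaultAppPool",
     "TargetUserName": "test123", "TargetSid": "S-1-5-21-1-2-3-1012"},
]

# Account names taken from the report's credential table.
KNOWN_BACKDOOR_NAMES = {"test123", "admin$", "TempUser$"}

# Assumption for this example: identities under which MS-SQL and IIS run on the
# host. None of them has any business creating local accounts.
SERVICE_CONTEXTS = {"MSSQLSERVER", "DefaultAppPool", "NETWORK SERVICE", "LOCAL SERVICE"}


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def analyze_account_creations(events, window=timedelta(minutes=10)):
    """Score every 4720 event and correlate it with 4732 on the new account's SID.

    `window` (an assumed default) bounds how soon after creation a promotion to
    Administrators counts as part of the same backdoor setup.
    """
    admin_adds = {e["MemberSid"]: _ts(e) for e in events
                  if e["EventID"] == 4732 and e["TargetUserName"] == "Administrators"}
    findings = []
    for e in events:
        if e["EventID"] != 4720:
            continue
        name, reasons = e["TargetUserName"], []
        if name.endswith("$"):
            reasons.append("name ends in '$', so 'net user' does not list it")
        if name in KNOWN_BACKDOOR_NAMES:
            reasons.append("name matches a backdoor account from the report")
        if e["SubjectUserName"] in SERVICE_CONTEXTS:
            reasons.append(f"created by service identity {e['SubjectUserName']}")
        added = admin_adds.get(e["TargetSid"])
        if added is not None and timedelta(0) <= added - _ts(e) <= window:
            reasons.append("added to Administrators %d s after creation"
                           % (added - _ts(e)).total_seconds())
        if reasons:
            high = len(reasons) >= 2 or reasons[-1].startswith("added to Administrators")
            findings.append({"account": name, "created_by": e["SubjectUserName"],
                             "severity": "high" if high else "medium", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_account_creations(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['account']} created by {f['created_by']}: "
              + "; ".join(f["reasons"]))
```

In the sample, svc_backup is created by an administrator and only promoted hours later, so it is not reported; admin$ and test123 are, because they match several of the report's indicators at once. The SID-based correlation matters because 4732 records the new member as a SID rather than a name.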

 

The web shells identified during the attack process and the NetUser tools contain the following Chinese strings.

 


Figure. Chinese strings found in the malware

 

To control the infected system remotely with the acquired account, the threat actor installs RDP Wrapper, and when the infected system sits on an internal network that cannot be reached directly, a port forwarding tool called PortTranC may also be used. In all observed logs and PortTranC samples, the tool connects to the C&C server and forwards local port 3389, which indicates that the threat actor uses PortTranC to tunnel RDP out to their infrastructure.
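A forwarder of this kind has a recognizable footprint on the host: the same process holds a loopback connection to port 3389 (it is an RDP client of the machine it runs on) and an outbound connection to an external address (the C&C side of the tunnel). The following check is an added example written for this article, not code from ASEC or from the PortTranC tool; it parses constructed `netstat -ano` output together with an assumed PID-to-image map and reports processes that fit both conditions. The internal-address list and the process name “update.exe” are assumptions for the sample.

```python
import ipaddress
from collections import defaultdict, namedtuple

# Constructed `netstat -ano` output (sample data, not from the report): the
# Remote Desktop service (svchost.exe, PID 1248) has one client connected from
# loopback; that client, PID 5120, also holds a connection out to the Internet,
# which is what a local-to-C&C port forwarder looks like on the wire.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1248
  TCP    127.0.0.1:3389         127.0.0.1:49811        ESTABLISHED     1248
  TCP    127.0.0.1:49811        127.0.0.1:3389         ESTABLISHED     5120
  TCP    10.0.0.20:49812        203.0.113.7:8080       ESTABLISHED     5120
  TCP    10.0.0.20:49700        10.0.0.5:445           ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1248
  UDP    0.0.0.0:3389           *:*                                    1248
"""
# PID -> image name as `tasklist` would report it (constructed).
SAMPLE_PIDS = {1248: "svchost.exe", 5120: "update.exe", 4: "System"}

Conn = namedtuple("Conn", "laddr lport raddr rport state pid")

# Assumed "not outside" ranges: loopback, RFC 1918, link-local and IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def _endpoint(text):
    host, port = text.rsplit(":", 1)       # rsplit keeps IPv6 "[::]:3389" intact
    return host.strip("[]"), int(port)


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":   # skips header, blank and UDP lines
            continue
        laddr, lport = _endpoint(parts[1])
        raddr, rport = _endpoint(parts[2])
        conns.append(Conn(laddr, lport, raddr, rport, parts[3], int(parts[4])))
    return conns


def find_rdp_forwarders(netstat_text, pid_names, rdp_port=3389):
    """Report processes that are both an RDP client of this host (loopback
    connection to rdp_port) and connected to an external address."""
    by_pid = defaultdict(list)
    for c in parse_netstat(netstat_text):
        if c.state == "ESTABLISHED":
            by_pid[c.pid].append(c)
    findings = []
    for pid, conns in sorted(by_pid.items()):
        to_rdp = [c for c in conns
                  if c.rport == rdp_port and ipaddress.ip_address(c.raddr).is_loopback]
        external = [c for c in conns if not is_internal(c.raddr)]
        if to_rdp and external:
            findings.append({
                "pid": pid,
                "image": pid_names.get(pid, "<unknown>"),
                "external_peers": [f"{c.raddr}:{c.rport}" for c in external],
            })
    return findings


if __name__ == "__main__":
    for f in find_rdp_forwarders(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"PID {f['pid']} ({f['image']}) bridges local RDP to {', '.join(f['external_peers'])}")
```

The RDP service itself is not flagged, because its loopback connection has the local port 3389, not the remote one. Pair this with a check for RDP Wrapper: it registers its rdpwrap.dll as the ServiceDll of TermService, so a TermService ServiceDll value that is not termsrv.dll is a strong indicator on a host that should not have it.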

 

The threat actor uses a variety of other hacking tools. Because they attack vulnerable services such as web servers or MS-SQL servers, which usually run under restricted service accounts, they rely heavily on privilege escalation tools such as PrintSpoofer or the Potato family. They may also install SQLck (a password cracking tool for SQL servers) or SQLServerSniffer (a password sniffer) on the infected system.

 


Figure. SQL hacking tools installed on the infected system

 

3. Indicators of Compromise

MD5

05b623046205d6b270e0ee6e15592278
091b1a93e2811d76bc710d78599fd5e7
09684d5265a03f5cf621a27c28c9e3cb
130437bff207afd5c5adb8f01a7b7bc2
131ca1648fda212a00e9a77b58343674
URL

http[:]//14[.]241[.]195[.]78//NetUserwu[.]exe
http[:]//14[.]241[.]195[.]78//Server[.]exe
http[:]//14[.]241[.]195[.]78/AddUserC[.]exe
http[:]//14[.]241[.]195[.]78/NetUser40JK[.]exe
http[:]//14[.]241[.]195[.]78/NetUserC[.]exe
FQDN

5693[.]site
dgz[.]love-network[.]cc
dgz[.]se1f[.]cc
servxer[.]love-network[.]cc
servxermanual[.]love-network[.]cc