Full Report
Lately, attacks on South Korean web servers utilizing MeshAgent and SuperShell have been identified. The presence of ELF-based malware at the malicious code distribution address suggests that the attackers are targeting not only Windows servers but also Linux servers. It is assumed that the attackers installed a web shell using a file upload vulnerability and […]
Analysis Summary
# Incident Report: Cross-Platform Malware Deployment via Web Shell Exploitation
## Executive Summary
Security incidents targeting South Korean web servers were discovered, involving the exploitation of a web file upload vulnerability to install web shells. Attackers progressed to deploy various remote access tools like MeshAgent and SuperShell, including ELF-based malware, indicating a cross-platform compromise strategy targeting both Windows and Linux systems. The incident suggests potential links to previous campaigns using WogRAT, pointing towards sophisticated threat actors likely utilizing publicly available tools for reconnaissance, credential theft, and lateral movement across the network.
## Incident Details
- Discovery Date: Recently confirmed (timing inferred from the report's use of "Lately"; no date is stated)
- Incident Date: Ongoing or recently concluded (Specific initial date not stated)
- Affected Organization: South Korean Web Servers (IIS)
- Sector: Undisclosed (Involved web hosting/services)
- Geography: South Korea
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Exploitation of a Web File Upload Vulnerability in a web server.
- Details: Attackers used the vulnerability to install various web shells (ASP/ASPX formats, including Chopper, Godzilla, and ReGe-ORG) in paths like `D:\WEB\*******\******\Data\Editor\File\g.asp`.
### Persistence
- Details: Web shells were immediately installed to maintain remote command execution capabilities on the compromised IIS web server.
### Discovery
- Date/Time: Following initial access and persistence.
- Details: Execution of standard reconnaissance commands (`ipconfig`, `whoami`, `systeminfo`, `netstat -ano`, `tasklist`) and deployment of the Fscan tool for network and system scanning.
### Privilege Escalation
- Details: The attackers utilized the Ladon tool (specifically `PowerLadon` via PowerShell) and its built-in `SweetPotato` command to escalate privileges, likely because the initial `w3wp.exe` process lacked necessary permissions.
### Command and Control (C2)
- Details: Installation of multiple C2 mechanisms, including SuperShell (for reverse shell control on Windows/Linux) and MeshAgent (for remote management functions like RDP/VNC). ELF-based malware and WogRAT were also found associated with the distribution address.
### Credential Access
- Details: Attackers successfully obtained an NT hash of an administrator account, confirmed by the use of the Network Password Dump tool and subsequent lateral movement techniques.
### Lateral Movement
- Details: Attackers used the stolen credentials (NT hash) to move laterally via WMIExec against other systems. They also targeted MS-SQL Servers, attempting remote command execution using Ladon's `MssqlCmd` function.
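Detection logic for the process ancestry this chain leaves behind (the IIS worker spawning a shell and recon commands, PowerShell invoking Ladon, SQL Server spawning cmd.exe), written as an added example that is not code from the original report; the event field names, the tool-name regex and the sample events are assumptions.

```python
"""Added example (not part of the original report): flag the process
ancestry patterns this incident exhibits, over constructed events shaped
like Sysmon Event ID 1 / Windows 4688 (field names are an assumption)."""
import re

WEB_WORKER = "w3wp.exe"      # IIS worker; a web shell runs commands as its child
SQL_SERVER = "sqlservr.exe"  # xp_cmdshell spawns cmd.exe under this parent
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON = {"ipconfig", "whoami", "systeminfo", "netstat", "tasklist"}
# Tool names the report attributes to the attacker.
TOOL_RE = re.compile(r"powerladon|ladon|sweetpotato|invoke-wmiexec|fscan", re.I)

def _basename(token: str) -> str:
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the names of every rule the event matches ([] if benign)."""
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    cmd = event.get("command_line", "")
    tokens = {_basename(t).removesuffix(".exe") for t in cmd.split()}
    hits = []
    if parent == WEB_WORKER and image in SHELLS:
        hits.append("iis_worker_spawned_shell")
    if parent == WEB_WORKER and tokens & RECON:
        hits.append("iis_worker_recon")
    if parent == SQL_SERVER and image in SHELLS:
        hits.append("mssql_spawned_shell")  # xp_cmdshell or similar in use
    if TOOL_RE.search(cmd):
        hits.append("offensive_tool_reference")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through classify; returns (event index, rule) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in classify(ev)]

# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -File PowerLadon.ps1 SweetPotato"},
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": 'cmd.exe /c dir C:\\'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
```

In production the same rules would run over the EDR or Sysmon feed rather than a list; a hit on `iis_worker_spawned_shell` on a server that never runs scheduled shell commands is by itself worth an alert.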
## Attack Methodology
- Initial Access: Exploitation of a file upload vulnerability leading to web shell deployment.
- Persistence: Installation of ASP/ASPX web shells (Chopper, Godzilla, ReGe-ORG).
- Privilege Escalation: Use of Ladon via PowerLadon, specifically the `SweetPotato` technique.
- Defense Evasion: Use of multiple, potentially legitimate but abused, tools (MeshAgent, SuperShell).
- Credential Access: Use of Network Password Dump tool and Ladon to steal credentials/hashes.
- Discovery: Execution of inbuilt commands (`systeminfo`, `whoami`) and use of Fscan.
- Lateral Movement: WMIExec utilizing stolen admin NT hashes and Ladon for SQL command execution (`MssqlCmd`).
- Collection: Detailed system and network information gathering post-privilege escalation.
- Exfiltration: Not explicitly detailed, but lateral movement and C2 tools suggest intent to steal sensitive data or deploy further ransomware/malware.
- Impact: Potential full network compromise due to successful lateral movement using admin credentials.
## Impact Assessment
- Financial: Not explicitly detailed.
- Data Breach: Potential theft of sensitive information, as the ultimate goal appears to be full control of the network (suggesting data theft or ransomware as the final payload).
- Operational: Potential for significant business disruption if ransomware infection succeeds following complete network control.
- Reputational: Risk to reputation due to the nature of the compromise involving core web servers.
## Indicators of Compromise
- Network Indicators (Defanged):
  - `hxxp://139[.]180[.]142[.]127/Invoke-WMIExec.ps1`
  - `hxxp://45[.]76[.]219[.]39/bb`
  - `hxxp://45[.]76[.]219[.]39/mc[.]exe`
  - `hxxp://66[.]42[.]113[.]183/acccc`, `hxxp://66[.]42[.]113[.]183/kblockd`
  - IP: `108[.]61[.]247[.]121`, `66[.]42[.]113[.]183`
  - FQDN: `linuxwork[.]net`
- File Indicators:
  - ELF-based malware, PE malware, WogRAT, Ladon, MeshAgent, SuperShell.
  - Web Shells: ASP/ASPX files (e.g., `g.asp`, `aa.asp`, `tunnel1.aspx`).
- Behavioral Indicators:
  - Execution of Fscan tool for internal scanning.
  - Use of Ladon's `SweetPotato` for privilege escalation.
  - Use of WMIExec for remote command execution using stolen credentials/hashes.
  - Cross-platform targeting (Windows IIS and Linux systems via ELF malware/SuperShell).
## Response Actions
- Containment: Not explicitly detailed; the detection of the tools implies that compromised systems were isolated and external C2 communication blocked.
- Eradication: Not explicitly detailed, but would require removal of all web shells (Chopper, Godzilla, ReGe-ORG), C2 agents (MeshAgent, SuperShell), and other deployed malware (WogRAT, Ladon).
- Recovery: Inferred steps would include patching the exploited file upload vulnerability, rebuilding/cleaning affected servers, and resetting all potentially compromised credentials, especially administrator accounts whose hashes were stolen.
## Lessons Learned
- Key Takeaways: The use of publicly known tools (often associated with Chinese-speaking threat actors) by attackers indicates that signature detection alone is insufficient; behavioral monitoring is critical. Attackers are capable of rapidly pivoting from initial web server compromise to cross-platform network infiltration (Windows/Linux).
- What could have been done better: Stronger input validation and access controls on web server file upload functionality would have prevented initial access. Implementation of network segmentation and stricter credential hygiene (e.g., MFA, minimizing privileged access) could have limited lateral movement success.
## Recommendations
- Prevention Measures for Similar Incidents:
  1. Immediately audit and secure all web application file upload functionality to prevent arbitrary code execution.
  2. Implement robust Endpoint Detection and Response (EDR) capable of detecting behavior associated with tools like Ladon, Fscan, and WMIExec usage by unauthorized processes.
  3. Restrict network lateral movement capabilities, specifically disabling or tightly controlling WMI/SMB access between low-trust and high-trust network segments.
  4. Review and update configurations for MS-SQL servers, ensuring `xp_cmdshell` is disabled unless absolutely necessary, and monitoring its use closely.
  5. Proactively hunt for known indicators associated with past WogRAT campaigns.
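A hunt over IIS W3C access logs for the pattern behind the `g.asp` web shell (server-side script files requested from an upload directory), added here as an example that is not part of the original report; the upload-directory list, the client addresses and the sample log lines are assumptions.

```python
"""Added example (not part of the original report): hunt IIS W3C access
logs for server-side scripts executed from user-upload paths, the pattern
behind the g.asp web shell placed under the Data/Editor/File upload folder.
The log lines are constructed samples; the upload-directory list is an assumption."""
from urllib.parse import unquote

SCRIPT_EXT = (".asp", ".aspx", ".ashx", ".asmx")
# Directories that should only ever hold uploaded content, never code.
UPLOAD_DIRS = ("/data/editor/file/", "/upload/", "/uploads/")

def parse_w3c(text: str) -> list[dict]:
    """Parse IIS W3C extended log text; each #Fields header names the columns."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows

def is_upload_script_request(row: dict) -> bool:
    """True when a script extension is requested from inside an upload directory."""
    path = unquote(row.get("cs-uri-stem", "")).lower()
    return path.endswith(SCRIPT_EXT) and any(d in path for d in UPLOAD_DIRS)

def hunt(text: str) -> list[tuple[str, str, str]]:
    """Return (client IP, method, path) per suspicious request, POSTs first,
    since web shell command traffic is almost always POST."""
    hits = [(r["c-ip"], r["cs-method"], r["cs-uri-stem"])
            for r in parse_w3c(text) if is_upload_script_request(r)]
    return sorted(hits, key=lambda h: h[1] != "POST")

# Constructed sample log (RFC 5737 documentation addresses, made-up dates).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-01-01 00:00:01 10.0.0.5 GET /index.aspx - 80 203.0.113.7 Mozilla/5.0 200
2024-01-01 00:00:02 10.0.0.5 POST /Data/Editor/File/g.asp - 80 198.51.100.9 Mozilla/5.0 200
2024-01-01 00:00:03 10.0.0.5 GET /Data/Editor/File/photo.jpg - 80 203.0.113.7 Mozilla/5.0 200
2024-01-01 00:00:04 10.0.0.5 GET /Data/Editor/File/aa.asp - 80 198.51.100.9 curl/8.0 200
"""
```

The same check belongs in the upload handler itself (reject script extensions and serve the upload folder with script execution disabled), so the log hunt is a backstop for recommendation 1, not a replacement for it.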