Full Report
Overview
In February 2025, AhnLab SEcurity intelligence Center (ASEC) identified a threat actor, believed to be Chinese-speaking, distributing a web server native module targeting a South Korean web server. The threat actor gained control of the web server by gaining initial access to poorly managed web servers and using a .NET loader malware (WebShell) […]
Analysis Summary
# Threat Actor: Unnamed Chinese-speaking Actor (Associated with Gh0st RAT)
## Attribution & Identity
* **Identification:** Believed to be a Chinese-speaking threat actor.
* **Aliases/Associations:** Uses the Gh0st RAT backdoor, a malware family historically associated mainly with Chinese-speaking threat groups.
## Activity Summary
In February 2025, this actor compromised a South Korean web server after gaining initial access to poorly managed Microsoft IIS web servers. The goal was to deploy a payload that gives the actor covert control over the server's HTTP traffic: a .NET loader malware that acts as a fileless web shell, the Gh0st RAT backdoor, and, crucially, a custom malicious IIS native module (`caches.dll`) registered under the name `IsapiCachesModule`. The actor also used a Chinese-language file-hiding utility named "HijackDriverManager" to conceal the module on disk.
## Tactics, Techniques & Procedures
* **Initial Access:** Gaining access to poorly managed IIS web servers; no specific vulnerability is named.
* **Execution/Persistence:** Registering the malicious IIS native module (`caches.dll`) with `AppCmd.exe install module`, which adds it to the server-wide `<globalModules>` configuration so that every IIS worker process (`w3wp.exe`) loads the DLL at start-up. The registration survives reboots and application pool recycles.
* **Defense Evasion:** Using the "HijackDriverManager" utility to drive the `Winkbj.sys` rootkit driver, hiding the module's files and related kernel objects from security products.
* **Command and Control/Backdoor:** Installing and utilizing the Gh0st RAT malware.
* **Web Shell Functionality:** A .NET loader that Base64-decodes and AES-decrypts the request body and loads the resulting .NET assembly directly in memory (fileless execution), so no web shell script is written to disk.
* **Traffic Manipulation:** The native module hooks multiple IIS pipeline events (`OnGlobalPreBeginRequest`, `OnBeginRequest`, `OnSendResponse`), giving it access to every request before the application sees it and to every response before it is sent, which it uses to covertly inspect and modify web traffic.
* **Specific Web Shell Commands (via IIS Module Classes):**
* **WebdllServer:** Takes a filename from the query string, appends `.asp`, and executes the resulting file through the ASP engine, which lets the actor run attacker-supplied script code.
* **RedirectServer:** Forces the client to another URL by injecting a `window.location.href=...` script into the response.
* **AffLinkServer:** Checks for affiliate parameters or cookies and injects affiliate banner HTML into responses.
* **HiJackServer:** Answers requests for URIs such as `/health` and `/debug` with server status information.
* **UploadServer:** Returns an HTML upload form when the `/mywebdll` URI path is requested.
* **MITRE ATT&CK IDs:** Not listed in the source report. A reasonable mapping of the described behaviour (this summary's own, not the report's): T1190 (Exploit Public-Facing Application) for initial access; T1505.004 (Server Software Component: IIS Components) for the native module; T1505.003 (Server Software Component: Web Shell) and T1620 (Reflective Code Loading) for the in-memory .NET loader; T1140 (Deobfuscate/Decode Files or Information) for the Base64/AES request handling; T1014 (Rootkit) and T1564.001 (Hide Artifacts: Hidden Files and Directories) for `Winkbj.sys` and HijackDriverManager. Gh0st RAT has its own ATT&CK software entry (S0032).
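The URI-based dispatch above leaves traces in ordinary IIS access logs even though the module itself is invisible to file scanners. The following hunting script is an added example and is not from the ASEC report: it parses IIS W3C extended log lines and flags requests to the `/mywebdll` upload path and status probes to `/health` or `/debug` from addresses outside the site's own networks. The log lines, the `INTERNAL_NETS` ranges and the empty `KNOWN_APP_PATHS` allowlist are constructed assumptions to be replaced with the real site's values; the WebdllServer `.asp` execution and the affiliate HTML injection act on the request body and response body, which W3C logs do not record, so they are out of scope here.

```python
"""Hunt IIS W3C access logs for the URI patterns the report attributes to the
malicious IsapiCachesModule (caches.dll). Added example, not report code."""
import ipaddress

# Paths the report attributes to the module's classes.
UPLOAD_PATH = "/mywebdll"                   # UploadServer: returns an HTML upload form
STATUS_PROBE_PATHS = {"/health", "/debug"}  # HiJackServer: answers with server status

# Assumption: paths the legitimate application really exposes. Populate from the
# real site; an empty set treats every status probe as unexpected.
KNOWN_APP_PATHS = set()

# Assumption: the site's own address space. Anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log (IIS W3C extended format); not taken from the report.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-02-10 09:14:02 10.0.0.5 GET /index.aspx - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-10 09:14:05 10.0.0.5 GET /mywebdll - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-10 09:14:09 10.0.0.5 POST /mywebdll - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2025-02-10 09:15:00 10.0.0.5 GET /health - 443 203.0.113.7 curl/8.4.0 200
2025-02-10 09:15:01 10.0.0.5 GET /health - 443 10.0.0.9 LB-HealthCheck/1.0 200
2025-02-10 09:16:30 10.0.0.5 GET /debug - 443 203.0.113.7 curl/8.4.0 200
2025-02-10 09:17:12 10.0.0.5 GET /robots.txt - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line.

    IIS encodes spaces inside a field (e.g. the user agent) as '+', so a plain
    whitespace split yields exactly one token per field."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def is_external(ip):
    """True for a parseable address that lies outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(records):
    """Return (severity, reason, record) tuples for requests matching the module's paths."""
    findings = []
    for rec in records:
        path = rec.get("cs-uri-stem", "").lower()
        client = rec.get("c-ip", "")
        if path == UPLOAD_PATH:
            # Any hit is suspicious: the path belongs to the malicious module, not the app.
            findings.append(("high", "request to UploadServer path " + UPLOAD_PATH, rec))
        elif path in STATUS_PROBE_PATHS and path not in KNOWN_APP_PATHS and is_external(client):
            # Generic names; only flag when the app does not expose them and the
            # caller is external (internal load-balancer probes are expected).
            findings.append(("medium", "status probe %s from external address" % path, rec))
    return findings


if __name__ == "__main__":
    for severity, reason, rec in hunt(parse_w3c(SAMPLE_LOG)):
        print(severity, reason, rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"])
```

Run it against the real log directory (`%SystemDrive%\inetpub\logs\LogFiles` by default) after copying the files off the host; a compromised server with the rootkit active cannot be trusted to show its own files.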
## Targeting
* **Sectors:** Web Servers (specifically utilizing Microsoft Windows IIS).
* **Geography:** Primary activity detailed was against a South Korean web server.
* **Victims:** Poorly managed Web Servers.
## Tools & Infrastructure
* **Malware Families Used:**
* Malicious IIS Native Module (named `IsapiCachesModule`, DLL file `caches.dll`).
* .NET Loader Malware (performs fileless assembly loading).
* Gh0st RAT backdoor.
* `HijackDriverManager` utility (File hider).
* `Winkbj.sys` (Rootkit driver).
* **Infrastructure (IOCs):**
* IP: 47(.)236(.)9(.)229 (Note: Further IOCs mentioned as available on AhnLab TIP).
## Implications
This actor shows a high level of technical sophistication: by running as a native module inside the IIS request pipeline, it gains persistent, low-level control over every request and response the server handles, without the tell-tale script files of a conventional web shell. The observed functionality points to monetization through affiliate-link injection, and the forced-redirect capability could equally serve phishing or traffic-hijacking schemes. The combination of in-process loading inside `w3wp.exe`, fileless .NET execution, rootkit-based hiding and URI-triggered commands defeats detection that relies solely on file-based signatures.
## Mitigations
* Apply the latest security patches for the server OS, IIS and the hosted web applications immediately. Since the initial access relied on poorly managed servers rather than a named vulnerability, also review credentials and exposed administrative interfaces.
* Enable real-time, behavior-based detection in security products and keep them current; file-based signatures alone will not catch the fileless loader or the hidden module.
* Monitor the IIS configuration (`%windir%\System32\inetsrv\config\applicationHost.config`, or `appcmd list modules` / `Get-WebGlobalModule`) for unauthorized module registrations, in particular new `<globalModules>` entries whose image is a DLL outside `%windir%\System32\inetsrv`.
* Audit running IIS worker processes (`w3wp.exe`) for unexpected DLL loads (for example `Get-Process w3wp | Select-Object -ExpandProperty Modules`), paying attention to unsigned images and images loaded from outside the IIS and .NET framework directories, and for in-memory .NET assemblies with no backing file.
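The configuration check above can be automated against a copy of `applicationHost.config`. The script below is an added example, not code from the report or from AhnLab: it parses the `<globalModules>` section, expands `%windir%`, and flags every native module whose image lives outside the IIS (`System32\inetsrv`) and .NET framework directories, noting whether the module is also enabled server-wide in `<modules>`. The sample configuration is constructed; the `C:\inetpub\temp\caches.dll` location is a placeholder, as the report does not state where the DLL was installed, and `C:\Windows` is assumed for `%windir%`.

```python
"""Audit an IIS applicationHost.config for native (global) modules loaded from
outside the Microsoft IIS / .NET directories. Added example, not report code."""
import ntpath
import re
import xml.etree.ElementTree as ET

# Directories from which IIS normally loads its native modules (lower-cased,
# with the assumed %windir% of C:\Windows already substituted).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\",
)

# Constructed sample config. The caches.dll path is a placeholder; the report
# does not give the install location.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="IsapiCachesModule" image="C:\inetpub\temp\caches.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="UriCacheModule" lockItem="true" />
        <add name="StaticFileModule" lockItem="true" />
        <add name="IsapiCachesModule" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def expand_env(path, env):
    """Expand %NAME% tokens from a fixed mapping, so the audit does not depend
    on the analyst workstation's environment."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def normalise(path, env):
    """Windows-style normalisation (ntpath works on any host) plus lower-casing."""
    return ntpath.normpath(expand_env(path, env)).lower()


def audit_global_modules(config_xml, windir="C:\\Windows"):
    """Return the global modules whose image is outside TRUSTED_PREFIXES.

    Each finding records the module name, the normalised image path and whether
    the module is also enabled in the server-level <modules> list."""
    env = {"windir": windir, "systemroot": windir}
    root = ET.fromstring(config_xml)
    # <modules> is distinct from <globalModules>, so this only sees enabled entries.
    enabled = {m.get("name") for m in root.iterfind(".//modules/add")}
    findings = []
    for mod in root.iterfind(".//globalModules/add"):
        name, image = mod.get("name"), mod.get("image", "")
        full = normalise(image, env)
        if not full.startswith(TRUSTED_PREFIXES):
            findings.append({"name": name, "image": full, "enabled": name in enabled})
    return findings


if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_CONFIG):
        state = "ENABLED" if f["enabled"] else "registered only"
        print("suspicious global module %s -> %s (%s)" % (f["name"], f["image"], state))
```

A path outside the trusted directories is a strong but not sufficient signal: third-party modules (for example URL rewriting or WAF products) also install from their own directories, so compare against a baseline taken from a known-clean server of the same build, and remember that with `Winkbj.sys` active the DLL may not be visible in a directory listing even though the configuration entry is.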