# Incident Report: Larva-25003 IIS Native Module Attack Campaign
## Executive Summary
In early 2025, AhnLab Security Intelligence Center (ASEC) detected the Larva-25003 campaign, attributed to Chinese-speaking threat actors targeting poorly secured Microsoft IIS web servers in South Korea. The attackers primarily utilized a malicious native IIS module, alongside Gh0st RAT and a custom rootkit, to hijack HTTP traffic for espionage, ad injection, and monetization. The incident highlights a sophisticated blend of APT techniques with financially motivated objectives executed via web server compromise.
## Incident Details
- Discovery Date: Early 2025 (Reported April 30, 2025)
- Incident Date: Early 2025
- Affected Organization: Various organizations utilizing poorly secured Microsoft IIS web servers.
- Sector: Unspecified (Web Services/Hosting focused)
- Geography: South Korea
## Timeline of Events
### Initial Access
- Date/Time: Early 2025
- Vector: Exploitation of Poorly Secured Microsoft IIS Web Servers
- Details: The threat actors compromised IIS servers via known vulnerabilities or weak configurations.
### Lateral Movement
- Details: Not explicitly detailed, but the persistence mechanisms (native module, in-memory loaders) and the presence of Gh0st RAT suggest internal reconnaissance and the establishment of a persistent foothold.
### Data Exfiltration/Impact
- Impact: Interception and modification of HTTP traffic (espionage, ad injection, phishing), resource hijacking.
### Detection & Response
- Detection: Discovered by AhnLab Security Intelligence Center (ASEC).
- Response actions taken: Not fully detailed, but analysis and reporting were conducted by ASEC.
## Attack Methodology
- Initial Access: Exploitation of poorly secured Microsoft IIS web servers.
- Persistence: Malicious native IIS module registered via `appcmd.exe`, fileless .NET loader, custom rootkit ("HijackDriverManager").
- Privilege Escalation: Likely obtained the administrative (system-level) access required to register a native IIS module; the module then executes inside the `w3wp.exe` worker process context.
- Defense Evasion: Custom rootkit utility ("HijackDriverManager") used to hide deployed components.
- Credential Access: Not specified in detail.
- Discovery: Internal reconnaissance likely using Gh0st RAT post-compromise.
- Lateral Movement: Not specified in detail, focus was on web server control.
- Collection: Intercepting HTTP requests and responses via the loaded native module.
- Exfiltration: Indirect exfiltration via traffic manipulation (phishing content delivery) and potential data theft via RAT.
- Impact: Modification of legitimate traffic (banner ads, phishing links), espionage, and resource hijacking.
## Impact Assessment
- Financial: Monetization through ad injection, redirection, and affiliate link serving.
- Data Breach: Potential interception of sensitive communications if administrative or user traffic was processed.
- Operational: Potential degradation of web service integrity due to traffic modification.
- Reputational: Damage to hosting providers or organizations whose servers were compromised.
## Indicators of Compromise
- Network indicators: (None explicitly listed/defanged in the summary)
- File indicators: Native IIS Module, Fileless .NET loader, Gh0st RAT, "HijackDriverManager" rootkit.
- Behavioral indicators: Modification of IIS configuration via `appcmd.exe`, interception of HTTP requests within the `w3wp.exe` process pipeline, execution of logic based on URI patterns.
## Response Actions
- Containment measures: (Not specified, likely isolating affected web servers/unloading malicious modules).
- Eradication steps: (Not specified, likely cleanup of malware and remediation of server configuration).
- Recovery actions: (Not specified).
## Lessons Learned
- Poorly secured web servers (specifically IIS) remain a high-value target for sophisticated threat actors.
- Attackers are increasingly layering traditional remote access tools (RATs) with highly specific web application techniques (Native IIS Modules) to achieve multi-faceted objectives (espionage + monetization).
- Fileless execution techniques and custom rootkits remain effective in evading standard endpoint detection.
## Recommendations
- Immediately audit and patch all Microsoft IIS web servers for known vulnerabilities.
- Implement strict least-privilege access controls for web server management utilities (e.g., `appcmd.exe`).
- Monitor IIS application pipeline events for unauthorized registration of native modules or unusual hook registrations within `w3wp.exe`.
- Enforce application allow-listing to prevent in-memory execution of unauthorized code loaders.
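The monitoring recommendation above (unauthorized registration of native modules) can be reduced to a baseline check of the `<globalModules>` section of IIS's `applicationHost.config`. The script below is an added example, not code from the ASEC report; it assumes the configuration is read from `%windir%\System32\inetsrv\config\applicationHost.config` (or an exported copy), that a known-good snapshot of module names and image paths has been kept, and that the trusted image directories are a per-host assumption to tune. The module names and DLL paths in the sample configuration are constructed for illustration.

```python
"""
Baseline check of native (global) IIS modules registered in applicationHost.config.

Added example, not part of the ASEC report. Assumptions: the config is read from
%windir%\System32\inetsrv\config\applicationHost.config (or an exported copy), a
known-good snapshot of <globalModules> is kept as a name -> image mapping, and the
trusted image directories below may need tuning per host.
"""
import xml.etree.ElementTree as ET

# Directories from which legitimate native modules are normally loaded (assumption;
# extend for third-party modules installed elsewhere on a given server).
TRUSTED_IMAGE_DIRS = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net",
)

# Constructed known-good snapshot taken before the incident window (sample values only).
BASELINE = {
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
    "CgiModule": r"%windir%\System32\inetsrv\cgi.dll",
    "RequestFilteringModule": r"%windir%\System32\inetsrv\modrqflt.dll",
}

# Constructed applicationHost.config fragment: two untouched entries, one legitimate
# module name whose image path was swapped, and one wholly new module. Names and
# paths of the suspicious entries are invented for this example.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="C:\ProgramData\svc\static.dll" />
      <add name="CgiModule" image="%windir%\System32\inetsrv\cgi.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
      <add name="HttpCacheHelperModule" image="C:\ProgramData\svc\helper.dll" preCondition="bitness64" />
    </globalModules>
  </system.webServer>
</configuration>"""


def parse_global_modules(config_xml):
    """Return every <globalModules><add> entry as a dict (name, image, preCondition)."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append({
                "name": entry.get("name", ""),
                "image": entry.get("image", ""),
                "preCondition": entry.get("preCondition", ""),
            })
    return modules


def image_is_trusted(image, trusted_dirs=TRUSTED_IMAGE_DIRS):
    """True when the DLL path sits under one of the trusted directories."""
    norm = image.lower().replace("/", "\\")
    return any(norm.startswith(d.lower() + "\\") for d in trusted_dirs)


def find_unauthorized_modules(modules, baseline=BASELINE):
    """Flag modules absent from the baseline, with a changed image path, or loaded
    from an untrusted directory. Returns (name, image, [reasons]) tuples."""
    findings = []
    for m in modules:
        reasons = []
        expected = baseline.get(m["name"])
        if expected is None:
            reasons.append("not in baseline")
        elif expected.lower() != m["image"].lower():
            reasons.append("image path differs from baseline")
        if not image_is_trusted(m["image"]):
            reasons.append("image outside trusted directories")
        if reasons:
            findings.append((m["name"], m["image"], reasons))
    return findings


def scan_config(config_xml, baseline=BASELINE):
    """Parse a config document and return the findings for it."""
    return find_unauthorized_modules(parse_global_modules(config_xml), baseline)


if __name__ == "__main__":
    for name, image, reasons in scan_config(SAMPLE_CONFIG):
        print(f"[ALERT] {name} ({image}): {', '.join(reasons)}")
```

Comparing both the module name and its image path against the snapshot matters: an attacker who registers a new module is caught by the name check, while one who re-points an existing, legitimately named module at a new DLL is caught by the path comparison. Running the check on a schedule, and alerting on any change to `<globalModules>`, gives a low-noise signal since legitimate native modules are rarely added outside of planned maintenance.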