ASEC researchers detail APT attack campaign of Chinese hacker group Dalbit targeting organizations

Researchers from ASEC released Monday details of the Dalbit group, which has typically relied on open-source tools and lacked any distinct characteristics that would allow it to be profiled, owing to the absence of PDB information. Additionally, the amount of information that could be collected was limited unless the affected Korean companies specifically asked for an investigation, since the threat actor's C2 (Command & Control) servers were abused servers belonging to Korean companies.

“However, after the post was uploaded and a portion of the Korean company servers used by the threat actor were blocked, the threat actor began to use a hosting server called “*[dot]m00nlight[dot]top” as their C2 and download server,” the ASEC team said in a blog post. “This group has had more than 50 confirmed attack attempts on Korean companies since 2022. Most of the attacked companies were mid to small companies while a portion was major companies.” 

The team has confirmed that 30 percent of the infected companies were using a certain Korean groupware solution. “It is currently difficult to check whether this groupware product has a vulnerability or not, but if a server that is this exposed has a vulnerability, then there is a chance that companies could be affected gravely through the leakage of confidential information and ransomware behavior. Furthermore, this Dalbit group leaves some infected companies as proxies and download servers to later use them as means to communicate with the threat actor upon infiltration of another company,” they added.

The Dalbit hacking group attempted attacks against vulnerable Korean company servers, and logs are being reported not only from mid-sized and smaller businesses but also from some large companies. In particular, 30 percent of the affected companies were found to have been using a certain Korean groupware product. Moreover, this group uses publicly available tools, from the WebShell used in the early stages to the ransomware used at the end. 

“Among these tools, there is a proxy tool that is assumed to have been obtained from a Chinese community, a tool with Chinese documentation, and a Chinese tool not mentioned in this post,” ASEC noted. Given the group's frequent use of Chinese tools, it can be assumed that the threat actor has at least a partial connection with China.

If a server admin suspects that their system has been infected, they are advised to check the published IOCs along with the aforementioned download paths and the account name (‘main’) often used by the threat actor, according to the researchers. “If suspicions are confirmed, then it is advised to immediately report your situation to AhnLab in order to minimize additional harm. Furthermore, admins should prevent vulnerability attacks by updating their servers to the newest version for vulnerability patches, and maintenance is especially needed for servers that are open externally but not managed.”

Since 2022, a total of 50 companies have been identified as affected; however, it is possible that more businesses have been impacted and remain undetected, so any organization that could not be clearly confirmed was excluded from this list. Of the 50, eight were in the technology sector; seven companies were in the industrial vertical; five each in the chemical and construction sectors; four each in the automotive and semiconductor sectors; three each in the education and wholesale sectors; two each in the media, shipping, food and hospitality sectors; and one each in the shipbuilding, consulting, and energy sectors.

The ASEC team identified that the Dalbit hacker group targets web servers or SQL servers, which they gain access to by exploiting vulnerabilities. They then attempt to control the systems with tools such as WebShell. Various hacking tools are downloaded through WebShell. Hacking tools include various binaries such as privilege escalation tools, proxy tools, and network scanning tools.

“The threat actor installs a proxy tool such as FRP (Fast Reverse Proxy) before attempting to connect to 2-1) a hosting server built by the threat actor or 2-2) another previously infected company’s server (Company A) via Remote Desktop (RDP),” they added. “Tools such as network scanning tools and account theft tools are used for internal reconnaissance and obtaining information.”

The research also said that the obtained information is used to move to another connectible server or PC. “Afterward, a proxy tool (FRP) is also installed on the PC that has successfully been reached through lateral movement, creating an environment which allows the threat actor to connect via RDP. The required privilege level is then acquired by either adding a specific account or through a credential theft tool like Mimikatz,” it added.

Ultimately, after the Dalbit hacking group steals all the information they desire, they use BitLocker to lock certain drives and demand a ransom.

“Only one tool for leaking emails seems to have been made by the group themselves. The rest are normal Windows programs or tools that can easily be found online,” according to the research.

ASEC researchers said that after infiltrating a server, the threat actor sets up proxy access in order to use RDP over it. FRP and LCX were the main proxy tools used, and there have been cases where ReGeorg, NPS, or RSOCKS was found in some companies. “Additionally, multiple proxy tools including FRP and LCX were found in one area of a certain company that was infiltrated. Multiple FRP configuration files ([dot]ini) would also be discovered in cases where internal propagation had occurred.”

“We believe that the threat actor installs additional FRPs and uses multiple configuration files when an accessible PC has a lot to gain,” the research said. “Furthermore, the LCX used by this group has the same features as the open-source LCX, but its version is not the same as the one uploaded to GitHub, meaning that a binary that was arbitrarily compiled by a Chinese person was used.”
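As an added illustration of the host check the researchers recommend (this is not code from ASEC or from this article), the following Python triage routine parses an FRP client configuration and a local account list and flags the indicators the report names: a server_addr under m00nlight[dot]top, an FRP section that tunnels local port 3389 (RDP) out to that server, and a local account named ‘main’. The sample configuration and account list are constructed, and the frpc.ini key names (server_addr, local_port, remote_port) are FRP's own INI layout, assumed here to be what a dropped .ini file contains.

```python
import configparser
import re
from typing import List

# Indicators named in the ASEC report: a C2/download host under m00nlight[.]top,
# an added local account called 'main', and FRP tunnels that expose RDP.
C2_DOMAIN = re.compile(r"(^|\.)m00nlight\.top$", re.IGNORECASE)
SUSPICIOUS_ACCOUNT = "main"
RDP_PORT = 3389

# Constructed sample in FRP's frpc.ini layout (an assumption about what the
# dropped .ini files contain); it is not a real capture.
SAMPLE_FRPC_INI = """[common]
server_addr = c2.m00nlight.top
server_port = 7000

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
"""

# Constructed local account list, as `net user` would show it.
SAMPLE_ACCOUNTS = ["Administrator", "Guest", "svc_backup", "main"]


def triage_frpc_ini(ini_text: str) -> List[str]:
    """Return findings for one FRP client config; an empty list means nothing notable."""
    findings: List[str] = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    server = cfg.get("common", "server_addr", fallback="")
    if C2_DOMAIN.search(server):
        findings.append(f"server_addr '{server}' is under the reported C2 domain")
    for section in cfg.sections():
        if section == "common":
            continue
        # A proxy section forwarding local 3389 is the RDP-over-FRP pattern described.
        if cfg.getint(section, "local_port", fallback=-1) == RDP_PORT:
            remote = cfg.get(section, "remote_port", fallback="?")
            findings.append(f"[{section}] exposes local RDP (3389) via {server}:{remote}")
    return findings


def triage_accounts(accounts: List[str]) -> List[str]:
    """Return local accounts matching the name the report says the actor adds."""
    return [a for a in accounts if a.lower() == SUSPICIOUS_ACCOUNT]
```

Any non-empty result is a reason to preserve the host and report to AhnLab as the researchers advise, rather than to clean up in place.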

Given the threat landscape, the ASEC team “strongly recommend performing an internal security check if users suspect that they have been attacked by this Dalbit group. The team asks that users send a report to AhnLab and take preemptive measures to prevent secondary harm and potential damage to other companies.”

The ASEC research coincides with data released Monday by Forescout Technologies’ Vedere Labs on deep lateral movement, which looks into how attackers can move between devices and access OT (operational technology) networks at the controller or L1 level. It details how attackers can cross security perimeters in interfaced Basic Process Control Systems (BPCS)/Safety Instrumented Systems (SIS) architectures or perform detailed manipulation of equipment in fieldbus networks nested behind PLCs (Programmable Logic Controllers).

Last week, U.S. security agencies, the Department of Health and Human Services (HHS), and the Republic of Korea’s Defense Security Agency and National Intelligence Service published a joint Cybersecurity Advisory (CSA) highlighting that ransomware attacks on critical infrastructure fund malicious cyber activities executed by the DPRK (Democratic People’s Republic of Korea). The agencies also revealed that DPRK cyber actors have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains.
