Analysis Summary

In a highly sophisticated campaign uncovered, Chinese-speaking threat actors targeted Windows IIS web servers, particularly in South Korea, deploying stealthy malware modules capable of intercepting and manipulating all incoming and outgoing HTTP traffic. The attack begins with the compromise of poorly managed IIS servers, allowing initial access. A multi-stage infection chain follows, starting with a . NET-based WebShell loader, which is used to deploy a malicious native IIS module. This module is cleverly installed using legitimate administrative tools like AppCmd.exe, masquerading as a valid component named IsapiCachesModule to blend seamlessly with native server operations, ensuring persistence and stealth.

Once embedded, the malicious native module integrates itself deeply into the IIS HTTP request pipeline by hooking into three critical processing stages: OnGlobalPreBeginRequest, OnBeginRequest, and OnSendResponse. This deep integration allows attackers to monitor, manipulate, and hijack web traffic in real-time. The module is composed of five distinct malicious classes: WebdllServer (executes malicious ASP payloads), RedirectServer (redirects users to attacker-controlled sites), AffLinkServer (injects affiliate links via cookies), HiJackServer (handles backdoor configuration through hidden URIs), and UploadServer (covertly uploads files to the server). These functionalities grant attackers comprehensive control and monetization opportunities, including redirecting traffic and stealing data.

To maintain invisibility, the attackers use a specialized rootkit management utility named HijackDriverManager, featuring a Chinese-language interface. This utility leverages a rootkit driver called Winkbj.sys to hide malicious files, registry entries, and running processes, making detection by standard security tools extremely difficult. This stealth tactic ensures prolonged access to the compromised systems. Additionally, the presence of Gh0st RAT, a notorious remote access trojan frequently used by Chinese APT groups, was observed communicating with the command-and-control server at 47.236.9[.]229:10086, strengthening attribution to a Chinese-speaking threat group.

Attribution is supported by various indicators, including the language used in the malware, deployment of Gh0st RAT, and operational similarities with past Chinese APT campaigns. According to the Researcher, the threat actors are believed to be driven by both financial and intelligence-gathering motives. Aside from installing phishing pages and redirecting users to steal credentials and sensitive information, the attackers also manipulated HTTP traffic to insert affiliate banners for financial gain. The strategic placement of these malicious modules inside web servers demonstrates a dangerous evolution in web-based attacks, showcasing how native server components can be subverted to serve persistent, covert, and profitable threats.

Impact

• Sensitive Information Theft
• Gain Access
• Financial Loss

Indicators of Compromise

SHA1

• 1c85aa9f61d92cfb9107b8ec5303ed60990509b1

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Apply the latest security patches to server operating systems
• Enable real-time, behavior-based detection in security products
• Monitor for unusual IIS module installations using AppCmd[.]exe
• Regularly audit web server configurations for unauthorized changes
• Implement rigorous access controls for administrative functions