
Flowchart | Image: ASEC
AhnLab Security Intelligence Center (ASEC) has uncovered a sophisticated series of attacks aimed at both Windows IIS web servers and Linux systems in South Korea, deploying a mix of open-source and custom malware including WogRAT, MeshAgent, and SuperShell. These campaigns reveal a broad and adaptive approach to cyber-espionage and lateral movement across compromised networks.
The attackers exploited file upload vulnerabilities on IIS web servers to implant web shells in various directories, allowing for initial access, command execution, and further payload delivery.
Common file paths observed included:
- D:\WEB\…\test6\aa.asp
- D:\WEB\…\test9\1.aspx
These web shells, such as Chopper, Godzilla, and ReGe-ORG, were used to perform reconnaissance and install additional malware.
“Attackers install web shells to control the compromised system… All in ASP and ASPX formats,” ASEC states.
Post-compromise, attackers used Fscan, a Chinese-developed scanning tool, to enumerate the infected system and the internal network.
They ran standard enumeration commands like ipconfig, systeminfo, tasklist, and netstat, indicating detailed system profiling.
To escalate privileges, attackers deployed PowerLadon, the PowerShell version of Ladon, invoking SweetPotato to exploit token-based privilege escalation.
This method bypasses process restrictions (such as from w3wp.exe) to gain higher access levels.
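The chain described above (a web shell executing under the IIS worker process w3wp.exe, then enumeration commands and PowerShell tooling) leaves a recognisable parent-child pattern in process-creation telemetry. The following Python hunt is an added example, not code from ASEC's report: it walks the parent chain of constructed Sysmon-style records and flags every descendant of w3wp.exe, labelling the enumeration binaries named in the article and the interpreters used to launch them; the record format and all sample values are assumptions.

```python
"""Hunt for the w3wp.exe -> shell -> recon chain from the article (constructed records, not ASEC data)."""
IIS_WORKER = "w3wp.exe"
# Enumeration binaries named in the article, plus the interpreters a web shell
# uses to launch them (PowerLadon is PowerShell-based).
RECON = {"ipconfig.exe", "systeminfo.exe", "tasklist.exe", "netstat.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Constructed sample records, loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = """\
pid=100|ppid=4|image=C:\\Windows\\System32\\inetsrv\\w3wp.exe|user=IIS APPPOOL\\DefaultAppPool
pid=200|ppid=100|image=C:\\Windows\\System32\\cmd.exe|user=IIS APPPOOL\\DefaultAppPool
pid=201|ppid=200|image=C:\\Windows\\System32\\ipconfig.exe|user=IIS APPPOOL\\DefaultAppPool
pid=300|ppid=100|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|user=IIS APPPOOL\\DefaultAppPool
pid=400|ppid=4|image=C:\\Windows\\explorer.exe|user=CORP\\admin
pid=401|ppid=400|image=C:\\Windows\\System32\\tasklist.exe|user=CORP\\admin
"""

def parse(text):
    """Parse 'key=value|key=value' records into a pid-keyed table."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            rec = dict(field.split("=", 1) for field in line.split("|"))
            table[int(rec["pid"])] = rec
    return table

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def spawned_by_iis(table, pid):
    """Walk the parent chain; True if any ancestor is the IIS worker process."""
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        pid = int(table[pid]["ppid"])
        if pid in table and basename(table[pid]["image"]) == IIS_WORKER:
            return True
    return False

def hunt(text):
    """Return (pid, image, verdict) for every descendant of w3wp.exe."""
    hits = []
    table = parse(text)
    for pid, rec in sorted(table.items()):
        name = basename(rec["image"])
        if name == IIS_WORKER or not spawned_by_iis(table, pid):
            continue
        verdict = "recon" if name in RECON else "shell" if name in SHELLS else "other"
        hits.append((pid, name, f"{verdict}-under-iis"))
    return hits
```

The ancestry walk matters because the recon binary's direct parent is usually cmd.exe, not w3wp.exe, so a rule keyed only on ParentImage would miss it; the interactive tasklist.exe run under explorer.exe is correctly left alone.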
The attackers went beyond basic access by installing SuperShell, a Go-based reverse shell tool supporting Windows, Linux, and Android. It provides stealthy remote access and has been used in prior APT activity, including by groups like UNC5174.
“SuperShell… allows the attacker to remotely control the infected system.”
In addition, MeshAgent was deployed, offering features like remote desktop (RDP, VNC), file transfer, and user monitoring. Although legitimate, its misuse highlights the dual-use nature of remote management tools.
One of the most notable elements was the presence of WogRAT, a backdoor malware similar to Rekoobe, based on Tiny SHell. Previously distributed via aNotepad, the current version retains the same C&C server domain as earlier cases, strongly suggesting the same threat actor.
“The malware is characterized by the string ‘WingsOfGod’… WogRAT has both Windows and Linux versions.”
Its presence in this campaign signifies an evolution in multi-platform targeting and code reuse.
Once inside the network, the attackers moved laterally using tools like WMIExec and Network Password Dump to steal credentials. The confirmed NT hash of an administrator account was used to compromise other systems. SQL servers were also targeted using Ladon’s MssqlCmd function to execute remote commands.
This campaign illustrates a multi-phase, multi-platform intrusion by a likely Chinese-speaking threat actor. From exploiting web server vulnerabilities to deploying a cross-platform malware arsenal, the attackers are capable of stealthy persistence, extensive reconnaissance, and deep lateral movement.
“While the ultimate goal is unknown, the attacker may steal sensitive information or infect the network with ransomware if they successfully take control.”
Organizations—especially those managing exposed web services—should audit file upload mechanisms, monitor for web shell activity, and apply defense-in-depth strategies against lateral movement and privilege escalation.