Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server

After initially infiltrating a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a port forwarding tool, and a malicious IIS module. The IIS module found in this case inspects the HTTP headers of requests reaching the web server on which it is installed and, when a header contains a particular string and certain conditions are met, returns a modified response in place of the normal one, so that advertisements for an illegal gambling website are exposed on Korean and Chinese portal websites.
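Because the module rewrites responses only for requests whose headers match, the site owner's own browser keeps seeing the clean page. A practical way to surface this kind of header-conditional injection from the outside is differential probing: request the same URL under several header sets and compare the bodies. The following is an added example written for this page, not code from the ASEC write-up or from the malware itself. The summary does not say which header strings the real module looks for, so the simulated module below keys on search-crawler User-Agent strings and portal Referer values as stand-ins; those trigger strings, the page contents and the hostname in the injected link are all assumptions made for the demonstration.

```python
import hashlib
from urllib.request import Request, urlopen

# ASSUMPTION: trigger strings chosen for the demo. The real module's strings
# are not given in the summary; crawler User-Agents and portal referrers are
# what black-hat SEO injection of this kind typically targets.
CRAWLER_MARKERS = ("Yeti", "Baiduspider", "Googlebot")
PORTAL_REFERERS = ("search.naver.com", "www.baidu.com")

# Constructed page bodies for the simulation (the .invalid TLD is reserved and
# never resolves, so the link is a placeholder, not a real gambling site).
CLEAN_PAGE = b"<html><body><h1>Company site</h1><p>Normal content.</p></body></html>"
INJECTED_PAGE = (b"<html><body><h1>Company site</h1><p>Normal content.</p>"
                 b"<a href=\"http://gambling-ad.invalid/\">...</a></body></html>")


def simulated_module(headers):
    """Stand-in for the malicious IIS module: serve the normal page unless the
    request headers match, in which case serve a modified body. Everyone who
    does not match (admins, the site owner's browser) sees the clean page."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    hit = any(m in ua for m in CRAWLER_MARKERS) or any(p in ref for p in PORTAL_REFERERS)
    return INJECTED_PAGE if hit else CLEAN_PAGE


# Header sets to probe with. "baseline" is an ordinary browser request; the
# others imitate the kinds of visitors an SEO-injection module would target.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
PROBES = {
    "baseline":       {"User-Agent": BROWSER_UA},
    "naver_crawler":  {"User-Agent": "Yeti/1.1 (Naver Corp.; http://help.naver.com/robots/)"},
    "baidu_crawler":  {"User-Agent": "Baiduspider"},
    "portal_referer": {"User-Agent": BROWSER_UA,
                       "Referer": "https://search.naver.com/search.naver?query=test"},
}


def http_fetcher(url, timeout=10):
    """Return a fetch(headers) -> body callable that talks to a real server."""
    def fetch(headers):
        with urlopen(Request(url, headers=headers), timeout=timeout) as resp:
            return resp.read()
    return fetch


def find_cloaked(fetch, probes=PROBES, baseline="baseline"):
    """Fetch the same resource under each header set and return the names of the
    variants whose body differs from the baseline browser request."""
    bodies = {name: fetch(hdrs) for name, hdrs in probes.items()}
    base = hashlib.sha256(bodies[baseline]).hexdigest()
    return sorted(name for name, body in bodies.items()
                  if name != baseline and hashlib.sha256(body).hexdigest() != base)


def run_demo():
    """Offline run against the simulated module; no network access needed."""
    return find_cloaked(simulated_module)


if __name__ == "__main__":
    print("variants that received a different body:", run_demo())
    # Against a real server you control or are authorised to test:
    #   find_cloaked(http_fetcher("http://target.example/"))
```

Whole-body hashing is deliberately blunt: pages that embed per-request tokens, timestamps or rotating banners will differ on every fetch, so on a real site strip that noise first, or diff the responses and look specifically for links and scripts present only in the crawler-facing copy. A clean result from this probe also proves little on its own, since the module's actual trigger may be a header value you did not send; it complements, rather than replaces, inspecting the server's module configuration.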

Disclaimer: This article is part of X-Force OSINT Advisories automated collection to enable faster integration of open-source articles to client environments. All credit and copyright goes to the original authors.
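On the server itself, a native IIS module such as the one described above has to be registered in the `<globalModules>` section of `%windir%\System32\inetsrv\config\applicationHost.config` before IIS will load it, so that section is the first place to audit after a suspected compromise. The script below is an added example written for this page, not a tool from the ASEC article or from X-Force. It parses a constructed copy of that section and flags any module whose DLL is loaded from outside the directories IIS and its official add-ons install into. The first two entries are real module names that ship with IIS; the third entry, its name and its path are invented for the example.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of applicationHost.config. HttpLoggingModule and
# StaticCompressionModule are genuine IIS modules; "HttpHelperModule" and
# C:\inetpub\temp\helper.dll are hypothetical and exist only in this example.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticCompressionModule" image="%windir%\System32\inetsrv\compstat.dll" />
      <add name="HttpHelperModule" image="C:\inetpub\temp\helper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories native modules are normally loaded from: IIS's own modules live
# in inetsrv, and Microsoft add-ons such as URL Rewrite install under
# Program Files. A module elsewhere is worth a look, not proof of compromise.
TRUSTED_DIRS = (r"%windir%\System32\inetsrv", r"%ProgramFiles%", r"%ProgramFiles(x86)%")


def expand(path, env):
    """Expand %VAR% references using the supplied mapping (case-insensitive, as
    on Windows) rather than os.environ, so a config copied off the server can be
    audited deterministically on any machine."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def norm(path):
    return path.replace("/", "\\").lower()


def list_global_modules(config_xml):
    """Return (name, image) pairs from <system.webServer><globalModules>."""
    root = ET.fromstring(config_xml)
    section = root.find("./system.webServer/globalModules")
    if section is None:
        return []
    return [(m.get("name"), m.get("image")) for m in section.findall("add")]


def suspicious_modules(config_xml, env):
    """Modules whose DLL path, after variable expansion, is not under a trusted
    directory. Returned as (name, normalised path) for the analyst to review."""
    trusted = [norm(expand(d, env)) for d in TRUSTED_DIRS]
    hits = []
    for name, image in list_global_modules(config_xml):
        path = norm(expand(image, env))
        if not any(path.startswith(t + "\\") for t in trusted):
            hits.append((name, path))
    return hits


# Environment values used for the offline demonstration.
DEMO_ENV = {"windir": r"C:\Windows", "ProgramFiles": r"C:\Program Files",
            "ProgramFiles(x86)": r"C:\Program Files (x86)"}


def audit_live_server():
    """On an IIS host: read the live configuration with the real environment."""
    cfg = os.path.expandvars(r"%windir%\System32\inetsrv\config\applicationHost.config")
    with open(cfg, encoding="utf-8") as f:
        return suspicious_modules(f.read(), dict(os.environ))


if __name__ == "__main__":
    for name, path in suspicious_modules(SAMPLE_CONFIG, DEMO_ENV):
        print(f"REVIEW: global module {name!r} loads from {path}")
```

Path location is only the first filter. For every module the script reports, check the DLL's Authenticode signature and creation time, and remember that an attacker with write access to inetsrv can drop a DLL alongside the legitimate ones, so an unfamiliar module name inside a trusted directory still merits the same inspection. Managed modules registered in web.config files under the site roots are a separate surface that this globalModules check does not cover.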

Reference:
https://asec.ahnlab.com/en/65131/

Sample Indicators of Compromise:

URL: http://ll.olacityviet.com

Hashes: d5312ab7f01fd74d399c392effdfe43728dd72e322f6be382dac4fa9eb5cd09bebeb931a6dd91a227225f0ff92142f2b (96 hexadecimal characters run together without separators in the extracted page, consistent with either three 32-character MD5 hashes or one 64-character SHA-256 followed by one MD5; the boundaries are not marked)

IP address: 43.156.50.76
