Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies

[correlate]
May 4, 2019
This is a case of infiltration of an IIS web server or an MS Exchange server, and the initial intrusion is the same as previously known types. However, this post discusses cases presumed to be the work of a particular hacker group rather than individual attackers. The most significant characteristic of this group is its use of the open-source tool FRP. The group finds a server accessible from outside and attacks it, and when the infiltration succeeds, privilege escalation is attempted.

Afterward, for more complete control of the host, FRP (Fast Reverse Proxy) or LCX (commonly referred to as HTran) is installed, and FRP is the more common of the two. When FRP is installed, it is fetched from a particular download address, and the download servers hosting the FRP binaries appear to be web servers of Korean companies that the attackers have already taken over. Other characteristics include using particular file names when installing FRP and taking over another Korean company's server to abuse as the relay server that FRP needs.
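The post does not name the file names or relay addresses the group uses, so the triage below is generic. It is an added example, not code from the original post or from the FRP project: it parses FRP's client configuration format (frpc.ini, the INI layout used by frpc at the time, with a [common] section holding server_addr and server_port and one section per forwarded service) and flags what an intruder's copy typically looks like, namely a server_addr outside the local network (the attacker's relay) and a tunnel that exposes a local RDP/SMB/WinRM-type port through it. The watch-list of sensitive ports and both sample configs are constructed for illustration.

```python
"""Triage helper for FRP client configs (frpc.ini) found on a compromised server.

frpc reads an INI file with a [common] section (server_addr, server_port,
token, ...) and one section per forwarded service (type, local_ip,
local_port, remote_port). An intruder who drops frpc on an IIS/Exchange host
points server_addr at a relay under their control and forwards local
services back out through it. Both sample configs below are constructed.
"""
import configparser
import ipaddress
from dataclasses import dataclass, field

# Local services commonly exposed through a reverse tunnel
# (assumed watch-list for this example, not from the original post).
SENSITIVE_LOCAL_PORTS = {22: "ssh", 445: "smb", 1433: "mssql",
                         3389: "rdp", 5985: "winrm"}


@dataclass
class FrpFinding:
    section: str
    reason: str


@dataclass
class FrpTriage:
    server_addr: str
    server_port: int
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _is_external(host: str) -> bool:
    """True when server_addr is a public address or a DNS name (not
    RFC1918/loopback/link-local). A hostname is treated as external because
    a legitimate internal frpc would normally point at an internal IP."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage_frpc_ini(text: str) -> FrpTriage:
    """Parse an frpc.ini and return the relay address plus suspicious traits."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    common = cp["common"] if cp.has_section("common") else {}
    server_addr = common.get("server_addr", "127.0.0.1")
    server_port = int(common.get("server_port", "7000"))
    result = FrpTriage(server_addr, server_port)

    if _is_external(server_addr):
        result.findings.append(FrpFinding(
            "common", f"server_addr {server_addr} is outside the local network"))

    for name in cp.sections():
        if name == "common":
            continue
        sec = cp[name]
        ptype = sec.get("type", "tcp")
        local_port = sec.get("local_port")
        if ptype in ("tcp", "udp") and local_port and int(local_port) in SENSITIVE_LOCAL_PORTS:
            svc = SENSITIVE_LOCAL_PORTS[int(local_port)]
            result.findings.append(FrpFinding(
                name, f"exposes local {svc} (port {local_port}) "
                      f"via remote_port {sec.get('remote_port', '?')}"))
        if ptype in ("stcp", "xtcp", "sudp"):
            # Secret/P2P tunnel types are rarely legitimate on a web server.
            result.findings.append(FrpFinding(name, f"{ptype} tunnel configured"))
    return result


# Constructed sample: an intruder's config forwarding RDP out to a relay host.
CONSTRUCTED_ATTACKER_INI = """
[common]
server_addr = relay.example
server_port = 7000
token = example

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
"""

# Constructed sample: an internal frpc exposing a dev web app to an internal relay.
CONSTRUCTED_BENIGN_INI = """
[common]
server_addr = 10.0.0.5
server_port = 7000

[web]
type = http
local_port = 8080
custom_domains = intranet.example
"""

if __name__ == "__main__":
    for label, ini in (("constructed attacker config", CONSTRUCTED_ATTACKER_INI),
                       ("constructed benign config", CONSTRUCTED_BENIGN_INI)):
        t = triage_frpc_ini(ini)
        print(f"{label}: relay {t.server_addr}:{t.server_port}, suspicious={t.suspicious}")
        for f in t.findings:
            print(f"  [{f.section}] {f.reason}")
```

On a live host, run this over any INI file found beside an unexpected frpc-style binary (the group renames the files, so match on content rather than name), and treat the server_addr as a pivot: per the post, that relay is likely another victim's server rather than attacker-owned infrastructure, so it is worth notifying rather than simply blocking.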
 
