
Dalbit's Ingenuity
Dalbit is a threat actor group recently discovered to have targeted Korean organisations. Their usual tactic is to exploit SQL and web servers in order to upload web shells. Through these web shells, additional tools such as privilege escalation binaries, proxy tools, and scanning tools are downloaded. Once an initial foothold is established, FRP (Fast Reverse Proxy) is deployed to connect back to their Command-and-Control server, or to another victim's server, via RDP. The end goal appears to be the eventual deployment of ransomware on their victims.
Indicators of Compromise
| Indicator | Source | Date |
| --- | --- | --- |
| m00nlight.top | SOCRadar | 2023-03-20 |
| fk.m00nlight.top | SOCRadar | 2023-03-20 |
| onionmail.com | SOCRadar | 2023-03-20 |
| sk1.m00nlight.top | SOCRadar | 2023-03-20 |
| aa.zxcss.com | SOCRadar | 2023-03-20 |
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| Tactic | Techniques |
| --- | --- |
| Execution | Command and Scripting Interpreter (T1059); Windows Management Instrumentation (T1047); System Service (T1569) |
| Persistence | Scheduled Task/Job (T1053); Create Account (T1136); Server Software Component (T1505); Account Manipulation (T1098) |
| Privilege Escalation | Access Token Manipulation (T1134); Exploitation for Privilege Escalation (T1068) |
| Credential Access | OS Credential Dumping (T1003) |
| Discovery | Remote System Discovery (T1018); Network Service Discovery (T1046) |
| Defense Evasion | Impair Defenses (T1562); Indicator Removal (T1070) |
| Lateral Movement | Remote Services (T1021); Lateral Tool Transfer (T1570) |
| Collection | Data from Local System (T1005); Account Discovery: Email Account (T1087.003); Email Collection (T1114); Screen Capture (T1113) |
| Exfiltration | Exfiltration Over Web Service (T1567) |
| Command and Control | Proxy (T1090); Ingress Tool Transfer (T1105) |
| Impact | Data Encrypted for Impact (T1486) |
| Resource Development | Stage Capabilities: Upload Malware (T1608.001) |
Reports & References
Observed Countries
CN (585)
KP (481)