Dalbit's Ingenuity


Tags: FRP, Fast Reverse Proxy, Dalbit, Malware, m00nlight.top
Dalbit is a threat actor group recently discovered targeting Korean organisations. Their usual initial-access tactic is to exploit vulnerable SQL and web servers and upload web shells. Through these web shells they download additional tooling: privilege-escalation binaries, proxy tools and network scanners. Once a foothold is established, FRP (Fast Reverse Proxy) is deployed so that the attackers can reach the compromised host over RDP, either from their command-and-control server or from another victim's server used as a relay. The end goal appears to be deploying ransomware on the victim.
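The FRP stage described above leaves a concrete artefact on the host: an frpc client configuration that names the attacker's server and maps a local service (typically RDP on 3389) to a port on that server. The following is an added example, not code from the page or from the Dalbit reports, showing how a responder can triage such a config. It parses the classic frpc.ini format, checks the server_addr against the IOC domains listed on this page (including subdomains), and flags any TCP proxy section that exposes a sensitive local port. The two configs at the bottom are constructed for illustration; the "frp.example.internal" host and the token value are placeholders.

```python
"""Triage FRP (frpc.ini) client configs for Dalbit-style RDP exposure.

Added example: the IOC domains come from this page's indicator list;
the two sample configs are constructed, not recovered from an incident.
"""
import configparser

# Domains from the page's Indicators of Compromise list.
IOC_DOMAINS = {
    "m00nlight.top",
    "fk.m00nlight.top",
    "sk1.m00nlight.top",
    "aa.zxcss.com",
}

# Local ports whose exposure through a reverse proxy indicates an
# attacker is staging remote access or lateral movement.
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 1433: "MSSQL", 5985: "WinRM"}


def host_matches_ioc(host: str) -> bool:
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def analyse_frpc_ini(text: str) -> dict:
    """Return a findings dict for one frpc.ini document.

    Keys: server_addr (str or None), ioc_match (bool),
    exposed (list of (section, local_port, service, remote_port)),
    suspicious (bool).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)

    findings = {"server_addr": None, "ioc_match": False, "exposed": []}

    # [common] holds the frps server the client will dial out to.
    if cp.has_section("common"):
        addr = cp.get("common", "server_addr", fallback="")
        findings["server_addr"] = addr
        findings["ioc_match"] = host_matches_ioc(addr)

    # Every other section is a proxy definition; only tcp-style proxies
    # can expose raw RDP/SMB, so http/https proxies are ignored here.
    for section in cp.sections():
        if section == "common":
            continue
        proxy_type = cp.get(section, "type", fallback="").lower()
        if proxy_type not in {"tcp", "stcp", "xtcp"}:
            continue
        try:
            local_port = cp.getint(section, "local_port")
        except (ValueError, configparser.NoOptionError):
            continue
        if local_port in SENSITIVE_PORTS:
            remote_port = cp.get(section, "remote_port", fallback="?")
            findings["exposed"].append(
                (section, local_port, SENSITIVE_PORTS[local_port], remote_port)
            )

    findings["suspicious"] = findings["ioc_match"] or bool(findings["exposed"])
    return findings


# Constructed sample: what a Dalbit-style deployment would look like.
SAMPLE_MALICIOUS = """\
[common]
server_addr = fk.m00nlight.top
server_port = 7000
token = placeholder-token

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6001
"""

# Constructed sample: a legitimate developer tunnel for an HTTP service.
SAMPLE_BENIGN = """\
[common]
server_addr = frp.example.internal
server_port = 7000

[web]
type = http
local_port = 8080
custom_domains = dev.example.internal
"""


if __name__ == "__main__":
    for label, cfg in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = analyse_frpc_ini(cfg)
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result)
```

On a live host the same function can be pointed at every frpc.ini found by a filesystem sweep; a server_addr that is a bare IP rather than a domain will not match the IOC list, so the exposed-port check is the more durable of the two signals.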

Indicators of Compromise

m00nlight.top
fk.m00nlight.top
onionmail.com
sk1.m00nlight.top
aa.zxcss.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Execution
– Command and Scripting Interpreter (T1059)
– Windows Management Instrumentation (T1047)
– System Services (T1569)

Persistence
– Scheduled Task/Job (T1053)
– Create Account (T1136)
– Server Software Component (T1505)
– Account Manipulation (T1098)

Privilege Escalation
– Access Token Manipulation (T1134)
– Exploitation for Privilege Escalation (T1068)

Credential Access
– OS Credential Dumping (T1003)

Discovery
– Remote System Discovery (T1018)
– Network Service Discovery (T1046)
– Account Discovery: Email Account (T1087.003)

Defense Evasion
– Impair Defenses (T1562)
– Indicator Removal (T1070)

Lateral Movement
– Remote Services (T1021)
– Lateral Tool Transfer (T1570)

Collection
– Data from Local System (T1005)
– Email Collection (T1114)
– Screen Capture (T1113)

Exfiltration
– Exfiltration Over Web Service (T1567)

Command and Control
– Proxy (T1090)
– Ingress Tool Transfer (T1105)

Impact
– Data Encrypted for Impact (T1486)

Resource Development
– Stage Capabilities: Upload Malware (T1608.001)

Reports & References: 1

Observed Countries: 2

CN (585)
KP (481)