SOC Incident Toolkit

Dalbit's Ingenuity

Tags: FRP, Fast Reverse Proxy, Dalbit, Malware, m00nlight.top

Dalbit is a threat actor group recently discovered to have targeted Korean organisations. Their usual tactic is to exploit SQL and web servers in order to upload web shells. Through these web shells, additional tools such as privilege escalation binaries, proxy tools, and scanning tools are downloaded. Once an initial foothold is established, FRP (Fast Reverse Proxy) is deployed to connect back to their command-and-control server or to another victim's server via RDP. The end goal appears to be the eventual deployment of ransomware on their victims.

Indicators of Compromise

Domains (5)

m00nlight.top
fk.m00nlight.top
onionmail.com
sk1.m00nlight.top
aa.zxcss.com

Hashes (195)


IPv4 (10)

91.217.139.117
45.136.186.175
45.93.31.122
45.93.28.103
45.93.31.75
205.185.122.95
175.24.32.228
45.136.186.19
101.43.121.50
103.118.42.208

CVEs (3)

CVE-2018-8639
CVE-2017-10271
CVE-2019-1458
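A small matcher, added here as an illustration and not part of this toolkit page, that checks constructed DNS and connection log lines against the domain and IPv4 indicators listed above. The key=value log format, the parent-domain rule (any host under a listed domain counts as a hit) and the sample lines are assumptions.

```python
import ipaddress
import re

# Indicators copied verbatim from this page's IoC lists (domains and IPv4).
IOC_DOMAINS = {"m00nlight.top", "fk.m00nlight.top", "onionmail.com",
               "sk1.m00nlight.top", "aa.zxcss.com"}
IOC_IPS = {"91.217.139.117", "45.136.186.175", "45.93.31.122", "45.93.28.103",
           "45.93.31.75", "205.185.122.95", "175.24.32.228", "45.136.186.19",
           "101.43.121.50", "103.118.42.208"}

# Constructed sample key=value log lines (not real telemetry): an FRP-style
# outbound connection, DNS lookups for relay hosts, and benign noise.
SAMPLE_LOG = """\
2023-02-10T03:14:22Z host=WEB01 event=dns qname=fk.m00nlight.top
2023-02-10T03:14:23Z host=WEB01 event=conn dst=45.136.186.175 dport=7000
2023-02-10T03:15:01Z host=DB02 event=conn dst=10.0.0.5 dport=3389
2023-02-10T03:16:40Z host=DB02 event=dns qname=update.m00nlight.top.
2023-02-10T03:17:05Z host=WEB01 event=dns qname=mail.example.com
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def match_domain(qname, ioc_domains=IOC_DOMAINS):
    """Return the indicator qname matches exactly or as a parent domain, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # stop before the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None

def match_ip(addr, ioc_ips=IOC_IPS):
    """Return addr if it parses as an IP address that is on the indicator list."""
    try:
        return addr if str(ipaddress.ip_address(addr)) in ioc_ips else None
    except ValueError:  # hostnames and other junk in the field are not hits
        return None

def scan_log(text):
    """Return (line_number, field, indicator) for every IoC hit in the log text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = dict(KV_RE.findall(line))
        for key, matcher in (("qname", match_domain), ("dst", match_ip)):
            hit = matcher(fields[key]) if key in fields else None
            if hit:
                hits.append((n, key, hit))
    return hits
```

Parent-domain matching also fires on the public mail provider domain in the list, so hits on it deserve less weight than hits on the m00nlight.top hosts.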

Notes

Dalbit is the name given to a threat actor group that has been active in South Korea since 2015. This group is known for its sophisticated and persistent attacks against various organizations in the country, including government agencies, universities, and private companies. The name "Dalbit" is Korean for "moonlight," which reflects the group's covert and stealthy nature.

Dalbit's modus operandi involves using a combination of advanced hacking tools, social engineering, and customized malware to gain access to the target's network. Once inside, the group uses techniques such as privilege escalation, lateral movement, and data exfiltration to achieve its objectives. The group's ultimate goal is usually to steal sensitive information, disrupt operations, or cause other forms of damage to the target.

One of the most notable aspects of Dalbit's attacks is their use of web shells. These are small pieces of code that are uploaded to compromised web servers and provide a backdoor into the system for the attackers. Web shells can be used to execute commands, upload and download files, and access the underlying database. Dalbit has been known to use various web shell variants, including China Chopper and AntSword.

Another hallmark of Dalbit's attacks is their use of proxy tools to hide their activities. The group has been known to use tools like FRP and LCX to create a tunnel between the compromised system and their command-and-control server. This allows them to communicate with the target's network without being detected by network security systems.

Dalbit has also been observed using various privilege escalation tools to gain higher levels of access within the target's network. These tools include Potato, JuicyPotato, and SweetPotato. Once they have gained administrative access, the group can carry out a range of actions such as adding new user accounts, disabling security features, and installing additional malware.

One of the most concerning aspects of Dalbit's activities is their persistence. The group has been known to maintain access to a compromised network for extended periods, sometimes years, without being detected. They achieve this by using various techniques to remain hidden, such as deleting logs and masking their activities as legitimate traffic.

In conclusion, Dalbit is a highly sophisticated and persistent threat actor group that poses a significant risk to organizations in South Korea. Their use of advanced hacking tools, customized malware, and social engineering techniques makes them a formidable adversary. To defend against their attacks, organizations need to implement comprehensive security measures and remain vigilant to detect and respond to any potential breaches.

Mitigation

MITRE ATT&CK techniques observed, grouped by tactic:

Execution
– Command and Scripting Interpreter (T1059)
– Windows Management Instrumentation (T1047)
– System Services (T1569)

Persistence
– Scheduled Task/Job (T1053)
– Create Account (T1136)
– Server Software Component (T1505)
– Account Manipulation (T1098)

Privilege Escalation
– Access Token Manipulation (T1134)
– Exploitation for Privilege Escalation (T1068)

Credential Access
– OS Credential Dumping (T1003)

Discovery
– Remote System Discovery (T1018)
– Network Service Discovery (T1046)

Defense Evasion
– Impair Defenses (T1562)
– Indicator Removal (T1070)

Lateral Movement
– Remote Services (T1021)
– Lateral Tool Transfer (T1570)

Collection
– Data from Local System (T1005)
– Account Discovery: Email Account (T1087.003)
– Email Collection (T1114)
– Screen Capture (T1113)

Exfiltration
– Exfiltration Over Web Service (T1567)

Command and Control
– Proxy (T1090)
– Ingress Tool Transfer (T1105)

Impact
– Data Encrypted for Impact (T1486)

Resource Development
– Stage Capabilities: Upload Malware (T1608.001)