Threat Actors Exploiting Windows and Linux Web Server Vulnerabilities to Deploy Web Shells

A cyber attack campaign targeting South Korean web servers has been identified in which threat actors deploy the MeshAgent remote management agent and the SuperShell backdoor to take control of both Windows and Linux servers.

The intrusions do not rely on a single product flaw: the attackers exploit file upload vulnerabilities in web applications to place web shells, then use that access to establish a persistent foothold on servers of either operating system.

The pattern is consistent across victims. The attackers first gain access through an upload function that accepts a script file, then bring in a set of reconnaissance, privilege escalation and persistence tools.

The same operators were observed on Windows IIS servers and on Linux systems, indicating an operation whose tooling and procedures cover both platforms rather than one Windows-only toolkit.

ELF binaries were hosted alongside Windows executables on the attackers' download servers, confirming that Linux hosts are deliberate targets rather than incidental ones.

The same download server also hosted WogRAT, a backdoor tied to infrastructure from earlier campaigns, which points to one group operating continuously over time and across several intrusion vectors.

ASEC analysts identified several web shells on the compromised systems, among them Chopper, Godzilla and reGeorg, the last of which tunnels SOCKS traffic through the web server into the internal network rather than only executing commands.

Taken together with the Chinese-language scanning and lateral-movement tools Fscan and Ladon, the researchers assess that Chinese-speaking threat actors are behind the campaign.

Infection Mechanism and Multi-Platform Targeting

Each intrusion begins the same way: a file upload function in a web application accepts a script file, and the attacker uses it to drop a web shell and gain command execution on the server.
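The handler pattern behind this initial access, shown as an added Python illustration rather than code from the ASEC report or the article: the vulnerable version trusts the client's filename and writes under the served directory, so "shell.aspx" becomes an executable page; the hardened version strips any path, allows exactly one extension from an allowlist, checks the body against the type's magic bytes, and stores the file under a random name outside the web root. The paths, size limit and sample uploads are constructed assumptions.

```python
import re
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample uploads (client filename, body bytes). The script-looking
# bodies are inert markers standing in for a web shell, not working shells.
SAMPLE_UPLOADS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32),
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ("shell.aspx", b'<%@ Page Language="C#" %>'),
    ("..\\..\\wwwroot\\cmd.aspx", b'<%@ Page Language="C#" %>'),
    ("shell.php.jpg", b"<?php /* marker */ ?>"),
    ("notes.txt", b"hello"),
]

WEB_ROOT = "C:/inetpub/wwwroot/uploads"   # assumed served path: any .aspx here is executed by IIS
UPLOAD_ROOT = "D:/uploads"                # assumed path outside the served tree

# Allowed extension -> magic-byte prefixes a body of that type must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
SAFE_STEM = re.compile(r"^[a-z0-9_-]{1,64}$")
MAX_BYTES = 5 * 1024 * 1024


def vulnerable_destination(filename: str) -> str:
    """The pattern that gets exploited: keep the client's name and extension and
    write under the web root. "shell.aspx" lands where IIS will execute it, and
    "..\\..\\wwwroot\\cmd.aspx" walks out of the upload folder entirely."""
    return WEB_ROOT + "/" + filename


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Hardened check: returns (accepted, reason, server-side path or None)."""
    # Drop any directory part the client sent, whichever separator it used.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # Exactly one extension: rejects shell.aspx as well as shell.php.jpg.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be <stem>.<ext> with exactly one extension", None
    stem, ext = parts[0], "." + parts[1]
    if ext not in ALLOWED:
        return False, f"extension {ext} is not allowed", None
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in name", None
    if len(data) > MAX_BYTES:
        return False, "body exceeds size limit", None
    # The body must look like the claimed type, so script source renamed to
    # .jpg is refused even though the extension passed.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    # Never reuse the client's name, and never store under the served tree.
    return True, "ok", UPLOAD_ROOT + "/" + secrets.token_hex(16) + ext


def run_samples() -> Dict[str, Tuple[str, bool, str]]:
    """Map each sample name to (where the vulnerable handler would write it,
    whether the hardened check accepts it, and why)."""
    results = {}
    for name, body in SAMPLE_UPLOADS:
        accepted, reason, _ = validate_upload(name, body)
        results[name] = (vulnerable_destination(name), accepted, reason)
    return results


if __name__ == "__main__":
    for name, (dest, accepted, reason) in run_samples().items():
        verdict = "accept" if accepted else "reject"
        print(f"{name!r:32} vulnerable -> {dest}")
        print(f"{'':32} hardened   -> {verdict}: {reason}")
```

In a real handler the same checks sit in front of the write, stored files are only ever read back through a download endpoint that sets a fixed Content-Type and a Content-Disposition header, and the upload directory itself carries no script execution: remove the script handler mappings for it in IIS, or disable the PHP engine for that directory on Apache, so a file that slips past validation still cannot run.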

From the web shell, the attackers run reconnaissance commands to learn which account they are executing as, what the host is, which connections it holds and, with Fscan, which other hosts are reachable:

> ipconfig
> whoami /all
> systeminfo
> netstat -ano
> fscan.exe -hf i.txt -nocolor -silent -o rr8.txt

Following this reconnaissance, the threat actors deploy SuperShell, a Go-based reverse shell framework with agents for Windows, Linux and Android.

A single command-and-control framework therefore covers every server type the attackers encounter in a victim's environment.

Persistence comes from installing MeshAgent, the agent component of the open-source MeshCentral remote management platform, which gives the operators file transfer, command execution and browser-based remote desktop access to the host.

For privilege escalation on Windows hosts, the attackers run the PowerShell port of Ladon (PowerLadon) and its SweetPotato module. SweetPotato abuses the SeImpersonatePrivilege held by service accounts such as the IIS application pool identity to obtain a SYSTEM token; the trailing whoami is simply the command executed with that token:

powershell -exec bypass Import-Module .\Ladon.ps1;Ladon SweetPotato whoami

With credentials harvested from the compromised server, the attackers then move laterally using WMIExec, reaching further hosts on the internal network including MS-SQL servers.
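A detection that covers the chain described above, added here as a Python illustration and not taken from the ASEC report or the article: the strongest web shell signal is the web server worker process (w3wp.exe on IIS, php-fpm or httpd on Linux) spawning a shell or a reconnaissance command, and the tool names seen in this campaign (Fscan, Ladon/SweetPotato, WMIExec, MeshAgent) are flagged on the command line regardless of parent. The process events are constructed in the shape of a Sysmon event ID 1 export; the severity tiers and the allowlist of benign worker children are assumptions to tune locally.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation events (host, parent image, child image, command
# line). None of these lines come from the report; they exist to exercise the rules.
SAMPLE_EVENTS: List[Tuple[str, str, str, str]] = [
    ("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "whoami /all"'),
    ("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c "netstat -ano"'),
    ("WEB01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\fscan.exe",
     r"fscan.exe -hf i.txt -nocolor -silent -o rr8.txt"),
    ("WEB01", r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -exec bypass Import-Module .\Ladon.ps1;Ladon SweetPotato whoami"),
    ("WEB01", r"C:\Windows\System32\services.exe", r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'),
    # An administrator at the console: recon on its own is noise, not an alert.
    ("WEB01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ipconfig"),
    # ASP.NET dynamic compilation: a legitimate child of w3wp.exe.
    ("WEB01", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", r"csc.exe /noconfig /fullpaths @tmp.cmdline"),
    ("WEB01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\Temp\wmiexec.exe",
     r"wmiexec.exe corp/svc_sql:Passw0rd@10.0.0.25 whoami"),
    ("LNX01", "/usr/sbin/php-fpm", "/bin/sh", "sh -c 'id; uname -a'"),
]

WEB_WORKERS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "php-cgi", "tomcat"}
BENIGN_WEB_CHILDREN = {"csc.exe", "cvtres.exe"}   # assumed allowlist; extend per site

# Command-line indicators; names are the tags attached to an alert.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "recon":     re.compile(r"\b(whoami|systeminfo|ipconfig|netstat|hostname|uname|id)\b", re.I),
    "fscan":     re.compile(r"\bfscan(\.exe)?\b", re.I),
    "ladon":     re.compile(r"ladon(\.ps1)?\b|sweetpotato", re.I),
    "ps_bypass": re.compile(r"-exec(utionpolicy)?\s+bypass", re.I),
    "wmiexec":   re.compile(r"\bwmiexec", re.I),
    "meshagent": re.compile(r"meshagent", re.I),
}
HIGH = {"web_worker_child", "fscan", "ladon", "wmiexec"}
MEDIUM = {"ps_bypass", "meshagent"}   # MeshAgent may be sanctioned RMM; review rather than page


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(parent: str, image: str, cmdline: str) -> List[str]:
    """Tags for one event: worker-spawned child first, then command-line hits."""
    tags: List[str] = []
    if basename(parent) in WEB_WORKERS and basename(image) not in BENIGN_WEB_CHILDREN:
        tags.append("web_worker_child")
    for name, rx in PATTERNS.items():
        if rx.search(cmdline):
            tags.append(name)
    return tags


def severity(tags: List[str]) -> Optional[str]:
    """Recon alone never alerts; it only matters when paired with a worker parent."""
    if HIGH & set(tags):
        return "high"
    if MEDIUM & set(tags):
        return "medium"
    return None


def hunt(events: List[Tuple[str, str, str, str]]) -> List[Dict[str, object]]:
    alerts: List[Dict[str, object]] = []
    for host, parent, image, cmdline in events:
        tags = classify(parent, image, cmdline)
        sev = severity(tags)
        if sev:
            alerts.append({"host": host, "severity": sev, "tags": tags, "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['host']} {','.join(a['tags']):30} {a['cmdline']}")
```

The worker-process rule is the one to keep even if every tool name changes: on IIS it is w3wp.exe with a child other than the .NET compiler, on Linux it is php-fpm, httpd or nginx spawning sh or bash. Tune the allowlist against a week of your own telemetry before enabling it as a paging alert.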

The chain is methodical and built for long-term access. Its end goal has not been established, though the access obtained would serve data exfiltration or ransomware deployment equally well.

©2024 iSecurify. All Rights Reserved.