Attack Groups Using FRP (Fast Reverse Proxy) Against Korean Companies - ASEC BLOG
Tags
attack-pattern:
- Confluence - T1213.001
- Malware - T1587.001
- Malware - T1588.001
- Connection Proxy - T1090
Common Information
Type | Value |
---|---|
UUID | 7d6207e3-5271-4129-a0f8-9c513535ef34 |
Fingerprint | b4e24100da2db042 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Aug. 16, 2022, 8:32 p.m. |
Added to db | Jan. 16, 2023, 3:56 p.m. |
Last updated | Nov. 17, 2024, 7:44 p.m. |
Headline | Attack Groups Using FRP (Fast Reverse Proxy) Against Korean Companies (original Korean title: 국내 기업 타겟의 FRP(Fast Reverse Proxy) 사용하는 공격 그룹) |
Title | Attack Groups Using FRP (Fast Reverse Proxy) Against Korean Companies - ASEC BLOG |
Detected Hints/Tags/Attributes | 25/1/101 |
Source URLs
Type | Url |
---|---|
Source | https://asec.ahnlab.com/ko/37652/ |
Attributes
Type | #Events | Value |
---|---|---|
CVE | 19 | cve-2018-8440 |
CVE | 8 | cve-2019-1405 |
CVE | 6 | cve-2019-1322 |
CVE | 65 | cve-2021-1675 |
CVE | 45 | cve-2021-1732 |
CVE | 15 | cve-2021-36934 |
CVE | 19 | cve-2021-40449 |
CVE | 19 | cve-2022-21882 |
CVE | 11 | cve-2022-21999 |
Domain | 4127 | github.com |
Domain | 13 | info.zip |
Domain | 22 | update.zip |
Domain | 42 | co.kr |
File | 128 | w3wp.exe |
File | 119 | sqlservr.exe |
File | 2 | frps.ini |
File | 7 | frpc.ini |
File | 5 | frps.exe |
File | 15 | frpc.exe |
File | 2 | %allusersprofile%\update.exe |
File | 2 | %allusersprofile%\info.zip |
File | 2 | %allusersprofile%\f.zip |
File | 2 | %allusersprofile%\t.zip |
File | 2 | %allusersprofile%\frpc.exe |
File | 2 | %systemdrive%\perflogs\update.exe |
File | 2 | %systemdrive%\temp\update.exe |
File | 2 | %systemdrive%\temp\info.zip |
File | 2 | %systemroot%\temp\frpc.exe |
File | 175 | update.exe |
File | 24 | update.zip |
File | 13 | info.exe |
File | 13 | info.zip |
File | 3 | f.zip |
File | 5 | htran.exe |
File | 14 | c.txt |
File | 2 | %systemdrive%\webdriver\chrome\c.txt |
File | 4 | c:\windows\system32\bitlockerwizardelev.exe |
File | 8 | asp.asp |
File | 4 | juicypotato.c4 |
File | 4 | sweetpotato.c4 |
File | 27 | agent.c4 |
File | 2 | cve-2022-21999.c4 |
File | 31 | generic.c4 |
File | 4 | exploit.c4 |
File | 4 | frp.c4 |
Github username | 3 | alpha1ab |
Github username | 3 | apt69 |
Github username | 2 | evilashz |
Github username | 3 | kalendsi |
Github username | 6 | gossithedog |
Github username | 5 | ly4k |
Github username | 2 | sailay1996 |
md5 | 4 | 0311ee1452a19b97e626d24751375652 |
md5 | 3 | 808502752ca0492aca995e9b620d507b |
md5 | 4 | 4bafbdca775375283a90f47952e182d9 |
md5 | 5 | 9fe61c9538f2df492dff1aab0f90579f |
md5 | 5 | ab9091f25a5ad44bef898588764f1990 |
md5 | 4 | 87e5c9f3127f29465ae04b9160756c62 |
md5 | 4 | fd0f73dd80d15626602c08b90529d9fd |
md5 | 4 | 937435bbcbc3670430bb762c56c7b329 |
md5 | 2 | 4c56462a3735dba9ee5f132f670e3fb1 |
md5 | 3 | 2e2ddfd6d3a10d5dd51f8cbdeaeb4b75 |
md5 | 3 | 6a60f718e1ecadd0e26893daa31c7120 |
md5 | 2 | e81a9b194cf1bcd4f1bbf21338840ece |
md5 | 2 | d406d8889dc1f2d51954808f5587415d |
md5 | 2 | ed1762b09d0a966d7a2d6c9167ea5499 |
md5 | 2 | 055cc4c30260884c910b383bb81cf7c8 |
md5 | 2 | b08b660ed646c390d5a254070123c74c |
md5 | 2 | 018dd881f5bf9181b70f78d7d38bd62a |
md5 | 2 | 31eb70dc11af05ec4d5cda652396970c |
md5 | 2 | b77e3a7e13e39829383fabf436e9c8f2 |
md5 | 4 | e31b7d841b1865e11eab056e70416f1a |
md5 | 5 | 612585fa3ada349a02bc97d4c60de784 |
md5 | 2 | 3921d444a251661662f991b147e22bc3 |
md5 | 4 | c802dd3d8732d9834c5a558e9d39ed37 |
md5 | 4 | 6b4c7ea91d5696369dd0a848586f0b28 |
md5 | 4 | 07191f554ed5d9025bc85ee1bf51f975 |
md5 | 2 | 27303a52d7ebd666d2a84529f2c86b3c |
md5 | 4 | 4eb5eb52061cc8cf06e28e7eb20cd055 |
md5 | 4 | 622f060fce624bdca9a427c3edec1663 |
md5 | 2 | 72decb30e84cfe0d726f26c4f45dc1b0 |
md5 | 7 | 7d9c233b8c9e3f0ea290d2b84593c842 |
md5 | 3 | d862186f24e644b02aa97d98695c73d8 |
md5 | 4 | df8f2dc27cbbd10d944210b19f97dafd |
md5 | 4 | 8de8dfcb99621b21bf66a3ef2fcd8138 |
md5 | 2 | 47f091b0bfa0f3d6e6943d7f178a4dff |
md5 | 2 | 1b562817eadfb12f527bf25bf5c803b1 |
IPv4 | 1441 | 127.0.0.1 |
IPv4 | 2 | 192.168.204.131 |
Threat Actor Identifier - APT | 3 | APT69 |
Url | 2 | https://github.com/alpha1ab/win2016lpe |
Url | 3 | https://github.com/apt69/comahawk |
Url | 2 | https://github.com/evilashz/cve-2021-1675-lpe-exp |
Url | 2 | https://github.com/kalendsi/cve-2021-1732-exploit |
Url | 3 | https://github.com/gossithedog/hivenightmare |
Url | 2 | https://github.com/ly4k/callbackhell |
Url | 2 | https://github.com/sailay1996/cve-2022-21882-poc |
Url | 2 | https://github.com/ly4k/spoolfool |
Url | 2 | http://www.ive***.co.kr/uploadfile/ufaceimage/1/info.zip |
Url | 4 | http://www.ive***.co.kr/uploadfile/ufaceimage/1/update.zip |
Url | 2 | http://www.ive***.co.kr/uploadfile/ufaceimage/1/f.zip |
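The attribute table above is only useful if it can be applied to host data, so the following is an added triage helper written for this page; it is not code from ASEC or from the frp project. It expands the %allusersprofile% / %systemdrive% / %systemroot% path patterns from the table, matches constructed file-creation events against those paths and a subset of the listed MD5s, and parses a legacy-format frpc.ini (the file the table lists as dropped beside frpc.exe) to recover the frps server address and the local services the host was exposing. Assumptions: the environment-variable values are those of a default Windows install, the sample events and the sample frpc.ini are constructed here, and the server address 203.0.113.10 is a documentation-range placeholder rather than an indicator from the report. One caveat worth stating: 127.0.0.1 appears in this table because frpc.ini uses it as the local_ip of each tunnel, and 192.168.204.131 is a private address, so neither is a usable network indicator on its own.

```python
import configparser
import re

# Path IOCs copied from the attribute table, written as Windows env-var patterns.
PATH_IOCS = [
    r"%allusersprofile%\update.exe",
    r"%allusersprofile%\info.zip",
    r"%allusersprofile%\f.zip",
    r"%allusersprofile%\t.zip",
    r"%allusersprofile%\frpc.exe",
    r"%systemdrive%\perflogs\update.exe",
    r"%systemdrive%\temp\update.exe",
    r"%systemdrive%\temp\info.zip",
    r"%systemroot%\temp\frpc.exe",
    r"%systemdrive%\webdriver\chrome\c.txt",
]

# Subset of the MD5 IOCs from the table; add the remaining hashes for real use.
HASH_IOCS = {
    "0311ee1452a19b97e626d24751375652",
    "808502752ca0492aca995e9b620d507b",
    "4bafbdca775375283a90f47952e182d9",
    "9fe61c9538f2df492dff1aab0f90579f",
    "7d9c233b8c9e3f0ea290d2b84593c842",
}

# Assumed values for a default Windows install (not taken from the report).
DEFAULT_ENV = {
    "allusersprofile": r"C:\ProgramData",
    "systemdrive": "C:",
    "systemroot": r"C:\Windows",
}


def expand_path(pattern, env=DEFAULT_ENV):
    """Expand %VAR% tokens case-insensitively; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)),
                  pattern)


def match_event(event, env=DEFAULT_ENV):
    """Return the reasons a file event {path, md5} matches the IOC set (empty list if clean)."""
    expanded = {expand_path(p, env).lower(): p for p in PATH_IOCS}
    reasons = []
    path = event.get("path", "").lower()
    if path in expanded:
        reasons.append(f"path matches IOC {expanded[path]}")
    md5 = event.get("md5", "").lower()
    if md5 in HASH_IOCS:
        reasons.append(f"md5 {md5} is a known sample")
    return reasons


def triage(events, env=DEFAULT_ENV):
    """Return only the events that hit, each paired with its list of reasons."""
    hits = []
    for event in events:
        reasons = match_event(event, env)
        if reasons:
            hits.append((event["path"], reasons))
    return hits


def parse_frpc_ini(text):
    """Parse a legacy-format frpc.ini into ((server_addr, server_port), tunnels).

    Each tunnel records the local service the compromised host exposes and the
    port an attacker reaches it on at the frps side. local_ip defaults to
    127.0.0.1 and server_port to 7000, which are frp's own defaults.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    common = cp["common"]
    server = (common.get("server_addr"), int(common.get("server_port", "7000")))
    tunnels = []
    for name in cp.sections():
        if name == "common":
            continue
        sec = cp[name]
        tunnels.append({
            "name": name,
            "type": sec.get("type", "tcp"),
            "local": f"{sec.get('local_ip', '127.0.0.1')}:{sec.get('local_port')}",
            "remote_port": int(sec["remote_port"]) if "remote_port" in sec else None,
        })
    return server, tunnels


# Constructed sample events: the path/hash pairings are illustrative only.
SAMPLE_EVENTS = [
    {"path": r"C:\ProgramData\frpc.exe", "md5": "0311ee1452a19b97e626d24751375652"},
    {"path": r"C:\Windows\Temp\frpc.exe", "md5": "ffffffffffffffffffffffffffffffff"},
    {"path": r"C:\Windows\System32\notepad.exe", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

# Constructed frpc.ini; 203.0.113.10 is a documentation-range placeholder.
SAMPLE_FRPC_INI = """\
[common]
server_addr = 203.0.113.10
server_port = 7000

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
    server, tunnels = parse_frpc_ini(SAMPLE_FRPC_INI)
    print("frps server:", server)
    for t in tunnels:
        print(f"  tunnel {t['name']}: {t['local']} exposed on frps port {t['remote_port']}")
```

Matching on expanded paths rather than on bare filenames keeps update.exe and info.zip from firing on every legitimate updater; the bare-name rows in the table (175 events for update.exe alone) are better treated as a pivot for hash lookup than as a detection by themselves. When an frpc.ini is recovered, server_addr and remote_port are the values to block and hunt for, since they identify the attacker's frps host and the port through which the tunnelled service (RDP in the constructed sample) was reachable.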