{
	"id": "e3f60bc4-ce88-47f0-9659-3e8a597beb48",
	"created_at": "2026-04-06T00:12:44.428638Z",
	"updated_at": "2026-04-10T03:20:58.641935Z",
	"deleted_at": null,
	"sha1_hash": "14d355125e71a053843f322f3bf107519301499c",
	"title": "Why Remediation Alone Is Not Enough When Infected by Malware - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1495656,
	"plain_text": "Why Remediation Alone Is Not Enough When Infected by Malware - ASEC\r\nBy ATCP\r\nPublished: 2022-05-20 · Archived: 2026-04-05 16:49:09 UTC\r\nIn January 2022, a prominent Korean company in the manufacturing industry had many of its internal systems infected by the Darkside ransomware.\r\nAs the ransomware was found to be distributed using the AD group policy, AhnLab attempted to conduct a forensic analysis of the DC server. However, as the operating system of the DC server, which ran in a virtual environment, was damaged, the server could not be secured for analysis. Among the systems that were restored from a previous backup after the infection, two WebLogic servers were found to have been infected with a WebShell during a similar period. AhnLab conducted a forensic analysis on these servers to check whether the WebShell was responsible for the Darkside infection.\r\nThe analysis of the WAS1 and WAS2 servers, restored from previous snapshots, showed that the WebShell and Darkside were not related. However, there were Miner infections starting from April 2019, and a history of various malware infections and breach traces continued until February 2022 (the time of the analysis).\r\nThe company, which uses the AhnLab product, was aware of the infections, yet it seems the company did not identify how the infection happened in the first place. Apparently, the only action it took was remediating the system, without identifying how the infection started.\r\nhttps://asec.ahnlab.com/en/34549/\r\nPage 1 of 8\r\nWhile the malware infecting the system may not itself inflict serious damage, control of the internal systems and information leaked from them may be traded between attackers and used in future attacks that cause serious issues. As such, when malware is detected, simply remedying the system and deleting the malware is not enough. To prevent further breaches and attacks of similar types, a detailed analysis of the infected system is needed to identify the cause of the malware infections and breaches, and the identified issues must be resolved.\r\nBreach Details\r\nThe traces of the breach discovered on the targeted company’s WAS1 and WAS2 servers are as follows:\r\nWAS1 was infected with CoinMiner in 2019. It was later infected with various malware types such as Cobalt Strike, WebShell, and info-leaking malware. It appears that the breach had been in progress for the past 2-3 years, carried out by various attackers. WAS2 had a malware strain likely created by a North Korean hacker, meaning it was probably being targeted by an APT attack. Various breach traces were also discovered on April 22, 2021, but the targeted company stated that it received a penetration testing service on that day.\r\nInitial Approach\r\nWAS1 was infected with CoinMiner on April 30, 2019. The malware was downloaded from 146.196.83.217. According to the Tencent Security blog, the IP address is related to a miner named RunMiner, which was found to be distributed using the WebLogic deserialization vulnerability CVE-2017-10271.\r\nThe first breach trace on WAS2 dates to April 29, 2020, when the attacker attempted to plant a WebShell. The WebLogic version on both WAS1 and WAS2 was 12.1.3, a version affected by the CVE-2017-10271 vulnerability mentioned above. It is likely that the initial breach of both servers happened through this WebLogic vulnerability.\r\nObtaining Account\r\nOn October 22, 2020, a hacking tool with a dictionary attack feature and an lsass.dmp file (a dump of the lsass.exe process) were found in a compressed file (1.rar) in the shared folder of the WAS1 system. It seems the attacker stole passwords by the dictionary attack method and by dumping the lsass.exe process.\r\nFrom the lsass.dmp file secured by the attacker, various information can be obtained, such as the drmftp account, the plaintext password of the Administrator account, and NTLM hashes, as shown below.\r\nFigure 2. Account information (ID, plaintext password, and NTLM hash) extracted from lsass.dmp stolen by the attacker\r\nThe targeted company’s administrator account was in a vulnerable state:\r\nThe password for the Administrator account had not been changed once since it was created.\r\nThe account used a password that could be easily guessed.\r\nAs the Administrator account’s password was the same on both WAS1 and WAS2, it is likely that most of the other servers used the same password for their administrator accounts.\r\nReverse RDP Access\r\nAfter obtaining an account with administrator privileges, the attacker at times took direct control of systems within the organization by accessing them with the reverse RDP method using Lcx.exe.\r\nLcx.exe is an open-source tunneling tool that can be used to connect an external attacker to an internal system. The RDP communication process using Lcx.exe is as follows:\r\nFigure 3. RDP communication process using Lcx.exe\r\nThe creation and execution history of Lcx.exe on WAS1 was confirmed, as was the source IP 127.0.0.1 recorded for the logons in the event log (Event ID: 4624), the trace left by the tunneled RDP logons. The accounts used for the tunneled logons were the local Administrator and test, both of which were administrator accounts. The test account was created right before the event, most likely by the attacker. Unfortunately, AhnLab could not determine the IP that the external attacker used for remote access.\r\nFigure 4. Tunneling RDP access event log – Event ID: 4624\r\nTools Used for Attack\r\nThe infected system contained a scanning tool, proxy and port forwarding tools, a WebShell, backdoor malware, etc. The attacker used various tools for different purposes: collecting information for infiltration, port forwarding to establish an external connection, installing a backdoor for persistence, etc. The tools discovered in the system are shown below.\r\nTable 1. Tools Used for Attack\r\nTo bypass anti-malware products, the attacker used open-source programs that are relatively difficult to detect as attack tools. AhnLab detects and blocks the malware and attack tools discovered in the infected system using the aliases below.\r\n[File Detection]\r\nUnwanted/Win32.NSSM\r\nUnwanted/Win32.BitCoinMiner\r\nUnwanted/Win32.BitCoinMiner\r\nDropper/Win.Agent\r\nDropper/Win32.Agent\r\nDropper/Win.Agent\r\nHackTool/Win.Fscan\r\nHackTool/Win.Fscan\r\nHackTool/Win.Fscan\r\nHackTool/Win.NbtScan\r\nMalware/Gen.Reputation\r\nHackTool/Win.AliveScan\r\nExploit/Win.Scanner\r\nHackTool/Win.LCX\r\nHackTool/Win.Stowaway\r\nHackTool/Win.NPS\r\nHackTool/Win.Frp\r\nHackTool/Win.Frp\r\nMalware/Win64.Generic\r\nPatched/Win.Loader\r\nHackTool/Win.ExploitScanner\r\n[File MD5]\r\n1136efb1a46d1f2d508162387f30dc4d\r\nae00198dfa0ef3a7e5fea8dd06a8d8b8\r\nf2f94708cef791d9664d2e4fa20ff520\r\n0dabd600cea6dcf3c049a667b67b4482\r\n99b0638f134a0d607edb8dbab01d3f95\r\n763f2cae2072647d61d11047c8aaaf09\r\ne636a07bb8d8fbfb1cab5557fdc217aa\r\n0f7baf15408a49895439aa273ee7f867\r\n7650484a85247bc922de760a6a335a76\r\n62eada472d6d2d7606ba322c8b7f9153\r\nf01a9a2d1e31332ed36c1a4d2839f412\r\nf4a992b87d70c622eef107a09d712e9e\r\nd221d51f4599ae051709b5cf5c45af10\r\nfb6bf74c6c1f2482e914816d6e97ce09\r\n4b8fbfc68b9969549f050c0e8366a10d\r\n716979a28125fa65903e77dc5b399383\r\n88a5ebccf60464764d0fe015d71bf330\r\nd862186f24e644b02aa97d98695c73d8\r\n114f26e7b46d0f4c4a202353c41ce366\r\n0b877ea03db28b275dd535f16dd78239\r\nfe12b5008334ad718008307e1a0750f7\r\n[IP/URL]\r\n198.13.53.81\r\n180.235.137.14\r\n185.239.226.133\r\n159.233.41.219\r\nSubscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.\r\nSource: https://asec.ahnlab.com/en/34549/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/34549/"
	],
	"report_names": [
		"34549"
	],
	"threat_actors": [],
	"ts_created_at": 1775434364,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14d355125e71a053843f322f3bf107519301499c.pdf",
		"text": "https://archive.orkl.eu/14d355125e71a053843f322f3bf107519301499c.txt",
		"img": "https://archive.orkl.eu/14d355125e71a053843f322f3bf107519301499c.jpg"
	}
}