{
	"id": "2bbf2eaf-01ec-4565-ac18-c7fc2fa19fec",
	"created_at": "2026-04-06T00:15:04.232441Z",
	"updated_at": "2026-04-10T13:13:04.417442Z",
	"deleted_at": null,
	"sha1_hash": "1b37cda3ec756ea533891576424c01517f7005bc",
	"title": "Penetration and Distribution Method of Gwisin Attacker - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 955892,
	"plain_text": "Penetration and Distribution Method of Gwisin Attacker - ASEC\r\nBy ATCP\r\nPublished: 2022-10-31 · Archived: 2026-04-05 16:13:53 UTC\r\nThe attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solutions, and the IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware.\r\nHow Gwisin Attacker Penetrates a Server\r\nUnlike other attackers who use spear phishing, watering hole, and other known methods to dominate a PC and obtain administrator privilege to propagate the virus into a target company’s internal network systems, the Gwisin threat actor directly performs web hacking attacks to penetrate the web servers. As such, companies must check for web vulnerabilities and fortify the security of connected DBs to defend against web hacking attacks.\r\nIt appears that the attacker attempts to steal system account info prior to distributing the ransomware. They scan and perform SQL injection attacks on publicly exposed web servers.\r\nAmong the traces of the attack, SQL injection attack code written for use against an MS SQL server was found on a Linux server. This hints that the attacker is indiscriminately attacking servers using automated offensive tools.\r\nIt has been confirmed that the attacker uses a WebShell after a successful attack on a web server. Some cases involve WebShell code inserted into a PHP file. In other cases, independent WebShell files were created. However, the techniques for inserting WebShell code into an existing file or uploading the file have not yet been identified.\r\nAdditionally, the attacker uses reverse shell code written in Python to establish a reverse connection. It was discovered that the attacker adds a service_issue() function performing the role of the reverse shell to an init-type Linux shell script existing inside the system. The function creates a TCP socket, connects to the attacker server (158.247.221.23:80), and runs sh to provide the attacker with a Linux shell.\r\nWhat the Attacker Does After Penetrating into Server\r\nAfter dominating a Linux system, the attacker uses RPM to install NMAP. They then perform multiple port scans on the internal systems to identify additional attack targets.\r\nhttps://asec.ahnlab.com/en/41565/\r\nPage 1 of 5\r\nHow the Attacker Moves Inside the Internal Server\r\nThe attacker, after dominating a Windows system on the internal network, registers a service that performs a full memory dump of the lsass.exe process to obtain additional credentials. They then secure the memory dump of the lsass.exe process.\r\nThe attacker then uses the obtained credentials to send a reverse connection command to other systems. Among the target systems that received the command, those connected to the Internet connect to the C2 server. As a result, the attacker gains direct control over the internal system from the outside.\r\nThe attacker then downloads the Gwisin MSI file from the C2 server.\r\nHow the Attacker Distributes the Ransomware\r\nThe attacker installs the IIS web service on the first dominated system and uses it to spread the ransomware to internal systems of the target company. After installing the IIS web service, the attacker creates the ransomware files in the web root path (C:\\inetpub\\wwwroot) and distributes the ransomware.\r\nRansomware for Windows: x64_install.msi\r\nRansomware for Linux: x64_nix, x86_nix\r\nThe attacker can use the IIS web service in the internal system to easily distribute the ransomware to multiple systems connected to the domain via AD policy and WMI commands. Furthermore, the attacker does not have to directly access a server that distributes the malware on the Internet. As such, they can successfully distribute the ransomware to internal systems without Internet access.\r\nThe attacker uses the following command to download and run the ransomware.\r\nWhen the above command is executed, “x64_install.msi,” the ransomware file in the IIS web root directory, is downloaded and executed.\r\nCharacteristics of Gwisin\r\nTo run Gwisin, one must enter the exact arguments.\r\nThe description of each argument is as follows:\r\nLICENSE: A key that decrypts the encoded ransomware (creates the decryption key by combining with SERIAL)\r\nSERIAL: A key that decrypts the encoded ransomware (creates the decryption key by combining with LICENSE)\r\nSMM (see Malicious File Analysis Results for details)\r\n0: File Encryption Mode\r\n1: Safe Mode Boot Mode\r\nWhen a file is encrypted by the ransomware, an extension similar to the name of the target company is added to the encrypted file. Additionally, a file with ‘0’ at the end of the extension is also created in the same directory. It contains information required to restore the original file.\r\nUpon file encryption, a ransom note is created. The ransom note’s filename and body text contain strings that can identify the target company. It contains the URL that connects to the attacker’s website, and an account and password that can be used to log in to the website.\r\nGwisin deletes event logs and ransomware files from the system after file encryption.\r\nFor more information on Gwisin’s process flow and characteristics, see the ASEC blog’s Gwisin Ransomware Targeting Korean Companies (https://asec.ahnlab.com/en/37483/).\r\nMalware Used by the Attacker\r\nMD5 | Filename | Analysis Results\r\n13eef02d5e5f5543e83ad8c8a8c8ff9a | MSI****.tmp | Gwisin file for Windows, which is the DLL file of install_x64.msi\r\n[Ransomware Behavior Details]\r\nIf executed with SMM=1\r\n1. Self-Replication\r\nㆍCopies itself into the following file path\r\nㆍC:\\ProgramData\\a35f23725b5feab2.msi\r\n2. Ransomware Service Creation\r\nㆍService Name: ****************(16-digit HEX)\r\nㆍImage Path: msiexec /qn /i C:\\ProgramData\\****************.msi SERIAL=**************** LICENSE=**************** SMM=0 ORG=***\r\n3. Copying of bcdedit.exe and Changing Boot Option\r\nㆍCopies bcdedit.exe to the ProgramData folder with a different name (dxdiag.exe)\r\nㆍChanges default boot mode to safe mode\r\n4. Registering Service to Enable Operation in Safe Mode\r\nㆍHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minim\r\nㆍHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Netw\r\n5. Reboot\r\nㆍReboots into safe mode after 5 seconds\r\n6. Ransomware Operation\r\n95237d0c6e6b1822cecca34994c0d273 | x86_nix | x86 version file of Gwisin\r\n[File Detection]\r\nRansomware/Win.Gwisin (2022.07.27.03)\r\nTrojan/Linux.Agent (2022.08.05)\r\nMD5\r\n13eef02d5e5f5543e83ad8c8a8c8ff9a\r\n95237d0c6e6b1822cecca34994c0d273\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//158[.]247[.]221[.]23/\r\nAdditional IOCs are available on AhnLab TIP.\r\nIP\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/41565/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/41565/"
	],
	"report_names": [
		"41565"
	],
	"threat_actors": [],
	"ts_created_at": 1775434504,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b37cda3ec756ea533891576424c01517f7005bc.pdf",
		"text": "https://archive.orkl.eu/1b37cda3ec756ea533891576424c01517f7005bc.txt",
		"img": "https://archive.orkl.eu/1b37cda3ec756ea533891576424c01517f7005bc.jpg"
	}
}