Dalbit

Description

(AhnLab) This group has had more than 50 confirmed attack attempts on Korean companies since 2022. Most of the attacked companies were mid to small companies while a portion was major companies. The team has confirmed that 30% of the infected companies were using a certain Korean groupware solution. It is currently difficult to check whether this groupware product has a vulnerability or not, but if a server that is this exposed has a vulnerability, then there is a chance that companies could be affected gravely through the leakage of confidential information and ransomware behavior. Furthermore, this Dalbit group leaves some infected companies as proxies and download servers to later use them as means to communicate with the threat actor upon infiltration of another company.

Names

Name	Name-Giver
Dalbit	AhnLab

Country

• China

Motivation

• Information theft and espionage

First Seen

2022

Observed Sectors

• Automotive
• Chemical
• Construction
• Education
• Energy
• Food and Agriculture
• High-Tech
• Hospitality
• Industrial
• Maritime and Shipbuilding
• Media
• Shipping and Logistics
• Technology
• Consulting companies

Observed Countries

• South Korea

Tools

• AntSword
• ASPXSpy
• BadPotato
• BlueShell
• China Chopper
• Cobalt Strike
• EFSPotato
• FRP
• Godzilla
• HTran
• JuicyPotato
• LadonGo
• Metasploit
• Mimikatz
• NPS
• ProcDump
• PsExec
• reGeorg
• Remcom
• RottenPotato
• SweetPotato

Information

• https://asec.ahnlab.com/en/47455/

Other Information

Uuid

d6e1986f-377f-4077-81f9-c1b59ef649d8

Last Card Change

2023-02-17