Malware Distribution Exploiting Vulnerable Innorix
2023-02-15 • AhnLab • Malware distribution exploiting vulnerable Innorix software
AhnLab reported malware distribution targeting users of vulnerable Innorix Agent file-transfer client versions, specifically identifying exploitation of version 9.2.18.418 within the KISA-advised vulnerable range of 9.2.18.450 and earlier. The delivered backdoor attempted C2 connections and could collect victim PC information, capture screenshots, and create or execute files. AhnLab observed both C/C++ and .NET variants with similar functionality, including attempts to hide scheduled tasks using an AhnLab-related name and encoded communications using an XOR key previously documented in a 2017 CISA report. Representative indicators included Andardoor detections, multiple MD5 hashes, and C2 endpoints such as 4.246.144[.]112:443 and 139.177.190[.]243:443.
Indicators of Compromise