Proxy Tools Detected by AhnLab EDR

2024-11-26 Ahnlab

https://asec.ahnlab.com/en/84841/


AhnLab describes how threat actors use proxy and tunneling tools after compromise to expose RDP access on systems hidden behind NAT. The report highlights Ngrok commands that publish port 3389, Plink SSH tunneling used after Exchange exploitation in a LockBit case, and custom proxy tools seen in Andariel and Kimsuky operations. One Andariel proxy tool matched tooling used by Lazarus in 2021, while other samples either hardcode RDP port 3389 or accept it as an argument. AhnLab EDR detects Ngrok, Plink, and suspicious proxy execution so that defenders can spot remote screen control and persistence activity earlier.

Indicators of Compromise

Type Value First Seen Last Seen
IPv4 172.93.181.238 2024-11-26 2024-11-26

Related Actors

First seen: Jul 2017
Last seen: May 2026
