Targeted Attacks on Central Management Systems
2018-01-25 • AhnLab
http://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.89_ENG.pdf
Attachments
ASEC REPORT_vol.89_ENG.pdf (328 KB)
AhnLab analyzed attacks that abuse the central management systems organizations use to distribute policies and files to internal endpoint agents. The excerpt describes two main intrusion paths: stealing or abusing administrator access to the management server in order to push malicious files, and exploiting agent-side vulnerabilities by impersonating the management server. Cases from 2015 through 2017 involving South Korean management software used files such as PScan.exe, nc.exe, nt.exe, n5lic.exe, nc5rt2.exe and Bin.exe, along with generated VBS scripts including winrm.vbs and vs1.vbs, to download and reconstruct executable malware. The defensive significance is that compromise of a trusted management server, or of the server-to-agent channel, can rapidly turn normal software-distribution functions into large-scale internal malware deployment.