Mallory

REF3927

Also known as: REF3927

REF3927, also referred to as RudePanda, is a Chinese-speaking threat actor cluster associated with compromises of Windows IIS/ASP.NET servers. Elastic Security Labs and TAMUS documented the group exploiting misconfigured IIS/ASP.NET servers that reused publicly disclosed ASP.NET machine keys, enabling ASP.NET ViewState deserialization for initial access. The activity has been linked to abuse of publicly available machine keys from sources such as Microsoft documentation and StackOverflow, and Elastic assessed it as a continuation of similar activity previously described by AhnLab. Check Point reported REF3927 evidence in several environments also breached by Ink Dragon, but stated there were no indications the two actors were operationally linked beyond likely shared initial access methods.

Post-compromise, REF3927 deployed webshells including a Godzilla fork, specifically the Z-Godzilla_ekp framework, attempted to create user accounts including an Administrator account, used the legitimate RMM tool GotoHTTP for remote access, and attempted credential dumping with Mimikatz. The actor also attempted to deploy a modified version of the open-source Hidden rootkit, referred to by Elastic as HIDDENDRIVER with the userland controller HIDDENCLI, to hide processes, files, directories, and registry artifacts and to protect or conceal processes via DKOM, kernel callbacks, minifilter callbacks, and registry callbacks.

REF3927’s primary apparent monetization objective was deployment of the IIS backdoor module TOLLBOOTH. TOLLBOOTH was observed in 32-bit and 64-bit forms and in both native and .NET managed variants. It supports SEO cloaking, a management channel, and webshell functionality. TOLLBOOTH retrieves per-victim configuration from attacker infrastructure, differentiates bots from human visitors using User-Agent and Referer rules, fingerprints visitors, and reports to attacker-controlled infrastructure to obtain redirect destinations. The webshell was exposed at /mywebdll and used the /scjg endpoint for form submission, with management/debug endpoints including /health, /debug, /conf, and /clean gated by specific bot-like User-Agent strings. Elastic and Validin identified 571 actively infected IIS servers worldwide at the time of publication, with victims globally distributed and not concentrated in a specific vertical, suggesting untargeted automated scanning for machine-key reuse. The identified victim distribution notably excluded servers in China.
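The endpoint and User-Agent behaviour described above can be turned into a simple triage pass over IIS W3C logs. The following is an added example written for this profile, not code from Elastic, Validin or Mallory: the paths come from the write-up, while the sample log lines and the crawler-style User-Agent fragments are constructed assumptions, since the page does not list the exact bot-like strings TOLLBOOTH checks for.

```python
"""Triage IIS W3C logs for requests to the TOLLBOOTH paths named in the profile."""

# Endpoints attributed to TOLLBOOTH in the write-up.
WEBSHELL_PATHS = {"/mywebdll", "/scjg"}
MGMT_PATHS = {"/health", "/debug", "/conf", "/clean"}

# Assumption: crawler-style UA fragments. The page says the management
# endpoints are gated by bot-like User-Agent strings but does not list them,
# so these only weight triage; /health from a real probe is usually benign.
BOT_UA_HINTS = ("googlebot", "bingbot", "baiduspider", "yandex", "spider", "crawler")

# Default W3C field order; overridden by any #Fields directive in the log.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed sample log (not real telemetry). IIS encodes spaces in the UA as '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-01-15 10:01:02 10.0.0.5 GET /default.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-01-15 10:01:09 10.0.0.5 POST /scjg - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
2025-01-15 10:02:11 10.0.0.5 GET /health - 443 - 198.51.100.7 Mozilla/5.0+(compatible;+Googlebot/2.1) - 200 0 0 3
2025-01-15 10:02:30 10.0.0.5 GET /health - 443 - 10.0.0.9 kube-probe/1.29 - 200 0 0 1
2025-01-15 10:03:00 10.0.0.5 GET /mywebdll - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 22
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per request line, honouring #Fields headers and decoding the UA."""
    fields = FIELDS
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        rec = dict(zip(fields, parts))
        rec["ua"] = rec.get("cs(User-Agent)", "-").replace("+", " ").lower()
        yield rec


def triage(lines):
    """Return (client_ip, path, reason) for requests matching TOLLBOOTH indicators."""
    hits = []
    for r in parse_w3c(lines):
        stem = r["cs-uri-stem"].lower()
        if stem in WEBSHELL_PATHS:
            hits.append((r["c-ip"], stem, "webshell-path"))
        elif stem in MGMT_PATHS and any(h in r["ua"] for h in BOT_UA_HINTS):
            hits.append((r["c-ip"], stem, "mgmt-path-bot-ua"))
    return hits
```

Any hit on /mywebdll or /scjg is worth escalating on its own; the management-path rule is a weaker signal and should be corroborated with the machine-key reuse check and IIS module inventory on the host.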
