The infamous Lazarus Group, a state-sponsored hacking organization from North Korea, exploits vulnerable Windows Internet Information Services (IIS) web servers to gain initial entry into corporate networks.
What have they done?
Lazarus is primarily driven by financial motives, with many experts suspecting that their malicious activities contribute to funding North Korea’s weapons development programs. However, the group has also been involved in various espionage operations.
South Korean researchers at the AhnLab Security Emergency Response Center (ASEC) discovered the current strategy of targeting Windows IIS servers.
DLL Sideloading using IIS servers
Windows Internet Information Services (IIS) web servers are utilized by organizations of all sizes to host web content such as websites, applications, and services like Microsoft Exchange’s Outlook on the Web.
IIS is a versatile solution that has been available since the introduction of Windows NT. It supports protocols such as HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.
However, if these servers are poorly managed or outdated, they can serve as entry points for hackers to infiltrate networks.
Previously, Symantec reported instances of hackers deploying malware on IIS servers, enabling them to execute commands on compromised systems through web requests. This approach allowed them to avoid detection by security tools.
Another report disclosed that a hacking group called ‘Cranefly’ was employing a previously undocumented method of controlling malware through IIS web server logs.
Lazarus’ attacks on IIS
Lazarus gains initial access to IIS servers by exploiting known vulnerabilities or misconfigurations that allow attackers to create files on the IIS server using the w3wp.exe process.
The hackers introduce a legitimate file called ‘Wordconv.exe,’ part of Microsoft Office, along with a malicious DLL (‘msvcr100.dll’) in the same folder. Additionally, an encoded file named ‘msvcr100.dat’ is dropped.
Upon launching ‘Wordconv.exe,’ the malicious DLL is loaded alongside it; its code decrypts the Salsa20-encrypted executable stored in msvcr100.dat and runs it in memory, evading detection by antivirus tools.
A new variant of the same malware
First step
ASEC has identified several similarities between ‘msvcr100.dll’ and another malware sample they observed last year, named ‘cylvc.dll.’ Lazarus had used ‘cylvc.dll’ to disable anti-malware programs using the “bring your own vulnerable driver” technique. Therefore, ASEC considers the newly discovered DLL file a new variant of the same malware.
Second step
In the second phase of the attack, Lazarus abuses a Notepad++ plugin to create a second piece of malware (‘diagn.dll’). This malware receives a new payload encrypted with the RC6 algorithm, decrypts it using a hardcoded key, and executes it in memory to evade detection.
ASEC could not determine the specific actions carried out by this payload on the compromised system, but they observed indications of LSASS dumping, suggesting credential theft activity.
Third step
The final step of the Lazarus attack involves network reconnaissance and lateral movement through port 3389 (Remote Desktop) using valid user credentials, presumably stolen in the previous step.
However, ASEC has not discovered any further malicious activities once the attackers have spread laterally within the network.
Shutting down: ASEC advisory
Since Lazarus heavily relies on DLL sideloading as part of their attacks, ASEC recommends that organizations monitor for abnormal execution of processes. They advise companies to proactively watch for unusual relationships between executed processes and take preventive measures to impede the threat group from carrying out activities such as information theft and lateral movement, as emphasized in ASEC’s report.
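The two process relationships described in this article (w3wp.exe spawning a dropped executable, and Wordconv.exe resolving msvcr100.dll from its own folder instead of a system directory) are exactly the kind of "unusual relationship" ASEC suggests watching for. The following is an added illustration, not code from ASEC or the article: it runs those two checks over constructed Sysmon-style records (event 7 image loads, event 1 process creations); the inetpub paths and the list of system directories are assumptions for the example.

```python
import ntpath

# Names taken from the report summarized above.
SIDELOAD_HOST = "wordconv.exe"
SIDELOADED_DLL = "msvcr100.dll"
IIS_WORKER = "w3wp.exe"
# Assumption: the only directories the genuine msvcr100.dll should load from.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def _dir(path):
    return ntpath.dirname(path).lower()

def _name(path):
    return ntpath.basename(path).lower()

def check_image_load(event):
    """Sysmon event 7 style record: flag Wordconv.exe resolving msvcr100.dll
    from its own directory rather than a system directory (the sideload above)."""
    image, loaded = event["Image"], event["ImageLoaded"]
    if _name(image) != SIDELOAD_HOST or _name(loaded) != SIDELOADED_DLL:
        return None
    if _dir(loaded) in SYSTEM_DIRS or _dir(loaded) != _dir(image):
        return None
    return f"sideload: {image} loaded {SIDELOADED_DLL} from {_dir(loaded)}"

def check_process_create(event):
    """Sysmon event 1 style record: the IIS worker normally spawns nothing,
    so any child is worth review (baseline expected children per environment)."""
    if _name(event["ParentImage"]) != IIS_WORKER:
        return None
    return f"iis-child: {IIS_WORKER} spawned {event['Image']}"

def scan(events):
    # Dispatch each record to the check matching its EventID; keep only hits.
    checks = {7: check_image_load, 1: check_process_create}
    findings = (checks[ev["EventID"]](ev) for ev in events if ev["EventID"] in checks)
    return [f for f in findings if f]

# Constructed sample records; the inetpub paths are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\inetpub\wwwroot\upload\Wordconv.exe"},
    {"EventID": 7, "Image": r"C:\inetpub\wwwroot\upload\Wordconv.exe", "ImageLoaded": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe", "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings (the IIS child process and the sideloaded DLL) and stays silent on the legitimate Office install loading the runtime from System32.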