Recently, cybersecurity specialists made a concerning discovery regarding the North Korean state-sponsored Lazarus APT group. The ASEC team found that the group is actively targeting Windows Internet Information Service (IIS) web servers as a means to distribute malware.
Lazarus employs a tactic known as the “watering hole” technique to gain initial access. This involves compromising Korean websites and altering their content to exploit a vulnerability in the INISAFE CrossWeb EX V6.
The Process Unfolds as Follows:
- When users with vulnerable versions of INISAFE CrossWeb EX V6 visit these compromised sites, the Lazarus malware (SCSKAppLink.dll) is installed through the INISAFECrossWebEXSvc.exe vulnerability.
- To further facilitate their malicious activities, Lazarus utilizes the JuicyPotato malware packed with Themida to escalate privileges.
- Once inside the systems, the attackers attempt to install the “SCSKAppLink.dll” malware through these exploits. This malware acts as a downloader, fetching additional strains of malware from external sources, granting the attackers control over compromised systems.
Recent Lazarus Incidents
Recent incidents attributed to Lazarus include the JumpCloud breach, where API keys were reset as a precautionary measure, and the attack on Atomic Wallet, resulting in the theft of approximately $35 million in cryptocurrency.
In addition, Lazarus was linked to a new macOS malware called RustBucket, used by the North Korea-associated BlueNoroff group, which is a subset of Lazarus, explains Cyware.
ASEC’s complete analysis is available here.
Adopt Proactive Security Practices
The threat posed by Lazarus targeting Windows IIS web servers is substantial for both organizations and individuals. It is crucial for organizations to implement stringent measures, including attack surface management and constantly apply the latest security patches, to identify exposed assets and mitigate risks.
Adopting proactive security practices is essential in countering threats posed by state-funded threat actors like Lazarus. If you want to learn more about building a strong cybersecurity defense, check out the following piece: How to Create a Successful Cybersecurity Strategy.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.