Heimdal
article featured image

Contents:

The notorious Lazarus Group of North Korean state-sponsored threat actors is currently targeting vulnerable Windows Internet Information Services (IIS) web servers to obtain first access to business networks.

Lazarus’ primary motivation is financial, and many observers think that the hackers’ nefarious deeds help finance North Korea’s weapons-development initiatives. However, the gang has also taken part in a number of covert missions. South Korean researchers at AhnLab Security Emergency Response Center (ASEC) are the ones who discovered the threat group’s latest tactic.

What We Know About Attacks on IIS Servers

Organizations of all sizes utilize Windows Internet Information Services (IIS) web servers to host web content like websites, applications, and services like Microsoft Exchange’s Outlook on the Web.

It’s a flexible solution that has been available since the launch of Windows NT, supporting the HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP protocols. However, if the servers are outdated or poorly managed, they can act as entry points for threat actors.

In order to create files on the IIS server via the w3wp.exe process, Lazarus first acquires access to IIS servers utilizing well-known flaws or configuration errors.

The threat actors drop ‘Wordconv.exe’, a valid Microsoft Office file, together with a malicious DLL called ‘msvcr100.dll’ and an encoded file called ‘msvcr100.dat’. The malicious code in the DLL loads when “Wordconv.exe” is launched in order to decrypt the Salsa20-encoded executable from msvcr100.dat and run it in memory, where antivirus programs cannot detect it.

IIS Lazarus 1

Import DLL List on ‘Wordconv.exe’ (Source)

The virus known as “msvcr100.dll” and “cylvc.dll,” which was used by Lazarus to deactivate anti-malware products via the “bring your own vulnerable driver” strategy, share a number of coding similarities, according to ASEC. Thus, ASEC considers that the newly discovered file is a new variant of the same malware.

IIS Lazarus 2

Source

Lazarus proceeds the attacks by creating a second malware (‘diagn.dll’) through the exploitation of a Notepad++ plugin. The second malware then receives a fresh payload, this time encoded with the RC6 technique, decrypts it using a hard-coded key, and runs the payload in memory to conceal its execution.

IIS Lazarus 3

Source

Using legitimate user credentials, most likely taken in the previous stage, the Lazarus attack’s final step was network reconnaissance and lateral movement through port 3389 (Remote Desktop). However, according to BleepingComputer, ASEC is yet to uncover any further malicious activities after the attackers spread laterally on the network.

As part of their attacks, Lazarus mainly relies on DLL sideloading, hence businesses are advised to keep an eye out for unusual process execution.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE