Lazarus Group Targeting Microsoft Web Servers to Launch Espionage Malware

Written by

North Korea threat actor Lazarus group is targeting Windows IIS web servers to launch espionage attacks, according to a new analysis by AhnLab Security Emergency response Center (ASEC).

The researchers said the approach represents a variation on the dynamic-link library (DLL) side-loading technique, a tactic regularly utilized by the state-affiliated group.

Here, they believe the attackers use “poorly managed or vulnerable web servers as their initial breach routes before executing their malicious commands later.”

ASEC explained: “The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL. In MITRE ATT&CK, this method of attack is categorized as the DLL side-loading (T1574.002) technique.”

Following initial infiltration, Lazarus establish a foothold before creating additional malware (diagn.dll) by exploiting the open-source ‘color picker plugin,’ which is a plugin for Notepad++. This malware facilitates credential theft and lateral movement, ideal for carrying out espionage operations.

Last year, Microsoft published an advisory warning that North Korea-associated threat actors weaponizing legitimate open-source software targeting employees in organizations across multiple industries.

ASEC highlighted the growing sophistication of Lazarus group, and its abilities to utilize a range of attack vectors to perform their initial breach. These have been demonstrated in incidents like Log4Shell, public certificate vulnerability and the 3CX supply chain attack.

The researchers warned: “[Lazarus]is one of the highly dangerous groups that are actively launching attacks worldwide. Therefore, corporate security managers should utilize attack surface management to identify the assets that could be exposed to threat actors and practice caution by applying the latest security patches whenever possible.”

They added that due to Lazarus’ focus on the DLL side-loading technique during initial infiltrations, “companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”

This week (May 23, 2023), the US government announced sanctions on three entities because of their link with North Korea’s primary intelligence service, the Reconnaissance General Bureau (RGB), which US officials say is behind many of the country's cyber espionage and cyber theft activities.

What’s hot on Infosecurity Magazine?