The tireless and relentless Lazarus Group has been targeting out-of-date Microsoft IIS servers in recent weeks, planting webshells and malware, and stealing credentials to move around the network.
The attacks use a variety of techniques and tactics, including DLL sideloading, and begin with the attackers exploiting a vulnerability in an unpatched IIS server. Microsoft’s IIS platform is a popular web server and has been used in enterprises for more than 25 years at this point. There are many known vulnerabilities in all of the current versions of the web server and attackers regularly scan for vulnerable versions and exploit them. The recent attacks by the Lazarus Group are a part of that larger problem and just one fraction of the operations that group runs.
The Lazarus Group is one of the more active and dangerous APT teams working today and researchers have tied the group to the government of North Korea. The group is known for targeting financial services companies and organizations in the cryptocurrency industry and have been blamed for some large-scale crypto and bank thefts in the last few years. The IIS attacks don’t have a specific industry as their target.
“Windows server systems are being targeted for attacks, and malicious behaviors are being carried out through w3wp.exe, an IIS web server process. Therefore, it can be assumed that the threat actor uses poorly managed or vulnerable web servers as their initial breach routes before executing their malicious commands later,” researchers at AhnLab, who have been tracking the attacks, said.
“The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL. The threat actor creates Wordconv.exe, msvcr100.dll, and msvcr100.dat through the Windows IIS web server process (w3wp.exe) before executing Wordconv.exe.”
The msvcr100.dll is quite similar in its functionality to a known piece of malware used by the Lazarus Group named cylvc.dll. That DLL was used in attacks last year in which the group was disabling antimalware systems on targeted machines.
After gaining access to a new IIS server, the attackers plant a piece of malware on the server and then likely uses some type of credential-theft tool to gather valid credentials from the system. The attackers then perform reconnaissance and move laterally around the network.
“This group is one of the highly dangerous groups that are actively launching attacks worldwide. Therefore, corporate security managers should utilize attack surface management to identify the assets that could be exposed to threat actors and practice caution by applying the latest security patches whenever possible,” the AhnLab researchers said.
“In particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”