North Korea-Linked Lazarus APT Targets Microsoft IIS Servers to Deploy Malware

Cyber Security Threat Summary:
Researchers at AhnLab Security Emergency Response Center (ASEC) have reported that the Lazarus APT group, a threat actor attributed to North Korea, has been targeting vulnerable Microsoft IIS web servers. After compromising a server, the attackers rely on DLL side-loading: a malicious DLL named msvcr100[.]dll is placed in the same directory as the legitimate application Wordconv[.]exe, and the IIS worker process (w3wp[.]exe) is used to launch Wordconv[.]exe, which loads the malicious library and thereby executes the attackers' payload.

"The msvcr100[.]dll is contained within the import DLL list of Wordconv[.]exe; this means that the first DLL is loaded in the memory of the Wordconv[.]exe process when it is executed. 'The functionality of msvcr100[.]dll involves decrypting an encoded PE file (msvcr100[.]dat) and the key that is transmitted as a command-line argument during the execution of Wordconv[.]exe by utilizing the Salsa20 algorithm,' reads the analysis published by ASEC. 'The decrypted PE file is then executed in the memory. It then performs the function of clearing the malicious DLL module that was loaded through the FreeLibraryAndExitThread WinAPI call before deleting itself (msvcr100[.]dll).' The researchers noticed important similarities between the msvcr100[.]dll and the cylvc[.]dll previously detailed by ASEC and related to another Lazarus campaign" (Security Affairs, 2023).

The threat actor also abused a discontinued open-source Notepad++ plugin, Quick Color Picker, to gain a foothold in the target network, and then deployed an additional malware module, diagn[.]dll. diagn[.]dll takes a PE file encrypted with the RC6 algorithm as its input, decrypts it with a hard-coded internal key, and executes the resulting PE file directly in memory. Because the encrypted PE data file used in the attack could not be collected, the researchers could not determine what that payload did; log analysis indicates, however, that the attackers most likely ran a credential-theft tool such as Mimikatz. After harvesting system credentials, the threat actor performed internal reconnaissance and used RDP (TCP port 3389) to move laterally within the internal network.

Security Officer Comments:
According to the report, the Lazarus group has used several initial-access vectors, including Log4Shell, a public certificate software vulnerability, and the 3CX supply-chain attack. The report also provides indicators of compromise (IoCs). Given the group's consistent use of DLL side-loading during initial infiltration, organizations are advised to monitor for unusual parent-child process relationships (for example, an IIS worker process launching an executable that IIS has no reason to run, or a runtime DLL such as msvcr100.dll being loaded from an application directory rather than from System32) and to put controls in place that hinder credential theft, data exfiltration, and lateral movement. Separately, the US Department of the Treasury's Office of Foreign Assets Control (OFAC) recently sanctioned four entities and one individual for conducting malicious cyber operations in support of the North Korean government.
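The two telemetry relationships worth hunting for in this intrusion are the IIS worker process spawning an unexpected child (w3wp.exe launching Wordconv.exe) and a well-known runtime DLL (msvcr100.dll) being loaded from the launched program's own directory instead of from System32. The following detection logic is an added example written for this page; it is not code from ASEC or Security Affairs. It runs over a handful of constructed Sysmon-style records (Event ID 1 ProcessCreate and Event ID 7 ImageLoad field names), and the file paths, the command-line key value, the list of expected w3wp.exe children and the list of side-load candidate DLL names are all assumptions to be tuned per environment:

```python
"""Hunt for the IIS side-loading chain described above in Sysmon-style events.

Added example for this page (not the original report's code). Field names follow
Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad); every record in
SAMPLE_EVENTS is constructed for illustration, as are the paths and key value.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: children an IIS worker process legitimately spawns (e.g. ASP.NET
# runtime compilation). Tune this list per host before using it as an allow-list.
EXPECTED_W3WP_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe", "werfault.exe"}

# Directories from which Microsoft runtime DLLs are normally loaded.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\windows\\winsxs\\")

# Assumption: DLL names that commonly sit in a legitimate binary's import table and
# are therefore popular side-loading targets; msvcr100.dll is the one used here.
SIDELOAD_CANDIDATES = {"msvcr100.dll", "msvcr120.dll", "version.dll", "dbghelp.dll"}


@dataclass
class Alert:
    rule: str
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    d = ntpath.dirname(path).lower()
    return d if d.endswith("\\") else d + "\\"


def check_process_create(ev: dict) -> Optional[Alert]:
    """Event ID 1: flag w3wp.exe spawning anything outside the expected set."""
    if _base(ev["ParentImage"]) != "w3wp.exe":
        return None
    if _base(ev["Image"]) in EXPECTED_W3WP_CHILDREN:
        return None
    return Alert("iis-unexpected-child",
                 f"w3wp.exe spawned {ev['Image']} (cmdline: {ev.get('CommandLine', '')})")


def check_image_load(ev: dict) -> Optional[Alert]:
    """Event ID 7: flag a side-load candidate DLL loaded from outside the trusted
    runtime directories, especially when it sits beside the loading executable or
    carries no valid signature."""
    loaded = ev["ImageLoaded"]
    if _base(loaded) not in SIDELOAD_CANDIDATES:
        return None
    if _dir(loaded).startswith(TRUSTED_DLL_DIRS):
        return None
    same_dir = _dir(loaded) == _dir(ev["Image"])
    signed = str(ev.get("Signed", "")).lower() == "true"
    if same_dir or not signed:
        return Alert("dll-sideload",
                     f"{ev['Image']} loaded {loaded} (signed={signed}, same_dir={same_dir})")
    return None


def scan(events: Iterable[dict]) -> List[Alert]:
    """Apply the rule matching each event's ID and collect the alerts in order."""
    alerts: List[Alert] = []
    for ev in events:
        alert = None
        if ev["EventID"] == 1:
            alert = check_process_create(ev)
        elif ev["EventID"] == 7:
            alert = check_image_load(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two benign records and the two that match the
# chain in the report (paths and the command-line key are illustrative only).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\inetpub\temp\Wordconv.exe",
     "CommandLine": "Wordconv.exe 0123456789abcdef0123456789abcdef"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\inetpub\temp\Wordconv.exe",
     "ImageLoaded": r"C:\inetpub\temp\msvcr100.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

In a real deployment the same two checks map directly onto a SIEM query over Sysmon or EDR data: a parent/child rule keyed on the IIS worker process, and an image-load rule keyed on runtime DLL names outside the Windows directories. Correlating the two on the same process (here Wordconv.exe) raises confidence well above either signal alone.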

Suggested Correction(s):
Researchers at the AhnLab Security Emergency Response Center (ASEC) have published IoCs for this campaign that can be used to detect Lazarus Group activity:

https://asec.ahnlab.com/en/53132/

Link(s):
https://securityaffairs.com/146639/hacking/lazarus-targets-microsoft-iis-servers.html