Lazarus Hackers Target Windows IIS Web Servers for Initial Access
Cyber Security Threat Summary:
“The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services (IIS) web servers to gain initial access to corporate networks. Lazarus is primarily financially motivated, with many analysts believing that the hackers' malicious activities help fund North Korea's weapons development programs. However, the group has also been involved in several espionage operations. The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center (ASEC)” (Bleeping Computer, 2023).
Internet Information Services (IIS) are Windows based web servers that are typically use by organizations to host web content like websites, applications and services, (often Microsoft’s Outlook on the Web). It has been available since the launch of Windows NT, and supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP protocols.
Like most web based servers, if they are poorly managed or outdated, they can provide a convenient access point for cybercriminals.
Security Officer Comments:
Recently, Symantec reported on hackers leveraging IIS malware to execute commands on breached systems via web requests, and to evade detection from security tools. A hacking group known as Cranfly, was also seen employing an unknown technique of using IIS web server logs to control their malware.
Lazarus appears to be using known vulnerabilities or misconfigurations in IIS servers which allows them to create files using the w3wp[.]exe process. The hackers will then use wordconv[.]exe, a legitimate file that is part of Microsoft Office. A malicious DLL msvcr100[.]dll and an encoder file name msvcr100[.]dat is also included in the same folder.
Wordconv[.]exe will load and decrypt a Salsa20 encoded executable from the .dat file in memory where antivirus tools can’t detect it. “ASEC has found several code similarities between 'msvcr100[.]dll' and another malware it observed last year, 'cylvc[.]dll,' which was used by Lazarus to disable anti-malware programs using the "bring your own vulnerable driver" technique.” Hence, ASEC considers the newly discovered DLL file a new variant of the same malware.
Later in the attack chain, Lazarus is seen using a second piece malware diagn[.]dll which exploits a Notepad++ plugin. That second malware receives a new payload encoded with the RC6 algorithm this time, decrypts it using a hard-coded key, and executes it in memory for evasion. ASEC could not determine what this payload did on the breached system, but it saw signs of LSASS dumping pointing to credential theft activity.
Finally, the group performs network reconnaissance and lateral movement through remote desktop port 3389. They are likely using valid user credentials stolen from the LSAAS dumping technique. ASEC says they have yet to see further malicious activity after the attacker spread laterally on the network.
MITRE ATT&CK:
T1190 - Exploit Public-Facing Application
Lazarus appears to be using known vulnerabilities or misconfigurations in IIS servers.
T1574.002 - Hijack Execution Flow: DLL Side-Loading
A malicious DLL msvcr100[.]dll and an encoder file name msvcr100[.]dat is also included in the same folder.
T1036.004 - Masquerading: Masquerade Task or Service
The hackers use wordconv[.]exe, a legitimate file that is part of Microsoft Office.
Lazarus is seen using a second piece malware diagn[.]dll which exploits a Notepad++ plugin.
T1003.001 - OS Credential Dumping: LSASS Memory
ASEC saw signs of LSASS dumping pointing to credential theft activity.
T1078 - Valid Accounts
They are likely using valid user credentials stolen from the LSAAS dumping technique.
T1021.001 - Remote Services: Remote Desktop Protocol
The group performs network reconnaissance and lateral movement through remote desktop port 3389.
Suggested Correction(s):
As Lazarus is relying heavily on DLL sideloading as part of their attacks, ASEC recommends that organizations monitor for abnormal process execution.
"In particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement," concludes ASEC's report.
Link(s):
https://www.bleepingcomputer.com/
https://asec.ahnlab.com/en/53132/