Lazarus Hackers Hijack Microsoft IIS Servers to Spread Malware
Cyber Security Threat Summary:
The Lazarus hacking group, sponsored by the North Korean state, is currently involved in breaching Windows Internet Information Service (IIS) web servers with the intention of taking control of these servers for distributing malware. IIS is a web server solution developed by Microsoft, commonly used to host websites or application services, including Microsoft Exchange’s Outlook on the web. According to South Korean security analyst at ASEC, Lazarus has been known to target IIS servers as an entry point into corporate networks in the past. However, as of yesterday, the cybersecurity company has reported that the threat group is also exploiting poorly protected IIS services to distribute malware. The primary benefit of this technique lies in its ability to effortlessly infect visitors of websites or users of services hosted on compromised IIS servers that belong to reputable organizations.
“In the recent attacks observed by ASEC's analysts, Lazarus compromised legitimate South Korean websites to perform 'Watering Hole' attacks on visitors using a vulnerable version of the INISAFE CrossWeb EX V6 software. Many public and private organizations in South Korea use this particular software for electronic financial transactions, security certification, internet banking, etc. The INISAFE vulnerability was previously documented by both Symantec and ASEC in 2022, explaining that it was exploited using HTML email attachments at the time. "A typical attack begins when a malicious HTM file is received, likely as a malicious link in an email or downloaded from the web. The HTM file is copied to a DLL file called scskapplink.dll and injected into the legitimate system management software INISAFE Web EX Client," explains the 2022 report by Symantec. Exploiting the flaw fetches a malicious 'SCSKAppLink.dll' payload from an IIS web server already compromised before the attack for use as a malware distribution server. "The download URL for 'SCSKAppLink.dll' was identified as being the aforementioned IIS web server," explains ASEC's new report. "This signifies that the threat actor attacked and gained control over IIS web servers before using these as servers for distributing malware." ASEC did not analyze the particular payload but says it is likely a malware downloader seen in other recent Lazarus campaigns” (BleepingComputer, 2023).
Security Officer Comments:
Additionally, Lazarus employs the ‘JuicyPotato’ privilege escalation malware to achieve elevated access on the compromised system. JuicyPotato serves as a means to execute a second malware loader responsible for decrypting downloaded data files and executing them in memory to avoid detection by antivirus solutions.
Suggested Correction(s):
Researchers at the Anh Lab Security Emergency Response Center recommend that NISAFE CrossWeb EX V6 users update the software to its latest version, as Lazarus' exploitation of known vulnerabilities in the product has been underway since at least April 2022. The security company advises users to upgrade to version 3.3.2.41 or later and points to remediation instructions it posted four months ago, highlighting the Lazarus threat. Microsoft application servers are becoming a popular target for hackers to use in malware distribution, likely due to their trusted nature.
Link(s):
https://www.bleepingcomputer.com/
https://asec.ahnlab.com/en/55369/