The notorious Lazarus hacking group has been actively targeting Windows Internet Information Service (IIS) web servers to distribute malware.
South Korean security analysts at ASEC have been closely monitoring Lazarus’ activities, and they’ve recently uncovered the group’s strategy of exploiting poorly protected IIS services to spread malware.
Initially, Lazarus focused on gaining initial access to corporate networks through IIS servers. Now, they’ve upped their game by utilizing these compromised servers to distribute malware.
This approach allows them to infect unsuspecting visitors to reputable organizations’ websites or users of services hosted on the breached IIS servers.
Watering Hole Technique Used to Lure Victims
In the latest observed attacks, Lazarus infiltrated legitimate South Korean websites, using them as bait for ‘Watering Hole’ attacks. They targeted visitors who unknowingly used a vulnerable version of the INISAFE CrossWeb EX V6 software.
This software is widely used for electronic financial transactions, security certification, and internet banking functions by numerous public and private organizations in South Korea.
The initial vulnerability in INISAFE was documented by Symantec and ASEC in 2022, highlighting its exploitation through HTML email attachments.
The attack begins with a malicious HTM file, typically sent as a link in an email or downloaded from the web. This file is then copied to a DLL file named ‘scskapplink.dll’ and injected into the legitimate INISAFE Web EX Client software.
This flaw gives Lazarus the opportunity to fetch a malicious ‘SCSKAppLink.dll’ payload from a compromised IIS web server, which they’ve already taken control of before launching the attack. Essentially, they gain control over IIS web servers first and then weaponize them for malware distribution.
JuicyPotato Deployed for Privilege Escalation
To escalate their access to the compromised system, Lazarus employs the ‘JuicyPotato’ privilege escalation malware (‘usopriv.exe’).
This allows them to execute a second malware loader (‘usoshared.dat’), which decrypts downloaded data files and executes them in memory, thus evading antivirus detection.
In response to these emerging threats, ASEC advises users of INISAFE CrossWeb EX V6 to update the software to its latest version (184.108.40.206 or later).
Microsoft application servers have recently become a popular target for hackers seeking to distribute malware, owing to their trusted reputation.
In another concerning development, CERT-UA and Microsoft have reported that Russian Turla hackers were utilizing compromised Microsoft Exchange servers to deliver backdoors to their targets. As cyber threats continue to evolve, staying vigilant and proactively updating software becomes paramount in defending against these attacks.