North Korean cybercrime group Lazarus has been found attacking Windows Internet Information Services (IIS) web servers and using them as distribution points for its malware, according to AhnLab Security Emergency response Center (ASEC).

Windows IIS is Microsoft’s web server, used to host websites and application services.

The state-sponsored group uses the watering hole technique for initial access. “The group first hacks Korean websites and modifies the content provided from the site. When a system using a vulnerable version of INISAFE CrossWeb EX V6 visits this website via a web browser, the Lazarus malware (SCSKAppLink.dll) is installed from the distribution site through the INISAFECrossWebEXSvc.exe vulnerability,” ASEC said.

While the vulnerability has already been patched, unpatched systems continue to be attacked.

“If a system has a vulnerable version of INISAFE CrossWeb EX V3 installed on it, it must be uninstalled and updated to the latest version,” ASEC said.

Attacks against Windows IIS Web Servers

The cybersecurity firm had earlier reported on attacks against Windows IIS web servers in May. At the time, the attacker used poorly managed or vulnerable web servers as the initial access point.
Researchers at ASEC also observed the RDP protocol being used for lateral movement after internal reconnaissance.

Usually, when attackers find a web server running a vulnerable version through scanning, they use an exploit suited to that version to install a WebShell or execute malicious commands, ASEC points out.

“When the threat actor exploits the vulnerability to execute malicious commands or uses WebShell to download/upload files and execute remote commands, the malicious behaviors are performed by w3wp.exe that is the IIS web server process,” ASEC said, adding that this was seen in recent cases of the Lazarus threat group’s malware strains.

JuicyPotato malware

While threat actors can control processes through WebShells or dictionary attacks, they cannot perform the intended malicious behaviors because the w3wp.exe process does not have the appropriate privilege (it normally runs as a low-privileged application pool identity), ASEC explained. To overcome this, threat actors often use privilege escalation tools alongside their initial access, in this case the JuicyPotato malware.

“Particularly, the Potato strains of malware for privilege escalation are mainly used in attacks against IIS web servers and MS-SQL database servers. Potato types escalate privilege by abusing some processes with certain privileges activated. Afterward, the threat actor is able to perform malicious behaviors using the elevated privilege,” ASEC said.

Using JuicyPotato to execute a loader, the threat actor first decrypts the file name of the data to be used and obtains the string. This string is the name of the data file, which is searched for in a total of three paths.

“While the files in these paths have not been procured as of yet, it could be identified through the loader malware routine that this malware type is a loader that decrypts encrypted data files and executes them in the memory area,” ASEC said.
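The chain described above (WebShell commands run by w3wp.exe, a Potato-style tool launched from the worker process, and a child that suddenly runs as SYSTEM) is visible in process-creation telemetry. The following is an added hunting example written for this page, not code from ASEC or from the attackers; the event field names, the sample events and the CLSID in them are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, Sysmon-style process-creation events (field names are an
# assumption for this example, not a vendor schema). They model one normal
# app-pool worker, a WebShell running a command, a Potato-style tool dropped
# in the web root, and the SYSTEM shell it obtains. The CLSID is a placeholder.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": 'w3wp.exe -ap "DefaultAppPool"', "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami", "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 300, "ppid": 100, "image": r"C:\inetpub\wwwroot\upload\jp.exe",
     "cmdline": r"jp.exe -l 1337 -p C:\Windows\System32\cmd.exe -t * -c {12345678-1234-1234-1234-123456789abc}",
     "user": r"IIS APPPOOL\DefaultAppPool"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "user": r"NT AUTHORITY\SYSTEM"},
]

# Interpreters and LOLBins a WebShell typically launches from w3wp.exe.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "certutil.exe", "bitsadmin.exe", "rundll32.exe", "mshta.exe"}
# JuicyPotato-style command line: a COM CLSID after -c, plus a program after -p.
POTATO_CLSID = re.compile(r"-c\s*\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
POTATO_PROGRAM = re.compile(r"(^|\s)-p\s")
WEB_ROOT_MARKER = "\\inetpub\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def w3wp_ancestor(event: Dict, by_pid: Dict[int, Dict]) -> Optional[Dict]:
    """Walk the parent chain and return the w3wp.exe ancestor event, or None."""
    seen = set()
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if basename(cur["image"]) == "w3wp.exe":
            return cur
        cur = by_pid.get(cur["ppid"])
    return None


def find_w3wp_findings(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every process descended from w3wp.exe that
    matches one of the four behaviours in the attack chain."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        worker = w3wp_ancestor(e, by_pid)
        if worker is None:
            continue  # not descended from the IIS worker process
        name = basename(e["image"])
        cmd = e["cmdline"]
        # 1. WebShell executing a command directly under the worker process.
        if e["ppid"] == worker["pid"] and name in SHELLS:
            findings.append((e["pid"], "webshell_command_execution"))
        # 2. A binary executing from the web content directory (uploaded tool).
        if WEB_ROOT_MARKER.lower() in e["image"].lower():
            findings.append((e["pid"], "executable_in_web_root"))
        # 3. Potato-family argument pattern (target program + CLSID).
        if POTATO_CLSID.search(cmd) and POTATO_PROGRAM.search(cmd):
            findings.append((e["pid"], "potato_style_commandline"))
        # 4. A descendant of the app-pool worker running as SYSTEM: escalation succeeded.
        if e["user"].upper() != worker["user"].upper() and e["user"].upper().endswith("\\SYSTEM"):
            findings.append((e["pid"], "privilege_escalation_from_w3wp"))
    return findings


if __name__ == "__main__":
    for pid, rule in find_w3wp_findings(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Rule 4 is the one that survives renaming of the tool: whatever the Potato variant is called, the worker process runs as the application pool identity and its descendants should never appear as SYSTEM. Rules 1 to 3 are cheaper but depend on the attacker using a known interpreter, the default web root, or the usual argument layout.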
If the file exists in the path, the first three bytes are read to determine whether they are the string “GIF”. “It appears that the threat actor disguised the data file as a GIF image file. If the conditions match, the next 4 bytes are read. This contains the size of the data that will be read,” ASEC said.

The first obtained data (starting with 0xC00) is given as an argument when the PE is executed in memory, and is therefore deemed to be the configuration data used by the decrypted malware. “While the data file has not been identified yet, examining past cases reveals that the ultimately executed malware strains are mostly downloaders that download additional malware types or backdoors that can receive commands from the threat actor to perform malicious behaviors,” ASEC said.
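The file layout just described (a three-byte “GIF” marker, a 4-byte length, then the data whose first 0xC00 bytes are handed to the decrypted PE as its configuration) is enough to triage candidate data files on a compromised server, because a genuine GIF starts with the six-byte “GIF87a” or “GIF89a” signature, not a bare “GIF” followed by a length. The following is an added example written for this page, not ASEC’s or the loader’s code. It assumes the length field is little-endian and that the 0xC00 configuration block is the start of the sized data; the page does not give the byte order, the decryption routine, or the three search paths, so the parser leaves the data as-is and takes whatever directory you point it at.

```python
import os
import struct
from typing import List, Optional, Tuple

REAL_GIF_MAGICS = (b"GIF87a", b"GIF89a")
CONFIG_SIZE = 0xC00  # configuration block handed to the in-memory PE (from the report)
HEADER_LEN = 3 + 4   # "GIF" + 4-byte length


def parse_loader_blob(data: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (config, remainder) if data follows the loader's layout, else None.
    Assumption: the 4-byte length is little-endian and covers config + remainder."""
    if len(data) < HEADER_LEN or data[:3] != b"GIF":
        return None
    if data.startswith(REAL_GIF_MAGICS):
        return None  # a genuine GIF header, not the loader's fake one
    (size,) = struct.unpack_from("<I", data, 3)
    body = data[HEADER_LEN:HEADER_LEN + size]
    if len(body) != size or size <= CONFIG_SIZE:
        return None  # truncated, or too small to hold config plus a payload
    return body[:CONFIG_SIZE], body[CONFIG_SIZE:]


def classify(data: bytes) -> str:
    """Coarse verdict: real_gif, loader_blob, fake_gif_header (bare "GIF" but
    inconsistent length), or other."""
    if data.startswith(REAL_GIF_MAGICS):
        return "real_gif"
    if data[:3] != b"GIF":
        return "other"
    return "loader_blob" if parse_loader_blob(data) else "fake_gif_header"


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk root and report files that carry a bare "GIF" marker without a real
    GIF signature, with their classification."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_LEN)
                    if head[:3] != b"GIF" or head.startswith(REAL_GIF_MAGICS):
                        continue
                    data = head + fh.read()
            except OSError:
                continue
            hits.append((path, classify(data)))
    return hits


def make_sample_blob(config: bytes, payload: bytes) -> bytes:
    """Constructed sample in the loader's layout for testing; the contents are
    dummy bytes, not real malware."""
    body = config.ljust(CONFIG_SIZE, b"\0") + payload
    return b"GIF" + struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    sample = make_sample_blob(b"c2=example.invalid", b"MZ" + b"\x90" * 64)
    cfg, rest = parse_loader_blob(sample)
    print(classify(sample), len(cfg), len(rest))
```

On a live host, run scan_directory over the IIS content root and any directory w3wp.exe had write access to; a “loader_blob” hit is worth pulling for analysis, and a “fake_gif_header” hit is a file that borrowed the marker but does not match the length field, which can be either a truncated copy or a false positive.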