North Korean cybercrime group Lazarus has been found to be attacking Windows Internet Information Services (IIS) web servers and using them as distribution points for its malware, according to the AhnLab Security Emergency Response Center (ASEC). Windows IIS is Microsoft's web server solution that is used to host websites or application services. The state-sponsored group uses the watering hole technique for initial access.

"The group first hacks Korean websites and modifies the content provided from the site. When a system using a vulnerable version of INISAFE CrossWeb EX V6 visits this website via a web browser, the Lazarus malware (SCSKAppLink.dll) is installed from the distribution site through the INISAFECrossWebEXSvc.exe vulnerability," ASEC said.

While the vulnerability has already been patched, unpatched systems continue to be under attack. "If a system has a vulnerable version of INISAFE CrossWeb EX V3 installed on it, it must be uninstalled and updated to the latest version," ASEC said.

Attacks against Windows IIS Web Servers

The cybersecurity firm had earlier reported on attacks against Windows web servers in May. At the time, the attacker used poorly managed or vulnerable web servers as the initial access point. Researchers at ASEC also observed cases of the RDP protocol being used for lateral movement after the internal reconnaissance process. Usually, when attackers find a web server with a vulnerable version through scanning, they use the vulnerability suitable for that version to install a WebShell or execute malicious commands, ASEC points out.
"When the threat actor exploits the vulnerability to execute malicious commands or uses WebShell to download/upload files and execute remote commands, the malicious behaviors are performed by w3wp.exe that is the IIS web server process," ASEC said, adding that this was seen in recent cases of the Lazarus threat group's malware strains.

JuicyPotato malware

While threat actors can control the processes through WebShells or dictionary attacks, they cannot perform the intended malicious behaviors because the w3wp.exe process does not have the appropriate privilege, ASEC explained. To overcome this, threat actors often use privilege escalation tools alongside their attacks, in this case the JuicyPotato malware.

"Particularly, the Potato strains of malware for privilege escalation are mainly used in attacks against IIS web servers and MS-SQL database servers. Potato types escalate privilege by abusing some processes with certain privileges activated. Afterward, the threat actor is able to perform malicious behaviors using the elevated privilege," ASEC said.

Using JuicyPotato to execute a loader, the threat actor first decrypts the file name of the data to be used and obtains the string. This string is the name of the data file. Files with this name are searched for in a total of three paths. "While the files in these paths have not been procured as of yet, it could be identified through the loader malware routine that this malware type is a loader that decrypts encrypted data files and executes them in the memory area," ASEC said.

If the file exists in one of those paths, the first three bytes are read to determine whether they are the string "GIF". "It appears that the threat actor disguised the data file as a GIF image file. If the conditions match, the next 4 bytes are read. This contains the size of the data that will be read," ASEC said.
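The point that WebShell commands run under w3wp.exe, and that the worker process must first be escalated before the attacker can do much, translates directly into a process-tree detection. The following is an added example (not from the article or ASEC) that triages constructed Sysmon-style process-creation records: it flags shells spawned by w3wp.exe and, separately, any child of w3wp.exe that is already running as SYSTEM, which the low-privileged app pool identity should never produce. Field names, the interpreter list and the sample events are assumptions for this example.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events with Sysmon-style field names.
# These are illustrative records, not telemetry from the ASEC report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
]

# Interpreters and system binaries a WebShell typically launches to run
# commands. The list is an assumption for this example, not from the article.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
              "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath splits on backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify_event(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for a child process of w3wp.exe, or None if it is not interesting."""
    if _name(event["ParentImage"]) != "w3wp.exe":
        return None
    user = event.get("User", "").upper()
    # w3wp.exe runs as a low-privileged app pool identity; a child running as
    # SYSTEM means the privilege was escalated (JuicyPotato-style) in between.
    if user.endswith("\\SYSTEM"):
        return "child_of_w3wp_as_system"
    if _name(event["Image"]) in SHELL_LIKE:
        return "w3wp_spawned_shell"
    return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(index, finding) for every event that classify_event flags."""
    findings = []
    for i, ev in enumerate(events):
        verdict = classify_event(ev)
        if verdict:
            findings.append((i, verdict))
    return findings
```

Legitimate children such as the ASP.NET compiler are left alone; only the shell launch and the SYSTEM-level child are reported.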
The first obtained data (starting with 0xC00) is given as an argument when executing PE in the memory area, and so is deemed to be the configuration data to be used by the decrypted malware. "While the data file has not been identified yet, examining past cases reveals that the ultimately executed malware strains are mostly downloaders that download additional malware types or backdoors that can receive commands from the threat actor to perform malicious behaviors," ASEC said.
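The loader's own checks (three bytes compared with "GIF", then a 4-byte size) give a defender a cheap way to tell the disguised data file from a real image, since a genuine GIF continues with the version tag "87a" or "89a" rather than a size field. The following is an added triage example (not code from the article or from ASEC); the little-endian size field, the dummy payload bytes and the sample blobs are assumptions, as the article does not state the byte order.

```python
import struct
from typing import Dict

# Constructed samples: a genuine GIF header, and two blobs laid out the way ASEC
# describes the loader's input (3-byte "GIF" tag, 4-byte payload size, then the
# encrypted payload). Little-endian size and 0xAA filler are assumptions.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
DISGUISED = b"GIF" + struct.pack("<I", 12) + b"\xAA" * 12
TRUNCATED = b"GIF" + struct.pack("<I", 4096) + b"\xAA" * 8


def check_gif_tagged_file(blob: bytes) -> Dict[str, object]:
    """Triage a file by its first bytes, mirroring the loader's own checks.

    The loader reads three bytes and compares them with "GIF", then reads a
    4-byte size. A real GIF instead continues with "87a" or "89a", so a "GIF"
    tag that is not followed by a version string is the disguised data file.
    """
    if len(blob) < 3 or blob[:3] != b"GIF":
        return {"verdict": "not_gif_tagged"}
    if blob[3:6] in (b"87a", b"89a"):
        return {"verdict": "real_gif"}
    if len(blob) < 7:
        return {"verdict": "gif_tag_only"}
    declared = struct.unpack("<I", blob[3:7])[0]
    available = len(blob) - 7
    return {
        "verdict": "disguised_loader_data",
        "declared_size": declared,
        # A declared size larger than what remains means the file is cut short
        # or the size field is not laid out the way the loader expects.
        "size_consistent": declared <= available,
    }
```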