Hacking

North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware

North Korea-linked APT group Lazarus actor has been targeting vulnerable Microsoft IIS servers to deploy malware.

AhnLab Security Emergency response Center (ASEC) researchers reported that the Lazarus APT Group is targeting vulnerable versions of Microsoft IIS servers in a recent wave of malware-based attacks.

Once discovered a vulnerable ISS server, the attackers leverage the DLL side-loading (T1574.002) technique to execute a malicious DLL (msvcr100.dll) that they have placed in the same folder path as a normal application (Wordconv.exe). Then the library is executed via the Windows IIS web server process.

The msvcr100.dll is contained within the import DLL list of Wordconv.exe, this means that the first DLL is loaded in the memory of the Wordconv.exe process when it is executed.

Lazarus ISS attackLazarus ISS attack

“the functionality of msvcr100.dll involves decrypting an encoded PE file (msvcr100.dat) and the key (df2bsr2rob5s1f8788yk6ddi4x0wz1jq) that is transmitted as a command-line argument during the execution of Wordconv.exe by utilizing the Salsa20 algorithm.” reads the analysis published by ASEC. “The decrypted PE file is then executed in the memory. It then performs the function of clearing the malicious DLL module that was loaded through the FreeLibraryAndExitThread WinAPI call before deleting itself (msvcr100.dll).”

The researchers noticed important similarities between the msvcr100.dll and the cylvc.dll previously detailed by ASEC and related to another Lazarus campaign.

The threat actor exploited an open-source Notepad++ plugin called Quick Color Picker (a discontinued project) to establish a foothold in the target network before creating additional malware (diagn.dll).

The diagn.dll received the PE file encoded with the RC6 algorithm as an execution argument value, then uses an internally hard-coded key to decrypt the data file and execute the PE file directly in the memory.

The researchers were not able to determine the malicious behavior of the PE file because the PE data file that was encoded during the attack could not be collected, but the analysis of the log suggests threat the attackers had executed a credential theft tool such as Mimikatz.

Once obtained the system credentials, the threat actor performed internal reconnaissance and used remote access (port 3389) to perform lateral movement into the internal network.

“The Lazarus group used a variety of attack vectors to perform their initial breach, including Log4Shell public certificate vulnerability3CX supply chain attack, etc.” concludes the report that also provides Indicators of Compromise (IoCs). “since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”

This week, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against four entities and one individual for their role in malicious cyber operations conducted to support the government of North Korea.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DPRK)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Nova Scotia Power discloses data breach after March security incident

Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after…

10 hours ago

Coinbase disclosed a data breach after an extortion attempt

Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…

13 hours ago

U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…

22 hours ago

Kosovo authorities extradited admin of the cybercrime marketplace BlackDB.cc

Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…

23 hours ago

U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…

1 day ago

Ivanti fixed two EPMM flaws exploited in limited attacks

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…

2 days ago