
The infamous Lazarus Group, a hacking entity with ties to North Korea, has set its sights on compromised Windows Internet Information Services (IIS) web servers as a stepping stone to infiltrate corporate networks.
Finances drive Lazarus’s actions, leading some to speculate that their nefarious deeds are indirectly bankrolling North Korea’s weapons development endeavors. Still, the hacker group has also participated in multiple espionage ventures.
This newly adopted strategy of exploiting Windows IIS servers was brought to light by researchers at the South Korea-based AhnLab Security Emergency Response Center (ASEC).
Attacks on IIS servers
Windows Internet Information Services (IIS) web servers are utilized by a vast array of organizations to host web-based content such as websites, apps, and services including Microsoft Exchange’s Outlook on the Web.
Introduced alongside Windows NT, this versatile solution supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP protocols.
However, when inadequately managed or neglected, these servers may offer hackers easy access points into the network.
Previously, Symantec shared insights into incidents where hackers used IIS to introduce malware capable of performing commands on the infiltrated systems through web requests, thereby slipping past security measures.
Another report disclosed that a hacking group named ‘Cranfly’ was controlling its malware through IIS web server logs, a technique yet to be fully understood.
Lazarus’ incursions into IIS
Lazarus infiltrates IIS servers by leveraging known vulnerabilities or misconfigurations. This permits the hackers to create files on the IIS server via the w3wp.exe process.
They introduce ‘Wordconv.exe,’ an authentic file associated with Microsoft Office, into the server, along with a harmful DLL (‘msvcr100.dll’) and an encrypted file dubbed ‘msvcr100.dat.’
Once ‘Wordconv.exe’ is launched, the malicious code in the DLL, which loads from the same folder as the executable, decrypts the Salsa20-encrypted executable stored in msvcr100.dat and runs it in memory, where antivirus tools cannot detect it.
There are notable parallels in the code between ‘msvcr100.dll’ and another malware ‘cylvc.dll,’ detected the previous year. Lazarus had used ‘cylvc.dll’ to neutralize anti-malware programs by using a “bring your own vulnerable driver” method. Consequently, ASEC has identified the newly discovered DLL file as a variant of the same malware.
As the attack progresses, Lazarus creates a second piece of malware (‘diagn.dll’) by compromising a Notepad++ plugin.
This second malware receives a new payload encrypted with the RC6 algorithm, decrypts it with a hard-coded key, and executes it in memory to evade detection.
Although ASEC could not determine the purpose of this payload on the compromised system, signs of LSASS dumping point to credential theft.
The final segment of the Lazarus assault involved scanning the network and lateral movement via port 3389 (Remote Desktop) using authentic user credentials, likely pilfered in the previous stage.
Despite this, ASEC has yet to uncover additional malicious activities following the hackers’ lateral network spread.
Considering Lazarus’s reliance on DLL sideloading during their attacks, ASEC advises organizations to watch for unusual process execution.
ASEC’s report concludes by stressing that “organizations must proactively monitor abnormal process execution relationships and take anticipatory actions to prevent the threat group from executing activities such as data exfiltration and lateral movement, given that the group frequently employs DLL sideloading technique in their initial infiltrations.”
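One way to put ASEC’s advice into practice is to check endpoint telemetry for the process and file relationships described above. The sketch below is an added example, not code from ASEC or the original article. It assumes events shaped like Sysmon records (event IDs 1, 7 and 11 with the Image, ParentImage, ImageLoaded and TargetFilename fields); the trusted directories, the drop folder and the sample events are constructed for illustration.

```python
import ntpath

# Assumption: where these Microsoft binaries normally live on a default install.
TRUSTED_DIRS = (r"c:\program files\microsoft office", r"c:\program files (x86)\microsoft office",
                r"c:\windows\system32", r"c:\windows\syswow64")
SIDELOAD_HOSTS = {"wordconv.exe"}   # legitimate Office binary named in the article
SIDELOAD_DLLS = {"msvcr100.dll"}    # runtime DLL name the article says was planted
DROP_EXTS = (".exe", ".dll", ".dat")

def trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)

def base(path):
    return ntpath.basename(path).lower()

def detect(events):
    out = []  # list of (rule name, offending path)
    for e in events:
        image = e.get("Image", "")
        if e["id"] == 11 and base(image) == "w3wp.exe":          # FileCreate
            if e["TargetFilename"].lower().endswith(DROP_EXTS):
                out.append(("iis-worker-file-drop", e["TargetFilename"]))
        elif e["id"] == 1:                                        # ProcessCreate
            if base(image) in SIDELOAD_HOSTS and not trusted(image):
                out.append(("host-binary-outside-install-dir", image))
            if base(e.get("ParentImage", "")) == "w3wp.exe":      # baseline before alerting
                out.append(("iis-worker-child-process", image))
        elif e["id"] == 7:                                        # ImageLoad
            dll = e["ImageLoaded"]
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
            if base(dll) in SIDELOAD_DLLS and not trusted(dll) and same_dir:
                out.append(("sideloaded-dll", dll))
    return out

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
DROP = r"C:\ProgramData\example"    # constructed path, not from the report
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [                   # constructed events, not real telemetry
    {"id": 11, "Image": W3WP, "TargetFilename": DROP + r"\Wordconv.exe"},
    {"id": 11, "Image": W3WP, "TargetFilename": r"C:\inetpub\logs\u_ex230501.log"},
    {"id": 1, "Image": DROP + r"\Wordconv.exe", "ParentImage": W3WP},
    {"id": 7, "Image": DROP + r"\Wordconv.exe", "ImageLoaded": DROP + r"\msvcr100.dll"},
    {"id": 1, "Image": OFFICE + r"\Wordconv.exe", "ParentImage": OFFICE + r"\WINWORD.EXE"},
    {"id": 7, "Image": OFFICE + r"\Wordconv.exe", "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},
]

if __name__ == "__main__":
    for rule, path in detect(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

The child-process rule will also match legitimate activity on some servers, so it needs a per-host baseline before it is used for alerting.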