
Attackers from the infamous Lazarus Group are targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial entry point for deploying malware on targeted systems.
The findings, from the AhnLab Security Emergency Response Center (ASEC), detail how Advanced Persistent Threat (APT) groups continue to exploit DLL sideloading techniques to deploy malware.
“Through w3wp.exe, a Windows IIS web server process, an attacker places a malicious DLL (msvcr100.dll) in the same folder path as a regular application (Wordconv.exe),” ASEC explained. “Then they run the normal application and start executing the malicious DLL.”
DLL sideloading, similar to DLL search order hijacking, refers to proxying a rogue DLL through a safe binary planted in the same directory.
Lazarus, a highly effective and persistent nation-state group with ties to North Korea, was recently discovered to be using the same technique in connection with a cascading supply chain attack against enterprise communications service provider 3CX.
The malicious msvcr100.dll library is designed to decrypt the encoded payload and execute it in memory. The malware is said to be a variant of a similar artifact discovered by ASEC last year that acted as a backdoor to communicate with attacker-controlled servers.
The attack chain also included the exploitation of a deprecated open-source Notepad++ plugin called Quick Color Picker and delivered additional malware to facilitate credential theft and lateral movement.
The latest developments demonstrate the versatility of Lazarus Group's attacks and its ability to use an extensive set of tools against the victim to carry out long-term espionage.
“In particular, since threat groups primarily utilize DLL sideloading techniques during initial intrusions, enterprises should actively monitor for anomalous process execution relationships and take pre-emptive measures to prevent threat groups from performing activities such as information leaks and lateral movement,” ASEC said.
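The anomalous-process-relationship monitoring ASEC recommends, as an added example that is not from the ASEC report or this article: a small Python triage over constructed Sysmon-style process-creation and image-load events that flags (1) any process whose parent is the IIS worker w3wp.exe and (2) msvcr100.dll loaded from outside the Windows system directories, the two relationships the report describes. The file paths, event field names and sample events are assumptions made for the example.

```python
import ntpath

# Directories where a legitimate msvcr100.dll normally lives on Windows (assumption).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs"}
WEB_SERVER_PROCS = {"w3wp.exe"}      # IIS worker process named in the report
WATCHED_DLLS = {"msvcr100.dll"}      # DLL name abused in the report


def suspicious_spawn(event):
    """True for a process-creation event whose parent is the IIS worker process."""
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    return event["type"] == "process_create" and parent in WEB_SERVER_PROCS


def sideloaded_dll(event):
    """True for an image-load of a watched DLL from outside the Windows system directories.

    A DLL sitting beside the host executable (the sideloading pattern) fails this check.
    """
    if event["type"] != "image_load":
        return False
    loaded = event["image_loaded"]
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return False
    dll_dir = ntpath.dirname(loaded).lower().rstrip("\\")
    return not any(dll_dir == d or dll_dir.startswith(d + "\\") for d in SYSTEM_DIRS)


def triage(events):
    """Return (finding, path) pairs for every event matching either relationship."""
    findings = []
    for e in events:
        if suspicious_spawn(e):
            findings.append(("iis-worker-spawned-process", e["image"]))
        if sideloaded_dll(e):
            findings.append(("dll-sideload", e["image_loaded"]))
    return findings


# Constructed sample events shaped after Sysmon Event ID 1 (process create) and 7 (image load).
# The C:\inetpub\temp location is a placeholder; the report does not give the folder used.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\inetpub\temp\Wordconv.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "image_load", "image": r"C:\inetpub\temp\Wordconv.exe",
     "image_loaded": r"C:\inetpub\temp\msvcr100.dll"},
    {"type": "image_load", "image": r"C:\Program Files\App\app.exe",
     "image_loaded": r"C:\Windows\System32\msvcr100.dll"},   # benign system copy
    {"type": "process_create", "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},           # benign parent
]

if __name__ == "__main__":
    for kind, path in triage(SAMPLE_EVENTS):
        print(f"[{kind}] {path}")
```

Many legitimate applications ship their own copy of msvcr100.dll beside the executable, so the second check is a triage signal to be combined with the parent-process relationship and file-hash or signature verification, not a verdict on its own.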
US Treasury imposes sanctions on North Korean companies
The findings were disclosed after the U.S. Treasury Department sanctioned four entities and one individual involved in malicious cyber activities and fundraising schemes aimed at supporting North Korea’s strategic priorities.
These are the Pyongyang University of Automation, the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center, the Jinnyeong Information Technology Cooperation Company, and a North Korean national named Kim Sang-man.
Lazarus Group and its various clusters are believed to be operated by the Technical Reconnaissance Bureau, which oversees the development of offensive cyber tactics and tools by North Korea.
In addition to engaging in cryptocurrency theft and espionage, the sanctioned country is also known for making illegal profits by dispatching skilled IT workers who obtain jobs under fictitious identities in the technology and cryptocurrency sectors around the world.
“North Korea deploys qualified information technology (IT) workers who engage in malicious cyber activities and fraudulently obtain employment for income, including cryptocurrency, in support of the Kim regime and its priorities such as its illegal weapons of mass destruction and ballistic missile programs,” the department said.
“These employees commonly use false personas, proxy accounts, stolen identities, and falsified or forged documents to apply for jobs at these companies, thereby intentionally obscuring their identity, location, and nationality.”
The South Korean government warned in December 2022 that, “after obtaining freelance employment contracts from companies around the world, they engage in a wide range of IT development work, such as freelance work platforms (websites and applications) and virtual currency development, and earn hundreds of millions of dollars annually.”