Lazarus Group Targeting Microsoft Web Servers to Launch Espionage Malware

New analysis from the AhnLab Security Emergency Response Center (ASEC) reveals North Korean threat actor Lazarus group targeting Windows IIS web servers for spying attacks.

The researchers found that this approach uses a dynamic link library (DLL) sideloading technique, a tactic regularly used by state-affiliated groups.

Here, they believe, attackers are using “poorly maintained or vulnerable web servers as an initial entry point before executing malicious commands later.”

As explained by ASEC: “An attacker places a malicious DLL (msvcr100.dll) in the same folder path as a regular application (Wordconv.exe) through the Windows IIS Web server process, w3wp.exe. Then the regular application is started to execute the malicious DLL. The MITRE ATT&CK classifies this attack method as a DLL Sideloading (T1574.002) technique.”

After the initial intrusion, Lazarus exploits a plugin for Notepad++, an open-source “color picker plugin”, to establish a foothold before creating additional malware (diagn.dll). This malware facilitates credential theft and lateral movement, making it ideal for performing espionage activities.

Last year, Microsoft issued an advisory warning that North Korea-related attackers were targeting employees of organizations across multiple industries and weaponizing legitimate open source software.

ASEC highlighted the increasing sophistication of the Lazarus group and its ability to utilize various attack vectors to carry out its initial compromise. These are demonstrated in incidents such as Log4Shell, public certificate vulnerabilities, and the 3CX supply chain attack.

The researchers cautioned that “[Lazarus] is one of the most dangerous groups actively carrying out attacks around the world. Therefore, enterprise security administrators should take precautions by leveraging attack surface management to identify assets that may be exposed to threat actors and applying the latest security patches whenever possible.”

Additionally, because Lazarus focuses on DLL sideloading techniques during initial intrusion, “enterprises should proactively monitor for anomalous process execution relationships to prevent threat groups from performing activities such as information leaks and lateral movement. We should take preemptive measures to
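As an added illustration (not code from ASEC or the article), here is a small Python detector for the two signals this chain leaves in process-creation and image-load telemetry: w3wp.exe starting a child it normally would not, and a system DLL name such as msvcr100.dll being loaded from the host executable's own folder rather than the Windows system directory. The sample events, the upload-folder path and the child allowlist are constructed assumptions.

```python
import ntpath

# Children w3wp.exe is commonly expected to start (assumed allowlist; tune per host).
EXPECTED_W3WP_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# System DLL names that should only load from SYSTEM_DIRS; the article names msvcr100.dll.
WATCHED_DLLS = {"msvcr100.dll"}

def flag_process_create(ev):
    """Rule 1: the IIS worker process starting a child outside the allowlist."""
    parent = ntpath.basename(ev["parent_image"]).lower()
    child = ntpath.basename(ev["image"]).lower()
    if parent == "w3wp.exe" and child not in EXPECTED_W3WP_CHILDREN:
        return [f"w3wp.exe spawned unexpected child {ev['image']}"]
    return []

def flag_image_load(ev):
    """Rule 2: a watched DLL name loaded from outside the system dirs (sideload pattern)."""
    dll = ev["loaded_image"].lower()
    name = ntpath.basename(dll)
    if name not in WATCHED_DLLS or dll.startswith(SYSTEM_DIRS):
        return []
    same_dir = ntpath.dirname(dll) == ntpath.dirname(ev["image"].lower())
    where = "beside its host executable" if same_dir else "from a non-system path"
    return [f"{name} loaded {where} by {ev['image']}: {ev['loaded_image']}"]

def scan(events):
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            findings += flag_process_create(ev)
        elif ev["type"] == "image_load":
            findings += flag_image_load(ev)
    return findings

# Constructed sample telemetry modelled on the described chain; the upload path is assumed.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe"},
    {"type": "image_load", "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "loaded_image": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"type": "image_load", "image": r"C:\Program Files\SomeApp\app.exe",
     "loaded_image": r"C:\Windows\System32\msvcr100.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Only the Wordconv.exe spawn and the msvcr100.dll load from the upload folder are flagged; the csc.exe child and the System32 copy of the DLL are treated as normal.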

This week (May 23, 2023), the U.S. government announced sanctions against three groups for their ties to North Korea’s main intelligence agency, the Reconnaissance General Bureau (RGB). U.S. officials say the group is behind much of the country’s cyber espionage and cyber theft activity.
