
Lazarus APT Group Exploits Windows IIS Servers


The Lazarus APT group, known for its malicious activities, has been actively targeting Microsoft Internet Information Services (IIS) servers to carry out its attacks. AhnLab Security Emergency Response Center (ASEC) researchers have recently confirmed that Lazarus operators are using vulnerable Windows servers as distribution points for malware.

The Lazarus group employs various tactics for malware distribution, including watering hole attacks, manipulation of South Korean websites, and exploitation of INISAFE CrossWeb EX V6 vulnerabilities. Although a patch for the INITECH vulnerability is available, these recent attacks continue to rely on compromised IIS servers as the malware distribution channel.

Lazarus group attacks on IIS servers were first identified in May 2023, when researchers observed the exploitation of poorly secured web servers followed by attempts to move laterally via RDP. The attackers compromise vulnerable web servers by installing web shells or executing malicious commands; because the exploited vulnerability lies in the web application, the resulting activity runs under w3wp.exe, the IIS worker process.

During the attack, w3wp.exe spawns usopriv.exe, a Themida-packed build of JuicyPotato used for privilege escalation; it is one of several Potato-family tools the group uses. Escalation is needed because a web shell, or an account obtained through a dictionary attack, runs with the limited privileges of the w3wp.exe process (or of the sqlservr.exe process on an MS-SQL server), which are not sufficient for the actions the attackers want to perform.

To overcome this obstacle, threat actors commonly deploy privilege escalation malware. In Lazarus's case, JuicyPotato is used to run the Loader malware, a DLL-format payload launched through rundll32 with a random string as its argument. Loader decodes a data file name, obtaining ‘{20D1BF68-64EE-489D-9229-95FEFE5F12A4}’, and checks for a file with that name in multiple paths. If the file is found, Loader decrypts the encoded data file and executes the result in memory.

The combination of Loader malware and encrypted data files allows Lazarus to decode and execute them in memory. While the specific data files remain unverified, past cases indicate that the final executed malware is typically a downloader or backdoor.

In the recent Lazarus attack, the group exploited the INISAFE vulnerability to install “SCSKAppLink.dll” as additional malicious code, with the IIS web server serving as the download source. Although it is not confirmed, “SCSKAppLink.dll” appears to be similar to Lazarus Attack Group’s previous malicious code that exploited the INITECH process. This code functions as a downloader and enables remote control through the installation of specified malware.

Lazarus is known for its sophisticated attack techniques, and therefore, security analysts have urged users to remain vigilant and deploy an up-to-date patch management system to protect their systems.

In terms of Indicators of Compromise (IOC), the MD5 hashes for JuicyPotato (usopriv.exe) and Loader (usoshered.dat) are:

– 280152dfeb6d3123789138c0a396f30d
– d0572a2dd4da042f1c64b542e24549d9

These IOCs can be useful in identifying and detecting the presence of the Lazarus group’s malware in affected systems.
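The attack chain above (w3wp.exe spawning a Potato binary, rundll32 started with a random string rather than a DLL export, and the two published MD5s) can be turned into simple triage logic over process-creation telemetry. The following is an added example, not code from ASEC or the article; the event format, file paths and command lines are constructed to resemble Sysmon Event ID 1 fields, and the rundll32 heuristic is an assumption about typical benign usage, not a rule from the source.

```python
import re
from dataclasses import dataclass

# MD5 IOCs published in the article for JuicyPotato (usopriv.exe) and Loader (usoshered.dat)
LAZARUS_IIS_MD5S = {
    "280152dfeb6d3123789138c0a396f30d",
    "d0572a2dd4da042f1c64b542e24549d9",
}
# Service worker processes that normally never spawn arbitrary children on a hardened host
WORKER_PROCS = {"w3wp.exe", "sqlservr.exe"}
# Children under a worker that typically indicate a web shell or a Potato-style escalation
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "certutil.exe"}
# Assumption: benign rundll32 usually names an export ("foo.dll,Export");
# the article describes Loader being run with a random string argument instead
RUNDLL32_EXPORT = re.compile(r"\.dll\s*,\s*\w+", re.IGNORECASE)


@dataclass
class ProcEvent:  # constructed, Sysmon-Event-1-like fields (hypothetical schema)
    parent_image: str
    image: str
    cmdline: str
    md5: str = ""


def triage(ev):
    """Return zero or more finding tags for one process-creation event."""
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    hits = []
    if ev.md5.lower() in LAZARUS_IIS_MD5S:
        hits.append(f"ioc-md5:{image}")
    if parent in WORKER_PROCS:
        # any child of w3wp/sqlservr is notable; known LOLBins are high confidence
        sev = "high" if image in LOLBIN_CHILDREN else "medium"
        hits.append(f"worker-child[{sev}]:{parent}->{image}")
    if image == "rundll32.exe" and not RUNDLL32_EXPORT.search(ev.cmdline):
        hits.append("rundll32-no-export")
    return hits


def triage_all(events):
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: triage(e) for i, e in enumerate(events) if triage(e)}


# Constructed sample events: the chain from the article plus two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\inetpub\wwwroot\usopriv.exe",
              "usopriv.exe", md5="280152dfeb6d3123789138c0a396f30d"),
    ProcEvent(r"C:\inetpub\wwwroot\usopriv.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\Temp\loader.dll x7Qm2zL"),  # hypothetical DLL path
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\inetsrv\w3wp.exe",
              "w3wp.exe -ap DefaultAppPool"),
]
```

Running `triage_all(SAMPLE_EVENTS)` flags only the first two events; the hash match and the worker-child rule are independent, so a repacked JuicyPotato with a new MD5 is still caught by the w3wp.exe parent relationship.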

Overall, the Lazarus group’s targeting of vulnerable Windows servers to distribute malware highlights the need for organizations to prioritize cybersecurity measures and stay updated with the latest patches and security solutions to defend against such advanced threats.
