
Lazarus Group Exploits Windows IIS Servers for Malware Distribution


A recent report from the AhnLab Security Emergency response Center (ASEC) highlights a recurring pattern among threat actors who exploit vulnerabilities in web servers. According to the report, attackers use outdated, vulnerable web server builds to install a WebShell or to execute commands directly. Either route gives them unauthorized code execution on the server, from which further malicious activity follows.

ASEC points out that once a vulnerable web server is found, the attacker either executes commands through the vulnerability itself or drops a WebShell and uses it to upload and download files and run remote commands. The report specifically describes Lazarus group malware that was executed in this way by the IIS worker process, w3wp.exe: because the WebShell runs inside that process, every command and every payload it launches inherits the worker process's identity.

Gaining code execution is not the same as gaining control of the host, however. The w3wp.exe process runs under the application pool identity, a deliberately low-privileged account, so many of the actions the attacker wants to take fail for lack of rights. To get past this, the attackers bring a privilege escalation tool; in the cases ASEC analysed it was JuicyPotato.

JuicyPotato, as ASEC explains, is commonly used in attacks on IIS web servers and MS-SQL database servers because their service accounts hold SeImpersonatePrivilege by default. The tool abuses that privilege: it coerces a SYSTEM-level COM service into authenticating to a local listener it controls, impersonates the resulting SYSTEM token, and launches a process of the attacker's choosing with it. The attacker's follow-on malware therefore runs with SYSTEM rights rather than those of the application pool.
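The two behaviours described above, WebShell command execution from the worker process and a JuicyPotato-style jump to SYSTEM, leave a characteristic shape in process-creation telemetry: a shell spawned directly by w3wp.exe, and a SYSTEM process somewhere beneath w3wp.exe in the process tree, which the application pool identity should never be able to produce. The following detection example is added here and is not code from the ASEC report or the article; its event records are constructed to resemble Sysmon Event ID 1 fields, and the PIDs, the tool path C:\inetpub\temp\tool.exe, and the rule names are all assumptions.

```python
"""Hunt for WebShell command execution and a SYSTEM process beneath the IIS
worker process in process-creation telemetry.

Added example, not from the ASEC report. Records are constructed to mimic
Sysmon Event ID 1 (ProcessCreate) fields flattened to key=value pairs; the
PIDs, users and the escalation tool's path are hypothetical."""
import ntpath

# Constructed sample telemetry (not real events). Each line is one process
# creation; CommandLine is kept last because it may itself contain '='.
SAMPLE_EVENTS = [
    "ProcessId=4012|ParentProcessId=788|Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    "|User=IIS APPPOOL\\DefaultAppPool|CommandLine=w3wp.exe -ap DefaultAppPool",
    # A WebShell on the site runs a reconnaissance command via the worker process.
    "ProcessId=5120|ParentProcessId=4012|Image=C:\\Windows\\System32\\cmd.exe"
    "|User=IIS APPPOOL\\DefaultAppPool|CommandLine=cmd.exe /c whoami /priv",
    # Escalation tool dropped into a web-writable directory (hypothetical name).
    "ProcessId=5204|ParentProcessId=5120|Image=C:\\inetpub\\temp\\tool.exe"
    "|User=IIS APPPOOL\\DefaultAppPool|CommandLine=tool.exe",
    # The process the tool created with the impersonated SYSTEM token.
    "ProcessId=5300|ParentProcessId=5204|Image=C:\\Windows\\System32\\cmd.exe"
    "|User=NT AUTHORITY\\SYSTEM|CommandLine=cmd.exe /c whoami",
    # ASP.NET compiling a page on the fly: a legitimate child of w3wp.exe.
    "ProcessId=6000|ParentProcessId=4012"
    "|Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"
    "|User=IIS APPPOOL\\DefaultAppPool|CommandLine=csc.exe /noconfig /t:library",
    # Unrelated interactive admin session; must not be flagged.
    "ProcessId=6500|ParentProcessId=1|Image=C:\\Windows\\explorer.exe"
    "|User=CORP\\jsmith|CommandLine=explorer.exe",
    "ProcessId=7000|ParentProcessId=6500|Image=C:\\Windows\\System32\\cmd.exe"
    "|User=CORP\\jsmith|CommandLine=cmd.exe",
]

W3WP = "w3wp.exe"
SYSTEM_USER = "nt authority\\system"
# Interpreters and LOLBins a WebShell typically launches.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe"}
# Children w3wp.exe spawns legitimately (dynamic ASP.NET compilation).
BENIGN_W3WP_CHILDREN = {"csc.exe", "vbc.exe"}


def parse_events(lines):
    """Turn key=value|key=value records into a dict keyed by ProcessId."""
    events = {}
    for line in lines:
        rec = dict(field.split("=", 1) for field in line.split("|"))
        events[int(rec["ProcessId"])] = rec
    return events


def image_name(rec):
    return ntpath.basename(rec["Image"]).lower()


def ancestors(events, pid):
    """Parent chain of pid as a list of records, nearest parent first.
    Stops at the first parent not present in the telemetry and guards
    against loops caused by PID reuse in real data."""
    chain, seen, cur = [], {pid}, events.get(pid)
    while cur is not None:
        ppid = int(cur["ParentProcessId"])
        if ppid in seen:
            break
        seen.add(ppid)
        cur = events.get(ppid)
        if cur is not None:
            chain.append(cur)
    return chain


def detect(lines):
    """Return (rule, pid, image) findings for the three patterns of interest."""
    events = parse_events(lines)
    findings = []
    for pid, rec in sorted(events.items()):
        image = image_name(rec)
        chain = ancestors(events, pid)
        parent = image_name(chain[0]) if chain else ""
        under_w3wp = any(image_name(a) == W3WP for a in chain)
        # 1. WebShell command execution: a shell spawned directly by the worker.
        if parent == W3WP and image in SHELLS:
            findings.append(("webshell_exec", pid, image))
        # 2. Privilege escalation: the app pool identity can never legitimately
        #    produce a SYSTEM descendant of w3wp.exe; JuicyPotato does exactly that.
        if under_w3wp and rec["User"].lower() == SYSTEM_USER:
            findings.append(("iis_privesc", pid, image))
        # 3. A tool executed from outside C:\Windows beneath the worker process
        #    (e.g. dropped into a web-writable directory by the WebShell).
        if under_w3wp and not rec["Image"].lower().startswith("c:\\windows\\"):
            findings.append(("unusual_path", pid, image))
    return findings


if __name__ == "__main__":
    for rule, pid, image in detect(SAMPLE_EVENTS):
        print(f"{rule:14} pid={pid} image={image}")
```

The allowlist for csc.exe and vbc.exe is the caveat a practitioner will hit first: ASP.NET sites that compile pages on demand spawn the C#/VB compilers from w3wp.exe, and a rule that alerts on every worker-process child will page constantly. The SYSTEM-descendant rule has no such exception on a server whose application pools run as ApplicationPoolIdentity or NetworkService; if a pool is (mis)configured to run as LocalSystem, add that pool's w3wp.exe instance to an exclusion rather than weakening the rule.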

What the attackers run with the elevated privilege is a separate loader, not JuicyPotato itself. According to ASEC, the loader first decrypts a string that yields the name of the data file it needs, then searches three different paths for a file of that name. The report does not say whether those data files were recovered, but the loader's logic shows its purpose: it decrypts an encrypted data file and executes the result in memory, so the final payload never has to be written to disk in plaintext.

The use of a tool like JuicyPotato shows how routine the privilege escalation step has become in web server intrusions. By chaining the initial exploit with escalation, the attacker moves from the application pool identity to SYSTEM, and from there can install persistence, harvest credentials, or move laterally.

ASEC's report is a reminder to keep web server software patched, since a current build would have blocked the initial access. It also argues for limiting what an attacker gains even when a WebShell lands: run application pools under the least-privileged identity the application can tolerate, treat SeImpersonatePrivilege on service accounts as a risk to be reviewed rather than a default to be accepted, and monitor for w3wp.exe spawning command interpreters or for SYSTEM processes appearing beneath it. Multi-factor authentication protects administrative logins against stolen credentials, but it does nothing to stop exploitation of an unpatched server.

Ultimately, staying ahead of threat actors requires constant vigilance and a proactive approach to cybersecurity. By understanding the tactics and techniques used by attackers, organizations can better protect their web servers and the sensitive data they hold.
