The Lazarus group, renowned for its cyber activities and associated with North Korean actors, has recently been identified using compromised IIS servers to deploy malicious ASP web shells. These sophisticated attacks, aimed at spreading malware like the LazarLoader variant, involve the utilization of privilege escalation tools to gain extensive control over infected systems.
The Lazarus group has a history of orchestrating high-profile cyber operations, ranging from financial heists to espionage missions. Their tactics often involve exploiting vulnerabilities in web servers and utilizing web shells to manage their command and control (C2) infrastructure.
Recent reports from the AhnLab Security Intelligence Center (ASEC) shed light on the Lazarus group’s latest techniques, particularly their use of IIS servers targeting South Korean entities. These servers act as first-stage C2 servers, serving as proxies to facilitate communication between malware and secondary C2 servers, allowing the group to operate stealthily and maintain longevity in their operations.
The newly identified C2 script, while different from past variants, serves a similar purpose of managing communication across different attack stages. The script supports various commands, including managing form data and cookie data, enhancing the group’s operational capabilities.
In addition to C2 scripts, the Lazarus group has employed web shells like the RedHat Hacker web shell found in files such as function2.asp, which require a password for access. These web shells offer functionalities like file management, process execution, and SQL queries, providing the group with versatile tools for their malicious activities.
The LazarLoader malware loader has been observed alongside these web shells, downloading, decrypting, and executing payloads from external sources in recent attacks. Additionally, a privilege escalation tool was identified, utilizing UAC bypass techniques to execute malware with elevated privileges, further enhancing the group’s control over infected systems.
The impact of the Lazarus group’s tactics underscores the importance of robust security measures for web servers. Recommendations include conducting regular security audits, implementing strong authentication measures, keeping software up-to-date, and monitoring network traffic to detect suspicious activity indicative of C2 operations.
As cyber adversaries like the Lazarus group continue to evolve their techniques, staying informed about the latest threats and implementing proactive defense strategies is crucial for effective cybersecurity. Organizations are advised to review server configurations, implement enhanced monitoring tools, and train personnel on recognizing and responding to security incidents to mitigate the threats posed by sophisticated cyber actors.
By taking these proactive steps, organizations can bolster their cybersecurity defenses and reduce their exposure to ongoing threats posed by groups like Lazarus. Stay informed, stay vigilant, and stay protected against evolving cyber threats.