The Lazarus group has been compromising South Korean web servers again. Researchers have documented a series of breaches of IIS servers in which the threat actors planted ASP-based web shells and used the compromised hosts as Command and Control (C2) infrastructure.
The attacks, identified in January 2025, extend tactics first observed in May 2024 and illustrate the adaptability and persistence of this state-sponsored group. Lazarus has a long track record of compromising legitimate web servers and using them as staging and relay infrastructure for later stages of an intrusion.
According to the AhnLab Security Intelligence Centre (ASEC), the attackers installed several ASP web shells on vulnerable IIS servers. Among them was a modified "RedHat Hacker" web shell stored as "function2.asp"; its access password changed from the "1234qwer" seen in earlier campaigns to "2345rdx".
Two further web shells, "file_uploader_ok.asp" and "find_pwd.asp", gave the attackers file manipulation, process operations and SQL query execution. The shells are stored in VBScript Encoded (VBE) form and remain obfuscated even after the VBE layer is decoded, which slows both detection and analysis.
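The file names and VBE encoding described above are the indicators a responder would first sweep a web root for. The following scanner is an added example and is not code from ASEC or from the Lazarus tooling; the file names come from the report, the VBE start and end markers ("#@~^" and "^#~@") are the documented Microsoft Script Encoder wrapper, and the list of suspicious VBScript calls, the weights and the threshold are assumptions to tune per server. The sample files it creates are constructed, not real samples.

```python
"""Triage scanner for ASP web shells on an IIS web root (added example).

Not code from the ASEC report or the Lazarus tooling. Indicators: the reported
file names, the Script Encoder (VBE) markers, and a small list of VBScript/ASP
calls that legitimate pages rarely need. Weights and threshold are assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# File names reported by ASEC for this campaign.
KNOWN_NAMES = {"function2.asp", "file_uploader_ok.asp", "find_pwd.asp"}

# Microsoft Script Encoder output is wrapped in these markers.
VBE_START = "#@~^"
VBE_END = "^#~@"

# Capabilities a web shell needs; each hit adds an assumed weight.
SUSPICIOUS = [
    (re.compile(r'createobject\s*\(\s*"wscript\.shell"', re.I), "process execution", 3),
    (re.compile(r'createobject\s*\(\s*"adodb\.stream"', re.I), "binary file write", 2),
    (re.compile(r'createobject\s*\(\s*"adodb\.connection"', re.I), "SQL access", 2),
    (re.compile(r'\b(?:execute|eval|executeglobal)\s*\(', re.I), "dynamic code eval", 3),
    (re.compile(r'request\s*\(\s*"(?:pass|pwd|cmd)"', re.I), "password/command parameter", 2),
]


@dataclass
class Finding:
    path: str
    score: int
    reasons: list = field(default_factory=list)


def scan_asp_source(path: str, text: str) -> Finding:
    """Score one ASP file; score 0 means nothing matched."""
    f = Finding(path=path, score=0)
    name = os.path.basename(path).lower()
    if name in KNOWN_NAMES:
        f.score += 5
        f.reasons.append(f"file name matches reported indicator: {name}")
    # A VBE-wrapped page is unusual on a production server; the wrapper markers
    # are visible even when the decoded script is obfuscated a second time.
    if VBE_START in text and VBE_END in text:
        f.score += 4
        f.reasons.append("VBE (Script Encoder) markers present")
    for pattern, why, weight in SUSPICIOUS:
        if pattern.search(text):
            f.score += weight
            f.reasons.append(why)
    return f


def scan_webroot(root: str, threshold: int = 5) -> list:
    """Walk a web root and return findings at or above threshold, worst first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".asp", ".asa", ".aspx")):
                continue
            p = os.path.join(dirpath, fn)
            with open(p, "r", encoding="utf-8", errors="replace") as fh:
                f = scan_asp_source(p, fh.read())
            if f.score >= threshold:
                findings.append(f)
    return sorted(findings, key=lambda x: x.score, reverse=True)


def build_sample_webroot() -> str:
    """Constructed sample files (not real samples) so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    samples = {
        "default.asp": '<%@ Language="VBScript" %><% Response.Write "hello" %>',
        "function2.asp": VBE_START + "obfuscated...payload" + VBE_END,
        "upload/file_uploader_ok.asp": (
            '<% If Request("pwd") = "x" Then Set s = Server.CreateObject("ADODB.Stream") '
            'Set w = Server.CreateObject("WScript.Shell") Execute(Request("cmd")) End If %>'
        ),
        "img/logo.png": "binary",
    }
    for rel, body in samples.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot()):
        print(f"{f.score:2d} {f.path}: {', '.join(f.reasons)}")
```

The scoring is deliberately additive rather than a single signature: a renamed copy of the shell still trips the VBE and capability checks, while a benign page that happens to use ADODB on its own stays under the threshold.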
The web shells' command structure adds to the difficulty: each command carries an encryption key and random strings, which makes the traffic harder to recognise. On the C2 side, the attackers deployed a script that proxies traffic between compromised systems and their own infrastructure, supporting commands for redirecting data, file operations and system control.
Alongside the web shells, Lazarus introduced the LazarLoader malware, which downloads additional payloads, decrypts them with a specific key and executes them in memory. The infection chain typically begins with the web shell installation, after which LazarLoader is launched from the IIS worker process.
The attackers also escalated privileges with a component named "sup.etl", which uses a UAC bypass to obtain elevated privileges and run commands. Together these tools show how methodically the group compromises and retains control of web servers.
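Because the chain above starts inside the IIS worker process, the most reliable host-side signal is a process that descends from w3wp.exe. The detector below is an added example, not code from ASEC or from the Lazarus tooling. It runs over constructed process-creation records shaped like the fields of Sysmon Event ID 1 (process ID, parent process ID, image, parent image, command line); the lists of shell binaries and allowed children are assumptions to tune per server, and the paths in the sample events are illustrative.

```python
"""Flag processes that descend from the IIS worker w3wp.exe (added example).

Not code from the ASEC report or the Lazarus tooling. Input is constructed
process-creation records in the shape of Sysmon Event ID 1 fields; in
production they would come from the event log or a SIEM export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Interpreters and living-off-the-land binaries a web shell typically spawns (assumed list).
SHELL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "whoami.exe",
}
# Children a healthy ASP.NET worker legitimately starts (assumed; tune per server).
ALLOWED_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_iis_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent], max_depth: int = 8) -> bool:
    """Walk up the parent chain so w3wp -> cmd -> powershell is caught, not only direct children."""
    cur = ev
    for _ in range(max_depth):
        if basename(cur.parent_image) == "w3wp.exe":
            return True
        cur = by_pid.get(cur.ppid)
        if cur is None:
            return False
    return False


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, severity, message) for each process in the worker's lineage
    that is a known shell/LOLBin (high) or simply not on the allow-list (medium)."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not has_iis_ancestor(e, by_pid):
            continue
        name = basename(e.image)
        if name in SHELL_CHILDREN:
            alerts.append((e.pid, "high", f"{name} under w3wp.exe: {e.command_line}"))
        elif name not in ALLOWED_CHILDREN:
            alerts.append((e.pid, "medium", f"unexpected child {name} under w3wp.exe"))
    return alerts


# Constructed sample events (not real telemetry); paths are illustrative.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, W3WP, r"C:\Windows\System32\svchost.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcEvent(1100, 1000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", W3WP, "csc.exe /noconfig"),
    ProcEvent(1200, 1000, CMD, W3WP, "cmd.exe /c whoami"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", CMD, "powershell.exe -nop -w hidden"),
    ProcEvent(1400, 1200, r"C:\Users\Public\update.exe", CMD, "update.exe"),
    ProcEvent(1500, 800, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, sev, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev}] pid={pid} {msg}")
```

Walking the full ancestor chain matters: a loader started by cmd.exe rather than directly by w3wp.exe would slip past a rule that only inspects the immediate parent. The allow-list keeps ASP.NET's own compiler invocations (csc.exe) from paging anyone.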
To reduce the risk, security researchers recommend auditing web servers for the vulnerabilities that let web shells be uploaded in the first place and inspecting web roots for unknown ASP files. Regular password rotation, strict access controls and monitoring for suspicious processes, especially anything spawned by the IIS worker process, are also advised so that a compromise is caught early.
Organisations should prioritise security updates and put such measures in place proactively, since groups like Lazarus continue to refine their tooling between campaigns.