Lazarus Group Targets Windows IIS Web Servers in Recent Cyber Attacks

  • The Lazarus Group, a hacker collective backed at a national level, has been identified as the perpetrator behind recent attacks on Windows IIS web servers. Their methods involve sophisticated techniques such as DLL side-loading and exploitation of open-source plugins for Notepad++ to establish a foothold, gain system credentials, and perform lateral movement within the network.
  • AhnLab, a leader in cybersecurity, has provided countermeasures and detection tools to combat this threat. The company has urged corporate security managers to maintain up-to-date security patches and proactively monitor abnormal process execution relationships. Indicators of Compromise (IOCs) have been provided to assist in the detection and mitigation of these attacks.

The Lazarus Group, a hacker collective known to receive national-level support, has been spotted in new attacks targeting Windows IIS web servers. AhnLab Security Emergency Response Center (ASEC) recently confirmed this activity, highlighting the group’s continued use of sophisticated techniques to compromise vulnerable systems.

The group’s initial infiltration method relies on DLL side-loading, a technique in which a malicious DLL is placed in the same folder as a normal application via the Windows IIS web server process, w3wp.exe. The threat actor then executes the normal application, which in turn loads the malicious DLL, msvcr100.dll. The MITRE ATT&CK framework classifies this method as DLL Side-Loading (T1574.002).

The msvcr100.dll file closely resembles the cylvc.dll malware covered in an earlier ASEC blog post from 2022, both in appearance and in features. Both pieces of malware decrypt an encoded PE file and execute it in memory; in the 2022 case, the PE executed in memory was a backdoor that communicated with the threat actor’s C&C server.

After establishing a foothold, the threat actor creates additional malware, diagn.dll, by exploiting an open-source “color picker plugin” for Notepad++. The diagn.dll module receives a PE file encrypted with the RC6 algorithm as an execution argument, decrypts it with an internally hard-coded key, and executes the PE file in memory. The threat actor was observed accessing the memory space of the lsass.exe process through this module, suggesting the use of a credential theft tool such as Mimikatz.

Following the initial infiltration and establishment of a foothold, the threat actor performed internal reconnaissance before using remote access (port 3389) to perform lateral movement into the internal network. No further malicious activities by the threat actor have been uncovered since then.

In response to these threats, AhnLab’s products detect and block the malware identified in the attack case. Corporate security managers are urged to identify the assets that could be exposed to threat actors and to apply the latest security patches whenever possible. Given the Lazarus group’s frequent use of the DLL side-loading technique, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent activities such as information exfiltration and lateral movement.
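As an added illustration (not code from the ASEC report or from AhnLab's tooling), the Python below applies the two checks the monitoring advice implies to constructed, Sysmon-style process-creation and image-load records: w3wp.exe spawning an application from outside a system directory, and that application loading a DLL from its own directory rather than from System32. The event field names are assumptions; the file paths and MD5 values come from the IOC list below.

```python
# Added example, not code from the ASEC report. Field names are assumed,
# Sysmon-style keys; the MD5 values come from the report's IOC list.
import ntpath
IIS_WORKER = "w3wp.exe"
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\system32\inetsrv"}
KNOWN_BAD_MD5 = {
    "e501bb6762c14baafadbde8b0c04bbd6": "diagn.dll",
    "228732b45ed1ca3cda2b2721f5f5667c": "msvcr100.dll",
    "47d380dd587db977bf6458ec767fee3d": "msvcr100.dll variant",
    "4d91cd34a9aae8f2d88e0f77e812cef7": "cylvc.dll",
}

def _dir(path):
    return ntpath.dirname(path).lower()

def check_process_create(ev):
    """Flag the IIS worker spawning an application outside system directories."""
    if ntpath.basename(ev["parent_image"]).lower() != IIS_WORKER:
        return None
    if _dir(ev["image"]) in SYSTEM_DIRS:
        return None
    return f"w3wp.exe spawned {ev['image']} (possible side-loading host)"

def check_image_load(ev):
    """Flag a DLL loaded from the host's own directory instead of a system one."""
    dll = ev["image_loaded"]
    if _dir(dll) in SYSTEM_DIRS or _dir(dll) != _dir(ev["image"]):
        return None
    hit = KNOWN_BAD_MD5.get(ev.get("md5", "").lower())
    tag = f"; MD5 matches IOC for {hit}" if hit else ""
    return f"{ev['image']} loaded {ntpath.basename(dll)} from its own directory{tag}"

CHECKS = {"ProcessCreate": check_process_create, "ImageLoad": check_image_load}
def triage(events):
    """Run the matching check on each event; return the non-empty findings."""
    return [r for ev in events if (r := CHECKS.get(ev["type"], lambda e: None)(ev))]
# Constructed events that mirror the file paths in the IOC list.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\ProgramData\USOShared\Wordconv.exe"},
    {"type": "ImageLoad", "image": r"C:\ProgramData\USOShared\Wordconv.exe",
     "image_loaded": r"C:\ProgramData\USOShared\msvcr100.dll",
     "md5": "228732b45ed1ca3cda2b2721f5f5667c"},
    {"type": "ImageLoad", "image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Windows\System32\msvcr100.dll", "md5": "0" * 32},
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```

Running it reports the w3wp.exe to Wordconv.exe relationship and the side-loaded msvcr100.dll, while the legitimate System32 load of a same-named DLL is not flagged.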

AhnLab has provided IOCs for this attack, which include the DLL side-loading file paths and the MD5 hash values of the malware used in the attack.

[File Detection]
– Trojan/Win.LazarLoader.C5427612 (2023.05.15.02)
– Trojan/Win.LazarLoader.C5427613 (2023.05.15.03)

[IOC]
[DLL Side-loading File Path]
– C:\ProgramData\USOShared\Wordconv.exe
– C:\ProgramData\USOShared\msvcr100.dll

[MD5]
– e501bb6762c14baafadbde8b0c04bbd6: diagn.dll
– 228732b45ed1ca3cda2b2721f5f5667c: msvcr100.dll
– 47d380dd587db977bf6458ec767fee3d: ? (Variant malware of msvcr100.dll)
– 4d91cd34a9aae8f2d88e0f77e812cef7: cylvc.dll (Variant malware of msvcr100.dll)