Posted on July 25, 2023 at 8:05 AM

Lazarus Hacking Group Launches Hacking Attacks Targeting Microsoft IIS Servers

The Lazarus hacking group, which is a state-sponsored hacker group in North Korea, has continued to launch hacking attacks. This group has been accused of infiltrating the Windows Internet Information Service (IIS) web servers to illegally gain access to them in order to distribute malware.

Lazarus hackers use Microsoft IIS servers to deploy malware

The Internet Information Service (IIS) is a web server solution that is offered by Microsoft. IIS is used to host websites and application services like Microsoft Exchange Outlook on the Web. North Korean hackers are now targeting the servers to launch hacking campaigns.

According to security analysts at a South Korean cybersecurity company known as ASEC, the Lazarus hacking group has been targeting IIS servers to obtain initial access to corporate networks.

ASEC researchers have also said that the Lazarus hacking group has been targeting IIS services that were not well-protected. These services were being used to distribute malware and cause harm to the targeted devices.

The main goal behind using this technique to launch these hacking attacks was the ease at which the visitors of different websites could be infected. The technique also targeted those using different services that are hosted on compromised IIS servers. These servers are owned by organizations that are trustworthy.

North Korean hackers target South Korea

The recent hacking campaigns that were detected by the researchers at ASEC noted that the Lazarus hacking group had compromised legitimate websites operating in South Korea. These websites were compromised to conduct “Watering Hole” hacking attacks on website visitors.

The attacks in question were being conducted using a vulnerable version of the INISAFE CrossWeb EX V6 software, which the hackers exploited to gain initial access. The majority of private and public organizations based in South Korea have been using this software to conduct a wide range of functions.

Some of the services made possible by this software include electronic financial transactions, internet banking, and security certification, among others. The INISAFE security flaw has previously been revealed by researchers at ASEC and Symantec, who exposed the possibility of hacking exploits in a report that was published last year.

Researchers at ASEC and Symantec said that the security vulnerability was exploited through HTML email attachments. The attacks conducted through this vulnerability start whenever a malicious HTML file has been received. The file in question contains a malicious link within the email, or the link has possibly been downloaded from the web.

“A typical attack begins when a malicious HTML file is received, likely as a malicious link in an email or downloaded from the web. The HTML file is copied to a DLL file called scskapplink.dll and injected into the legitimate system management software INISAFE Web EX Client,” the Symantec researchers said.

Whenever this flaw is exploited, it triggers a malicious “SCSKAppLink.dll” payload from the IIS web server that has already been compromised. This compromise happens before a hacking attack is exploited and used as a malware distribution server.

The researchers noted that the technique used by the hackers indicated that they had exploited and gained control of the IIS web servers before these servers could be used to distribute malware.

The researchers at ASEC failed to analyze the payload that was used to conduct these hacking campaigns. However, there is a likelihood that a malware downloader detected in other Lazarus campaigns was behind this recent exploit.

The Lazarus hacking group also relies on the “JuicyPotato” privilege escalation malware to achieve more access to the affected system. JuicyPotato is used to deploy a second malware loader that will decrypt the downloaded data files before executing them within the memory to support AV evasion.

The researchers at ASEC have recommended that users at NISAFE CrossWeb EX V6 update the software to the latest version. The Lazarus hacking group has been actively exploiting the vulnerabilities in this product since at least April last year.

The security company has also sent an advisory to users urging them to upgrade to version 3.3.2.41 or the later versions. The company has also urged users to remediate the instructions released previously to show the threat posed by these state-sponsored hackers.

Microsoft application servers are increasingly being targeted by hackers that want to use them to distribute malware. These servers are likely being used because they are largely trusted.

The other hacker group that has also been launching similar campaigns is the Russian Turla group. Last week, a report by CERT-UA and Microsoft said that the Turla hacker group had compromised Microsoft Exchange servers to create backdoors to targets.