Posted on May 30, 2023 at 7:39 PM

Lazarus Hacking Group Obtains Initial Access By Exploiting Vulnerable Windows IIS Web Servers

The notorious North Korean hacking group, the Lazarus Group, is now launching attacks targeting vulnerable Windows Internet Information Services (IIS) web servers. The exploits in question are being done to give the threat actors initial access to hijack corporate networks.

Lazarus hacking group targets vulnerable Windows IIS web servers

The Lazarus hacking group is one of the most notorious hacking groups based in North Korea. The hacking group usually conducts its hacking exploits because of financial motivation. Some analysts have said that the hacking exploits conducted by the group go towards funding the weapons development programs in North Korea.

While the majority of the hacking exploits done by the group are financially motivated, the group has also been engaged in espionage operations. The latest tactic that was used by the group included targeting Windows IIS servers. This hacking activity was detected by South Korean researchers at the AhnLab Security Emergency Response Center (ASEC).

The Windows Internet Information Services (IIS) servers are largely used by all kinds of organizations. These servers are used to host web content, including apps, sites, and services, including Microsoft Exchange’s Outlook that runs on the Web.

The IIS web servers offer a flexible solution that has been readily available since the launch of Windows NT. The solution supports different protocols such as HTTP, HTTPs, FTP, FTPs, SMTP, and NNTP protocols.

However, in cases where the servers are outdated or not managed in the right manner, the servers can be exploited and served as an initial access point by hackers, as seen in the recent activity by the North Korean Lazarus hacking group.

The recent activity detected by South Korean hackers comes after a report by Symantec about hackers installing malware on IIS. The malware is then used to execute commands on the affected systems through web requests. The hackers are also able to exploit this malware by avoiding detection by security systems.

Another report published by Symantec said that a hacking group known as Cranfly was using an unknown technique to control malware. The threat actor group used IIS web server logs to conduct the malware campaigns.

How the Lazarus hacking group exploited Windows IIS servers

The Lazarus hacking group first obtained access to the Windows IIS servers by exploiting known vulnerabilities and misconfigurations. These vulnerabilities allow the threat actors to generate files within the IIS server through the w3wp.exe process.

When the hackers launch this malicious activity, they will drop ‘Wordconv.exe, which is a malicious code within the DLL loads alongside a malicious DLL known as the ‘msvcr100.dll’ within the same folder. It will also support an encoded file known as ‘msvcr100.dat.’

After the ‘Wordconv.exe’ has been launched, the malicious code within the DLL loads will be used to decrypt the Salsa20-encode executable from the msvcr100.dat. The hacker then executes it within the device’s memory at a location where it will not be detected by antivirus programs.

The ASEC researchers also noted that there were a few code similarities between the ‘msvcr100.dll’ and another malware that was detected last year, known as the ‘cylvc.dll. The latter was also exploited by the Lazarus hacking group and used to disable anti-malware through a “bring your own vulnerable” driver technique.

Given the nature of these hacking activities, the ASEC researchers have said that the newly detected DLL file is a new variant of similar malware. During the second phase of the attack, the Lazarus hacking group created a second malware known as ‘diagn.dll’ by exploiting a plugin within Notepad++.

The second malware obtains a payload that has been encoded with the RC6 algorithm. It will then decrypt the malware using a hard-coded key and then execute it within the device’s memory to avoid detection.

The research conducted by ASEC could not determine what the payload did within the breached system, but there were signs of LSASS dumping showing the theft of credentials. The last step taken by the Lazarus hackers was to conduct a network reconnaissance and lateral movement using port 3389 while relying on valid user credentials that were presumably stolen.

The ASEC researchers have not detected more malicious campaigns by hackers. The hackers are heavily reliant on DLL sideloading as part of their exploit. The ASEC researchers have recommended that organizations be on the lookout for any suspicious process execution.

“Since the threat actor group primarily utilizes the DLL sideloading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take pre-emptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement,” the ASEC report said.