Rewterz Threat Alert – Lazarus Threat Actor Group Abuses Microsoft IIS Servers for Widespread Malware Distribution

Severity

High

Analysis Summary

The Lazarus hacking group, a state-sponsored cybercrime collective from North Korea, has been engaging in a sophisticated campaign to breach Windows Internet Information Service (IIS) web servers for the distribution of malware. IIS, a widely used web server solution developed by Microsoft, serves as a crucial infrastructure for hosting websites and application services, including Microsoft Exchange’s Outlook on the Web.

The cybersecurity landscape has witnessed an increase in targeted attacks on IIS web servers, likely due to their trusted nature and prevalence in enterprise environments. Lazarus, known for its advanced hacking capabilities, is leveraging poorly protected IIS services to breach corporate networks and distribute malicious payloads, targeting unsuspecting visitors to websites and users of services hosted on compromised servers. The main advantage of this technique lies in the ease of infecting users who place trust in websites owned by reputable organizations.

In recent incidents documented by South Korean security analysts, Lazarus compromised legitimate South Korean websites, using a technique known as “Watering Hole” attacks, to exploit vulnerabilities in the INISAFE CrossWeb EX V6 software. This particular software is widely used in South Korea for electronic financial transactions, security certification, internet banking, and more. Lazarus exploited a known vulnerability in INISAFE to initiate its attacks.

Lazarus initiates its attack by using malicious HTML email attachments or malicious links in emails to deliver a compromised HTM file. This HTM file is then copied to a DLL file named ‘scskapplink.dll’ and injected into the legitimate system management software INISAFE Web EX Client. The exploitation of the INISAFE flaw provides the hackers with a foothold in the compromised system.

Once Lazarus gains control over the IIS web servers, they use these compromised servers to distribute malware. The analysis indicates that Lazarus used the compromised IIS servers to host the ‘SCSKAppLink.dll’ payload, which is subsequently downloaded onto the victim’s system during the attack. By employing this approach, the attackers can distribute malware to a broader audience without being directly traced back to their own servers.

To further escalate their access and ensure persistence, Lazarus utilizes the ‘JuicyPotato’ privilege escalation malware (‘usopriv.exe’) to attain higher-level privileges within the compromised system. This privilege escalation is essential for executing a second malware loader (‘usoshared.dat’). The second loader decrypts the downloaded data files and executes them into memory, allowing the malware to operate without being easily detected by traditional antivirus software.

Researchers advise users of INISAFE CrossWeb EX V6 to update the software to its latest version to mitigate the risk of Lazarus exploiting known vulnerabilities. The use of trusted Microsoft application servers, such as IIS and Exchange, by threat actors for malware distribution is becoming a common trend, making it essential for organizations to ensure proper security measures are in place.

Impact

• Privilege Escalation
• System Compromise

Remediation

• Patch Management and Software Updates: Regularly update and patch all software components, including IIS, OS, and third-party apps.
• Secure Configuration of IIS Servers: Apply industry best practices, disable unnecessary services, and use secure HTTP response headers.
• Web Application Firewall (WAF): Deploy a robust WAF to protect against web-based attacks.
• Regular Security Audits and Penetration Testing: Conduct periodic audits and penetration tests to identify vulnerabilities.
• Intrusion Detection and Prevention Systems (IDPS): Implement IDPS to monitor and detect anomalous network activity.
• User Education and Awareness: Educate users about cyber threats and caution when clicking links or downloading files.
• Multi-Factor Authentication (MFA): Enforce MFA for critical accounts and privileged users.
• Network Segmentation: Segment the network to limit lateral movement for attackers.
• Incident Response and Recovery Plan: Develop a comprehensive incident response plan and conduct regular exercises.