The Lazarus hacking group, a state-sponsored cybercrime collective from North Korea, has been engaging in a sophisticated campaign to breach Windows Internet Information Service (IIS) web servers for the distribution of malware. IIS, a widely used web server solution developed by Microsoft, serves as a crucial infrastructure for hosting websites and application services, including Microsoft Exchange’s Outlook on the Web.
The cybersecurity landscape has witnessed an increase in targeted attacks on IIS web servers, likely due to their trusted nature and prevalence in enterprise environments. Lazarus, known for its advanced hacking capabilities, is leveraging poorly protected IIS services to breach corporate networks and distribute malicious payloads, targeting unsuspecting visitors to websites and users of services hosted on compromised servers. The main advantage of this technique lies in the ease of infecting users who place trust in websites owned by reputable organizations.
In recent incidents documented by South Korean security analysts, Lazarus compromised legitimate South Korean websites, using a technique known as “Watering Hole” attacks, to exploit vulnerabilities in the INISAFE CrossWeb EX V6 software. This particular software is widely used in South Korea for electronic financial transactions, security certification, internet banking, and more. Lazarus exploited a known vulnerability in INISAFE to initiate its attacks.
Lazarus initiates its attack by using malicious HTML email attachments or malicious links in emails to deliver a compromised HTM file. This HTM file is then copied to a DLL file named ‘scskapplink.dll’ and injected into the legitimate system management software INISAFE Web EX Client. The exploitation of the INISAFE flaw provides the hackers with a foothold in the compromised system.
Once Lazarus gains control over the IIS web servers, they use these compromised servers to distribute malware. The analysis indicates that Lazarus used the compromised IIS servers to host the ‘SCSKAppLink.dll’ payload, which is subsequently downloaded onto the victim’s system during the attack. By employing this approach, the attackers can distribute malware to a broader audience without being directly traced back to their own servers.
To further escalate their access and ensure persistence, Lazarus utilizes the ‘JuicyPotato’ privilege escalation malware (‘usopriv.exe’) to attain higher-level privileges within the compromised system. This privilege escalation is essential for executing a second malware loader (‘usoshared.dat’). The second loader decrypts the downloaded data files and executes them into memory, allowing the malware to operate without being easily detected by traditional antivirus software.
Researchers advise users of INISAFE CrossWeb EX V6 to update the software to its latest version to mitigate the risk of Lazarus exploiting known vulnerabilities. The use of trusted Microsoft application servers, such as IIS and Exchange, by threat actors for malware distribution is becoming a common trend, making it essential for organizations to ensure proper security measures are in place.