The Lazarus hacking group, reportedly backed by North Korea, is reportedly exploiting Windows Internet Information Service (IIS) servers, infiltrating them for malware dissemination.
IIS is a web server solution developed by Microsoft, which is predominantly used to host websites or application services such as Microsoft’s Outlook on the Web, part of their Exchange platform.
ASEC, South Korean security analysts, had previously indicated that Lazarus was targeting IIS servers to gain initial access to corporate networks. However, the latest reports reveal that the threat group is now also utilizing inadequately secured IIS services for malware distribution.
This strategy provides a straightforward route to infect the visitors of websites or users of services hosted on the compromised IIS servers that are owned by reputable organizations.
Recent Attacks on South Korean Infrastructure
In a series of recent attacks monitored by ASEC, Lazarus was found to exploit legitimate South Korean websites to conduct ‘Watering Hole’ attacks on visitors employing an unsecured version of the INISAFE CrossWeb EX V6 software.
This software is used extensively by both public and private organizations across South Korea for a range of applications, including electronic financial transactions, security certification, and internet banking.
Typical attack vectors include malicious HTM files, often received as a deceptive link in an email or downloaded from the web. These files are then copied to a DLL file called scskapplink.dll and subsequently injected into the legitimate system management software INISAFE Web EX Client, according to the Symantec report from 2022.
The vulnerability allows for the retrieval of a malicious ‘SCSKAppLink.dll’ payload from an already compromised IIS web server, which has been manipulated into acting as a malware distribution server.
Further Details on the Exploitation Method
ASEC’s latest report explains that the threat actor initially gains control over IIS web servers before using them as a platform for distributing malware. The specific payload was not analyzed by ASEC, but it is believed to be a malware downloader consistent with other recent Lazarus campaigns.
Further, Lazarus employs the ‘JuicyPotato’ privilege escalation malware (‘usopriv.exe’) to secure higher-level access to the compromised system. The JuicyPotato malware executes a second malware loader (‘usoshared.dat’) which decrypts downloaded data files and executes them into memory, thereby evading antivirus software.
ASEC advises that users of NISAFE CrossWeb EX V6 should update their software to the latest version to safeguard against Lazarus’ exploitation, which has been ongoing since at least April 2022. The company suggests an upgrade to version 184.108.40.206 or later and directs users to remediation instructions issued four months ago, which also highlight the growing Lazarus threat.
This incident emphasizes the increasing attractiveness of Microsoft application servers as targets for hackers, due to the servers’ trusted reputation. A recent report by CERT-UA and Microsoft showed that Russian Turla hackers had also been using compromised Microsoft Exchange servers to deliver backdoors to their targets.