ASEC discovered that the North Korean state-sponsored Lazarus APT group is attacking Windows Internet Information Services (IIS) web servers and using them to distribute malware. The attackers gain initial access with the watering hole technique, compromising Korean websites and modifying their content.
Diving into details
Lazarus employs the watering hole technique to gain initial access. After compromising Korean websites and modifying their content, the group exploits a vulnerability in INISAFE CrossWeb EX V6.
When users running vulnerable versions of INISAFE CrossWeb EX V6 visit these sites, the Lazarus malware (SCSKAppLink.dll) is installed through the INISAFECrossWebEXSvc.exe vulnerability.
To escalate privileges and facilitate further malicious activity, Lazarus deploys the JuicyPotato malware, packed with Themida.
Once on a system, the attackers attempt to install the "SCSKAppLink.dll" malware through this exploit. The malware acts as a downloader that fetches additional malware strains from external sources, giving the attackers control over the compromised systems.
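As an added illustration of how a defender might hunt for the chain described above, the following Python example scans constructed image-load telemetry for the two names the report gives, INISAFECrossWebEXSvc.exe and SCSKAppLink.dll. It is not ASEC's code or detection logic. The JSON field names, file paths and the list of "user-writable" directories are assumptions made for the example; the second rule generalizes beyond the reported DLL name to any unsigned DLL the vulnerable service loads from such a directory, so a renamed payload would still be flagged.

```python
"""Flag INISAFE CrossWeb EX loading suspicious DLLs in constructed image-load logs."""
import json
from pathlib import PureWindowsPath

# The process and DLL names come from the ASEC report; the log schema, install
# path and user-writable directory list below are assumptions for this example.
VULNERABLE_SERVICE = "inisafecrosswebexsvc.exe"
KNOWN_BAD_DLL = "scskapplink.dll"
USER_WRITABLE_ROOTS = (
    PureWindowsPath(r"C:\Users"),
    PureWindowsPath(r"C:\ProgramData"),
    PureWindowsPath(r"C:\Windows\Temp"),
)

# Constructed sample events in a Sysmon-like JSON-lines shape. Not real telemetry.
SAMPLE_LOG = r"""
{"event": "image_load", "process": "C:\\INISAFE\\INISAFECrossWebEXSvc.exe", "image": "C:\\Users\\Public\\SCSKAppLink.dll", "signed": false}
{"event": "image_load", "process": "C:\\INISAFE\\INISAFECrossWebEXSvc.exe", "image": "C:\\Windows\\System32\\ntdll.dll", "signed": true}
{"event": "image_load", "process": "C:\\INISAFE\\INISAFECrossWebEXSvc.exe", "image": "C:\\ProgramData\\update.dll", "signed": false}
{"event": "image_load", "process": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\Public\\SCSKAppLink.dll", "signed": false}
{"event": "process_create", "process": "C:\\INISAFE\\INISAFECrossWebEXSvc.exe", "image": "C:\\Windows\\System32\\cmd.exe", "signed": true}
"""


def parse_events(log_text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def in_user_writable_dir(image_path):
    """True if the image lives under one of the assumed user-writable roots."""
    path = PureWindowsPath(image_path)
    # PureWindowsPath comparisons are case-insensitive, matching NTFS behaviour.
    return any(root in path.parents for root in USER_WRITABLE_ROOTS)


def detect(events):
    """Return (rule, process, image) tuples for image-load events matching either rule."""
    alerts = []
    for ev in events:
        if ev.get("event") != "image_load":
            continue
        proc = PureWindowsPath(ev["process"]).name.lower()
        image = PureWindowsPath(ev["image"]).name.lower()
        # Rule 1: the DLL name reported by ASEC, whichever process loads it.
        if image == KNOWN_BAD_DLL:
            alerts.append(("known_dll_name", ev["process"], ev["image"]))
        # Rule 2 (heuristic, an assumption of this example): the vulnerable service
        # loading an unsigned DLL from a user-writable location catches renamed payloads.
        if (
            proc == VULNERABLE_SERVICE
            and not ev.get("signed", False)
            and in_user_writable_dir(ev["image"])
        ):
            alerts.append(("service_loads_unsigned_dll", ev["process"], ev["image"]))
    return alerts


def scan_sample():
    """Run both rules over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, proc, image in scan_sample():
        print(f"[{rule}] {proc} -> {image}")
```

On the constructed sample the first event trips both rules, the signed ntdll.dll load is ignored, the unsigned update.dll load is caught only by the heuristic rule, and the explorer.exe load of SCSKAppLink.dll is caught by the name rule alone; process-creation events are not examined here. In a real deployment the directory list and signing check would be tuned to the organisation's build of INISAFE and its standard install path.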
Latest on Lazarus
The JumpCloud breach was attributed to the Lazarus APT group. The breach resulted in JumpCloud resetting its clients' API keys and taking precautionary measures to secure their systems.
In June, Lazarus was believed to be responsible for the recent attack on Atomic Wallet, resulting in the theft of at least $35 million in cryptocurrency.
In April, a new macOS malware called RustBucket was discovered and attributed to the North Korea-linked BlueNoroff group, a subgroup of Lazarus.
The bottom line
The Lazarus group's activities targeting Windows IIS web servers pose significant risks to organizations and individuals alike. As such, it is imperative for organizations to adopt stringent measures, including attack surface management, to identify exposed assets and continuously apply the latest security patches. Proactive security practices are crucial to mitigating the risks posed by such state-funded threat actors.