Lazarus Group hacks vulnerable Microsoft IIS servers for spying

Center for Emergency Situations Ahnlab Security (ASEC) reports that the North Korean hacker group Lazarus Group is aimed at vulnerable versions servers Microsoft Internet Information Services (IIS) for deploying malware in target systems.

According to AHNLAB Securit, the group uses the DLL side loading method (DLL Sideloading) to start arbitrary loading loads. Hackers place the harmful DLL (MSVCR100.dll) on the same path to the folder as the usual application (WordConv.exe) through the Windows IIS, W3WP.exe web server process. Then the attackers launch an ordinary application to initiate the implementation of the malicious DLL.

Malicious library “MSVCR100.dll” is designed to decipher the encoded useful data, which are then performed in memory. It is claimed that the malicious software is an option that ASEC was discovered last year and acted as a backdor for communication with the C2 server.

The attack chain also entailed the use of NOTEPAD ++ plugin with an open source called Quick Color Picker , for which the support of which has already been stopped, for delivery of additional malware to facilitate theft of accounting data and lateral movement.

The latest development demonstrates the variety of Lazarus attacks and the ability of the group to use an extensive set of tools for long -term spy operations.

/Reports, release notes, official announcements.