- Get four Apple AirTags for just $73 with this Black Friday deal
- I tested Beats' new Pill speaker and it delivered gloriously smooth sound (and it's on sale for Black Friday)
- These Sony headphones are a fan favorite - and $150 off for Black Friday
- I tested a 'luxury' nugget ice maker, and it's totally worth it - plus it's $150 off for Black Friday
- The Dyson Airwrap is $120 off ahead of Black Friday - finally
Lazarus Group Targeting Microsoft Web Servers to Launch Espionage Malware
North Korea threat actor Lazarus group is targeting Windows IIS web servers to launch espionage attacks, according to a new analysis by AhnLab Security Emergency response Center (ASEC).
The researchers said the approach represents a variation on the dynamic-link library (DLL) side-loading technique, a tactic regularly utilized by the state-affiliated group.
Here, they believe the attackers use “poorly managed or vulnerable web servers as their initial breach routes before executing their malicious commands later.”
ASEC explained: “The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL. In MITRE ATT&CK, this method of attack is categorized as the DLL side-loading (T1574.002) technique.”
Following initial infiltration, Lazarus establish a foothold before creating additional malware (diagn.dll) by exploiting the open-source ‘color picker plugin,’ which is a plugin for Notepad++. This malware facilitates credential theft and lateral movement, ideal for carrying out espionage operations.
Last year, Microsoft published an advisory warning that North Korea-associated threat actors weaponizing legitimate open-source software targeting employees in organizations across multiple industries.
ASEC highlighted the growing sophistication of Lazarus group, and its abilities to utilize a range of attack vectors to perform their initial breach. These have been demonstrated in incidents like Log4Shell, public certificate vulnerability and the 3CX supply chain attack.
The researchers warned: “[Lazarus]is one of the highly dangerous groups that are actively launching attacks worldwide. Therefore, corporate security managers should utilize attack surface management to identify the assets that could be exposed to threat actors and practice caution by applying the latest security patches whenever possible.”
They added that due to Lazarus’ focus on the DLL side-loading technique during initial infiltrations, “companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”
This week (May 23, 2023), the US government announced sanctions on three entities because of their link with North Korea’s primary intelligence service, the Reconnaissance General Bureau (RGB), which US officials say is behind many of the country’s cyber espionage and cyber theft activities.