TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: AhnLab Security Emergency Response Center (ASEC) published a report (weblink below) detailing North Korea-based Lazarus Group’s recent campaign that exploits vulnerable Windows Internet Information Services (IIS) web servers. Lazarus Group purportedly exploited poorly managed or vulnerable web servers to enable their initial infection phase. The Lazarus Group also used their usual DLL side-loading technique to run their malware within the vulnerable web server.
According to ASEC’s report, Lazarus Group deployed a malicious DLL (msvcr100.dll) alongside a normal application (Wordconv.exe) through the Windows IIS web server process (w3wp.exe). The malicious DLL was executed with the list of DLLs of the Wordconv.exe. The malicious DLL was executed first and loaded into the memory of the Wordconv.exe process via DLL search priority. ASEC assessed that msvcr100.dll is possibly a variant of the previously reported malware (cylvc.dll), due to code similarities. Notably, both malicious DLLs decrypt the data files with the Salsa20 algorithm, then execute the portable executable (PE) file in memory.
AhnLab Report: hxxps://asec.ahnlab[.]com/en/53132/
NYSIC CAU Analyst Note: Once the Lazarus Group establishes a foothold on the compromised web server, they create additional malware (diagn.dll) using a Notedpad++ plugin exploit. The diagn.dll received the aforementioned PE file and executed it in the memory. The PE file’s malicious behavior in the recent campaign is undetermined. However, ASEC surmised that the PE file is Mimikatz malware because Lazarus Group was observed accessing the memory of the lsass.exe process to obtain system data and credentials. Lastly, the Lazarus Group uses the stolen system credentials to remotely access the compromised web server to conduct internal reconnaissance and then perform lateral movement. ASEC did not observe any further malicious activities after Lazarus Group’s lateral movement.
Sources:
hxxps://www.darkreading[.]com/cloud/lazarus-group-striking-vulnerable-windows-iis-web-servers
hxxps://www.scmagazine[.]com/brief/threat-intelligence/new-lazarus-group-attacks-set-sight-on-microsoft-iis-servers
hxxps://thehackernews[.]com/2023/05/n-korean-lazarus-group-targets.html
This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules,
TLP:CLEAR information may be shared without restriction.