Lazarus: They hijack Microsoft’s IIS servers to distribute malware

Lazarus, a state-backed North Korean hacker group, targets Windows Internet Information Service (IIS) web servers to use them as a platform for distributing malware.

IIS serves as Microsoft’s web server solution, facilitating the hosting of websites and application services, including Outlook on the Web for Microsoft Exchange.

Previously, South Korean security analysts from ASEC revealed Lazarus’ focus on targeting IIS servers as a means to gain initial access to corporate networks. Presently, the cybersecurity firm reports that hackers are exploiting inadequately protected IIS services to distribute malware.

Attacks Against Windows IIS Web Servers

In a previous blog post (May 2023) titled “Lazarus Group Targeting Windows IIS Web Servers,” there were documented instances of the Lazarus threat group targeting IIS servers. The attackers gained initial access by exploiting poorly managed or vulnerable web servers. Additionally, there were cases where RDP (Remote Desktop Protocol) was used for lateral movement after internal reconnaissance.

Typically, attackers discover web servers running vulnerable versions through scanning and then exploit a suitable vulnerability to install a WebShell or execute malicious commands. Whether the threat actor exploits the vulnerability directly to run commands or uses the WebShell for file download/upload and remote command execution, these malicious actions run under w3wp.exe, the IIS worker process, so they appear as child processes of the web server.

ASEC did not analyze the specific payload, but says it is likely a malware downloader that has been seen in other recent Lazarus campaigns.

Lazarus then uses the “JuicyPotato” privilege escalation malware (“usopriv.exe”) to gain higher-level access to the compromised system.

JuicyPotato is used to execute a second-stage loader named ‘usoshared.dat,’ which decrypts downloaded data files and executes them in memory as a tactic to evade antivirus (AV) detection.
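The chain described above leaves two footholds in endpoint telemetry: w3wp.exe spawning a command interpreter, and the named files and MD5s the article publishes. The following detection logic is an added example written for this page (it is not code from the article or from ASEC); it assumes process-creation records with Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine, Hashes) and runs over constructed sample events.

```python
# Added detection example; not code from the article or from ASEC.
# Two checks a defender can run over process-creation telemetry from an IIS host:
#  1. the IIS worker process w3wp.exe spawning a command interpreter or LOLBin,
#     which is what web-shell command execution looks like on the endpoint;
#  2. file names and MD5s published in the article (usopriv.exe / usoshared.dat).
# Event records are constructed here in the shape of Sysmon Event ID 1 fields (assumption).
KNOWN_MD5 = {                                   # values from the article's IOC list
    "280152dfeb6d3123789138c0a396f30d": "JuicyPotato (usopriv.exe)",
    "d0572a2dd4da042f1c64b542e24549d9": "Loader (usoshared.dat)",
}
KNOWN_NAMES = {"usopriv.exe", "usoshared.dat"}
# Interpreters / LOLBins that a web server worker has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path):
    """Case-insensitive file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def md5_of(hashes_field):
    """Extract the MD5 from a Sysmon 'Hashes' string such as 'SHA256=..,MD5=..'."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "MD5":
            return value.strip().lower()
    return None

def classify(event):
    """Return the reasons this process-creation event is suspicious (empty list if none)."""
    reasons = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent == "w3wp.exe" and image in SUSPICIOUS_CHILDREN:
        reasons.append(f"IIS worker w3wp.exe spawned {image}")
    if image in KNOWN_NAMES:
        reasons.append(f"known Lazarus file name {image}")
    label = KNOWN_MD5.get(md5_of(event.get("Hashes", "")) or "")
    if label:
        reasons.append(f"MD5 matches {label}")
    return reasons

def scan(events):
    """Map each suspicious event's CommandLine to its list of reasons."""
    return {ev["CommandLine"]: r for ev in events if (r := classify(ev))}

# Constructed sample telemetry: two malicious events and two benign ones (placeholders, not real hashes).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "Hashes": "MD5=<benign-placeholder>"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\Temp\usopriv.exe",
     "CommandLine": "usopriv.exe", "Hashes": "SHA256=<placeholder>,MD5=280152dfeb6d3123789138c0a396f30d"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "Hashes": "MD5=<benign-placeholder>"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "w3wp.exe -ap DefaultAppPool", "Hashes": "MD5=<benign-placeholder>"},
]
```

Note that the last sample event (w3wp.exe starting another w3wp.exe) is deliberately left unflagged: the parent check alone is not a signal, it is the interpreter child that matters.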

ASEC urges INISAFE CrossWeb EX V6 users to update to the latest version (3.3.2.41 or newer), since Lazarus has been exploiting known vulnerabilities in it since April 2022. The security firm refers to previously published remediation instructions highlighting the Lazarus threat.

Microsoft application servers are increasingly targeted by hackers for distributing malware, likely exploiting their trusted reputation.

Security Update Recommendation: Ensure AhnLab V3 is updated to the latest version to prevent malware infections.

File Detection:

  • Exploit/Win.JuicyPotato.C5452409 (2023.07.12.03)
  • Trojan/Win.Loader.C5452411 (2023.07.12.03)

Behavior Detection:

  • InitialAccess/MDP.Event.M4242

Indicators of Compromise (IOC), MD5:

  • 280152dfeb6d3123789138c0a396f30d: JuicyPotato (usopriv.exe)
  • d0572a2dd4da042f1c64b542e24549d9: Loader (usoshared.dat)

About the Author:

FirstHackersNews- Identifies Security
