Lazarus doesn’t sleep: South Korean websites fall victim to ‘watering hole attack’
Hackers infect Microsoft IIS servers to attack the chemical industry in South Korea.
IIS (Internet Information Services) is Microsoft’s web server, used to host websites and application services such as Outlook on the web for Microsoft Exchange.
In the attacks discovered, Lazarus compromised legitimate South Korean websites in order to carry out watering hole attacks against visitors running a vulnerable version of the INISAFE CrossWeb EX V6 software.
A watering hole attack involves hackers compromising a website that is frequently visited by the targeted victims. Once the site is hacked, the attackers inject malicious code into it, which is activated when users visit the site. For example, in 2023 several Israeli logistics and delivery websites were hacked to collect information about their users.
Many public and private organizations in South Korea use INISAFE CrossWeb EX V6 for financial transactions, security certification, internet banking, and more.
The attack begins when the victim receives a malicious .htm file, either via a link in an email or by downloading it from the Internet. The .htm file is then copied to a DLL file and embedded in the INISAFE Web EX Client system management software.
Exploiting the vulnerability lets the attackers fetch a malicious payload from an IIS server that was compromised before the attack and repurposed as a malware distribution server. ASEC has not analyzed the specific payload, but believes it may be a malware loader seen in other Lazarus campaigns.
Lazarus then uses the JuicyPotato privilege escalation tool to gain higher-level access on the compromised system. JuicyPotato is used to run a second malware downloader, which decrypts the downloaded files and executes them in memory to evade antivirus.
ASEC recommends that INISAFE CrossWeb EX users update to the latest version (22.214.171.124 or later), as Lazarus has been exploiting known vulnerabilities in the product since at least April 2022.
The INISAFE vulnerability was previously documented by the security company Symantec in 2022. Its researchers discovered attacker network activity in South Korean chemical organizations. Those attacks began with a malicious HTML file that was copied into a DLL file to compromise the INISAFE Web EX Client.