Vulnerable Microsoft IIS Servers Became a Spying Tool for Lazarus Group Hackers
The attacks used an outdated Notepad++ plugin to deliver malware.
AhnLab Security Emergency Response Center (ASEC) reports that the North Korean hacker group Lazarus Group is targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers to deploy malware on target systems.
According to AhnLab, the group uses DLL sideloading to launch arbitrary payloads. Through the IIS worker process, w3wp.exe, the attackers place a malicious DLL (msvcr100.dll) in the same folder as a legitimate application (Wordconv.exe). They then launch that legitimate application, which loads the malicious DLL instead of the genuine Visual C++ runtime library of the same name, because the Windows loader searches the application's own directory before the system directories.
The malicious msvcr100.dll decrypts encoded payloads and executes them in memory. ASEC says the malware is a variant of a backdoor it discovered last year, which communicated with a command-and-control (C2) server.
The attack chain also involved a now-deprecated open source Notepad++ plugin, Quick Color Picker, which was used to deliver additional malware for credential theft and lateral movement.
The latest development demonstrates the variety of Lazarus attacks and the group's ability to draw on a wide range of tools for long-term espionage operations.