North Korean threat actor Lazarus Group is targeting Windows IIS web servers to launch espionage attacks, according to new research by AhnLab Security Emergency Response Center (ASEC).
The researchers said the tactic represents a variation on the dynamic-link library (DLL) side-loading technique, a tactic routinely used by the state-affiliated group.
In the report, they note that the attackers use “poorly managed or vulnerable web servers as their initial breach routes before executing their malicious commands later.”
ASEC explained: “The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL. In MITRE ATT&CK, this method of attack is classified as the DLL side-loading (T1574.002) technique.”
Following initial infiltration, Lazarus established a foothold before creating further malware (diagn.dll) by exploiting the open-source ‘color picker plugin,’ a plugin for Notepad++. This malware facilitates credential theft and lateral movement, ideal for carrying out espionage activities.
Last year, Microsoft published an advisory warning that North Korea-linked threat actors were weaponizing legitimate open-source software to target employees in organizations across many industries.
ASEC highlighted the growing sophistication of Lazarus Group and its ability to use a range of attack vectors to carry out initial breaches. These have been demonstrated in incidents such as Log4Shell, the public certificate vulnerability and the 3CX supply chain attack.
The researchers warned: “[Lazarus] is one of the highly dangerous groups that are actively launching attacks worldwide. Therefore, corporate security managers must employ attack surface management to identify the assets that could be exposed to threat actors and exercise caution by applying the latest security patches whenever possible.”
They added that, due to Lazarus’ focus on the DLL side-loading technique during initial infiltrations, “companies must proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”
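The two "abnormal process execution relationships" that the ASEC description exposes are an IIS worker process (w3wp.exe) spawning a child, and a legitimate executable loading a well-known runtime DLL such as msvcr100.dll from its own folder rather than from a Windows system directory. The hunting script below is an added illustration written for this article, not ASEC's own tooling; it runs over a handful of constructed Sysmon-style events. The event field names, the trusted-directory list, the watched DLL names and the allowlist of children that w3wp.exe may legitimately spawn are all assumptions to be tuned for a real estate. The second rule generalizes past the single DLL named in the report to any bait library name in the watched set.

```python
"""Hunt for DLL side-loading indicators in Sysmon-style process telemetry.

Constructed example. Event dictionaries loosely mirror Sysmon Event ID 1
(process create) and Event ID 7 (image load); the key names are assumptions,
not a real schema.
"""
import ntpath
from dataclasses import dataclass

# Directories where a genuine Windows runtime DLL is expected to reside (assumed default paths).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# DLL names commonly loaded by bare name and therefore usable as side-loading bait (assumed set).
WATCHED_DLLS = {"msvcr100.dll", "msvcp100.dll", "version.dll"}

# Web server worker processes that should rarely spawn children.
WEB_SERVER_PARENTS = {"w3wp.exe"}

# Children w3wp.exe legitimately spawns in some environments, e.g. ASP.NET compilation (assumed; tune per estate).
ALLOWED_WEB_CHILDREN = {"csc.exe", "conhost.exe"}


@dataclass
class Finding:
    rule: str
    detail: str


def _is_trusted_dir(path):
    """True when the file sits in (or below) one of the trusted system directories."""
    directory = ntpath.dirname(path).lower()
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)


def check_process_create(ev):
    """Rule 1: a web worker process spawned something outside its allowlist."""
    parent = ntpath.basename(ev["parent_image"]).lower()
    child = ntpath.basename(ev["image"]).lower()
    if parent in WEB_SERVER_PARENTS and child not in ALLOWED_WEB_CHILDREN:
        return Finding("web-worker-spawned-process", f"{parent} -> {ev['image']}")
    return None


def check_image_load(ev):
    """Rule 2: a watched runtime DLL was loaded from somewhere other than a trusted directory."""
    dll = ntpath.basename(ev["image_loaded"]).lower()
    if dll not in WATCHED_DLLS or _is_trusted_dir(ev["image_loaded"]):
        return None
    same_dir = ntpath.dirname(ev["image_loaded"]).lower() == ntpath.dirname(ev["image"]).lower()
    where = "beside the host executable" if same_dir else "outside a trusted directory"
    return Finding("runtime-dll-loaded-from-untrusted-path",
                   f"{ev['image']} loaded {ev['image_loaded']} {where}")


def hunt(events):
    """Apply both rules to a stream of events and collect the findings in order."""
    findings = []
    for ev in events:
        f = check_process_create(ev) if ev["type"] == "process_create" else check_image_load(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry; paths are placeholders, not observed indicators.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\ProgramData\example\Wordconv.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"type": "image_load", "image": r"C:\ProgramData\example\Wordconv.exe",
     "image_loaded": r"C:\ProgramData\example\msvcr100.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Windows\System32\msvcr100.dll"},
    {"type": "image_load", "image": r"C:\Tools\app.exe",
     "image_loaded": r"C:\Tools\bin\version.dll"},
]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

On the sample stream the script raises three findings: the worker process spawning Wordconv.exe, Wordconv.exe loading msvcr100.dll from its own folder, and a second executable loading version.dll from an untrusted path; the csc.exe spawn and the system32 load are silent. In practice the first rule needs the allowlist adjusted to the site's IIS usage, and the second is most useful when the loaded DLL's signer is also checked.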
This week (May 23, 2023), the US government announced sanctions on three entities because of their links with North Korea’s primary intelligence service, the Reconnaissance General Bureau (RGB), which US officials say is behind many of the country’s cyber espionage and cyber theft activities.