North Korean Group Uses Watering Hole Techniques to Access, Distribute Malware
The highly active, North Korea-linked Lazarus Group is targeting unpatched Microsoft Internet Information Services servers to escalate privileges and distribute malware.
The advanced persistent threat group compromised and modified the content of South Korean websites to perform watering hole techniques on the sites’ visitors and trick them into downloading the malware, according to security researchers.
IIS is a Microsoft web server that runs on the Windows operating system for exchanging static and dynamic web content with internet users. IIS is used to host, deploy and manage web applications.
Researchers at AhnLab Security Emergency Response Center said that attackers had been exploiting a vulnerable version of INISAFE CrossWeb EX V6, a program used for electronic financial transactions and financial security certification in the public sector.
INISAFE CrossWeb EX is a client program developed by Initech and widely installed in South Korea, where companies and individuals use it for internet banking, according to the researchers.
The attackers compromised an unnamed South Korean website and used it as a watering hole: visitors whose systems ran a vulnerable version of INISAFE CrossWeb EX V6 were exploited through that client, and the threat actor then attempted to install the malware SCSKAppLink.dll on those systems. The download URL for the malware pointed to an IIS web server that had been hacked by Lazarus Group.
“While the Initech vulnerability has already been patched, vulnerability attacks against systems that have not yet been patched still continue to this day,” the researchers said.
“This signifies that the threat actor attacked and gained control over IIS web servers before using these as servers for distributing malware,” the researchers said. “The ‘malware’ was previously identified as a downloader malware that executes additional malware strains from an external source. It can install malware types designated by the attacker in the system to gain control.”
This is not the first instance of attackers abusing IIS. The hacking group Cranefly, also tracked as UNC3524, abused IIS to deliver a previously undocumented dropper, Geppei, which installed a new backdoor called Danfuan and other tools, according to researchers at Symantec (see: Espionage Hackers Use Microsoft IIS to Plant Malware).
Lazarus Group has targeted Microsoft IIS servers before. In May, the group used poorly managed IIS servers as its initial access point and moved laterally over RDP after internal reconnaissance.
Installing JuicyPotato in Latest Attack
To escalate privileges in the latest attack, Lazarus Group used the JuicyPotato privilege escalation tool. The IIS worker process, w3wp.exe, spawned usopriv.exe, which is JuicyPotato packed with Themida. The Potato family of tools abuses the SeImpersonatePrivilege that IIS application pool identities typically hold to obtain a SYSTEM-level token, which is why an unexpected child process of w3wp.exe is a strong detection point.
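The process chain described above (w3wp.exe spawning a binary such as usopriv.exe) is the signal most defenders can act on without any malware-specific indicator. The following detection rule is an added example written for this article; it is not code from the AhnLab report or from the Lazarus tooling. It scans simplified, constructed Sysmon Event ID 1 style process-creation records and flags children of w3wp.exe that are not on an allowlist. The allowlist, the suspicious-directory list and the sample events are assumptions to be tuned per environment.

```python
"""
Added example: flag process-creation events in which the IIS worker process
w3wp.exe spawns a child that is not an expected build/helper process.
Input is newline-delimited JSON in a simplified Sysmon Event ID 1 shape.
"""
import json
import ntpath

# Assumed allowlist of children w3wp.exe legitimately spawns on a typical
# ASP.NET host (dynamic compilation and console helpers). Example values only;
# baseline your own servers before deploying.
EXPECTED_W3WP_CHILDREN = {"csc.exe", "cvtres.exe", "vbc.exe", "conhost.exe"}

# Directories a web worker should never be launching new executables from.
SUSPICIOUS_DIRS = (
    r"c:\windows\temp",
    r"c:\users\public",
    r"c:\inetpub\wwwroot",
    r"c:\programdata",
)

# Living-off-the-land binaries that are high severity when a web worker runs them.
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, parsed with ntpath on any OS."""
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return (severity, reason) for a suspicious w3wp.exe child, else None."""
    if image_name(event.get("ParentImage", "")) != "w3wp.exe":
        return None
    child_path = event.get("Image", "")
    child = image_name(child_path)
    if child in EXPECTED_W3WP_CHILDREN:
        return None

    severity = "medium"
    reasons = [f"w3wp.exe spawned unexpected child {child}"]
    if child_path.lower().startswith(SUSPICIOUS_DIRS):
        severity = "high"
        reasons.append(f"child runs from writable path {ntpath.dirname(child_path)}")
    if child in LOLBINS:
        severity = "high"
        reasons.append("LOLBin launched by web worker")
    return severity, "; ".join(reasons)


def scan(lines):
    """Parse JSON lines, keep Event ID 1 records, return a list of alert dicts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        hit = classify(ev)
        if hit:
            alerts.append({
                "pid": ev.get("ProcessId"),
                "image": ev.get("Image"),
                "severity": hit[0],
                "reason": hit[1],
            })
    return alerts


# Constructed sample telemetry (not real logs). Record 2 mirrors the chain
# described in the article: w3wp.exe -> usopriv.exe dropped in a temp directory.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"EventID": 1, "ProcessId": 5232, "Image": "C:\\Windows\\Temp\\usopriv.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
{"EventID": 1, "ProcessId": 6004, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 3, "ProcessId": 5232, "Image": "C:\\Windows\\Temp\\usopriv.exe", "DestinationIp": "203.0.113.10"}
{"EventID": 1, "ProcessId": 6112, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert['severity'].upper()}] pid={alert['pid']} {alert['image']}: {alert['reason']}")
```

On the constructed input the rule produces two alerts: the usopriv.exe launch from C:\Windows\Temp and the cmd.exe launch, both rated high; the csc.exe compilation and the cmd.exe spawned by explorer.exe are ignored. Process-tree rules like this catch any Potato-style escalation regardless of how the binary is packed, because Themida hides the payload but not the parent-child relationship.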
The attackers then executed a loader in DLL form; the loader decrypts an embedded string to obtain the name of the encrypted data file it is meant to use.
“While the files in these paths have not been procured as of yet, it could be identified through the loader malware routine that this malware type is a loader that decrypts encrypted data files and executes them in the memory area,” the researchers said.
The Lazarus group is known for pairing loader malware with an encrypted data file: a loader in PE format looks for a data file at a fixed path, decrypts it and runs it in memory. The malware strains used by Lazarus are mostly “downloaders that download additional malware types or backdoors that can receive commands from the threat actor to perform malicious behaviors,” the researchers said.