
Lazarus Group Exploits Vulnerable Microsoft IIS Servers as Spying Tools

By Esme Greene

Aug 8, 2023

The well-known North Korean hacking crew Lazarus Group has set its sights on vulnerable versions of Microsoft Internet Information Services (IIS) servers, according to a recent report from ASEC (AhnLab Security Emergency response Center). Their goal is to install sophisticated malware on the targeted machines, which poses a serious cybersecurity risk.

Sophisticated Techniques and Extensive Toolkit: Lazarus Group’s Multi-faceted Cyberattacks

To accomplish this, Lazarus Group employs DLL sideloading: a malicious DLL file (msvcr100.dll) is placed in the same folder as a legitimate application (wordconv.exe), which is launched from the Windows IIS web server process, w3wp.exe. When the legitimate application starts, it loads the malicious DLL sitting beside it, and the attackers' code runs from there.

The malicious “msvcr100.dll” is specifically designed to decrypt an encoded payload, which is then executed in memory. This malware variant, previously identified by ASEC, acts as a backdoor that establishes covert communication with the group’s C2 server.
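The chain described above (w3wp.exe launching wordconv.exe, which loads msvcr100.dll from its own directory) is what a defender would look for in endpoint telemetry. The script below is an added example, not code from the article or from ASEC; it runs a simple detection over constructed Sysmon-style process-create and image-load records (all paths and PIDs are made up) and flags the sideloading pattern while ignoring the genuine runtime DLL in System32.

```python
import ntpath

# Constructed sample telemetry, modelled loosely on Sysmon event IDs 1
# (process create) and 7 (image load). All paths and PIDs are made up.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4812, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    {"id": 1, "pid": 5120, "image": r"C:\inetpub\temp\wordconv.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"id": 7, "pid": 5120, "image": r"C:\inetpub\temp\wordconv.exe",
     "image_loaded": r"C:\inetpub\temp\msvcr100.dll"},
    # Benign: a normal application loading the real runtime DLL from System32.
    {"id": 7, "pid": 6001, "image": r"C:\Program Files\Demo\demo.exe",
     "image_loaded": r"C:\Windows\System32\msvcr100.dll"},
]

# Directories Windows normally serves this runtime DLL from.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\windows\winsxs")

def in_trusted_dir(path):
    """True if the DLL lives in (or under) one of the trusted directories."""
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DLL_DIRS)

def find_sideload_candidates(events, dll_name="msvcr100.dll", web_proc="w3wp.exe"):
    """Return image-load events where dll_name is loaded from outside the
    trusted directories, annotated with whether the DLL sits beside the
    loading executable (the sideloading pattern) and whether that loader
    was spawned by the IIS worker process."""
    iis_children = {e["pid"] for e in events
                    if e["id"] == 1
                    and ntpath.basename(e["parent_image"]).lower() == web_proc}
    findings = []
    for e in events:
        if e["id"] != 7:
            continue
        dll = e["image_loaded"]
        if ntpath.basename(dll).lower() != dll_name or in_trusted_dir(dll):
            continue
        findings.append({
            "pid": e["pid"],
            "loader": e["image"],
            "dll": dll,
            "same_dir": ntpath.dirname(dll).lower() == ntpath.dirname(e["image"]).lower(),
            "spawned_by_iis": e["pid"] in iis_children,
        })
    return findings

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only the wordconv.exe load is reported, with both `same_dir` and `spawned_by_iis` set; either flag alone is worth triage, and both together match the chain the report describes.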

In addition to DLL sideloading, this Lazarus Group campaign also abuses an open-source Notepad++ plugin called Quick Color Picker. Although the plugin is no longer maintained, the group uses it to deliver further malware, gaining additional access to infected systems and a means of lateral movement.

This latest finding highlights the disturbing variety of Lazarus Group's attacks and the maturity of its tradecraft. The group's broad toolkit shows how well equipped it is to run long-term espionage operations, making it a formidable adversary in the cybersecurity space.


Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.