Lazarus Strikes South Korean Websites - August 25, 2023
Lazarus, a North Korean state-sponsored hacking group, has begun using compromised Microsoft IIS (Internet Information Services) web servers as distribution points for its malware, a new technique for the group.
The Lazarus operators exploit a vulnerable version of the INISAFE CrossWeb EX V6 software to compromise legitimate South Korean websites and turn them into watering holes that infect unsuspecting visitors.
In a watering hole attack, the attackers plant malicious code on websites their intended victims are known to frequent; the code executes when a visitor loads the compromised page. In 2023 the same technique was used to expose user data on prominent Israeli logistics and delivery websites.
The primary target for the attackers has been INISAFE CrossWeb EX V6, which is widely utilized by many public and commercial entities in South Korea for financial transactions, security certification, and online banking.
The attack begins with a malicious HTM file delivered through a link or an email. The vulnerable INISAFE Web EX Client process is then abused to load a malicious DLL, which carries the next stage of the attack.
Stealthy Malware Distribution and Elevated Privileges: Lazarus Strikes Again
The injected code retrieves a malicious payload from an IIS server that was compromised earlier and now serves as the malware distribution point. ASEC was not able to obtain the exact payload, but because earlier Lazarus campaigns used malware downloaders at this stage, it is assumed to be a downloader as well.
Once on the machine, Lazarus runs JuicyPotato, a well-known privilege escalation tool that abuses the SeImpersonatePrivilege right held by IIS application pool identities and many service accounts to obtain SYSTEM-level access. With those privileges the attackers launch a second malware loader that decrypts the downloaded files directly in memory, so the decrypted code never touches disk and antivirus scanning is evaded.
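The JuicyPotato step described above leaves a distinctive trace in process-creation telemetry: a child running as NT AUTHORITY\SYSTEM whose parent is a low-privilege process (here, something launched from an IIS application pool) rather than one of the Windows components that legitimately create SYSTEM processes. The detector below is an added illustration written for this article, not code from ASEC, Symantec or the article's author; the allowlist, the service and shell names, the flattened record format and the sample events are all constructed assumptions that would be tuned to a real environment's Sysmon data.

```python
"""Flag Potato-style privilege escalation in Sysmon process-creation records.

JuicyPotato and its relatives abuse SeImpersonatePrivilege, which IIS
application-pool identities and many service accounts hold by default, to
start a process as SYSTEM. The observable is a SYSTEM child whose parent is
not one of the Windows components that legitimately create SYSTEM processes.
Illustrative detector, not ASEC's or Symantec's logic.
"""
import re

# Windows components that legitimately create SYSTEM processes.
# Assumption: an illustrative allowlist that would be tuned per environment.
LEGIT_SYSTEM_PARENTS = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\smss.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\winlogon.exe",
}

# Service processes that hold SeImpersonatePrivilege and are the usual
# launch point for a Potato exploit once an attacker has code execution.
IMPERSONATING_SERVICES = {"w3wp.exe", "sqlservr.exe", "php-cgi.exe", "httpd.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

SYSTEM_USER = r"nt authority\system"

# Values may contain spaces, so split on the next "Key=" rather than on whitespace.
_FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value Key=Value ...' record into a dict."""
    return {k: v.strip() for k, v in _FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: dict):
    """Return (severity, reason) for a suspicious process-creation event, else None."""
    if ev.get("EventID") != "1":
        return None
    image = ev.get("Image", "")
    child_user = ev.get("User", "").lower()
    parent_image = ev.get("ParentImage", "")
    parent_user = ev.get("ParentUser", "").lower()

    if child_user == SYSTEM_USER and parent_image.lower() not in LEGIT_SYSTEM_PARENTS:
        # Token elevated across the parent/child boundary: the Potato signature.
        if parent_user and parent_user != SYSTEM_USER:
            return ("high", f"SYSTEM process {image} spawned by non-SYSTEM parent "
                            f"{parent_image} running as {ev.get('ParentUser')}")
        return ("medium", f"SYSTEM process {image} spawned by unexpected parent {parent_image}")

    if basename(parent_image) in IMPERSONATING_SERVICES and basename(image) in SHELLS:
        # Precursor: a web or database worker spawning a shell, the usual
        # foothold from which a Potato binary is then launched.
        return ("medium", f"{basename(parent_image)} spawned shell {image} as {ev.get('User')}")
    return None


def scan(lines):
    """Run classify() over flattened records; return (UtcTime, severity, reason) hits."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        hit = classify(ev)
        if hit:
            alerts.append((ev.get("UtcTime"), *hit))
    return alerts


# Constructed sample records (not real telemetry), flattened to one line each.
SAMPLE_EVENTS = [
    r"EventID=1 UtcTime=2023-08-25 09:14:02.110 Image=c:\windows\system32\svchost.exe User=NT AUTHORITY\SYSTEM ParentImage=c:\windows\system32\services.exe ParentUser=NT AUTHORITY\SYSTEM",
    r"EventID=1 UtcTime=2023-08-25 09:15:37.502 Image=c:\windows\system32\cmd.exe User=IIS APPPOOL\DefaultAppPool ParentImage=c:\windows\system32\inetsrv\w3wp.exe ParentUser=IIS APPPOOL\DefaultAppPool",
    r"EventID=1 UtcTime=2023-08-25 09:15:41.019 Image=c:\windows\system32\cmd.exe User=NT AUTHORITY\SYSTEM ParentImage=c:\windows\temp\jp.exe ParentUser=IIS APPPOOL\DefaultAppPool",
    r"EventID=1 UtcTime=2023-08-25 09:20:00.000 Image=c:\windows\system32\wbem\wmiprvse.exe User=NT AUTHORITY\SYSTEM ParentImage=c:\windows\system32\svchost.exe ParentUser=NT AUTHORITY\SYSTEM",
    r"EventID=3 UtcTime=2023-08-25 09:21:13.000 Image=c:\windows\system32\cmd.exe User=NT AUTHORITY\SYSTEM DestinationIp=203.0.113.10",
]

if __name__ == "__main__":
    for when, sev, why in scan(SAMPLE_EVENTS):
        print(f"[{sev}] {when}: {why}")
```

On the constructed sample the scan produces two hits: a medium-severity alert for the IIS worker (w3wp.exe) spawning cmd.exe as the application pool identity, and a high-severity alert for the SYSTEM cmd.exe whose parent still ran as that pool identity, which is the token jump JuicyPotato performs. The allowlist approach is deliberately narrow; scheduled tasks, installers and EDR agents will need their own entries before this is deployed against production logs.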
ASEC urges users of INISAFE CrossWeb EX to upgrade to the latest patched release named in its advisory, since Lazarus has been actively exploiting known security flaws in the software since at least April 2022.
The INISAFE vulnerability was first documented by the security firm Symantec in 2022, when network activity pointed to attempts to breach South Korean chemical companies. Those attacks also began with a malicious HTML file and ultimately led to exploitation of the INISAFE Web EX Client.