• Mon. Oct 16th, 2023

Lazarus Strikes South Korean Websites

Avatar photo

ByEsme Greene

Aug 29, 2023
Lazarus Strikes South Korean Websites
Esme Greene
Latest posts by Esme Greene (see all)

Lazarus, a North Korean hacker organization, has started targeting Microsoft’s IIS (Internet Information Service) web servers as they use a new technique to disseminate malware.

A vulnerable version of the INISAFE CrossWeb EX V6 software is used by Lazarus hackers to infiltrate reliable South Korean websites and launch Watering hole attacks on unaware users.

A watering hole attack involves hackers inserting harmful code into widely used websites, which then becomes active when people visit the infected websites. In 2023, this technique exposed user data on notable Israeli logistics and delivery websites.

The primary target for the attackers has been INISAFE CrossWeb EX V6, which is widely utilized by many public and commercial entities in South Korea for financial transactions, security certification, and online banking.

A malicious HTM file is first spread via links or email in the assault. The INISAFE Web EX Client system administration program is then used to inject the HTM file, which has now been transformed into a DLL file.

Stealthy Malware Distribution and Elevated Privileges: Lazarus Strikes Again

The flaw enables the acquisition of a malicious payload by the attackers from an IIS server that has already been hacked, acting as a hub for the malware. Since past Lazarus efforts have utilized malware downloaders, the precise payload has not been examined by ASEC.

By employing JuicyPotato to raise privileges and get higher-level access to the targeted machine, Lazarus makes use of the malware it has obtained. By decrypting the downloaded files in memory and avoiding antivirus detection, the attackers use JuicyPotato to launch a second malware downloader.

Users of INISAFE CrossWeb EX are urged by ASEC to upgrade to the most recent version of the program ( or later), as Lazarus has been actively exploiting the program’s known security flaws since at least April 2022.

The INISAFE vulnerability was originally described by Symantec, an IS firm, in 2022, with network activity indicating efforts to attack South Korean chemical organizations. The assaults started with a malicious HTML file, which ultimately made the INISAFE Web EX Client vulnerable.

Avatar photo

Esme Greene

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.