A new cybercriminal campaign from the notorious Lazarus APT group targets the Windows Internet Information Service (IIS) web server and uses it to disseminate malware. Based on reports, this infamous North Korean state-sponsored advanced persistent threat group adopted a watering hole technique to acquire initial access by hacking Korean websites and altering their content.
The Lazarus APT employs the watering hole strategy to obtain initial access: it compromises Korean websites, alters their content, and then exploits a vulnerability in INISAFE CrossWeb EX V6 on the machines of visitors to those sites.
The threat actors install the malware strain through the INISAFECrossWebEXSvc[.]exe flaw once a user running a vulnerable version of INISAFE CrossWeb EX V6 visits one of the attacker-controlled websites.
The Lazarus APT group leveraged a malware strain with special features to gain a stronger foothold on the targeted system.
According to investigations, the Lazarus APT group deploys the JuicyPotato malware, along with Themida, to escalate its privileges and facilitate its operations.
After a successful intrusion into the targeted systems, the threat actors then try to install a DLL file called SCSKAppLink[.]dll. This DLL behaves like a downloader that retrieves additional malware strains from external sources, enabling the malware operators to take control of the compromised systems.
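The chain described in the two paragraphs above gives a defender three observable stages on the server itself: a low-privileged IIS worker process spawning something it should not, a JuicyPotato-style jump from the application-pool account to SYSTEM, and the downloader DLL being loaded. The Python below is an added example written for this page, not code from the report or from any vendor tool. It runs those three heuristics over constructed, Sysmon-like process-creation and image-load records. The record layout, the sample values, the list of interpreter names and the SYSTEM-descends-from-IIS rule are assumptions of the example; only w3wp.exe (the IIS worker process) and SCSKAppLink.dll come from the write-up. The privilege-jump rule rests on the general fact that JuicyPotato abuses the impersonation privilege that IIS application-pool accounts hold, so a SYSTEM-level process whose ancestry leads back to w3wp.exe is the thing worth alerting on.

```python
"""Added example: flag IIS-worker activity matching the intrusion chain above.

Log layout and sample values are constructed for this example; they are not
real telemetry. Only w3wp.exe and SCSKAppLink.dll are taken from the write-up.
"""
from typing import Dict, List, Optional, Tuple

IIS_WORKER = "w3wp.exe"
# Assumed list of interpreters an IIS worker has no business launching.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
# Downloader DLL named in the report (compared case-insensitively).
KNOWN_BAD_DLLS = {"scskapplink.dll"}
SYSTEM_USER = "nt authority\\system"

Event = Dict[str, object]
Alert = Tuple[str, int, str]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, Event]) -> List[Event]:
    """Parent chain of a process, oldest last; stops at unknown pids or cycles."""
    chain: List[Event] = []
    seen = set()
    cur: Optional[Event] = by_pid.get(pid)
    while cur is not None and cur["ppid"] not in seen:
        parent = by_pid.get(cur["ppid"])  # type: ignore[arg-type]
        if parent is None:
            break
        seen.add(cur["ppid"])
        chain.append(parent)
        cur = parent
    return chain


def descends_from_iis(ev: Event, by_pid: Dict[int, Event]) -> bool:
    return any(basename(a["image"]) == IIS_WORKER for a in ancestors(ev["pid"], by_pid))  # type: ignore[arg-type]


def analyse(events: List[Event]) -> List[Alert]:
    """Return (rule, pid, image) alerts for the three heuristics, in event order."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "ProcessCreate"}
    alerts: List[Alert] = []
    for e in events:
        img = basename(e["image"])  # type: ignore[arg-type]
        if e["type"] == "ProcessCreate":
            parent = by_pid.get(e["ppid"])
            # Rule 1: the IIS worker directly launches a shell or script host.
            if parent is not None and basename(parent["image"]) == IIS_WORKER and img in SUSPECT_CHILDREN:  # type: ignore[arg-type]
                alerts.append(("iis_spawned_interpreter", e["pid"], img))  # type: ignore[arg-type]
            # Rule 2: something under the app-pool worker now runs as SYSTEM
            # (the observable side of a JuicyPotato-style token abuse).
            if str(e["user"]).lower() == SYSTEM_USER and descends_from_iis(e, by_pid):
                alerts.append(("privilege_jump_under_iis", e["pid"], img))  # type: ignore[arg-type]
        elif e["type"] == "ImageLoad":
            # Rule 3: the downloader DLL named in the report is mapped into a process.
            if img in KNOWN_BAD_DLLS:
                alerts.append(("known_downloader_dll", e["pid"], img))  # type: ignore[arg-type]
    return alerts


# Constructed sample telemetry: one compromised app pool plus a benign ASP.NET compile.
SAMPLE_EVENTS: List[Event] = [
    {"type": "ProcessCreate", "pid": 800, "ppid": 4, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "ProcessCreate", "pid": 1200, "ppid": 800, "user": "IIS APPPOOL\\DefaultAppPool",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "ProcessCreate", "pid": 1300, "ppid": 1200, "user": "IIS APPPOOL\\DefaultAppPool",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "ProcessCreate", "pid": 1400, "ppid": 1300, "user": "IIS APPPOOL\\DefaultAppPool",
     "image": r"C:\Windows\Temp\upd.exe"},  # constructed stand-in for the escalation binary
    {"type": "ProcessCreate", "pid": 1500, "ppid": 1400, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "ImageLoad", "pid": 1500, "ppid": 1400, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\Temp\SCSKAppLink.dll"},
    {"type": "ProcessCreate", "pid": 1600, "ppid": 800, "user": "IIS APPPOOL\\Intranet",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "ProcessCreate", "pid": 1700, "ppid": 1600, "user": "IIS APPPOOL\\Intranet",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},  # normal ASP.NET compile
]

if __name__ == "__main__":
    for rule, pid, image in analyse(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid} image={image}")
```

Run stand-alone, the script reports the cmd.exe launched by the worker, the SYSTEM-level cmd.exe whose ancestry leads back to w3wp.exe, and the SCSKAppLink.dll load, while the second app pool's csc.exe compile (a routine ASP.NET event) produces nothing. Rule 2 is the one worth keeping even when attackers rename their tooling, because it keys on the privilege change rather than on a file name.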
The Lazarus group has also taken part in several attacks in the past few months. Reports stated that the group was behind the breach of JumpCloud, which led JumpCloud to reset its customers’ API keys and take precautionary measures to secure its systems.
Furthermore, separate research last June claimed that this North Korean state-sponsored threat group is responsible for the attack against the Atomic Wallet. The campaign resulted in losing about $35 million worth of cryptocurrency.
The Lazarus APT group’s activities targeting Windows IIS web servers pose a significant threat to users and organisations. Everyone should therefore adopt a robust security measure, such as attack surface management, to stay protected against such attacks.
Such measures help identify exposed assets and apply the latest security patches. Consistent and proper cybersecurity hygiene is essential to lessen the risks posed by nation-backed threat groups.