Vulnerable Microsoft Internet Information Services instances have been targeted by the North Korean state-sponsored threat operation Lazarus Group to facilitate malware deployment efforts, reports The Hacker News.
Lazarus Group has been using the Windows IIS web server process "w3wp.exe" to drop the malicious msvcr100.dll library alongside the Wordconv.exe application so that the application side-loads it, according to a report from the AhnLab Security Emergency response Center (ASEC).
Running the application loads the DLL, which decrypts and executes an encoded payload; the attackers then abuse the defunct Notepad++ plugin 'Quick Color Picker' to deliver credential-stealing malware, researchers said.
"...[S]ince the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement," noted ASEC.
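ASEC's recommendation above is to watch for abnormal process execution relationships. The following script is an added example (not ASEC's, SC Media's, or The Hacker News' code) of what that monitoring looks like in practice: it runs two checks over simplified, Sysmon-style process-creation and image-load events. The event dictionaries are constructed sample data, not real telemetry, and the child-process allowlist and trusted DLL directories are assumptions that a real deployment would tune to its own IIS baseline.

```python
"""Detect the two relationships described in the article: the IIS worker
process w3wp.exe spawning an unexpected child, and Wordconv.exe loading
msvcr100.dll from somewhere other than a trusted system directory.

Added example; the event format and allowlists are assumptions.
"""
from __future__ import annotations

import ntpath

# Assumption: child processes an IIS worker is normally allowed to spawn.
# Illustrative only; derive the real list from your own IIS baseline.
W3WP_CHILD_ALLOWLIST = {"conhost.exe", "csc.exe", "cvtres.exe"}

# Assumption: directories from which the legitimate CRT msvcr100.dll is loaded.
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _basename(path: str) -> str:
    # ntpath handles Windows-style paths regardless of the host OS.
    return ntpath.basename(path).lower()


def _dirname(path: str) -> str:
    return ntpath.dirname(path).lower()


def check_process_create(event: dict) -> str | None:
    """Flag w3wp.exe spawning a child outside the allowlist."""
    if event.get("EventType") != "ProcessCreate":
        return None
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent == "w3wp.exe" and child not in W3WP_CHILD_ALLOWLIST:
        return f"w3wp.exe spawned unexpected child {child} (pid {event.get('ProcessId')})"
    return None


def check_image_load(event: dict) -> str | None:
    """Flag Wordconv.exe loading msvcr100.dll from a non-system directory."""
    if event.get("EventType") != "ImageLoad":
        return None
    process = _basename(event.get("Image", ""))
    dll = event.get("ImageLoaded", "")
    if (process == "wordconv.exe" and _basename(dll) == "msvcr100.dll"
            and _dirname(dll) not in TRUSTED_DLL_DIRS):
        return f"wordconv.exe side-loaded msvcr100.dll from {_dirname(dll)}"
    return None


def scan(events: list[dict]) -> list[str]:
    """Run both checks over a list of events and return the alerts raised."""
    alerts = []
    for ev in events:
        for check in (check_process_create, check_image_load):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},        # normal start
    {"EventType": "ProcessCreate", "ProcessId": 5208,
     "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},   # allowlisted child
    {"EventType": "ProcessCreate", "ProcessId": 5311,
     "Image": r"C:\Users\Public\Wordconv.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},   # unexpected child
    {"EventType": "ImageLoad", "ProcessId": 5311,
     "Image": r"C:\Users\Public\Wordconv.exe",
     "ImageLoaded": r"C:\Users\Public\msvcr100.dll"},           # side-loaded DLL
    {"EventType": "ImageLoad", "ProcessId": 5311,
     "Image": r"C:\Users\Public\Wordconv.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},       # legitimate CRT load
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

On the sample data the script raises exactly two alerts: the unexpected child of w3wp.exe and the msvcr100.dll load from the user-writable directory. The legitimate System32 load and the allowlisted conhost.exe child stay silent, which is the point of pairing a parent-child rule with a DLL-path rule rather than alerting on either process name alone.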