The Lazarus threat group has stepped up its attacks on vulnerable Microsoft Internet Information Services (IIS) instances, using them not only as access points for target organizations but also to spread malware.
Microsoft IIS web servers are a popular attack vector for hackers, including the Lazarus advanced persistent threat (APT) group, which is believed to be North Korean state-sponsored and has previously been observed targeting them.
In a blog post published on Monday, AhnLab Security Emergency response Center (ASEC) researchers said they had recently observed attacks by Lazarus on South Korean websites where IIS servers were used as malware distribution points.
“After the Lazarus group attacks an IIS web server and obtains control, it will use the server to distribute malware used for INITECH vulnerability attacks,” the researchers said.
INITECH is an enterprise software vendor and ASEC has previously observed Lazarus exploiting vulnerabilities in its INISAFE CrossWeb EX V3 system management solution to inject DLL files into targeted systems.
The ASEC researchers said that, like Lazarus’ earlier IIS attacks, the most recent ones used an IIS worker process, w3wp.exe, to deploy the group’s malware strain.
While they had not analyzed the latest payload, based on Lazarus’ past tactics, the researchers said, “the ultimately executed malware strains are mostly downloaders that download additional malware types or backdoors that can receive commands from the threat actor to perform malicious behaviors”.
AhnLab logs showed there were ongoing INISAFE vulnerability attacks against systems using older, unpatched versions of INISAFE CrossWeb EX.
“After these attacks, the threat actor attempted to install an additional malware ‘SCSKAppLink.dll’ in the infected system through INISAFE vulnerability attacks,” the ASEC researchers said.
“The download URL for ‘SCSKAppLink.dll’ was identified as being the aforementioned IIS web server. This signifies that the threat actor attacked and gained control over IIS web servers before using these as servers for distributing malware.”
They said SCSKAppLink.dll had previously been identified as malware that downloads and executes additional malware strains from an external source. “It can install malware types designated by the attacker in the system to gain control.”
ASEC advises organizations using a vulnerable version of INISAFE CrossWeb EX V3 to uninstall it and update to the latest version.
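Two defender-side checks follow from the report above: the IIS worker process w3wp.exe spawning a child it normally would not, and any process whose command line references the downloader file name SCSKAppLink.dll. This is an added example, not code from ASEC or AhnLab; the pipe-separated event format, the allowlist of expected w3wp.exe children and the sample events (including the `inisafe_client.exe` parent path) are all constructed for illustration.

```python
"""Flag process-creation events that match the behaviour described in the report.
The 'Key=Value|Key=Value' record format and all sample events are constructed for
this example; they are not real telemetry or a real log format."""
from __future__ import annotations
import ntpath

# Assumption: children w3wp.exe starts legitimately (e.g. ASP.NET compilation).
# Tune this to the server's own baseline before relying on it.
EXPECTED_W3WP_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe"}
DOWNLOADER_DLL = "scskapplink.dll"  # file name taken from the ASEC report


def parse_event(line: str) -> dict[str, str]:
    """Parse one 'Key=Value|Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def classify(event: dict[str, str]) -> str | None:
    """Return a reason string if the event is suspicious, otherwise None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "").lower()
    if DOWNLOADER_DLL in cmdline:
        return f"command line references {DOWNLOADER_DLL}"
    if parent == "w3wp.exe" and child not in EXPECTED_W3WP_CHILDREN:
        return f"w3wp.exe spawned unexpected child {child}"
    return None


def find_suspicious(lines: list[str]) -> list[tuple[str, str]]:
    """Return (child image basename, reason) for every suspicious event."""
    hits = []
    for event in map(parse_event, lines):
        reason = classify(event)
        if reason:
            hits.append((ntpath.basename(event["Image"]).lower(), reason))
    return hits


SAMPLE_EVENTS = [  # constructed sample data; paths are hypothetical
    r"Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|CommandLine=csc.exe /noconfig /t:library",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|CommandLine=cmd.exe /c dir",
    r"Image=C:\Windows\System32\regsvr32.exe|ParentImage=C:\hypothetical\inisafe_client.exe|CommandLine=regsvr32.exe /s C:\Temp\SCSKAppLink.dll",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe",
]

if __name__ == "__main__":
    for image, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

The first rule belongs on the IIS server itself, the second on endpoints running INISAFE CrossWeb EX, where the report says the DLL is installed.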