The notorious Lazarus Group has been observed targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to spread malware on targeted systems.
These findings come from the AhnLab Security Emergency Response Center (ASEC), which details the advanced persistent threat (APT) actor's continued abuse of DLL side-loading techniques to spread malware.
“The threat actor placed a malicious DLL (msvcr100.dll) in the same folder path as the normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe,” ASEC explained. “They then run the normal application to start the execution of the malicious DLL.”
Lazarus, a highly capable nation-state group with longstanding ties to North Korea, was recently seen leveraging a similar technique in connection with a cascading supply chain attack on enterprise communications service provider 3CX.
The malicious msvcr100.dll library, for its part, is designed to decrypt encoded payloads that are then executed in memory. The malware is said to be a variant of a similar artifact found by ASEC last year, which acts as a backdoor to communicate with actor-controlled servers.
The next phase of the attack entailed exploitation of the discontinued open source Notepad++ plugin called Quick Color Picker to deliver additional malware that facilitates credential theft and lateral movement.
Recent developments demonstrate the diversity of Lazarus attacks and its ability to use an extensive set of tools against victims to carry out long-term espionage operations.
“In particular, because threat groups mainly use DLL sideloading techniques during their initial infiltration, enterprises must proactively monitor process execution relationships for abnormalities and take countermeasures to prevent threat groups from carrying out activities such as information exfiltration and lateral movement,” said ASEC.
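As an added illustration that is not part of the ASEC report or this article, the following Python sketch applies the monitoring advice above to constructed process-creation and image-load records shaped like Sysmon events 1 and 7: it flags a process spawned by w3wp.exe and a msvcr100.dll resolved from the application's own folder rather than a trusted system directory. The field names, sample paths and the trusted-directory list are assumptions.

```python
import ntpath
# Web-server worker processes that rarely have a legitimate reason to spawn children.
WEB_WORKERS = {"w3wp.exe"}
# DLL names abused for side-loading in this campaign (msvcr100.dll is from the report).
SIDELOAD_DLLS = {"msvcr100.dll"}
# Where the genuine CRT copies live (assumption: default Windows install paths).
TRUSTED_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def spawned_by_web_worker(ev):
    """Process-create record whose parent is an IIS worker process."""
    return ntpath.basename(ev["ParentImage"]).lower() in WEB_WORKERS

def sideloaded_from_app_dir(ev):
    """Image-load record: watched DLL resolved from the app's own folder, not a trusted dir."""
    name = ntpath.basename(ev["ImageLoaded"]).lower()
    if name not in SIDELOAD_DLLS:
        return False
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    app_dir = ntpath.dirname(ev["Image"]).lower()
    return dll_dir not in TRUSTED_DLL_DIRS and dll_dir == app_dir

def find_sideload_chain(events):
    """Return (pid, reason) findings; a load inside a w3wp child is tagged as the full chain."""
    findings, web_children = [], set()
    for ev in events:
        if ev["EventID"] == 1 and spawned_by_web_worker(ev):
            web_children.add(ev["ProcessId"])
            findings.append((ev["ProcessId"], "spawned by " + ntpath.basename(ev["ParentImage"])))
        elif ev["EventID"] == 7 and sideloaded_from_app_dir(ev):
            chain = " in w3wp child" if ev["ProcessId"] in web_children else ""
            findings.append((ev["ProcessId"], "side-loaded DLL" + chain))
    return findings

# Constructed sample records (not real telemetry); field names follow Sysmon's event 1 and 7.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\inetpub\wwwroot\app\Wordconv.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 7, "ProcessId": 4242, "Image": r"C:\inetpub\wwwroot\app\Wordconv.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\app\msvcr100.dll"},
    # Benign: the worker itself loading the genuine runtime from System32.
    {"EventID": 7, "ProcessId": 1000, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},
    # Benign: a user launching the same converter from Explorer.
    {"EventID": 1, "ProcessId": 5151, "Image": r"C:\Program Files\Office\Wordconv.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
if __name__ == "__main__":
    for pid, reason in find_sideload_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

Parent/child and image-load events must be correlated by process ID in this order; in real telemetry the load may arrive before the creation event is indexed, so production rules should join on process GUID rather than rely on sequence.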
US Treasury Department Sanctions North Korean Entities
The findings also come as the US Treasury Department sanctions four entities and one individual involved in malicious cyber activity and fundraising schemes aimed at supporting North Korea’s strategic priorities.
These include the Pyongyang Automation University, the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center, the Chinyong Information Technology Cooperation Corporation, and a North Korean national named Kim Sang Man.
The Lazarus Group and its various sub-groups are believed to be operated by the Technical Reconnaissance Bureau, which oversees North Korea’s development of offensive cyber tools and tactics.
North Korea, apart from engaging in cryptocurrency theft and espionage operations, is known to generate illegal income from a labor force of skilled IT workers who pose under fictitious identities to get jobs in the technology and virtual currency sectors around the world.
“The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain jobs to generate revenue, including in virtual currency, to support the Kim regime and its priorities, such as its weapons of mass destruction and unlawful ballistic missile programs,” the Treasury Department said.
“These workers intentionally obscure their identity, location, and nationality, usually using fake personas, proxy accounts, stolen identities, and fake or forged documentation to apply for jobs at these companies.”
“They make hundreds of millions of dollars a year engaging in various IT development jobs, including freelancing platforms (websites/apps) and cryptocurrency development, after securing freelancing contracts from companies around the world,” the South Korean government warned in December 2022.