infamous Lazarus Group Attackers are targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial entry point for deploying malware on targeted systems.
The findings, from the AhnLab Security Emergency Response Center (ASEC), detail how Advanced Persistent Threats (APTs) continue to exploit DLL sideloading techniques to deploy malware. doing.
“Through the Windows IIS web server process w3wp.exe, an attacker places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe),” ASEC explained. “Then they run normal applications and start executing malicious DLLs.”
Sideloading DLLsis similar to DLL search order hijacking, proxy execution It infects a malicious DLL via a benign binary planted in the same directory.
Lazarus, a highly effective and persistent nation-state group with ties to North Korea, was recently discovered to be using the same technique in connection with a cascading supply chain attack against enterprise communications service provider 3CX. I was.
The malicious msvcr100.dll library is designed to decrypt the encoded payload and execute it in memory. This malware is said to be a variant of similar artifacts created earlier. discovered It was introduced by ASEC last year and acted as a backdoor to communicate with attacker-controlled servers.
The attack chain also included the exploitation of a deprecated open-source Notepad++ plugin. quick color picker Delivers additional malware to facilitate credential theft and lateral movement.
The latest developments demonstrate the versatility of the Lazarus attack and its ability to use an extensive set of tools against the victim to carry out long-term espionage.
“In particular, since threat groups primarily utilize DLL sideloading techniques during initial intrusions, enterprises should actively monitor for anomalous process execution relationships, allowing threat groups to perform activities such as information leaks and lateral movement. We need to take pre-emptive measures to prevent it from happening,” ASEC said.
US Treasury imposes sanctions on North Korean companies
The findings also show that the U.S. Treasury Department has sanctioned four entities and one individual involved in malicious cyber activities and fundraising schemes aimed at supporting North Korea’s strategic priorities. announced after receiving
Zero Trust + Deception: Learn How to Outsmart Attackers!
See how Deception can detect advanced threats, stop lateral movement, and strengthen your Zero Trust strategy. Join us for an insightful webinar!
This includes the Pyongyang Automation University, the Technology Reconnaissance Bureau and its subordinate cyber unit, the 110 Research Center, the Jinnyeong Information Technology Cooperation Company, and a North Korean named Kim Sang-man.
Lazarus Group and its various clusters are believed to be operated by the Technical Reconnaissance Bureau, which oversees the development of offensive cyber tactics and tools by North Korea.
The sanctioned country is known for making illegal profits from its workforce of skilled IT workers, in addition to stealing cryptocurrencies and engaging in espionage. pose under a fictional character You can get jobs in technology and cryptocurrencies all over the world.
“North Korea engages in malicious cyber activities and fraudulently obtains employment for income, including cryptocurrency, in support of the Kim regime and its priorities such as its illegal weapons of mass destruction and ballistic missile programs. staffed with information technology (IT) workers. Said.
“These workers typically use fake personas, proxy accounts, stolen identities, and forged or forged documents to apply for jobs at these companies, thus exposing their identity, location, Nationality is intentionally vague.”
The South Korean government said, “After obtaining freelance employment contracts from companies around the world, they will engage in a wide range of IT development work such as freelance work platforms (websites and applications) and virtual currency development, earning hundreds of millions of dollars annually. I’m earning,” he said. warned In December 2022.