Lazarus Group Weaponizes IIS Servers for Deploying Malicious ASP Web Shells

The notorious Lazarus group has been identified as leveraging compromised IIS servers to deploy malicious ASP web shells.

These sophisticated attacks have been reported to facilitate the spread of malware, including the LazarLoader variant, and utilize privilege escalation tools to gain extensive control over infected systems.

The Lazarus group, associated with North Korean actors, has been active in orchestrating high-profile cyber operations, ranging from financial heists to espionage missions.

Their tactics often involve exploiting vulnerabilities in web servers and leveraging web shells to manage their command and control (C2) infrastructure.

Recent Attack Techniques

Recent reports from AhnLab Security Intelligence Center (ASEC) highlight the Lazarus group’s latest tactics involving IIS servers.

These servers, specifically targeting South Korean entities, are used as first-stage C2 servers, acting as proxies to mediate communication between malware and secondary C2 servers.

This strategic setup allows the group to maintain stealth and longevity in their operations.

C2 Script Analysis

The newly identified C2 script, while differing from past variants, maintains a similar purpose—operating as a proxy to manage communication across different stages of the attack.

The same type as the C2 script publicly disclosed by Kaspersky

Notable enhancements include support for both form data and cookie data during communication. The script handles various commands:

Form Mode:
- MidRequest: Redirect data
- ProxyCheck: Save mid info
- ReadFile, WriteFile: Manipulate files
- ClientHello: Respond with mid info and write proxy log
- ProxyLog: Respond with proxy log
- CheckFileTransfer: Look up file
Cookie Method:
- Similar commands are supported, with MidRequest, ReadFile, WriteFile, and ClientHello

Web Shell Analysis

In addition to C2 scripts, the Lazarus group has utilized web shells like the RedHat Hacker web shell.

The web shells, found in files such as function2.asp, are encrypted and require a password for access, which was recently identified as 2345rdx.

These shells provide extensive functionalities, including file management, process execution, and SQL queries.

Other web shells named file_uploader_ok.asp and find_pwd.asp were also identified, offering similar capabilities while using different encryption keys for packet decryption.

LazarLoader and Privilege Escalation

LazarLoader, a malware loader, has been observed in conjunction with these web shells. It downloads, decrypts, and executes payloads from external sources.

In recent attacks, LazarLoader was used to load additional malware, leveraging a hardcoded address for payload download and a specific key for decryption.

Alongside LazarLoader, a privilege escalation tool was identified, employing UAC bypass techniques through ComputerDefaults.exe or fodhelper.exe to execute malware with elevated privileges.

Impact and Recommendations

The Lazarus group’s ability to weaponize IIS servers and exploit vulnerabilities underscores the importance of robust security measures for web servers. Here are key recommendations:

Regular Security Audits: Conduct frequent audits to detect any unauthorized access or changes in server configurations.
Strong Authentication: Ensure strong passwords are used for all web related access points, and consider multi-factor authentication.
Up-to-Date Software: Keep operating systems, web servers, and security software updated to prevent exploitation of known vulnerabilities.
Monitor Network Traffic: Implement monitoring tools to detect suspicious communication patterns indicative of C2 activity.

In conclusion, the Lazarus group’s evolving tactics highlight the need for vigilance and proactive defense strategies against such sophisticated threats.

As cyber adversaries continue to innovate, staying informed about the latest attack techniques is crucial for effective cybersecurity.

For organizations concerned about these threats, the following actions are recommended:

Review Server Configurations to ensure they are not exposed to unnecessary vulnerabilities.
Implement Enhanced Monitoring tools to catch anomalies in real-time.
Train Personnel on recognizing and responding to potential security incidents.

By taking these proactive steps, organizations can significantly reduce their exposure to the ongoing threats posed by the Lazarus group and similar cyber actors.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.