The notorious Lazarus group has been identified as leveraging compromised IIS servers to deploy malicious ASP web shells.
These sophisticated attacks have been reported to facilitate the spread of malware, including the LazarLoader variant, and utilize privilege escalation tools to gain extensive control over infected systems.
The Lazarus group, associated with North Korean actors, has been active in orchestrating high-profile cyber operations, ranging from financial heists to espionage missions.
Their tactics often involve exploiting vulnerabilities in web servers and leveraging web shells to manage their command and control (C2) infrastructure.
Recent reports from AhnLab Security Intelligence Center (ASEC) highlight the Lazarus group’s latest tactics involving IIS servers.
In attacks aimed specifically at South Korean entities, these compromised servers are used as first-stage C2 servers, acting as proxies that relay communication between the malware and secondary C2 servers.
This layered setup lets the group keep its real C2 infrastructure hidden and prolong its operations.
C2 Script Analysis
The newly identified C2 script, while differing from past variants, maintains a similar purpose—operating as a proxy to manage communication across different stages of the attack.
Notable enhancements include support for both form data and cookie data during communication. The script handles various commands:
Web Shell Analysis
In addition to C2 scripts, the Lazarus group has utilized web shells like the RedHat Hacker web shell.
The web shells, found in files such as function2.asp, are encrypted and require a password for access, which was recently identified as 2345rdx.
These shells provide extensive functionalities, including file management, process execution, and SQL queries.
Other web shells named file_uploader_ok.asp and find_pwd.asp were also identified, offering similar capabilities while using different encryption keys for packet decryption.
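The IIS servers described above sit in front of the real C2 and relay traffic for web shells such as function2.asp and file_uploader_ok.asp. A defender's first stop is the IIS W3C log. The script below is an added example written for this article, not code from ASEC or the report; it parses W3C records using the #Fields directive and flags ASP endpoints that receive POSTs, cookies, or payload-sized request bodies outside a known-good list. The log sample is constructed, and the assumptions are that cs(Cookie) and cs-bytes logging are enabled, that KNOWN_ASP is populated from the site's own inventory, and that the 1024-byte threshold is a tuning starting point.

```python
"""Triage IIS W3C logs for web-shell-like traffic to ASP endpoints.

Added example for this article (not from the ASEC report).  Assumptions:
the server logs cs(Cookie) and cs-bytes, KNOWN_ASP lists the site's own
legitimate ASP pages, and MIN_SUSPICIOUS_BYTES is a local tuning value.
"""
from collections import Counter

# Constructed sample log; the file names mirror those named in the article.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Cookie) sc-status cs-bytes
2024-05-01 09:12:01 10.0.0.5 GET /default.asp - 80 203.0.113.10 Mozilla/5.0 - 200 412
2024-05-01 09:12:07 10.0.0.5 POST /login.asp - 80 203.0.113.10 Mozilla/5.0 ASPSESSIONID=abc 302 640
2024-05-01 09:13:20 10.0.0.5 POST /img/function2.asp - 80 198.51.100.7 Mozilla/5.0 - 200 2048
2024-05-01 09:13:25 10.0.0.5 POST /img/function2.asp - 80 198.51.100.7 Mozilla/5.0 id=abc123;s=1 200 5120
2024-05-01 09:14:00 10.0.0.5 POST /upload/file_uploader_ok.asp - 80 198.51.100.7 python-requests/2.31 - 200 90112
2024-05-01 09:15:00 10.0.0.5 GET /images/logo.png - 80 203.0.113.11 Mozilla/5.0 - 200 300
"""

KNOWN_ASP = {"/default.asp", "/login.asp"}   # assumption: site's legitimate ASP endpoints
MIN_SUSPICIOUS_BYTES = 1024                  # assumption: size at which a POST body looks payload-like


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or headerless record: skip rather than guess
        yield dict(zip(fields, values))


def score_record(rec):
    """Return the reasons a record looks like web-shell traffic (empty list = benign)."""
    reasons = []
    stem = rec["cs-uri-stem"].lower()
    if not stem.endswith(".asp"):
        return reasons
    unknown = stem not in KNOWN_ASP
    if rec["cs-method"] == "POST" and unknown:
        reasons.append("POST to unknown ASP endpoint")
    if rec.get("cs(Cookie)", "-") != "-" and unknown:
        reasons.append("cookie sent to unknown ASP endpoint")
    try:
        if rec["cs-method"] == "POST" and int(rec.get("cs-bytes", 0)) >= MIN_SUSPICIOUS_BYTES:
            reasons.append("large request body")
    except ValueError:
        pass  # cs-bytes was "-" or otherwise non-numeric
    return reasons


def triage(text):
    """Return (client ip, uri stem, reasons) for every record that scores."""
    hits = []
    for rec in parse_w3c(text):
        reasons = score_record(rec)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


def top_clients(hits):
    """Rank client addresses by number of suspicious records, for pivoting."""
    return Counter(ip for ip, _, _ in hits).most_common()


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip, stem, why in found:
        print(f"{ip} {stem}: {', '.join(why)}")
    print("top clients:", top_clients(found))
```

On the constructed sample, the legitimate POST to /login.asp is ignored and the three requests from 198.51.100.7 to the two unknown ASP files are flagged, which is the pivot a SOC analyst would take before pulling the files themselves for review.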
LazarLoader, a malware loader, has been observed in conjunction with these web shells. It downloads, decrypts, and executes payloads from external sources.
In recent attacks, LazarLoader was used to load additional malware, leveraging a hardcoded address for payload download and a specific key for decryption.
Alongside LazarLoader, a privilege escalation tool was identified, employing UAC bypass techniques through ComputerDefaults.exe or fodhelper.exe to execute malware with elevated privileges.
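The UAC bypass tool above rides on auto-elevating Windows binaries, so the detection artifact is simple: ComputerDefaults.exe or fodhelper.exe appearing as the parent of an unexpected high-integrity child. The script below is an added example for this article, not ASEC's or the tool's code; it runs that rule over constructed process-creation events shaped like Sysmon event ID 1 fields. The field names, the EXPECTED_CHILDREN allowlist and the user-writable-path heuristic used for severity are assumptions to be tuned per environment.

```python
"""Flag children of auto-elevating Windows binaries named in the article.

Added example, not from the ASEC report.  The event field names imitate a
Sysmon process-creation record and are an assumption; so is the allowlist.
"""

# Binaries the article names as UAC bypass vehicles.
AUTO_ELEVATING = {"fodhelper.exe", "computerdefaults.exe"}
# Assumption: children these binaries may legitimately launch; tune locally.
EXPECTED_CHILDREN = {"systemsettings.exe"}

# Constructed events; paths and users are fictional.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\fodhelper.exe",
     "parent_image": r"C:\Windows\explorer.exe", "integrity": "High", "user": r"CORP\alice"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "parent_image": r"C:\Windows\System32\fodhelper.exe", "integrity": "High", "user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\ComputerDefaults.exe", "integrity": "High", "user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "integrity": "Medium", "user": r"CORP\alice"},
    {"image": r"C:\Windows\ImmersiveControlPanel\SystemSettings.exe",
     "parent_image": r"C:\Windows\System32\fodhelper.exe", "integrity": "High", "user": r"CORP\alice"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    """Heuristic (assumption): profile and temp directories are user-writable."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\temp\\" in p or "\\appdata\\" in p


def detect_uac_bypass(events):
    """Return findings for high-integrity children of auto-elevating parents."""
    findings = []
    for ev in events:
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev.get("image", ""))
        if parent not in AUTO_ELEVATING or child in EXPECTED_CHILDREN:
            continue
        if ev.get("integrity", "").lower() != "high":
            continue  # the bypass only matters if the child actually got elevated
        severity = "high" if is_user_writable(ev["image"]) else "medium"
        findings.append({
            "parent": parent,
            "child": ev["image"],
            "user": ev.get("user", "?"),
            "severity": severity,
            "reason": f"{parent} spawned high-integrity {child}",
        })
    return findings


if __name__ == "__main__":
    for f in detect_uac_bypass(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']} ({f['child']}) as {f['user']}")
```

The integrity-level check is what separates a real bypass from noise: a child that stayed at Medium integrity did not gain anything. Child binaries living under a user profile are rated higher because a dropped loader such as LazarLoader would typically run from there rather than from System32.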
The Lazarus group’s ability to weaponize IIS servers and exploit vulnerabilities underscores the importance of robust security measures for web servers. Here are key recommendations:
In conclusion, the Lazarus group’s evolving tactics highlight the need for vigilance and proactive defense strategies against such sophisticated threats.
As cyber adversaries continue to innovate, staying informed about the latest attack techniques is crucial for effective cybersecurity.
For organizations concerned about these threats, the following actions are recommended:
By taking these proactive steps, organizations can significantly reduce their exposure to the ongoing threats posed by the Lazarus group and similar cyber actors.