The notorious Lazarus group has been identified as leveraging compromised IIS servers to deploy malicious ASP web shells.
These sophisticated attacks have been reported to facilitate the spread of malware, including the LazarLoader variant, and utilize privilege escalation tools to gain extensive control over infected systems.
The Lazarus group, associated with North Korean actors, has been active in orchestrating high-profile cyber operations, ranging from financial heists to espionage missions.
Their tactics often involve exploiting vulnerabilities in web servers and leveraging web shells to manage their command and control (C2) infrastructure.
Recent reports from AhnLab Security Intelligence Center (ASEC) highlight the Lazarus group’s latest tactics involving IIS servers.
In attacks targeting South Korean entities, these compromised servers are used as first-stage C2 servers: they act as proxies that relay communication between the malware and the secondary C2 servers.
This setup allows the group to maintain stealth and longevity in their operations, since the victim only ever sees traffic to a legitimate-looking IIS host.
C2 Script Analysis
The newly identified C2 script, while differing from past variants, maintains a similar purpose—operating as a proxy to manage communication across different stages of the attack.
Notable enhancements include support for both form data and cookie data during communication. The script handles various commands:
Web Shell Analysis
In addition to C2 scripts, the Lazarus group has utilized web shells like the RedHat Hacker web shell.
The web shells, found in files such as function2.asp, are encrypted and require a password for access, which was recently identified as 2345rdx.
These shells provide extensive functionalities, including file management, process execution, and SQL queries.
Other web shells named file_uploader_ok.asp and find_pwd.asp were also identified, offering similar capabilities while using different encryption keys for packet decryption.
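As an added illustration (not code from the ASEC report or from this article), the following Python script triages IIS W3C log lines for the web shell file names reported above and, more generally, for POST traffic to any .asp page outside an allow list of pages the application is known to serve. The log excerpt, the client addresses and the allow list are constructed for the example.

```python
# Web shell file names reported by ASEC (from the article above); everything else here is constructed.
KNOWN_WEBSHELL_NAMES = {"function2.asp", "file_uploader_ok.asp", "find_pwd.asp"}
# Hypothetical allow list of ASP pages the application legitimately serves.
ALLOWED_ASP = {"/index.asp", "/login.asp"}
# Constructed IIS W3C log excerpt (not from a real incident); client IPs use documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) sc-status
2025-05-01 09:12:01 10.0.0.5 GET /index.asp - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-05-01 09:12:09 10.0.0.5 POST /upload/function2.asp - 443 - 198.51.100.23 python-requests/2.31 - 200
2025-05-01 09:13:44 10.0.0.5 POST /upload/file_uploader_ok.asp - 443 - 198.51.100.23 python-requests/2.31 - 200
2025-05-01 09:15:02 10.0.0.5 POST /images/x.asp - 443 - 198.51.100.23 python-requests/2.31 id=AB12 200
2025-05-01 09:16:30 10.0.0.5 GET /login.asp - 443 - 203.0.113.9 Mozilla/5.0 - 200
"""

def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))

def find_suspicious(records, allowed_asp=ALLOWED_ASP):
    """Return (client ip, uri, reason) for reported web shell names and POSTs to unlisted .asp pages."""
    hits = []
    for r in records:
        stem = r["cs-uri-stem"]
        name = stem.rsplit("/", 1)[-1].lower()
        if name in KNOWN_WEBSHELL_NAMES:
            hits.append((r["c-ip"], stem, "name matches reported web shell"))
        elif r["cs-method"] == "POST" and name.endswith(".asp") and stem.lower() not in allowed_asp:
            hits.append((r["c-ip"], stem, "POST to .asp page outside allow list"))
    return hits

def triage(text=SAMPLE_LOG):
    """Run both checks over a log text and return the list of hits."""
    return find_suspicious(parse_w3c(text))

if __name__ == "__main__":
    for ip, uri, reason in triage():
        print(f"{ip} {uri} ({reason})")
```

The second rule is the generalisation: a web shell or C2 proxy script is a server-side page the application never shipped, so POST traffic to an .asp file outside the deployment manifest is worth a look even when the file name is new.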
LazarLoader, a malware loader, has been observed in conjunction with these web shells. It downloads, decrypts, and executes payloads from external sources.
In recent attacks, LazarLoader was used to load additional malware, leveraging a hardcoded address for payload download and a specific key for decryption.
Alongside LazarLoader, a privilege escalation tool was identified, employing UAC bypass techniques through ComputerDefaults.exe or fodhelper.exe to execute malware with elevated privileges.
The Lazarus group’s ability to weaponize IIS servers and exploit vulnerabilities underscores the importance of robust security measures for web servers. Here are key recommendations:
In conclusion, the Lazarus group’s evolving tactics highlight the need for vigilance and proactive defense strategies against such sophisticated threats.
As cyber adversaries continue to innovate, staying informed about the latest attack techniques is crucial for effective cybersecurity.
For organizations concerned about these threats, the following actions are recommended:
By taking these proactive steps, organizations can significantly reduce their exposure to the ongoing threats posed by the Lazarus group and similar cyber actors.