Analysis of Lazarus Group’s Attack on Windows Web Servers

2025-03-10, Ahnlab
https://asec.ahnlab.com/en/86687/
#LazarLoader #Lazarus

AhnLab SEcurity intelligence Center (ASEC) has identified attack cases in which the Lazarus group breached a legitimate server and used it as a C2. Attacks that install a web shell and a C2 script on South Korean web servers continue to occur, and in some cases the LazarLoader malware and privilege escalation tools have also been identified.
1. C2 Script (Proxy)
In May 2024, a case was identified in which the Lazarus group attacked a Korean web server and used it as a first-stage C2 server. The first-stage C2 server acts as a proxy for the next-stage C2 server, relaying communication between the malware and the second-stage C2 server. Because the targeted web server ran IIS, the web shell and the C2 script were written in ASP. This is the same type as the one disclosed by Kaspersky in December 2020.
Figure 1. …