Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points
AhnLab Security Emergency response Center (ASEC) has discovered that Lazarus, a threat group assessed to be state-sponsored, is attacking Windows Internet Information Services (IIS) web servers and using them as distribution points for its malware.
The group is known to use the watering hole technique for initial access. [1] It first compromises Korean websites and modifies the content they serve. When a system running a vulnerable version of INISAFE CrossWeb EX V6 visits such a website through a web browser, the Lazarus malware (SCSKAppLink.dll) is downloaded from the distribution site and installed by exploiting the INISAFECrossWebEXSvc.exe vulnerability.
Although the INITECH vulnerability has already been patched, attacks against systems that have not yet applied the patch continue to this day. Once the Lazarus group has compromised an IIS web server and taken control of it, it uses the server to host the malware delivered by the INITECH vulnerability attacks. If a system has a vulnerable version …
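A compromised IIS server that serves as a distribution point will typically hold the malware under one of its web-content or upload directories. As an added example that is not part of the ASEC write-up, the following Python script sweeps a directory tree (for instance an IIS wwwroot), MD5-hashes each file and reports matches against the IoC hashes listed on this page and against the malware file name it mentions (SCSKAppLink.dll). The sample directory it builds is constructed test data, not real malware; the only assumptions are the sample file layout and the helper names.

```python
"""IoC sweep for the Lazarus IIS distribution-point case described above.

Added example, not code from the ASEC write-up. Walks a directory tree,
MD5-hashes every file and reports files whose hash is a known IoC or whose
file name is the malware DLL named in the write-up (SCSKAppLink.dll).
"""
import hashlib
import os
import tempfile

# MD5 IoCs quoted from the write-up above.
KNOWN_MD5 = {
    "280152dfeb6d3123789138c0a396f30d",
    "d0572a2dd4da042f1c64b542e24549d9",
}

# Malware file name from the write-up; compared case-insensitively, as NTFS does.
KNOWN_NAMES = {"scskapplink.dll"}

# Constructed sample content for the demo tree (assumption: not a real sample).
SAMPLE_PAYLOAD = b"constructed sample payload, not real malware"


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large uploads need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_md5=KNOWN_MD5, known_names=KNOWN_NAMES):
    """Return a sorted list of (path, reason) for every file matching an IoC.

    reason is "md5" for a hash match, "name" for a file-name match, and
    "md5+name" when both apply. Unreadable files are skipped, not fatal.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            try:
                if md5_of_file(path) in known_md5:
                    reasons.append("md5")
            except OSError:
                continue
            if name.lower() in known_names:
                reasons.append("name")
            if reasons:
                findings.append((path, "+".join(reasons)))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed wwwroot-style tree under root; return the payload MD5.

    Layout (assumption, for demonstration only):
      wwwroot/index.html            benign content
      wwwroot/SCSKAppLink.dll       payload, matches by hash and by name
      wwwroot/uploads/update.bin    same payload under an innocuous name
    """
    www = os.path.join(root, "wwwroot")
    os.makedirs(os.path.join(www, "uploads"))
    with open(os.path.join(www, "index.html"), "wb") as fh:
        fh.write(b"<html><body>hello</body></html>")
    with open(os.path.join(www, "SCSKAppLink.dll"), "wb") as fh:
        fh.write(SAMPLE_PAYLOAD)
    with open(os.path.join(www, "uploads", "update.bin"), "wb") as fh:
        fh.write(SAMPLE_PAYLOAD)
    return hashlib.md5(SAMPLE_PAYLOAD).hexdigest()


def run_demo():
    """Sweep the constructed tree; return findings as (relative path, reason)."""
    with tempfile.TemporaryDirectory() as root:
        sample_md5 = build_sample_tree(root)
        # The constructed payload hash is added so the demo produces a hash hit.
        findings = scan_tree(root, known_md5=KNOWN_MD5 | {sample_md5})
        return [(os.path.relpath(p, root).replace(os.sep, "/"), r)
                for p, r in findings]


if __name__ == "__main__":
    for rel_path, reason in run_demo():
        print(f"{reason:9s} {rel_path}")
    # On a real server: scan_tree(r"C:\inetpub\wwwroot")
```

On a live server, run it against the IIS content root and any upload directories, and treat a hash hit as confirmation that the host is already being used as a distribution point; a name-only hit warrants inspection but is not conclusive on its own.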
IoC
280152dfeb6d3123789138c0a396f30d
d0572a2dd4da042f1c64b542e24549d9