The Lazarus Group, a notorious hacking collective with ties to North Korea, has been exploiting vulnerabilities in Windows Internet Information Services (IIS) web servers to infiltrate corporate networks, according to researchers at the AhnLab Security Emergency Response Center (ASEC). Because these servers are commonly used to host web content, poorly managed or outdated instances can serve as an entry point for attackers. Lazarus, known for supporting North Korea’s weapons development programs, takes advantage of well-known vulnerabilities or misconfigurations to gain initial access, then deploys stealthy malware that evades detection by antivirus tools. The group also leverages a Notepad++ plugin to create malware, suspected of aiding them in stealing credentials; the stolen credentials are then used for network reconnaissance and lateral movement. ASEC advises organizations to closely monitor for any signs of abnormal process execution, as Lazarus frequently employs DLL sideloading techniques.
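As an added example (not code from the ASEC report or the article summarized here), the following Python script applies the monitoring advice above to a handful of constructed process-creation records: it flags any process started by the IIS worker process `w3wp.exe` that is not on an allowlist of expected children. The record format, the sample events and the allowlist are assumptions for illustration; the allowlist in particular must be tuned to what a given environment's IIS sites legitimately spawn.

```python
import ntpath
import re

# Constructed process-creation records in a simplified key=value form
# (resembling Sysmon Event ID 1 fields); paths and command lines are made up.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe CommandLine="csc.exe /noconfig /fullpaths"',
    r'ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c whoami"',
    r'ParentImage=C:\Windows\System32\services.exe Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    r'ParentImage=C:\Windows\System32\inetsrv\w3wp.exe Image=C:\Windows\System32\rundll32.exe CommandLine="rundll32.exe C:\inetpub\wwwroot\uploads\x.dll,Start"',
]

# Assumed allowlist: children an ASP.NET worker may legitimately start
# (on-demand compilation helpers). Adjust to the environment being monitored.
ALLOWED_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe"}
IIS_WORKER = "w3wp.exe"

# key=value pairs; values are either a quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value record into a dict, stripping quotes around values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def find_unexpected_iis_children(events, allowed=ALLOWED_CHILDREN):
    """Return (child image name, command line) for every process spawned by
    w3wp.exe whose image name is not in the allowlist."""
    hits = []
    for line in events:
        event = parse_event(line)
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        child = ntpath.basename(event.get("Image", "")).lower()
        if parent == IIS_WORKER and child not in allowed:
            hits.append((child, event.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for child, cmdline in find_unexpected_iis_children(SAMPLE_EVENTS):
        print(f"ALERT: {IIS_WORKER} spawned {child}: {cmdline}")
```

On the sample data this reports the cmd.exe and rundll32.exe children and stays silent on the compiler helper, which is the shape of the "abnormal process execution" signal ASEC recommends watching for.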
Relevant URL: https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-windows-iis-web-servers-for-initial-access/