Lazarus, a threat group believed to be state-funded, is targeting Windows IIS web servers and repurposing them as malware distribution points. Initial access comes via watering hole attacks and INISAFE CrossWeb EX vulnerabilities. The group runs malware from the IIS worker process w3wp.exe, escalates privileges with JuicyPotato, and uses a loader together with encrypted data files to fetch additional payloads; the campaign underlines the need to patch INISAFE CrossWeb EX and other INITECH products. #Lazarus #JuicyPotato #SCSKAppLink.dll #INISAFE #CrossWebEX #INITECH #IIS
Keypoints
- Lazarus targets Windows IIS web servers and uses them as distribution points for malware.
- Initial access is achieved via watering hole attacks against Korean websites and exploiting INISAFE CrossWeb EX vulnerabilities.
- IIS web server process w3wp.exe is used to execute malicious commands and drive downloader behavior.
- JuicyPotato (usopriv.exe) is used for privilege escalation, enabling further malicious actions.
- A loader (usoshared.dat), executed via rundll32, decrypts additional malware and loads it directly into memory.
- The attacker disguises data files (e.g., as GIF images) and uses encrypted data structures to conceal payloads; the decoded payloads follow a downloader/backdoor pattern.
- Ongoing INISAFE vulnerability exploitation emphasizes patching and defense-in-depth to prevent infection.
MITRE Techniques
- [T1189] Watering Hole – The group compromises Korean websites and modifies the content they serve; when a system running a vulnerable INISAFE CrossWeb EX visits, the malware is installed through the INISAFECrossWebEXSvc.exe vulnerability. “The group first hacks Korean websites and modifies the content provided from the site… the Lazarus malware (SCSKAppLink.dll) is installed from the distribution site through the INISAFECrossWebEXSvc.exe vulnerability.”
- [T1190] Exploit Public-Facing Application – INISAFE vulnerability attacks against unpatched systems running INISAFECrossWebEX are ongoing and result in SCSKAppLink.dll being installed: “vulnerability attacks against systems that have not yet been patched.”
- [T1105] Ingress Tool Transfer – The attackers install WebShell or download/upload tools and execute remote commands using the vulnerable site; the malware is downloaded and executed from a distribution point. “install a WebShell or execute malicious commands… uses WebShell to download/upload files and execute remote commands.”
- [T1059] Command and Scripting Interpreter – Commands such as “whoami” and “rundll32” are executed to run loaders and verify privilege escalation. “whoami” and “rundll32 c:\programdata\usoshared.dat ,usoprivfunc”
- [T1068] Privilege Escalation – JuicyPotato (usopriv.exe) is used for privilege escalation to enable further malicious actions. “The malware generated by the w3wp.exe process, usopriv.exe is the JuicyPotato malware packed with Themida.”
- [T1027] Obfuscated/Compressed Files and Information – The loader decrypts data and loads a PE into memory, with encrypted configuration data and a disguised file structure. “decrypts the file name of the data… {20D1BF68-64EE-489D-9229-95FEFE5F12A4}”
- [T1036] Masquerading – The data/file is disguised as a GIF image: “the first 3 bytes are read to determine if it is the string ‘GIF’. It appears that the threat actor disguised the data file as a GIF image file.”
- [T1021.001] Remote Services – RDP is used for lateral movement in some cases after internal reconnaissance. “There were also circumstances of RDP being used for lateral movement after the internal reconnaissance process.”
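Two of the behaviours above translate directly into host-side detection logic: the IIS worker process w3wp.exe spawning reconnaissance or loader commands (whoami, rundll32 loading a .dat file from ProgramData), and a data file that starts with the string “GIF” but is not a real GIF image. The following is an added example written for this summary, not code from the ASEC report; it assumes process-creation events in a Sysmon-like shape (ParentImage, Image, CommandLine), uses constructed sample events and file bytes, and adds cmd.exe and powershell.exe to the watched w3wp.exe children as an assumption beyond what the report names.

```python
"""Detection logic for the IIS-based Lazarus activity described above.

Added example with constructed data; not part of the ASEC report.
Rule 1: w3wp.exe spawning recon/loader processes (webshell-driven execution).
Rule 2: rundll32 loading a module whose extension is not .dll (e.g. usoshared.dat).
Rule 3: a file whose first 3 bytes are 'GIF' but that has no valid GIF header.
"""
import ntpath
import re
from typing import Dict, List, Optional

# whoami and rundll32 come from the report; cmd and powershell are an
# assumption added here as common webshell children.
SUSPICIOUS_W3WP_CHILDREN = {"whoami.exe", "rundll32.exe", "cmd.exe", "powershell.exe"}

# Matches "rundll32 <module>,<export>", tolerating quotes and a space before the comma
# (the report's command line is "rundll32 c:\programdata\usoshared.dat ,usoprivfunc").
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^"\s,]+)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Genuine GIF files begin with one of these two signatures.
REAL_GIF_HEADERS = (b"GIF87a", b"GIF89a")

# Constructed sample process-creation events (Sysmon-like field names).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 c:\programdata\usoshared.dat ,usoprivfunc"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: user launching a control panel item
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",  # benign: ASP.NET compilation
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /t:library"},
]

# Constructed sample file contents: one real GIF, one masqueraded data file, one text file.
SAMPLE_FILES: Dict[str, bytes] = {
    "logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00",
    "usoshared_data.gif": b"GIF" + bytes(range(3, 40)),  # 'GIF' prefix, then opaque encrypted bytes
    "notes.txt": b"plain text, not an image",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def check_w3wp_child(event: Dict[str, str]) -> bool:
    """Rule 1: the IIS worker process spawned a recon or loader process."""
    return (basename(event["ParentImage"]) == "w3wp.exe"
            and basename(event["Image"]) in SUSPICIOUS_W3WP_CHILDREN)


def check_rundll32_non_dll(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Rule 2: rundll32 invoked with a module that does not carry a .dll extension."""
    if basename(event["Image"]) != "rundll32.exe":
        return None
    match = RUNDLL32_RE.search(event["CommandLine"])
    if not match:
        return None
    module = match.group("module")
    if module.lower().endswith(".dll"):
        return None
    return {"module": module, "export": match.group("export")}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run rules 1 and 2 over process events; return one finding per rule hit."""
    findings: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        if check_w3wp_child(event):
            findings.append({"event": index, "rule": "w3wp_spawns_recon_or_loader",
                             "detail": basename(event["Image"])})
        hit = check_rundll32_non_dll(event)
        if hit:
            findings.append({"event": index, "rule": "rundll32_non_dll_module", "detail": hit})
    return findings


def looks_like_fake_gif(data: bytes) -> bool:
    """Rule 3: claims to be a GIF ('GIF' prefix) but lacks the GIF87a/GIF89a signature."""
    return data[:3] == b"GIF" and data[:6] not in REAL_GIF_HEADERS


def scan_files(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files that masquerade as GIF images."""
    return [name for name, data in files.items() if looks_like_fake_gif(data)]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
    print("masqueraded GIF files:", scan_files(SAMPLE_FILES))
```

On the constructed events, the whoami and rundll32 children of w3wp.exe are flagged while the explorer-launched rundll32 and the ASP.NET compiler child are not; the rundll32 event is additionally flagged because its module is a .dat file, which is the signal that survives even if the attacker renames the loader. The GIF check is deliberately a header check rather than a full parser: a real image tool would reject the masqueraded file at the same point, so the six-byte signature is enough to separate the two cases in the sample set.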
Indicators of Compromise
- [MD5] 280152dfeb6d3123789138c0a396f30d, d0572a2dd4da042f1c64b542e24549d9 – JuicyPotato (usopriv.exe) and Loader (usoshared.dat)
- [File Name] SCSKAppLink.dll – installed via INISAFE vulnerability attack
- [File Name] usopriv.exe – JuicyPotato component used for privilege escalation
- [File Name] usoshared.dat – loader executed via rundll32 (usoprivfunc export) in the privilege-escalation flow
- [File Name] {20D1BF68-64EE-489D-9229-95FEFE5F12A4} – decrypted/verified data file name used by loader
- [Signature] Exploit/Win.JuicyPotato.C5452409 and Trojan/Win.Loader.C5452411 – file detection signatures
Read more: https://asec.ahnlab.com/en/55369/