Lazarus Group Targeting Windows IIS Web Servers – ASEC BLOG

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Initial access via vulnerable Windows IIS web servers to install a web shell or execute malicious commands. ‘Ordinarily, when threat actors perform a scan and find a web server with a vulnerable version, they use the vulnerability suitable for the version to install a web shell or execute malicious commands.’
• [T1574.002] DLL Side-Loading – Wordconv.exe loads msvcr100.dll due to DLL search priority, causing the malicious DLL to run in the Wordconv.exe process memory. ‘The threat actor creates Wordconv.exe, msvcr100.dll, and msvcr100.dat… the first DLL file that is loaded when Wordconv.exe is executed is determined by the DLL search priority… malicious msvcr100.dll is run in the memory of the Wordconv.exe process.’
• [T1027] Obfuscated/Compressed Files and Information – Decrypts the encoded PE (msvcr100.dat) with Salsa20 before executing in memory. ‘decrypting an encoded PE file (msvcr100.dat) and the key… The decrypted PE file is then executed in the memory.’
• [T1055] Process Injection – The decrypted PE runs in the Wordconv.exe memory space; DLL unloading occurs via FreeLibraryAndExitThread. ‘The decrypted PE file is then executed in the memory… by utilizing the FreeLibraryAndExitThread WinAPI call before deleting itself (msvcr100.dll).’
• [T1003.001] Credential Dumping – Accessing lsass.exe memory space with possible use of a credential theft tool such as Mimikatz. ‘memory space of the lsass.exe process… credential theft tool such as Mimikatz.’
• [T1021.001] Remote Services – Lateral movement using remote access (port 3389) into the internal network. ‘utilizing remote access (port 3389) to perform lateral movement into the internal network.’
• [T1588.002] Acquire Capabilities – Use of open-source Notepad++ color picker plugin to foothold and stage diagn.dll. ‘exploiting the open-source “color picker plugin”, which is a plugin for Notepad++.’