The North Korean state-backed threat actor Lazarus Group has reinvented its ongoing espionage campaign by exploiting known vulnerabilities in unpatched Windows IIS Web servers to deploy its reconnaissance malware.
Researchers with AhnLab Security Response Center (ASEC) reported that the latest round of espionage attacks used the Lazarus Group signature DLL side-loading technique during initial compromise.
"The AhnLab Smart Defense (ASD) log ... (showed) that Windows server systems are being targeted for attacks, and malicious behaviors are being carried out through w3wp.exe, an IIS Web server process," the ASEC researchers explained. "Therefore, it can be assumed that the threat actor uses poorly managed or vulnerable Web servers as their initial breach routes before executing their malicious commands later."
Initial attack vectors for the intelligence-gathering campaign include unpatched machines with known vulnerabilities like Log4Shell, public certificate vulnerabilities, and 3CX supply chain attack, the ASEC team advised.
"In particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement," the AhnLab report added.