The AhnLab Security Intelligence Center has reported ongoing attacks by the Lazarus group, which has been breaching South Korean web servers to install web shells and control scripts, notably the LazarLoader malware, and to escalate privileges. The attackers use a structured methodology for command execution through newly defined C2 scripts. Affected: South Korean web servers, IT infrastructure
Key points:
- The Lazarus group continues to exploit South Korean web servers to establish command and control (C2) infrastructure.
- First-stage C2 servers act as proxies for subsequent C2 communication.
- Newly identified C2 scripts support cookie data in addition to form data.
- Web shells identified include 'function2.asp' and others with hardcoded passwords for unauthorized access.
- The LazarLoader malware is used to download payloads, and privilege-escalation techniques are used for UAC bypass.
- The threat actor uses web shells to install additional malware for enhanced capabilities.
- Regular password updates and checks for file upload vulnerabilities are essential for prevention.
MITRE Techniques:
- T1065: Server Software Component – The Lazarus group uses an IIS server to host its C2 scripts.
- T1071: Application Layer Protocol – Communication between malware and C2 occurs via HTTP/HTTPS, utilizing web shell commands.
- T1203: Exploitation for Client Execution – Exploits vulnerabilities in web servers to gain initial access.
- T1078: Valid Accounts – Uses compromised credentials (e.g., passwords) to maintain access through web shells.
- T1059.003: PowerShell – Uses scripts for command execution from within web shells.
Indicators of Compromise:
- [File] _ICEBIRD007.dat
- [File] ~F05990302ERA.jpg
- [MD5] 0620fa617bc9ef32b93adcf40fe291a4
- [MD5] 0734a2c3e827ccf558daf48290d06d8c
- [MD5] 41ffc15c24259156db000af297c71703
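A defender-side triage script, added here as an example and not part of the AhnLab report: it matches the file names and MD5 hashes listed above against a web root, and flags IIS W3C log requests whose path ends in one of those file names (such as the 'function2.asp' web shell). The log excerpt and the files it scans are constructed for the demonstration; the `#Fields` header is used to locate columns so it works with non-default IIS logging layouts.

```python
import hashlib
import os
import tempfile
from pathlib import Path, PurePosixPath

# Indicators quoted from the report above (file names lower-cased for matching, MD5 hashes).
IOC_FILENAMES = {"function2.asp", "_icebird007.dat", "~f05990302era.jpg"}
IOC_MD5 = {"0620fa617bc9ef32b93adcf40fe291a4", "0734a2c3e827ccf558daf48290d06d8c",
           "41ffc15c24259156db000af297c71703"}

# Constructed IIS W3C log excerpt (not from the report); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-01-10 03:12:44 10.0.0.5 GET /default.asp - 80 - 203.0.113.7 200
2025-01-10 03:13:01 10.0.0.5 POST /upload/function2.asp - 80 - 203.0.113.7 200
2025-01-10 03:13:09 10.0.0.5 GET /images/~F05990302ERA.jpg - 80 - 203.0.113.7 200
"""

def suspicious_iis_requests(log_text, names=IOC_FILENAMES):
    """Return (client IP, method, URI) for requests whose path ends in an IoC file name.
    Column positions are read from the #Fields header, so custom field orders work."""
    cols, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            cols = line.split()[1:]
        elif cols and line and not line.startswith("#"):
            row = dict(zip(cols, line.split()))
            stem = row.get("cs-uri-stem", "")
            if PurePosixPath(stem).name.lower() in names:
                hits.append((row.get("c-ip"), row.get("cs-method"), stem))
    return hits

def scan_directory(root, names=IOC_FILENAMES, hashes=IOC_MD5):
    """Walk a web root and report files whose name or MD5 matches an indicator."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower() in names:
                hits.append((path, "ioc-filename"))
            elif hashlib.md5(Path(path).read_bytes()).hexdigest() in hashes:
                hits.append((path, "ioc-md5"))
    return hits

def build_sample_tree():
    root = tempfile.mkdtemp()  # constructed files so the scan can be demonstrated offline
    for name, data in (("_ICEBIRD007.dat", b"constructed"), ("notes.txt", b"hello")):
        Path(root, name).write_bytes(data)
    return root
```

Run `scan_directory` against the real IIS web root and `suspicious_iis_requests` against the server's log files; a hit on a web shell name is a reason to pull the file, check its hash and review uploads from the same client IP.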
Full Story: https://asec.ahnlab.com/en/86687/