Lazarus Breaches IIS: Web Shells & Evolving C2 Tactics Unveiled

Summary: The Lazarus Group, a North Korean threat actor, has breached Windows web servers to establish command-and-control (C2) infrastructure, deploying multiple web shells, including the RedHat Hacker variant, to conduct a sophisticated multi-stage attack. This campaign involves the use of LazarLoader malware for further payload retrieval and privilege escalation techniques to maintain control over compromised systems. ASEC’s research indicates an evolution in the group’s methods, including cookie-based data exchange and advanced obfuscation techniques to evade detection.

Affected: Windows web servers (findings published by AhnLab Security Intelligence Center (ASEC))

Key points:

  • The Lazarus Group exploits IIS servers to deploy ASP-based web shells and C2 scripts.
  • RedHat Hacker web shell and other variants support file operations, SQL queries, and remote command execution.
  • LazarLoader malware is used for in-memory execution of payloads, aided by privilege escalation techniques abusing UAC.
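The key points above describe ASP web shells on IIS and cookie-based data exchange with the C2 scripts. The script below is an added defender-side example written for this summary; it is not code from the article or from ASEC. It parses IIS W3C extended log lines and scores each request on heuristics that follow from those points: a request to a server-side script outside the site's known endpoints, a POST to such a script, an oversized Cookie header, and a non-browser User-Agent. The field set in the `#Fields:` directive, the `KNOWN_ENDPOINTS` allowlist, the `LONG_COOKIE` threshold and the sample log lines are all assumptions constructed for the example.

```python
"""Heuristic triage of IIS W3C logs for web-shell-like traffic (added example).

Assumes the site logs c-ip, cs-method, cs-uri-stem, cs(User-Agent) and
cs(Cookie); KNOWN_ENDPOINTS and the thresholds are placeholders a defender
would replace with the real application's values.
"""
import re
from collections import defaultdict

# Assumed allowlist of the application's legitimate server-side scripts.
KNOWN_ENDPOINTS = {"/default.asp", "/login.asp"}
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa|ashx|asmx)$", re.IGNORECASE)
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Safari/|Firefox/", re.IGNORECASE)
LONG_COOKIE = 256  # bytes; ordinary session cookies are far shorter

# Constructed sample log: three benign requests, then traffic to an
# unexpected .asp file, once with an oversized cookie value.
_LONG_COOKIE = "id=" + "A" * 300  # constructed oversized cookie value
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent) cs(Cookie)",
    "2024-01-10 08:00:01 203.0.113.5 GET /index.html 200 Mozilla/5.0 session=abc123",
    "2024-01-10 08:00:02 203.0.113.5 GET /default.asp 200 Mozilla/5.0 session=abc123",
    "2024-01-10 08:00:03 203.0.113.5 POST /login.asp 302 Mozilla/5.0 session=abc123",
    "2024-01-10 08:05:10 198.51.100.9 POST /aspnet_client/cfg.asp 200 python-requests/2.31 " + _LONG_COOKIE,
    "2024-01-10 08:05:11 198.51.100.9 POST /aspnet_client/cfg.asp 200 Mozilla/5.0 -",
    "2024-01-10 08:07:30 198.51.100.12 GET /aspnet_client/cfg.asp 200 curl/8.0 -",
])


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log data appeared before a #Fields directive")
        # The last field (cookie) may contain spaces, so split only len(fields)-1 times.
        parts = line.split(" ", len(fields) - 1)
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def score_request(rec):
    """Return (score, reasons) for one request; each heuristic adds one point."""
    reasons = []
    uri = rec.get("cs-uri-stem", "")
    is_script = bool(SCRIPT_EXT.search(uri))
    if is_script and uri.lower() not in KNOWN_ENDPOINTS:
        reasons.append("script path outside the known application endpoints")
    if is_script and rec.get("cs-method", "").upper() == "POST":
        reasons.append("POST to a server-side script")
    cookie = rec.get("cs(Cookie)", "-")
    if cookie != "-" and len(cookie) >= LONG_COOKIE:
        reasons.append(f"cookie header of {len(cookie)} bytes (possible cookie-based data exchange)")
    ua = rec.get("cs(User-Agent)", "-")
    if ua == "-" or not BROWSER_UA.search(ua):
        reasons.append("non-browser or empty User-Agent")
    return len(reasons), reasons


def find_suspicious(text, min_score=2):
    """Return flagged requests (score >= min_score), highest score first."""
    findings = []
    for rec in parse_w3c(text):
        score, reasons = score_request(rec)
        if score >= min_score:
            findings.append({"ip": rec["c-ip"], "method": rec["cs-method"],
                             "uri": rec["cs-uri-stem"], "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["uri"]))


def summarize_paths(findings):
    """Per flagged path: request count and the set of client IPs that hit it."""
    summary = defaultdict(lambda: {"requests": 0, "clients": set()})
    for f in findings:
        summary[f["uri"]]["requests"] += 1
        summary[f["uri"]]["clients"].add(f["ip"])
    return dict(summary)


if __name__ == "__main__":
    flagged = find_suspicious(SAMPLE_LOG)
    for f in flagged:
        print(f'{f["score"]} {f["ip"]} {f["method"]} {f["uri"]}: {"; ".join(f["reasons"])}')
    for uri, s in summarize_paths(flagged).items():
        print(f'{uri}: {s["requests"]} flagged requests from {len(s["clients"])} client(s)')
```

The per-path summary matters as much as the per-request score: a legitimate application page is hit by many clients, while a web shell is typically reached by a handful of addresses, so a flagged script path with very few distinct clients is a natural candidate for comparing the file on disk against the deployed application. Tune `KNOWN_ENDPOINTS` and `min_score` to the site; with the constructed sample, the benign `POST /login.asp` scores one point and stays below the threshold.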

Source: https://securityonline.info/lazarus-breaches-iis-web-shells-evolving-c2-tactics-unveiled/