Lazarus hackers target vulnerable Windows IIS web servers

SISA Weekly Threat Watch - 5 June 2023

Staying vigilant and actively monitoring ongoing attacks by sophisticated threat actors has become highly crucial for enterprises. This week, security researchers discovered targeted attacks on vulnerable web servers, web browsers, cryptocurrency wallets, and SSH servers. These incidents underscore the ever-changing nature of threat groups, which now pose risks beyond political espionage, including sabotage and financial threats. To protect sensitive data and maintain a strong defense, it is critical to deploy reliable security tools, raise user awareness, and remain diligent.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.

1. GoldenJackal APT targeting South Asian government agencies

A relatively unknown cyberespionage group named ‘GoldenJackal’, active since 2019, has targeted government and diplomatic entities in the Middle East and South Asia. GoldenJackal employs a set of custom .NET malware tools that provide various functions, including credential dumping, data stealing, malware loading, lateral movement, file exfiltration, and more.

The APT group’s primary infection vectors are spear-phishing emails containing fake Skype installers and malicious Word documents that use the remote template injection technique to exploit the Microsoft Office Follina vulnerability. The group has been carefully using an extensive set of custom tools against a limited number of victims to carry out long-term espionage operations. To avoid falling victim to such attacks, it is recommended not to download attachments from unsolicited and untrusted email sources. Additionally, employ EDR tools to detect and prevent execution of such malware.

2. Lazarus group striking vulnerable Windows IIS web servers

The tireless and relentless Lazarus Group has been targeting out-of-date Microsoft IIS servers in recent weeks, planting webshells and malware, and stealing credentials to move around the network. Researchers reported that the latest round of espionage attacks used the Lazarus Group signature DLL side-loading technique during initial compromise.

The threat actor places a malicious DLL (msvcr100.dll) in the same folder as a legitimate application (Wordconv.exe) via the Windows IIS web server worker process, w3wp.exe. They then execute the legitimate application, which loads the malicious DLL from its own directory. The malicious msvcr100.dll library decrypts an encoded payload that is then executed in memory. It is recommended to monitor abnormal parent-child process relationships (for example, w3wp.exe launching executables it does not normally spawn) and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement. When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.
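The two monitoring points from this item (an unexpected child of w3wp.exe, and msvcr100.dll loaded from the application's own directory instead of a system directory) expressed as detection logic over Sysmon-style events. This is an added example, not SISA's or the original researchers' code; the event records, file paths and the list of expected w3wp.exe children are constructed assumptions.

```python
"""Flag the IIS-to-Wordconv DLL side-loading chain in Sysmon-style records."""
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry) mimicking Sysmon Event ID 1
# (process create) and Event ID 7 (image load). Paths are hypothetical.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 1, "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"id": 7, "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "loaded": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"id": 7, "image": r"C:\Program Files\SomeApp\app.exe",
     "loaded": r"C:\Windows\System32\msvcr100.dll"},
]

# Assumed baseline of children an IIS worker process normally spawns;
# tune this to what your own w3wp.exe telemetry shows.
EXPECTED_W3WP_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe"}
# Directories from which the VC++ runtime normally loads.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                    r"c:\windows\winsxs")


def _name(path):
    return PureWindowsPath(path).name.lower()


def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def detect(events):
    """Return (rule, path) alerts for the side-loading chain described above."""
    alerts = []
    for e in events:
        # Rule 1: w3wp.exe spawning something outside its usual children.
        if e["id"] == 1 and _name(e["parent"]) == "w3wp.exe" \
                and _name(e["image"]) not in EXPECTED_W3WP_CHILDREN:
            alerts.append(("w3wp_unexpected_child", e["image"]))
        # Rule 2: msvcr100.dll loaded from a non-system directory that is the
        # same directory as the loading executable (classic side-load layout).
        if e["id"] == 7 and _name(e["loaded"]) == "msvcr100.dll":
            dll_dir = _parent_dir(e["loaded"])
            if not dll_dir.startswith(TRUSTED_DLL_DIRS) \
                    and dll_dir == _parent_dir(e["image"]):
                alerts.append(("sideload_msvcr100", e["loaded"]))
    return alerts


if __name__ == "__main__":
    for rule, path in detect(EVENTS):
        print(f"ALERT {rule}: {path}")
```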

3. New stealthy Bandit Stealer targeting web browsers and cryptocurrency wallets

Bandit Stealer, a recently discovered malware, has garnered significant interest from both cybercriminals and security researchers due to its advanced capabilities. This malicious software is designed to specifically target well-known web browsers, browser extensions linked to cryptocurrency wallets, and various cryptocurrency wallet applications. The malware also steals Telegram session information, using that access to read private messages and gather other sensitive data from compromised accounts.

It specifically targets popular web browsers like Google Chrome, Iridium, Amigo, and Microsoft Edge, extracting login credentials, credit card details, web browsing history, and cookies. The malware is typically delivered to targeted users’ machines through phishing emails or unintentional downloads from malicious websites. Bandit Stealer uses three different installation and execution methods: two self-extracting archives and a fake installer that drops and executes the actual Bandit Stealer file, named Lowkey[.]exe. To prevent such attacks, it is recommended to keep the operating system and software up to date, exercise caution with email and downloads, use strong and unique passwords, and enable two-factor authentication (2FA) wherever possible.

4. Kimsuky unleashes the enhanced RandomQuery malware for targeted reconnaissance

Starting from May 5, a new wave of activity has been identified, involving Kimsuky, the North Korea-based APT group. This campaign utilizes a modified version of their known malware, RandomQuery, in conjunction with various other tools and strategies. Notably, the targets of this ongoing operation include information services focused on North Korea, organizations supporting defectors from the Democratic People’s Republic of Korea (DPRK), and human rights activists.

Kimsuky employs Microsoft Compiled HTML Help (CHM) files as a means of delivering RandomQuery. The attacks begin with phishing emails that masquerade as messages from Daily NK, an online publication specializing in North Korean affairs. These emails aim to entice targets into opening a CHM file. Furthermore, they utilize TutRAT and xRAT to gain remote control over compromised machines. It is recommended to implement robust security measures, including advanced threat detection systems, network segmentation, strong access controls, and timely patching of software vulnerabilities to safeguard sensitive data from threat actors. Develop and regularly test incident response plans to ensure a swift and coordinated response in the event of a security breach.

5. Legion malware upgraded to target SSH servers and AWS credentials

Legion, a Python-based credential harvester, has expanded its range of attacks by introducing new features to target cloud services. The malware is designed to steal credentials from misconfigured web servers running PHP frameworks like Laravel. To achieve this, it scans for environment files (.env) in the default locations where such files are typically found on the targeted machines.

The updated version of the malware includes additional paths to search for these environment files, such as /lib/.env and /cron/.env. If an environment file is publicly accessible due to misconfiguration, the malware saves a copy of it. It is recommended to conduct regular audits of internet-exposed resources to identify any potential misconfigurations or vulnerabilities. Additionally, implement a guardrail to monitor and control any exposed privileged ports to minimize the risk of unauthorized access.
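A log-side check for the behaviour described above: it parses web server access log lines in the Apache combined format, groups requests for .env paths (including the /lib/.env and /cron/.env variants) by source address, and separately reports any such request that was answered with HTTP 200, since that indicates the file was actually served. This is an added example, not SISA's or any vendor's code; the log lines and addresses are constructed.

```python
"""Find .env probing and confirmed .env exposure in access logs."""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Matches /.env, /lib/.env, /cron/.env and backup variants like /.env.bak
ENV_PATH_RE = re.compile(r"(^|/)\.env(\.[\w-]+)?$")

# Constructed sample log; RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2023:10:00:01 +0000] "GET /.env HTTP/1.1" 404 196
203.0.113.7 - - [05/Jun/2023:10:00:02 +0000] "GET /lib/.env HTTP/1.1" 404 196
203.0.113.7 - - [05/Jun/2023:10:00:03 +0000] "GET /cron/.env HTTP/1.1" 200 812
198.51.100.4 - - [05/Jun/2023:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120
malformed line that should be skipped
"""


def scan_env_probes(log_text):
    """Return (probes_by_ip, exposed) for .env requests in the log text.

    probes_by_ip maps a client address to the .env paths it requested;
    exposed lists (path, ip) pairs where the server answered 200, i.e. the
    environment file was readable from the internet and must be treated as
    compromised (rotate every secret it contains).
    """
    probes_by_ip = defaultdict(list)
    exposed = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats
        path = m["path"].split("?", 1)[0]  # drop query string before matching
        if ENV_PATH_RE.search(path):
            probes_by_ip[m["ip"]].append(path)
            if m["status"] == "200":
                exposed.append((path, m["ip"]))
    return dict(probes_by_ip), exposed


if __name__ == "__main__":
    probes, exposed = scan_env_probes(SAMPLE_LOG)
    for ip, paths in probes.items():
        print(f"{ip} probed {len(paths)} .env path(s): {', '.join(paths)}")
    for path, ip in exposed:
        print(f"EXPOSED: {path} served with 200 to {ip}")
```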

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
