Lazarus Targets Windows IIS Web Servers for Malware Distribution

Diving into details

• Lazarus employs the watering hole technique to gain initial access. By compromising Korean websites and modifying their content, it exploits the vulnerability in the INISAFE CrossWeb EX V6. 
• When users with vulnerable versions of INISAFE CrossWeb EX V6 visit these sites, the Lazarus malware (SCSKAppLink.dll) is installed through the INISAFECrossWebEXSvc.exe vulnerability.
• To escalate privileges and facilitate malicious activities, Lazarus deploys the JuicyPotato malware packed with Themida. 
• After successfully infiltrating systems, the attackers attempt to install the "SCSKAppLink.dll" malware through these exploits. This malware acts as a downloader that fetches additional malware strains from external sources, allowing the attackers to gain control over compromised systems.

Latest on Lazarus

• The JumpCloud breach was attributed to the Lazarus APT group. The breach resulted in JumpCloud resetting its clients' API keys and taking precautionary measures to secure their systems.
• In June, Lazarus was believed to be responsible for the recent attack on Atomic Wallet, resulting in the theft of at least $35 million in cryptocurrency.
• In April, a new macOS malware called RustBucket was discovered, believed to be used by the North Korea-linked BlueNoroff group. BlueNoroff is a subset of Lazarus. 

The bottom line