Attackers are always searching for weak points to establish a foothold within your network. Today, we are uncovering one such group of attackers who have been observed exploiting Windows IIS servers to distribute malware. We’re referring to the Lazarus group, a notorious cyber assault organization known for its relentless attacks, which has now shifted its focus towards exploiting vulnerable Microsoft Internet Information Services (IIS) servers. Recently, the AhnLab Security Emergency Response Center (ASEC) published a report explaining how the Lazarus group abuses IIS servers to propagate malware. We’ve created this post to let security and Windows teams know how to protect IIS servers from DLL side-loading attacks.
The Lazarus group is one of the most notorious North Korean-backed APT groups, performing multiple attacks worldwide. Many analysts speculate that the Lazarus group, driven by financial motives, contributes to funding North Korea’s weapons development programs while also engaging in various espionage operations.
The Lazarus group gained global attention due to its involvement in various high-profile cyberattacks targeting financial institutions, cryptocurrency exchanges, government agencies, and other organizations. The group is known for its advanced hacking techniques, including spear-phishing, malware deployment, and network intrusion tactics. Lazarus has been linked to numerous significant cyber incidents, such as the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the WannaCry ransomware attack in 2017.
DLL Side-Loading, also known as binary planting, is a type of cyber attack that exploits the way some Windows applications search for Dynamic Link Libraries (DLLs). DLLs are files that contain code and data that multiple programs can use simultaneously on a Windows system.
When a program needs to use a DLL, it will look for it in a specific search order. This usually starts in the directory from which the application is loaded. If a malicious DLL is placed in this directory and has the same name as the DLL the application is looking for, the application may load the malicious DLL instead of the legitimate one. This is the basis of DLL side-loading.
Once the malicious DLL is loaded, it can execute harmful code in the context of the application, potentially leading to the compromise of the system. This type of attack is often used as a way to maintain persistence on a compromised system, or to bypass security measures, as the malicious code is run under the guise of a legitimate process.
As per the report released by AhnLab Security Emergency Response Center (ASEC), the Lazarus group is now targeting vulnerable and misconfigured Windows Internet Information Services (IIS) web servers as entry points, using the DLL side-loading method. Windows IIS servers host web content for organizations, including sites, apps, and services like Microsoft Exchange’s Outlook on the Web. It is a flexible solution that has shipped with Windows since Windows NT and supports the HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP protocols.
In DLL side-loading, a malicious DLL is placed where vulnerable software will load it; when the legitimate program is invoked, the malicious DLL is activated along with it. This helps the malware evade detection by security solutions and maintain persistence.
The attacker placed the malicious DLL (msvcr100.dll) in the same directory as the legitimate application (Wordconv.exe) through the Windows IIS web server process, w3wp.exe. Once the malicious DLL is in place, it is executed along with the normal execution of the application. This method is known as the DLL side-loading attack.
Fig 1: Logs of a Windows IIS web server exploited by the Lazarus group (Source: AhnLab Security)
The DLL side-loading technique is one of the key methods the Lazarus group uses against its victims.
The threat actor utilizes the Windows IIS web server process (w3wp.exe) to create Wordconv.exe, msvcr100.dll, and msvcr100.dat.
Upon execution of Wordconv.exe, msvcr100.dll, which is included in Wordconv.exe’s import DLL list, is loaded according to the operating system’s DLL search order, so the malicious msvcr100.dll is executed within the memory of the Wordconv.exe process.
msvcr100.dll uses the Salsa20 algorithm to decrypt the encoded PE file (msvcr100.dat) using the key (df2bsr2rob5s1f8788yk6ddi4x0wz1jq).
The encoded data is passed via the command-line argument when Wordconv.exe is executed.
Fig 2: Execution log of Wordconv.exe
Once initial access is established, the attacker deploys malware (diagn.dll) by exploiting the open-source “color picker plugin,” a plugin for Notepad++. Diagn.dll receives the encoded PE file and the command-line argument; using an internally hard-coded key, it decrypts the data file and executes the resulting PE file in the computer’s memory.
Fig 3: Log of credential theft (Source: AhnLab Security)
Lateral Movement
Once the credentials are obtained, the attacker establishes a remote desktop connection for internal data collection. No further activity was discovered by the researchers after this.
ASEC published the following indicators of compromise for this campaign:
[File Detection]
Trojan/Win.LazarLoader.C5427612 (2023.05.15.02)
Trojan/Win.LazarLoader.C5427613 (2023.05.15.03)
[DLL Side-loading File Path]
C:\ProgramData\USOShared\Wordconv.exe
C:\ProgramData\USOShared\msvcr100.dll
[MD5]
e501bb6762c14baafadbde8b0c04bbd6: diagn.dll
228732b45ed1ca3cda2b2721f5f5667c: msvcr100.dll
47d380dd587db977bf6458ec767fee3d:? (Variant malware of msvcr100.dll)
4d91cd34a9aae8f2d88e0f77e812cef7: cylvc.dll (Variant malware of msvcr100.dll)
The observed activity maps to the following MITRE ATT&CK techniques:
T1003.001 (LSASS Memory)
T1005 (Data from Local System)
T1027 (Obfuscated Files or Information)
T1055.002 (Portable Executable Injection)
T1082 (System Information Discovery)
T1083 (File and Directory Discovery)
T1105 (Ingress Tool Transfer)
T1140 (Deobfuscate/Decode Files or Information)
T1190 (Exploit Public-Facing Application)
T1204.002 (Malicious File)
T1574.001 (DLL Search Order Hijacking)
T1574.002 (DLL Side-Loading)
The best practice to protect your IIS servers from DLL side-loading attacks is to block the identified or captured IoCs on all your security applications, such as firewalls, endpoints, IDS/IPS, web proxies, or any other devices you have deployed to protect the network.
Detecting DLL side-loading attacks can be challenging due to their stealthy nature, but there are several strategies that can help identify these types of attacks:
File Creation: Monitor for newly created files in common folders on the system. A new file in an unexpected location or at an unusual time may indicate that an attacker is staging a malicious DLL for a side-loading attack.
File Modification: Monitor for unexpected changes to file permissions and attributes. A change that makes a file executable may indicate that an attacker is preparing to launch a DLL side-loading attack.
Module Load: Monitor DLL/PE file events, specifically the creation of these binaries and the loading of DLLs into processes. A DLL that is not recognized, or that is not normally loaded by a given process, being loaded may indicate an attack in progress.
Process Creation: Monitor newly created processes for unusual activity. For example, a process that does not normally use the network starting to do so, or new files or programs being introduced, may indicate an attack in progress.
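The File Creation and Module Load strategies above can be turned into concrete detection logic. The following Python script is an added example, not code from this post or from ASEC: it runs over constructed Sysmon-style FileCreate (event 11) and ImageLoaded (event 7) records modelled on the chain in the report, flagging the IIS worker process writing PE files to disk and a watched runtime DLL being loaded from outside the Windows system directories. The flattened `Key=Value|Key=Value` log format, the watchlist beyond msvcr100.dll, and the trusted-directory list are assumptions.

```python
import ntpath

# Runtime DLLs commonly planted beside a legitimate EXE. msvcr100.dll is the one
# abused in the ASEC report; the other names are an assumed extension of the list.
SIDELOAD_WATCHLIST = {"msvcr100.dll", "msvcr120.dll", "msvcp140.dll", "version.dll"}
# Directories where such DLLs legitimately live (assumed trusted locations).
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process seen writing the files in the report


def parse_event(line):
    """Parse one flattened 'Key=Value|Key=Value' event line (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def flag_event(ev):
    """Return a finding string for one event, or None when it looks benign."""
    if ev.get("EventID") == "11":  # FileCreate: web worker dropping a PE file
        src = ntpath.basename(ev["Image"]).lower()
        target = ev["TargetFilename"]
        if src in WEB_WORKERS and target.lower().endswith((".exe", ".dll")):
            return f"{src} created executable {target}"
    elif ev.get("EventID") == "7":  # ImageLoaded: watched DLL from an untrusted dir
        loaded = ev["ImageLoaded"]
        name, folder = ntpath.basename(loaded).lower(), ntpath.dirname(loaded)
        if name in SIDELOAD_WATCHLIST and not folder.lower().startswith(TRUSTED_DLL_DIRS):
            return f"{ntpath.basename(ev['Image'])} loaded {name} from {folder}"
    return None


def scan(lines):
    """Run every non-empty line through flag_event and keep the findings."""
    return [f for f in (flag_event(parse_event(l)) for l in lines if l.strip()) if f]


# Constructed Sysmon-style events modelled on the chain described in the report.
SAMPLE_EVENTS = [
    r"EventID=11|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\ProgramData\USOShared\Wordconv.exe",
    r"EventID=11|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\ProgramData\USOShared\msvcr100.dll",
    r"EventID=11|Image=C:\Windows\System32\inetsrv\w3wp.exe|TargetFilename=C:\inetpub\logs\LogFiles\u_ex230515.log",
    r"EventID=7|Image=C:\ProgramData\USOShared\Wordconv.exe|ImageLoaded=C:\ProgramData\USOShared\msvcr100.dll",
    r"EventID=7|Image=C:\Program Files\Example\app.exe|ImageLoaded=C:\Windows\System32\msvcr100.dll",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The benign log write and the load of msvcr100.dll from System32 produce no finding; the three events that mirror the report do.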
From the user’s standpoint, there is little to do beyond monitoring for and blocking the IoCs and upgrading to the latest available versions.
Application Developer Guidance: This strategy suggests that developers should, whenever possible, include hash values in their application’s manifest files. A manifest file provides metadata about the components of an application. By including a hash value of the correct DLL file in the manifest, the application can verify that the DLL hasn’t been tampered with before loading it. If the DLL’s actual hash value doesn’t match the one in the manifest, the application can refuse to load the DLL, thereby preventing a side-loading attack.
Update Software: This strategy emphasizes the importance of keeping software up to date. Developers regularly release patches that fix known vulnerabilities, including those that could be exploited in DLL side-loading attacks. By updating your software regularly, you can ensure that you’re protected against these known vulnerabilities.
The researchers observed the frequent exploitation of improperly configured, public-facing infrastructure by the Lazarus Group, which enables initial infections through vulnerabilities such as “Log4Shell,” public certificate vulnerabilities, or the 3CX supply chain attack. To counter these attacks, organizations should understand the importance of employing attack-surface management services as preventive measures.
We hope this article helped you understand how the Lazarus group abuses IIS servers to spread malware and how to protect your IIS servers from DLL side-loading attacks. Please share this post if you found it interesting. Visit our blog thesecmaster.com and our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram, and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.