North Korean Lazarus hacker group continues to update their hacking repertoire.

North Korean hackers continue to update their hacking repertoire, prompting a warning to defenders to monitor for “abnormal process execution…”

Lazarus is an infamous North Korean threat actor group that has been targeting vulnerable versions of Microsoft Internet Information Services (IIS), the Windows web server. Now they have updated their tactics, pairing those compromised IIS servers with a newly reported technique rather than a single new vulnerability.

The group uses the Windows IIS web server process to drop a malicious DLL (Dynamic Link Library) into the same folder as a legitimate application, then launches that legitimate application. Because Windows ordinarily checks the application's own folder before the system directories when resolving a DLL by name, the legitimate program loads the attacker's DLL and runs an arbitrary payload under a trusted-looking process. This technique, known as DLL side-loading, has been used in a number of operations, including the compromise of the enterprise communications service provider 3CX.

What is Lazarus doing differently?

What Lazarus does differently is that it has a whole country behind it and operates without the legal or moral constraints that limit ordinary criminal groups. It is also sophisticated, and routinely uses current or previously unseen intrusion and ransomware techniques.

The latest development demonstrates the diversity of Lazarus attacks and its ability to employ an extensive set of tools against victims to carry out long-term espionage operations.

This quote from the AhnLab Security Emergency Response Center (ASEC) demonstrates the need for up-to-date and proactive protection:

“In particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”
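The two things ASEC is asking defenders to watch for, the IIS worker process launching something it should not, and a legitimate program loading a DLL from its own folder instead of from the system directory, can both be expressed as simple rules over process-creation and image-load telemetry. The following is an added example written for this page, not code from the article, from ASEC or from any vendor. It runs two such rules over a handful of constructed Sysmon-style records (Event ID 1 is process creation, Event ID 7 is image load; the field names are Sysmon's) and raises the severity of a side-load hit when the loading process descends from w3wp.exe, the IIS worker. The executable paths, the allowlist of expected IIS children and the list of DLL names are illustrative assumptions to be tuned per host.

```python
"""Detect DLL side-loading launched from the IIS worker process (w3wp.exe).

Added example, not code from the original article or from ASEC. All sample
events below are constructed; paths, PIDs and lists are illustrative.
"""
import ntpath

IIS_WORKER = "w3wp.exe"
# Assumption: children an ASP.NET worker legitimately spawns on this host
# (the .NET compiler and its resource converter). Tune per environment.
EXPECTED_IIS_CHILDREN = {"csc.exe", "cvtres.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: a small subset of DLL names that normally resolve to a system or
# runtime directory. A copy sitting next to the executable is the side-load shape.
SIDELOAD_CANDIDATES = {"version.dll", "dbghelp.dll", "msvcr100.dll", "wininet.dll"}


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def build_process_tree(events):
    """Map ProcessId -> (image name, ParentProcessId) from process-create (EID 1) events."""
    return {e["ProcessId"]: (_base(e["Image"]), e["ParentProcessId"])
            for e in events if e["EventID"] == 1}


def descends_from(tree, pid, ancestor_name, max_depth=16):
    """True if pid or any of its recorded ancestors is ancestor_name (depth-bounded)."""
    for _ in range(max_depth):
        if pid not in tree:
            return False
        name, parent = tree[pid]
        if name == ancestor_name:
            return True
        pid = parent
    return False


def abnormal_iis_children(events):
    """Rule 1: w3wp.exe spawning a child that is not on the expected list."""
    return [{"rule": "iis-unexpected-child", "pid": e["ProcessId"], "image": e["Image"]}
            for e in events
            if e["EventID"] == 1
            and _base(e["ParentImage"]) == IIS_WORKER
            and _base(e["Image"]) not in EXPECTED_IIS_CHILDREN]


def sideloaded_dlls(events):
    """Rule 2: a candidate DLL loaded from the loading process's own folder, not a system dir.

    Severity is raised to high when the process descends from the IIS worker,
    which is the w3wp.exe -> legitimate app -> malicious DLL chain the article describes.
    """
    tree = build_process_tree(events)
    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        dll_dir, exe_dir = _dir(e["ImageLoaded"]), _dir(e["Image"])
        if dll_dir.startswith(SYSTEM_DIRS):
            continue  # loaded from where it normally lives
        if dll_dir == exe_dir and _base(e["ImageLoaded"]) in SIDELOAD_CANDIDATES:
            severity = "high" if descends_from(tree, e["ProcessId"], IIS_WORKER) else "medium"
            findings.append({"rule": "dll-sideload", "pid": e["ProcessId"],
                             "dll": e["ImageLoaded"], "severity": severity})
    return findings


# Constructed sample telemetry (not real logs): an IIS worker, a legitimate
# compiler child, a dropped executable that side-loads version.dll, and an
# unrelated vendor app that ships its own CRT copy next to the binary.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentProcessId": 880, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "ProcessId": 4400, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentProcessId": 4120, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 1, "ProcessId": 5112, "Image": r"C:\ProgramData\tmp\viewer.exe",
     "ParentProcessId": 4120, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventID": 7, "ProcessId": 5112, "Image": r"C:\ProgramData\tmp\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessId": 5112, "Image": r"C:\ProgramData\tmp\viewer.exe",
     "ImageLoaded": r"C:\ProgramData\tmp\version.dll"},
    {"EventID": 1, "ProcessId": 7001, "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 7001, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\msvcr100.dll"},
]

if __name__ == "__main__":
    for f in abnormal_iis_children(SAMPLE_EVENTS) + sideloaded_dlls(SAMPLE_EVENTS):
        print(f)
```

On the sample data the first rule flags only viewer.exe (csc.exe is an expected ASP.NET child), and the second rule flags version.dll as high because its loader was spawned by w3wp.exe, while the vendor app's bundled msvcr100.dll is reported at medium: many legitimate installers ship runtime DLLs beside their binaries, so that shape on its own is a triage item, and it is the parent relationship back to the web server that makes it an incident.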

If you have any questions about this information and how it could affect you, your business or your team, please reach out to us at Britec.