Attackers are always searching for weak points to establish a foothold within your network. Today, we are covering one such group of attackers, observed exploiting Windows IIS servers to distribute malware: the Lazarus group, a notorious threat actor known for its relentless attacks, which has now shifted its focus towards exploiting vulnerable Microsoft Internet Information Services (IIS) servers. Recently, the AhnLab Security Emergency Response Center (ASEC) published a report explaining how the Lazarus group abuses IIS servers to propagate malware. We’ve created this post to let security and Windows teams know how to protect IIS servers from DLL side-loading attacks.
A Short Introduction to Lazarus Group:
The Lazarus group is one of the most notorious North Korean-backed APT groups, carrying out attacks worldwide. Many analysts speculate that the Lazarus group, driven by financial motives, contributes to funding North Korea’s weapons development programs while also engaging in various espionage operations.
The Lazarus group gained global attention due to its involvement in various high-profile cyberattacks targeting financial institutions, cryptocurrency exchanges, government agencies, and other organizations. The group is known for its advanced hacking techniques, including spear-phishing, malware deployment, and network intrusion tactics. Lazarus has been linked to numerous significant cyber incidents, such as the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, and the WannaCry ransomware attack in 2017.
What is a DLL Side-Loading Attack?
DLL Side-Loading, also known as binary planting, is a type of cyber attack that exploits the way some Windows applications search for Dynamic Link Libraries (DLLs). DLLs are files that contain code and data that multiple programs can use simultaneously on a Windows system.
When a program needs to use a DLL, it will look for it in a specific search order. This usually starts in the directory from which the application is loaded. If a malicious DLL is placed in this directory and has the same name as the DLL the application is looking for, the application may load the malicious DLL instead of the legitimate one. This is the basis of DLL side-loading.
Once the malicious DLL is loaded, it can execute harmful code in the context of the application, potentially leading to the compromise of the system. This type of attack is often used as a way to maintain persistence on a compromised system, or to bypass security measures, as the malicious code is run under the guise of a legitimate process.
How Lazarus Group Abuses IIS Servers to Spread Malware?
As per the report released by AhnLab Security Emergency Response Center (ASEC), the Lazarus group is now targeting vulnerable and misconfigured Windows Internet Information Services (IIS) web servers as entry points and using the DLL side-loading method from there. Windows IIS servers host web content for organizations, including sites, apps, and services such as Microsoft Exchange’s Outlook on the Web. Available since Windows NT, IIS is a flexible solution that supports the HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP protocols.
In DLL side-loading, a malicious DLL is planted next to vulnerable software; when the legitimate program is invoked, the malicious DLL is loaded with it. This helps the malware evade detection by security solutions and maintain persistence, because the malicious code runs inside a legitimate process.
The attacker placed the malicious DLL (msvcr100.dll) in the same directory as the legitimate application (Wordconv.exe) through the Windows IIS web server process, w3wp.exe. Once the malicious DLL is in place, it is executed along with the normal execution of the application. This method is known as the DLL side-loading attack.
Fig 1: Logs of a Windows IIS web server exploited by Lazarus Group (Source: AhnLab Security)
The DLL side-loading technique is one of the key methods by which the Lazarus group compromises its victims.
- The threat actor uses the Windows IIS web server process (w3wp.exe) to create Wordconv.exe, msvcr100.dll, and msvcr100.dat.
- Upon execution of Wordconv.exe, msvcr100.dll, which is included in Wordconv.exe’s import DLL list, is loaded according to the operating system’s DLL search order, which allows the malicious msvcr100.dll to be executed within the memory of the Wordconv.exe process.
- msvcr100.dll uses the Salsa20 algorithm with the key (df2bsr2rob5s1f8788yk6ddi4x0wz1jq) to decrypt the encoded PE file (msvcr100.dat).
- The encoded data is passed via the command-line argument when Wordconv.exe is executed.
Fig 2: Execution log of Wordconv.exe
Gaining Foothold and Stealing Certificates
Once initial access is established, the attacker deploys malware (diagn.dll) by abusing the open-source “color picker plugin,” a plugin for Notepad++. Diagn.dll receives the encoded PE file and the command-line argument; using an internally hard-coded key, it decrypts the data file and executes the resulting PE file in the computer’s memory.
Fig 3: Log of credential theft (Source: AhnLab Security)
Once the credentials are obtained, the attacker establishes a remote desktop connection for internal data collection. No further activity was discovered by the researchers after this.
- Trojan/Win.LazarLoader.C5427612 (2023.05.15.02)
- Trojan/Win.LazarLoader.C5427613 (2023.05.15.03)
[DLL Side-loading File Path]
- e501bb6762c14baafadbde8b0c04bbd6: diagn.dll
- 228732b45ed1ca3cda2b2721f5f5667c: msvcr100.dll
- 47d380dd587db977bf6458ec767fee3d:? (Variant malware of msvcr100.dll)
- 4d91cd34a9aae8f2d88e0f77e812cef7: cylvc.dll (Variant malware of msvcr100.dll)
MITRE ATT&CK Enterprise Identifiers
- T1003.001 (LSASS Memory)
- T1005 (Data from Local System)
- T1027 (Obfuscated Files or Information)
- T1055.002 (Portable Executable Injection)
- T1082 (System Information Discovery)
- T1083 (File and Directory Discovery)
- T1105 (Ingress Tool Transfer)
- T1140 (Deobfuscate/Decode Files or Information)
- T1190 (Exploit Public-Facing Application)
- T1204.002 (Malicious File)
- T1574.001 (DLL Search Order Hijacking)
- T1574.002 (DLL Side-Loading)
How Should You Detect and Protect Your IIS Servers from DLL Side-loading Attacks?
The first step in protecting your IIS servers from DLL side-loading attacks is to block the identified or captured IoCs on all of your security controls, such as firewalls, endpoint protection, IDS/IPS, web proxies, or any other devices deployed to protect the network.
Detecting DLL side-loading attacks can be challenging due to their stealthy nature, but there are several strategies that can help identify these types of attacks:
- File Creation: Monitor for newly created files in common folders on the system. A new file created in an unexpected location or at an unusual time (for example, an executable or DLL written by the IIS worker process into a web directory) may indicate that an attacker is staging a malicious DLL for a side-loading attack.
- File Modification: Monitor for unexpected changes to file permissions and attributes. If a file’s permissions or attributes are changed in a way that allows it to be executed, an attacker may be preparing to launch a DLL side-loading attack.
- Module Load: Monitor DLL/PE file events, specifically the creation of these binaries and the loading of DLLs into processes. A DLL that is not recognized, is not normally loaded into a given process, or is loaded from the application’s own directory instead of the system directory may indicate that an attack is in progress.
- Process Creation: Monitor newly created processes for unusual activity. For example, if a process that does not normally use the network begins to do so, or if new files or programs are introduced, an attack may be in progress.
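As an added example (not code from the ASEC report or from this post), the File Creation and Module Load checks above applied to a few constructed Sysmon-style events; the event field names and the `signed` flag are assumptions about how a log pipeline flattens Sysmon FileCreate (ID 11) and ImageLoad (ID 7) records.

```python
import ntpath

# Constructed Sysmon-style events (sample data, not real logs): id 11 = FileCreate,
# id 7 = ImageLoad; "signed" mirrors Sysmon's Signed field on ImageLoad events.
SAMPLE_EVENTS = [
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\upload\Wordconv.exe"},
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"id": 11, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\logs\LogFiles\u_ex230515.log"},   # benign log write
    {"id": 7, "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "loaded": r"C:\inetpub\wwwroot\upload\msvcr100.dll", "signed": False},
    {"id": 7, "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\msvcr100.dll", "signed": True},  # benign
]

WEB_WORKERS = {"w3wp.exe"}               # IIS worker process name
BINARY_EXTS = {".exe", ".dll", ".dat"}   # extensions of the files dropped in the report
WATCHLIST = {"msvcr100.dll", "diagn.dll", "cylvc.dll"}  # DLL names from the IoC list
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def rule_web_worker_drops_binary(ev):
    """File Creation: the IIS worker process writes an executable-looking file."""
    if ev["id"] != 11 or ntpath.basename(ev["image"]).lower() not in WEB_WORKERS:
        return None
    if ntpath.splitext(ev["target"])[1].lower() not in BINARY_EXTS:
        return None
    return f"{ntpath.basename(ev['image'])} created {ev['target']}"

def rule_sideload_from_app_dir(ev):
    """Module Load: a process loads an unsigned DLL from its own directory, or a
    watchlisted DLL name is loaded from anywhere outside the system directories."""
    if ev["id"] != 7:
        return None
    dll_dir = ntpath.dirname(ev["loaded"]).lower()
    name = ntpath.basename(ev["loaded"]).lower()
    same_dir = dll_dir == ntpath.dirname(ev["image"]).lower()
    if (same_dir and not ev["signed"]) or (name in WATCHLIST and dll_dir not in SYSTEM_DIRS):
        return f"{ev['image']} loaded {ev['loaded']} (signed={ev['signed']})"
    return None

def scan(events):
    """Run every rule over the events; returns a list of (rule name, detail) alerts."""
    alerts = []
    for ev in events:
        for rule in (rule_web_worker_drops_binary, rule_sideload_from_app_dir):
            hit = rule(ev)
            if hit:
                alerts.append((rule.__name__, hit))
    return alerts
```

The same-directory rule will also fire on legitimate applications that ship unsigned DLLs, so in production pair it with an allowlist of known application directories and treat a hit that follows a w3wp.exe file creation as the high-confidence case.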
From the user’s standpoint, there is little to do beyond monitoring and blocking IoCs and upgrading to the latest available versions; the remaining mitigations fall on software developers and administrators:
- Application Developer Guidance: This strategy suggests that developers should, whenever possible, include hash values in their application’s manifest files. A manifest file provides metadata about the components of an application. By including a hash value of the correct DLL file in the manifest, the application can verify that the DLL hasn’t been tampered with before loading it. If the DLL’s actual hash value doesn’t match the one in the manifest, the application can refuse to load the DLL, thereby preventing a side-loading attack.
- Update Software: This strategy emphasizes the importance of keeping software up to date. Developers regularly release patches that fix known vulnerabilities, including those that could be exploited in DLL side-loading attacks. By updating your software regularly, you can ensure that you’re protected against these known vulnerabilities.
The researchers observed the frequent exploitation of improperly configured, public-facing infrastructure by the Lazarus Group, which enables initial infections through vulnerabilities such as “Log4Shell,” public certificate vulnerabilities, or the 3CX supply chain attack. To counter these attacks, organizations should understand the importance of employing attack-surface management services as preventive measures.