1/15/2024 0 Comments Lazarus group history![]() Treasury Department sanctioned four entities and one individual involved in malicious cyber activities and fundraising schemes that aim to support North Korea's strategic priorities. "In particular, since the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement," ASEC said. The latest development demonstrates the diversity of Lazarus attacks and its ability to employ an extensive set of tools against victims to carry out long-term espionage operations. The attack chain further entailed the exploitation of a discontinued open source Notepad++ plugin called Quick Color Picker to deliver additional malware in order to facilitate credential theft and lateral movement. The malware is said to be a variant of a similar artifact that was discovered by ASEC last year and which acted as a backdoor to communicate with an actor-controlled server. The malicious msvcr100.dll library, for its part, is designed to decrypt an encoded payload that's then executed in memory. Lazarus, a highly-capable and relentless nation-state group linked to North Korea, was most recently spotted leveraging the same technique in connection with the cascading supply chain attack on enterprise communications service provider 3CX. "They then execute the normal application to initiate the execution of the malicious DLL."ĭLL side-loading, similar to DLL search-order hijacking, refers to the proxy execution of a rogue DLL via a benign binary planted in the same directory. "The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe," ASEC explained. ![]() The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat's (APT) continued abuse of DLL side-loading techniques to run arbitrary payloads. ![]() The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services ( IIS) servers as an initial breach route to deploy malware on targeted systems. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |