Lazarus Group Targeting Windows IIS Web Servers

Posted by muhan

AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers.

Ordinarily, when threat actors perform a scan and find a web server with a vulnerable version, they use the vulnerability suitable for the version to install a web shell or execute malicious commands. The AhnLab Smart Defense (ASD) log displayed below in Figure 1 shows that Windows server systems are being targeted for attacks, and malicious behaviors are being carried out through w3wp.exe, an IIS web server process. Therefore, it can be assumed that the threat actor uses poorly managed or vulnerable web servers as their initial breach routes before executing their malicious commands later.

The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL. In MITRE ATT&CK, this method of attack is categorized as the DLL side-loading (T1574.002) technique.

Figure 1. Initial infiltration behavior log of the Lazarus group exploiting a poorly managed Windows IIS web server

The Lazarus group's use of the DLL side-loading technique to run malware has been confirmed many times already. The threat actor has been continuously changing the name of the normal process used in the DLL side-loading technique. This post will cover the DLL side-loading technique used by the threat actor during their initial infiltration process as well as their follow-up behaviors.

Initial Infiltration: DLL Side-Loading Using Windows IIS Web Servers (Wordconv.exe, msvcr100.dll)

The threat actor creates Wordconv.exe, msvcr100.dll, and msvcr100.dat through the Windows IIS web server process (w3wp.exe) before executing Wordconv.exe. As shown in the figure below, msvcr100.dll is contained within the import DLL list of Wordconv.exe, so the first DLL file that is loaded when Wordconv.exe is executed is determined by the DLL search priority of the operating system. As a result, the malicious msvcr100.dll is run in the memory of the Wordconv.exe process.

Figure 9.
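The chain above (w3wp.exe dropping a PE, w3wp.exe spawning the dropped executable, and that executable resolving msvcr100.dll from its own directory instead of the system directory) maps onto three simple endpoint-telemetry rules. The following is an added example, not ASEC's code; the Sysmon-style event shapes and all file paths are constructed for illustration.

```python
# Added example (not ASEC's code): triage rules, run over constructed Sysmon-style
# events, for the chain described above: w3wp.exe writing PE files, w3wp.exe
# spawning a child, and a process loading a DLL named like a system runtime DLL
# (msvcr100.dll) from a directory outside %SystemRoot%. Event shapes are assumed.
from typing import Dict, List

WEB_WORKERS = {"w3wp.exe"}
PE_EXTENSIONS = (".dll", ".exe")
# Runtime DLLs that normally resolve from System32/SysWOW64/WinSxS.
SYSTEM_DLL_NAMES = {"msvcr100.dll", "msvcp100.dll"}
SYSTEM_ROOT = "c:\\windows\\"

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(events: List[Dict]) -> List[str]:
    """Return one finding per suspicious event, preserving input order."""
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "FileCreate" and basename(ev["image"]) in WEB_WORKERS \
                and ev["target"].lower().endswith(PE_EXTENSIONS):
            findings.append(f"web worker wrote PE file: {ev['target']}")
        elif kind == "ProcessCreate" and basename(ev["parent_image"]) in WEB_WORKERS:
            findings.append(f"web worker spawned process: {ev['image']}")
        elif kind == "ImageLoad":
            loaded = ev["image_loaded"]
            if basename(loaded) in SYSTEM_DLL_NAMES \
                    and not loaded.lower().startswith(SYSTEM_ROOT):
                findings.append(f"{basename(ev['image'])} loaded {basename(loaded)} "
                                f"outside SystemRoot: {loaded}")
    return findings

# Constructed sample events mirroring the sequence in Figure 1; paths are made up.
W3WP = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
DROP = "C:\\inetpub\\wwwroot\\temp\\"
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": W3WP, "target": DROP + "Wordconv.exe"},
    {"event": "FileCreate", "image": W3WP, "target": DROP + "msvcr100.dll"},
    {"event": "FileCreate", "image": W3WP, "target": DROP + "msvcr100.dat"},  # not a PE
    {"event": "ProcessCreate", "image": DROP + "Wordconv.exe", "parent_image": W3WP},
    {"event": "ImageLoad", "image": DROP + "Wordconv.exe",
     "image_loaded": DROP + "msvcr100.dll"},
    # Benign: the real runtime loaded from System32 is not flagged.
    {"event": "ImageLoad", "image": "C:\\Program Files\\App\\app.exe",
     "image_loaded": "C:\\Windows\\System32\\msvcr100.dll"},
]
```

The .dat drop is deliberately not matched by the PE rule, and the System32 load shows that the third rule keys on the load path rather than on the DLL name alone.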