Hijacked Microsoft IIS Servers Used to Distribute Malware

Microsoft® Windows OS
Advisory ID:
July 27, 2023


AhnLab Security Emergency Response Centre (ASEC) has revealed that the North Korean state-sponsored Lazarus hacking group is breaching Windows Internet Information Service (IIS) web servers to hijack them for malware distribution. This latest campaign takes advantage of a weakness in INISAFE CrossWeb EX V6 to transmit the Lazarus malware. INISAFE CrossWeb EX V6 is a software used to protect against malicious websites and malware attacks. However, it has been reported that the Lazarus group has exploited a vulnerability in the software to distribute malware. The malware is installed when a system using a vulnerable version of INISAFE CrossWeb EX V6 visits a website via a web browser.

Description & Consequence

IIS is a web server platform used to host websites and services such as Microsoft’s Outlook on the web (OWA). The attackers use what is known as a “watering hole attack” to target its potential victims by infecting websites or services they frequently visit or use.

Social engineering and/or phishing techniques are used to infect a target device with a malicious HTM file, which is then copied to a DLL file – SCSKAppLink.dll – and inserted into the INISAFE CrossWeb EX Client. So now when a device with a vulnerable version of the INISAFE connects to the compromised server, it becomes infected with the malicious SCSKAppLink.dll. The attacker then uses the ‘JuicyPotato’ privilege escalation malware to get higher privileges in the affected system and execute another malware – usoshared.dat – for decrypting downloaded data files and executing them so as to enable antivirus software circumvention.

Some of the consequences include:

  1. Sensitive data theft.
  2. Adverse effects on system performance.
  3. Installation of additional malware.
  4. Financial Loss.


i.  Service operator: Replace with the latest version through Initech

  • INISAFE CrossWeb EX V3

ii. Product user: If a vulnerable version of INISAFE CrossWeb EX V3 is installed on the system, uninstall it and update to the recent version.

iii.  Always update systems with the latest security patches.





Related Articles