Hijacked Microsoft IIS Servers Used to Distribute Malware

Risk: high
Damage: high
Platform(s): Microsoft® Windows OS
Advisory ID: ngCERT-2023-0027
Version: N/A
CVE: N/A
Published: July 27, 2023

Summary


AhnLab Security Emergency Response Centre (ASEC) has revealed that the North Korean state-sponsored Lazarus hacking group is breaching Windows Internet Information Service (IIS) web servers to hijack them for malware distribution. This latest campaign takes advantage of a weakness in INISAFE CrossWeb EX V6 to transmit the Lazarus malware. INISAFE CrossWeb EX V6 is a software used to protect against malicious websites and malware attacks. However, it has been reported that the Lazarus group has exploited a vulnerability in the software to distribute malware. The malware is installed when a system using a vulnerable version of INISAFE CrossWeb EX V6 visits a website via a web browser.

Description & Consequence


IIS is a web server platform used to host websites and services such as Microsoft’s Outlook on the web (OWA). The attackers use what is known as a “watering hole attack” to target its potential victims by infecting websites or services they frequently visit or use.

Social engineering and/or phishing techniques are used to infect a target device with a malicious HTM file, which is then copied to a DLL file (SCSKAppLink.dll) and inserted into the INISAFE CrossWeb EX client. When a device running a vulnerable version of INISAFE connects to the compromised server, it is infected with the malicious SCSKAppLink.dll. The attacker then uses the ‘JuicyPotato’ privilege escalation malware to obtain higher privileges on the affected system and to execute another piece of malware, usoshared.dat, which decrypts downloaded data files and executes them in order to evade antivirus software.

Some of the consequences include:

  1. Sensitive data theft.
  2. Adverse effects on system performance.
  3. Installation of additional malware.
  4. Financial loss.

Solution


i.  Service operator: Replace with the latest version through Initech

  • INISAFE CrossWeb EX V3 3.3.2.41

ii. Product user: If a vulnerable version of INISAFE CrossWeb EX V3 is installed on the system, uninstall it and update to the recent version.

iii.  Always update systems with the latest security patches.
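A defender-side triage check for the version threshold and file names given in this advisory, added here as an example; it is not code from ngCERT, AhnLab or Initech. It assumes a software inventory in the form host|product|version and a file listing in the form host|path (both constructed here, including the sample paths), treats any INISAFE CrossWeb EX V3 build older than 3.3.2.41 as vulnerable, and flags the file names SCSKAppLink.dll and usoshared.dat. A file-name match is a lead for investigation, not proof of compromise.

```python
# Added triage example (not ngCERT or AhnLab code); input formats and
# sample data are assumed/constructed, see the lead-in above.

FIXED_VERSION = (3, 3, 2, 41)             # fixed build named in the Solution
PRODUCT_NAME = "INISAFE CrossWeb EX V3"   # product the fix applies to
SUSPECT_FILES = {"scskapplink.dll", "usoshared.dat"}  # named in the advisory

def parse_version(text):
    """Turn '3.3.2.40' into a 4-tuple of ints; missing parts count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def is_vulnerable_version(version):
    """True when the installed build is older than the fixed version."""
    return parse_version(version) < FIXED_VERSION

def triage(inventory_lines, file_lines):
    """Return {host: [findings]} for hosts that need follow-up."""
    findings = {}
    for line in inventory_lines:
        host, product, version = (f.strip() for f in line.split("|", 2))
        if product == PRODUCT_NAME and is_vulnerable_version(version):
            findings.setdefault(host, []).append(
                f"vulnerable {product} {version} (fix: 3.3.2.41)")
    for line in file_lines:
        host, path = (f.strip() for f in line.split("|", 1))
        # Match on the bare file name regardless of directory or case.
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SUSPECT_FILES:
            findings.setdefault(host, []).append(f"suspect file {path}")
    return findings

# Constructed sample data: two inventory entries and three file entries.
SAMPLE_INVENTORY = [
    "WS01|INISAFE CrossWeb EX V3|3.3.2.40",   # older than the fixed build
    "WS02|INISAFE CrossWeb EX V3|3.3.2.41",   # already at the fixed build
]
SAMPLE_FILES = [
    "WS01|C:\\Users\\Public\\SCSKAppLink.dll",     # constructed path
    "WS02|C:\\Windows\\System32\\kernel32.dll",    # benign, not flagged
    "WS04|C:\\ProgramData\\usoshared.dat",         # constructed path
]

if __name__ == "__main__":
    for host, items in sorted(triage(SAMPLE_INVENTORY, SAMPLE_FILES).items()):
        print(host, "->", "; ".join(items))
```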
