AhnLab Security Emergency Response Centre (ASEC) has revealed that the North Korean state-sponsored Lazarus group is breaching Windows Internet Information Services (IIS) web servers and hijacking them to distribute malware. The campaign exploits a vulnerability in INISAFE CrossWeb EX V6, client-side security software from Initech that many Korean financial and public-sector websites require their users to install as a browser plug-in. Lazarus abuses a flaw in this software to deliver its malware: a system running a vulnerable version of INISAFE CrossWeb EX V6 is infected simply by visiting a compromised website in a web browser.
Description & Consequence
IIS is a web server platform used to host websites and services such as Microsoft’s Outlook on the web (OWA). The attackers rely on a “watering hole attack”: rather than approaching their intended victims directly, they compromise websites or services those victims regularly visit or use, so that the victims infect themselves in the course of normal browsing.
Social engineering or phishing is used to deliver a malicious HTM file to the target device. That HTM file is copied to a DLL, SCSKAppLink.dll, and injected into the INISAFE CrossWeb EX client. From then on, whenever a device running a vulnerable version of INISAFE connects to the compromised server, it is infected with the malicious SCSKAppLink.dll. The attackers then use the JuicyPotato privilege escalation tool to obtain higher privileges on the affected system and, with those privileges, execute a further component, usoshared.dat. This is a loader that decrypts downloaded data files and executes them in memory, so the final payload never sits on disk in a form antivirus software can readily scan.
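The two file names above, SCSKAppLink.dll and usoshared.dat, are the only host artifacts this advisory gives, and the text says the DLL is injected into a running client. The following PowerShell script is an added example, not code from ASEC or from the campaign, that hunts for both on a Windows host: first as modules mapped into live processes, then as files on disk. The search root, the choice to hash every hit and the output layout are assumptions made for this example.

```powershell
# Added example, not taken from the ASEC report: a host-side hunt for the two file
# names this advisory associates with the campaign. The search root and the
# decision to hash hits are assumptions made for this example.
$IocNames    = @('SCSKAppLink.dll', 'usoshared.dat')   # names from the advisory
$SearchRoots = @($env:SystemDrive + '\')                # assumed scope; narrow it for speed
$Findings    = [System.Collections.Generic.List[object]]::new()

# 1) Loaded modules. The advisory describes SCSKAppLink.dll being injected into the
#    INISAFE CrossWeb EX client, so that name mapped into any live process is a
#    stronger signal than a stray file. Run elevated to see other users' processes.
foreach ($proc in Get-Process) {
    try {
        foreach ($mod in $proc.Modules) {
            if ($IocNames -contains $mod.ModuleName) {
                $Findings.Add([pscustomobject]@{
                    Kind    = 'LoadedModule'
                    Process = "$($proc.ProcessName) (PID $($proc.Id))"
                    Path    = $mod.FileName
                    Sha256  = (Get-FileHash -Algorithm SHA256 -Path $mod.FileName -ErrorAction SilentlyContinue).Hash
                })
            }
        }
    } catch {
        # Protected processes and mismatched-bitness processes refuse module
        # enumeration; skip them rather than abort the whole sweep.
    }
}

# 2) On-disk copies under the search roots. The loader is a .dat file and may never
#    show up as a module, so a file scan is still needed to catch it.
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -Force -File -Include $IocNames -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Findings.Add([pscustomobject]@{
                Kind    = 'File'
                Process = ''
                Path    = $_.FullName
                Sha256  = (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash
            })
        }
}

if ($Findings.Count -eq 0) {
    Write-Output "No files or loaded modules named $($IocNames -join ', ') were found."
} else {
    # A name match is a lead, not a verdict: compare the hashes against the vendor's
    # published indicators before treating the host as compromised.
    $Findings | Sort-Object Kind, Path -Unique | Format-Table -AutoSize
}
```

The module check is deliberately placed first: a legitimate copy of a file on disk proves little, whereas a DLL of that name mapped into a running process matches the injection the advisory describes. Both checks are name-based only, so the hashes are recorded to let an analyst confirm or dismiss each hit.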
Some of the consequences include:
Sensitive data theft.
Adverse effects on system performance.
Installation of additional malware.
Recommendation
i. Service operators: deploy the latest version of INISAFE CrossWeb EX V3 obtained from the vendor, Initech.
ii. Product users: if a vulnerable version of INISAFE CrossWeb EX V3 is installed on the system, uninstall it and install the current version.
To check the installed version, open [Control Panel]-[Programs]-[Programs and Features], locate INISAFE CrossWeb EX V3 in the list and read the version shown; to remove it, select it and click “Uninstall”.
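The version check and uninstall above are described as Control Panel clicks, which does not scale across a fleet. The following PowerShell script is an added example, not part of the advisory, that reads the same data from the Windows uninstall registry keys that Programs and Features displays, flags any INISAFE CrossWeb EX install below a minimum version you supply, and optionally runs the registered uninstaller. The default minimum version is a placeholder assumption; take the real patched version from Initech, and run the script from an elevated shell when using the uninstall switch.

```powershell
# Added example, not part of the advisory: inventory INISAFE CrossWeb EX installs
# from the Windows uninstall registry keys (the same data Control Panel > Programs
# > Programs and Features shows), compare each version against a minimum you supply,
# and optionally run the registered uninstaller. The default minimum version is a
# placeholder assumption; take the real value from Initech's advisory.
param(
    [version]$MinimumSafeVersion = [version]'0.0.0.0',  # assumed placeholder, replace it
    [switch]$Uninstall                                   # removal needs an elevated shell
)

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

$installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'INISAFE CrossWeb EX*' }

if (-not $installs) {
    Write-Output 'INISAFE CrossWeb EX is not registered on this host.'
    return
}

foreach ($app in $installs) {
    $parsed = $null
    $status = 'UNKNOWN'   # missing or unparsable version: treat as suspect and review by hand
    if ([version]::TryParse([string]$app.DisplayVersion, [ref]$parsed)) {
        $status = if ($parsed -lt $MinimumSafeVersion) { 'VULNERABLE' } else { 'OK' }
    }

    [pscustomobject]@{
        Name        = $app.DisplayName
        Version     = $app.DisplayVersion
        Status      = $status
        Uninstaller = $app.UninstallString
    } | Format-List

    if ($Uninstall -and $status -ne 'OK' -and $app.UninstallString) {
        # UninstallString is a complete command line chosen by the installer (quotes,
        # switches and all), so hand it to cmd.exe instead of parsing it ourselves.
        Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $($app.UninstallString)" -Wait -NoNewWindow
    }
}
```

Anything with a version that cannot be parsed is reported as UNKNOWN and, when the uninstall switch is given, removed along with the vulnerable entries; erring towards removal is the safer default for a component the advisory says is being actively exploited, but it is a design choice you may want to reverse on systems where the plug-in is required.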