
North Korea threat actor Lazarus group is targeting Windows IIS web servers to launch espionage attacks, according to a new analysis by AhnLab Security Emergency response Center (ASEC).

The researchers said the approach represents a variation on the dynamic-link library (DLL) side-loading technique, a tactic regularly utilized by the state-affiliated group.

Here, they believe the attackers use “poorly managed or vulnerable web servers as their initial breach routes before executing their malicious commands later.”

ASEC explained: “The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe. They then execute the normal application to initiate the execution of the malicious DLL. In MITRE ATT&CK, this method of attack is categorized as the DLL side-loading (T1574.002) technique.”

Following initial infiltration, Lazarus establishes a foothold before creating additional malware (diagn.dll) by exploiting the open-source ‘color picker plugin,’ which is a plugin for Notepad++. This malware facilitates credential theft and lateral movement, ideal for carrying out espionage operations.

ASEC highlighted the growing sophistication of the Lazarus group, and its ability to utilize a range of attack vectors to perform its initial breach.

Last year, Microsoft published an advisory warning that North Korea-associated threat actors were weaponizing legitimate open-source software to target employees in organizations across multiple industries.

The researchers warned: “[Lazarus] is one of the highly dangerous groups that are actively launching attacks worldwide. These have been demonstrated in incidents like Log4Shell, public certificate vulnerability and the 3CX supply chain attack. Therefore, corporate security managers should utilize attack surface management to identify the assets that could be exposed to threat actors and practice caution by applying the latest security patches whenever possible.”

They added that due to Lazarus’ focus on the DLL side-loading technique during initial infiltrations, “companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.”
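The chain described above (w3wp.exe drops a DLL next to a legitimate executable, launches that executable, and the executable loads the DLL from its own directory) is exactly the kind of “abnormal process execution relationship” ASEC recommends monitoring. The script below is an added example, not ASEC’s or AhnLab’s code, showing how such a hunt can be expressed as rules over Sysmon-style telemetry. The events are constructed for illustration; the Sysmon event IDs and field names (1 = process create, 7 = image load, 11 = file create, `Image`, `ParentImage`, `ImageLoaded`, `TargetFilename`, `ProcessGuid`) are real, but the allowlist of expected w3wp.exe children and the list of runtime DLLs treated as “should come from System32” are assumptions to tune per environment. It goes slightly beyond the article by covering the file-drop step as well as the launch and load steps.

```python
"""Hunt for DLL side-loading chains launched from an IIS worker (w3wp.exe).

Added example, not ASEC's code. Events are constructed Sysmon-style records:
Event ID 1 = process create, 7 = image load, 11 = file create.
"""
import ntpath
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"
# Assumption: an ASP.NET worker rarely spawns children; the C# compiler is the
# one routine case. Anything else is reported for review.
ALLOWED_W3WP_CHILDREN = {"csc.exe", "conhost.exe"}
# Assumption: these runtime DLLs normally load from a Windows system directory.
# A copy beside the host executable is the Wordconv.exe + msvcr100.dll pattern.
SYSTEM_DLLS = {"msvcr100.dll", "msvcp100.dll", "version.dll", "dbghelp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
BINARY_SUFFIXES = (".dll", ".exe")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _under_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def _same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def analyse(events):
    """Return findings for w3wp.exe file drops, unexpected w3wp.exe children,
    and system-named DLLs loaded from an application's own directory.

    Image-load findings are escalated when the loading process was itself
    spawned by w3wp.exe, which is the full chain ASEC describes.
    """
    findings = []
    children_of_w3wp = set()  # ProcessGuids of processes w3wp.exe started

    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and _base(ev["Image"]) == IIS_WORKER:
            if ev["TargetFilename"].lower().endswith(BINARY_SUFFIXES):
                findings.append(Finding("w3wp-drops-binary", ev["Image"],
                                        f"wrote {ev['TargetFilename']}"))
        elif eid == 1 and _base(ev["ParentImage"]) == IIS_WORKER:
            children_of_w3wp.add(ev["ProcessGuid"])
            if _base(ev["Image"]) not in ALLOWED_W3WP_CHILDREN:
                findings.append(Finding("w3wp-child", ev["Image"],
                                        f"spawned by {ev['ParentImage']}"))
        elif eid == 7:
            loaded = ev["ImageLoaded"]
            if (_base(loaded) in SYSTEM_DLLS
                    and not _under_system_dir(loaded)
                    and _same_dir(loaded, ev["Image"])):
                rule = ("sideload-from-w3wp" if ev["ProcessGuid"] in children_of_w3wp
                        else "sideload-candidate")
                findings.append(Finding(rule, ev["Image"],
                                        f"loaded {loaded} from application directory"))
    return findings


# Constructed sample telemetry (not real logs); GUIDs are placeholders.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE_EVENTS = [
    # the worker writes a runtime DLL into a web-writable folder
    {"EventID": 11, "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\tmp\msvcr100.dll"},
    # benign: ASP.NET compiles a page
    {"EventID": 1, "ProcessGuid": "{A1}", "ParentImage": W3WP,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    # suspicious: the worker launches a document converter from that folder
    {"EventID": 1, "ProcessGuid": "{B2}", "ParentImage": W3WP,
     "Image": r"C:\inetpub\wwwroot\tmp\Wordconv.exe"},
    # the converter loads msvcr100.dll from its own directory, not System32
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\inetpub\wwwroot\tmp\Wordconv.exe",
     "ImageLoaded": r"C:\inetpub\wwwroot\tmp\msvcr100.dll"},
    # benign: same DLL name, loaded from System32 by an unrelated process
    {"EventID": 7, "ProcessGuid": "{C3}", "Image": r"C:\Program Files\Tool\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},
    # app-local copy by a process with no IIS lineage: candidate only
    {"EventID": 7, "ProcessGuid": "{D4}", "Image": r"C:\Program Files\Legacy\legacy.exe",
     "ImageLoaded": r"C:\Program Files\Legacy\msvcr100.dll"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Note the last sample event: many legitimate applications ship their own copy of msvcr100.dll, so a system-named DLL loading from an application directory is only a candidate on its own. What makes the Wordconv.exe case actionable is the lineage, a process spawned by the IIS worker loading a DLL the worker itself wrote, which is why the rules correlate on `ProcessGuid` rather than firing on the image load alone.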
