RedHat Hacker web shell | Image: ASEC
The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control (C2) infrastructure, leveraging compromised machines as proxy servers for further attacks. Researchers at the AhnLab Security Intelligence Center (ASEC) have uncovered a multi-stage attack chain that involves web shell deployment, the installation of the LazarLoader malware, and the use of privilege escalation tools.
The investigation revealed that Lazarus has been exploiting Internet Information Services (IIS) servers, planting ASP-based web shells and C2 scripts to mediate communication between infected machines and secondary command servers. ASEC notes that similar proxy tactics have been used in the past, stating:
“In May 2024, a case was identified in which the Lazarus group attacked a Korean web server and used it as a first-stage C2 server. The first-stage C2 server acts as a proxy for the next-stage C2 server, mediating the communication between the malware and the second-stage C2 server.”
Interestingly, the newly identified C2 script now supports cookie-based data exchange, in addition to traditional form data transmission, marking an evolution in Lazarus’ methodology. The commands supported by the C2 script range from file operations to proxy log management, reinforcing the group’s efforts to maintain covert persistence.
ASEC researchers found that multiple web shells were deployed in the compromised servers. One notable variant is the RedHat Hacker web shell, which has been seen in prior Lazarus attacks. Unlike previous campaigns where the password was ‘1234qwer’, this iteration used a modified credential, ‘2345rdx’.
“In the infected system, in addition to RedHat Hacker, two web shells named ‘file_uploader_ok.asp’ and ‘find_pwd.asp’ were found to be the same web shell.”
These web shells function without a user interface but support file operations, SQL queries, and remote command execution, enabling attackers to establish deeper footholds within compromised environments. Additionally, the obfuscation techniques applied to these shells make detection more difficult for security tools.
Beyond web shells, the attack campaign also involves LazarLoader, a downloader malware responsible for retrieving payloads from external sources and executing them in-memory. ASEC’s analysis indicates that Lazarus deployed LazarLoader using the IIS process (w3wp.exe):
“According to the AhnLab Smart Defense (ASD) infrastructure, it is presumed that the threat actor installed a web shell during the initial access stage and then exploited it to install LazarLoader.”
LazarLoader is equipped with a hardcoded URL for downloading additional malware. Its decryption routine uses a 16-byte key labeled “Node.Js_NpmStart”, hinting at a possible reference to Node.js.
Moreover, the attackers leveraged a privilege escalation malware disguised as sup.etl. This tool exploits User Account Control (UAC) bypass techniques, specifically abusing registry manipulations to execute payloads with elevated privileges. The attackers primarily exploited ComputerDefaults.exe and fodhelper.exe, both of which automatically execute child processes with administrator privileges.
Related Posts:
- New Golang Backdoor Employs Telegram for Command and Control
- Temptation from Money: Lazarus APT extended to cryptocurrencies
- Microsoft Graph API Exploited for Stealthy Attacks
