The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems.
The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat’s (APT) continued abuse of DLL side-loading techniques to run arbitrary payloads.
“The threat actor places a malicious DLL (msvcr100.dll) in the same folder path as a normal application (Wordconv.exe) via the Windows IIS web server process, w3wp.exe,” ASEC explained. “They then execute the normal application to initiate the execution of the malicious DLL.”
