Researchers have identified a series of sophisticated attacks by the notorious Lazarus group targeting South Korean web servers.
The threat actors have been breaching IIS servers to deploy ASP-based web shells, which are subsequently used as first-stage Command and Control (C2) servers that proxy communications to second-stage C2 infrastructure.
These attacks, identified in January 2025, represent an evolution of similar techniques observed in May 2024, signaling persistent and adaptive tactics from this state-sponsored threat group.
The Lazarus group has demonstrated a consistent pattern of compromising legitimate web servers to establish their attack infrastructure.
AhnLab Security Intelligence Centre (ASEC) reports that in the recently discovered campaigns, the attackers installed multiple ASP-format web shells on vulnerable IIS servers, including the modified “RedHat Hacker” web shell saved under the filename “function2.asp”.
Unlike previous iterations that used the password “1234qwer,” the latest variant employs “2345rdx” as its authentication mechanism, indicating an evolution in their operational security measures.
Additional web shells named “file_uploader_ok.asp” and “find_pwd.asp” were also deployed, providing the attackers with comprehensive capabilities for file manipulation, process operations, and even SQL query execution.
These web shells utilize sophisticated obfuscation techniques, remaining encoded in VBE format even after initial decoding, making detection and analysis challenging for security teams.
The technical sophistication of these web shells is evident in their command structure. The malicious code verifies initialization packets by checking if the second and third bytes contain the string “OK” and uses the first byte as an encryption key.
Further security is implemented through random strings such as “xdmCz1eQ:?EkQ0d%c%r%jgY!fjabTTA0” and “#N@BGjn8g5!yCJAfiEFzq04Cqr%dFvcX” for the respective web shells.
C2 Script Functionality and Evolution
The C2 script deployed in the January 2025 attacks functions as a proxy between compromised systems and the attackers’ infrastructure.
Unlike previous variants, the new script supports both form data and cookie data during the communication process, demonstrating the group’s continued refinement of their tools.
The script processes various commands depending on the “code” field value in form data.
Commands include “MidRequest” for redirecting data, “ProxyCheck” for saving Mid Info, “ReadFile” and “WriteFile” for file operations, “ClientHello” for responding with Mid Info, and others that facilitate the attackers’ control over the compromised system.
Beyond web shells, the attackers deployed LazarLoader malware to download additional payloads. This sophisticated loader decrypts and executes payloads in memory using a 16-byte key identified as “Node.Js_NpmStart”.
The infection chain typically begins with web shell installation and LazarLoader deployment through the w3wp.exe IIS web server process.
The attackers implemented privilege escalation through a malware component named “sup.etl,” which functions as a packer for UAC bypass techniques.
The malware uses commands like “rundll32.exe C:ProgramDataUSOSharedsup.etl,SerializeMarketTable_32 x9nsB3iYUWiDT6BZKO5pgtMW -v 62 -m D:/www/[path]/ac_lst.exe” to execute privilege escalation.
The “-v 62” parameter indicates exploitation of “ComputerDefaults.exe” for UAC bypass, while other values would trigger the use of “fodhelper.exe
Recommendations
Security researchers advise administrators to thoroughly inspect their web servers for vulnerabilities that could enable file uploads, particularly focusing on ASP-based web shells.
Regular password rotation and strict access controls are essential to prevent lateral movement should an initial compromise occur.
Organizations should also implement robust monitoring for suspicious process creation chains, especially those involving w3wp.exe spawning unusual processes.
Regular updates to security solutions like V3 are recommended to ensure the detection of known Lazarus group indicators of compromise.
The continued evolution of Lazarus techniques underscores the importance of proactive security measures against this persistent advanced threat actor targeting critical infrastructure worldwide.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
