Analysis of Lazarus Group's Attack Targeting Windows Web Servers

March 11, 2025, 4:53 p.m.

Description

The Lazarus group has been attacking Windows web servers, particularly in South Korea, installing webshells together with C2 scripts so that the compromised servers can be used as proxies. The attacks run in several stages: compromise of the web server, deployment of a webshell, installation of a C2 script, and delivery of the LazarLoader malware and a privilege escalation tool. The C2 script on the web server relays traffic between the malware on an infected host and the secondary C2 servers, so the web server is what the malware talks to rather than the attackers' own infrastructure. Several webshells were identified, including the RedHat Hacker webshell and custom ASP shells. LazarLoader is a downloader that fetches and runs additional payloads, while the privilege escalation tool relies on UAC bypass techniques. The attackers' aim is to establish persistence and obtain elevated access on the compromised systems.
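The practical hunting question behind this report is how to find the webshell on a Windows web server once it is in place. The script below is an added example, not code from the original report or from the analysis it summarises: it parses IIS W3C extended-format logs and flags script endpoints (.asp, .aspx, .ashx, .asmx) that are POSTed to directly by one or two client addresses, carry no Referer and are never browsed by ordinary visitors. That is the traffic shape of an operator driving a webshell or a C2 relay script, as opposed to a normal application page that many users reach from links on the site. The log lines, hostnames, IP addresses and the thresholds `max_clients` and `min_posts` are constructed for the example and are assumptions, not indicators from the report.

```python
"""Hunt for web-shell / C2-relay traffic in IIS W3C extended logs.

Heuristic (an assumption of this example, not a finding of the report):
a web shell is a server-side script that is POSTed to directly, usually by a
handful of client addresses, with no Referer, and that ordinary site visitors
never request. Legitimate application endpoints are reached by many clients
and normally carry a Referer from the site itself.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx", ".asmx")


@dataclass
class EndpointStats:
    posts: int = 0
    gets: int = 0
    referer_posts: int = 0                      # POSTs that carried a Referer
    post_clients: set = field(default_factory=set)
    get_clients: set = field(default_factory=set)
    post_user_agents: set = field(default_factory=set)


def parse_w3c(lines):
    """Yield one dict per request from IIS W3C log lines.

    The '#Fields:' directive names the columns; other '#' lines are metadata
    and are skipped. Lines whose column count does not match are dropped
    rather than mis-aligned.
    """
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def collect_stats(records):
    """Aggregate per-URI statistics for script endpoints only."""
    stats = defaultdict(EndpointStats)
    for r in records:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXTENSIONS):
            continue
        s = stats[stem]
        method = r["cs-method"].upper()
        client = r["c-ip"]
        if method == "POST":
            s.posts += 1
            s.post_clients.add(client)
            s.post_user_agents.add(r.get("cs(User-Agent)", "-"))
            if r.get("cs(Referer)", "-") != "-":
                s.referer_posts += 1
        elif method == "GET":
            s.gets += 1
            s.get_clients.add(client)
    return stats


def find_webshell_candidates(lines, max_clients=2, min_posts=3):
    """Return sorted [(uri-stem, reason)] for endpoints matching >= 2 signals."""
    findings = []
    for stem, s in collect_stats(parse_w3c(lines)).items():
        if s.posts < min_posts:
            continue                              # too little traffic to judge
        reasons = []
        if len(s.post_clients) <= max_clients:
            reasons.append(f"POSTed to by only {len(s.post_clients)} client(s)")
        if s.referer_posts == 0:
            reasons.append("no POST carried a Referer")
        if len(s.get_clients) <= max_clients:
            reasons.append(f"GET traffic from only {len(s.get_clients)} client(s)")
        if len(reasons) >= 2:
            findings.append((stem, "; ".join(reasons)))
    return sorted(findings)


# Constructed sample log (hostnames, addresses and paths are made up).
# IIS writes spaces inside fields as '+', so the user agent has none here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-03-10 09:00:01 192.0.2.10 GET /login.aspx - 443 - 198.51.100.21 Mozilla/5.0 https://www.example.test/ 200 0 0 15
2025-03-10 09:00:05 192.0.2.10 GET /login.aspx - 443 - 198.51.100.22 Mozilla/5.0 https://www.example.test/ 200 0 0 12
2025-03-10 09:00:09 192.0.2.10 GET /login.aspx - 443 - 198.51.100.23 Mozilla/5.0 https://www.example.test/ 200 0 0 11
2025-03-10 09:00:20 192.0.2.10 POST /login.aspx - 443 - 198.51.100.21 Mozilla/5.0 https://www.example.test/login.aspx 302 0 0 40
2025-03-10 09:00:31 192.0.2.10 POST /login.aspx - 443 - 198.51.100.22 Mozilla/5.0 https://www.example.test/login.aspx 302 0 0 38
2025-03-10 09:00:44 192.0.2.10 POST /login.aspx - 443 - 198.51.100.23 Mozilla/5.0 https://www.example.test/login.aspx 302 0 0 41
2025-03-10 09:01:02 192.0.2.10 GET /images/logo.png - 443 - 198.51.100.21 Mozilla/5.0 https://www.example.test/ 200 0 0 3
2025-03-10 23:12:10 192.0.2.10 POST /images/upload.asp - 443 - 10.0.0.5 python-requests/2.31.0 - 200 0 0 530
2025-03-10 23:12:41 192.0.2.10 POST /images/upload.asp - 443 - 10.0.0.5 python-requests/2.31.0 - 200 0 0 1210
2025-03-10 23:13:07 192.0.2.10 POST /images/upload.asp - 443 - 10.0.0.5 python-requests/2.31.0 - 200 0 0 77
2025-03-10 23:15:55 192.0.2.10 POST /images/upload.asp - 443 - 10.0.0.5 python-requests/2.31.0 - 200 0 0 4200
"""

if __name__ == "__main__":
    for stem, reason in find_webshell_candidates(SAMPLE_LOG.splitlines()):
        print(f"{stem}: {reason}")
```

On the constructed log the script flags only `/images/upload.asp`: the login page is also POSTed to, but from several clients and always with a Referer, so it is left alone. On a real server, run it over the log directory for the window since the suspected compromise, then compare every flagged path against the file's creation time and the IIS worker process that owns it; a script file that the application deployment does not account for is what the report describes.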

Date

  • Created: March 11, 2025, 2:20 p.m.
  • Published: March 11, 2025, 2:20 p.m.
  • Modified: March 11, 2025, 4:53 p.m.

Attack Patterns

  • LazarLoader (malware)
  • Lazarus (intrusion set)
  • T1505.003 Server Software Component: Web Shell
  • T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1105 Ingress Tool Transfer
  • T1071 Application Layer Protocol
  • T1134 Access Token Manipulation
  • T1190 Exploit Public-Facing Application

Additional Information

  • Government