Vulnerable Microsoft Internet Information Services instances have been targeted by the North Korean state-sponsored threat operation Lazarus Group to facilitate malware deployment efforts, reports The Hacker News.
Lazarus Group has been using the Windows IIS web server process w3wp.exe to place the malicious msvcr100.dll library in the Wordconv.exe application, according to a report from the AhnLab Security Emergency response Center (ASEC).
Running the app triggers loading of the DLL, which decrypts and executes an encoded payload before abusing the defunct Notepad++ plugin 'Quick Color Picker' to deliver credential-stealing malware, researchers said.
"...[S]ince the threat group primarily utilizes the DLL side-loading technique during their initial infiltrations, companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement," noted ASEC.
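One way to act on ASEC's advice about abnormal process relationships, written here as an added example (not code from the original report or from AhnLab): it scans constructed Sysmon-style events for w3wp.exe spawning unexpected children and for msvcr100.dll being loaded from the executable's own directory instead of a system directory. The child allowlist and the system directory paths are assumptions to tune per environment.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process
# creation, EventID 7 = image load. Field names follow Sysmon; values are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\ProgramData\Wordconv.exe"},
    {"EventID": "7", "Image": r"C:\ProgramData\Wordconv.exe",
     "ImageLoaded": r"C:\ProgramData\msvcr100.dll"},
    {"EventID": "7", "Image": r"C:\Program Files\SomeApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\msvcr100.dll"},
]

# Assumption: children the IIS worker process is expected to spawn in this environment.
W3WP_ALLOWED_CHILDREN = {"conhost.exe"}
# Assumption: directories where the genuine VC++ runtime DLL normally resides.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def find_suspicious(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs for events matching the side-loading pattern."""
    findings = []
    for ev in events:
        if ev.get("EventID") == "1" and _base(ev.get("ParentImage", "")) == "w3wp.exe":
            # Rule 1: the IIS worker process spawning anything outside the allowlist.
            if _base(ev["Image"]) not in W3WP_ALLOWED_CHILDREN:
                findings.append(("w3wp_child", ev["Image"]))
        elif ev.get("EventID") == "7" and _base(ev.get("ImageLoaded", "")) == "msvcr100.dll":
            # Rule 2: the DLL sits next to the loading executable, outside system dirs.
            # Legitimate apps also bundle msvcr100.dll, so treat this as a triage lead
            # and correlate it with rule 1 rather than alerting on it alone.
            dll_dir = _dir(ev["ImageLoaded"])
            if dll_dir == _dir(ev["Image"]) and dll_dir not in SYSTEM_DIRS:
                findings.append(("sideload_dll", ev["Image"]))
    return findings


if __name__ == "__main__":
    for rule, image in find_suspicious(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```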
Ukraine has been targeted by Russian threat actors in the new Operation Texonto disinformation campaign, which also involved spear-phishing and credential exfiltration tactics, according to The Hacker News.
Record-high ransomware and data extortion incidents experienced by Western nations last year have prompted former National Security Agency Director Michael Rogers to call for a reevaluation of their cybersecurity defense strategy.