AhnLab SEcurity intelligence Center (ASEC) has identified cases of the Lazarus group breaching legitimate servers and using them as C2 servers. Attacks that install a web shell and C2 script on South Korean web servers continue to occur, and in some cases the LazarLoader malware and privilege escalation tools were also identified. […]
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
The threat actor identified is the **Lazarus group**. They are known for installing web shells and Command and Control (C2) scripts on compromised servers, specifically targeting South Korean web servers.
## Activity Summary
Recent activity identified in May 2024 and January 2025 involves the Lazarus group breaching ordinary web servers (including IIS servers) and using them as first-stage C2 proxies. Initial access appears to be achieved by exploiting file upload vulnerabilities to install web shells. After exploitation, the actor installed the **LazarLoader** malware and a privilege escalation tool to elevate access to the administrator level, potentially using an existing backdoored executable (`ac_lst.exe`).
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Exploiting file upload vulnerabilities to install web shells (ASP format).
- **Persistence/Defense Evasion:** Use of multiple web shells, including "RedHat Hacker," `file_uploader_ok.asp`, and `find_pwd.asp`, often encoded in VBE format and still obfuscated after decoding.
- **Command and Control (C2):** Using infected web servers as first-stage C2 proxies to relay communication to a second-stage C2 server.
- **C2 Script Functionality:** Scripts support communication via form data or cookie data, handling commands like `Redirect data`, `ReadFile`, `WriteFile`, `ProxyCheck`, etc.
- **Data Obfuscation:** Web shells use specific initialization sequences (e.g., checking for the string 'OK' in bytes 2 and 3) and dynamic keys (the first byte of the received data, plus random strings) to decrypt packet data.
- **Execution/Persistence:** Installation of **LazarLoader** malware, which downloads and executes payloads in memory.
- **Privilege Escalation:** Use of a privilege escalation malware capable of **UAC Bypass** by manipulating the registry to execute a designated program (`ac_lst.exe`) via auto-elevate processes like `ComputerDefaults.exe` or `fodhelper.exe`.
## Targeting
- **Sectors:** Web servers (general infrastructure targeted).
- **Geography:** South Korea (specifically targeting Korean web servers).
- **Victims:** Poorly managed or unpatched vulnerable web servers.
## Tools & Infrastructure
- **Malware Families Used:**
  - LazarLoader (loader malware)
  - Privilege escalation malware (UAC bypass functionality)
  - RedHat Hacker web shell
- **Infrastructure/C2:**
  - ASP format web shells and C2 scripts acting as proxies.
  - Data files used for communication: `Bottom1.gif`, `Bottom2.gif`, `Bottom3.gif`.
  - Web shell passwords identified: '1234qwer' (past), '2345rdx' (recent).
  - Specific executable linked to privilege escalation: `ac_lst.exe`.
## Implications
Lazarus continues to compromise web infrastructure, leveraging these systems not just for data theft but as staging points (C2 proxies) for further adversarial activity. The combination of web shells, LazarLoader, and known UAC bypass techniques indicates a sophisticated, multi-stage intrusion designed to establish persistent, high-privilege access on compromised hosts.
## Mitigations
- Strengthen web server security, focusing specifically on preventing **file upload vulnerabilities** to block initial web shell installation.
- Implement regular security patching and configuration hardening for web servers (IIS/ASP environments).
- Regularly audit systems for suspicious web shells, encoded scripts (VBE), and unexpected registry modifications used for auto-elevation.
- Update security solutions (V3) to detect known malware strains like LazarLoader and associated files.
- Implement strong access controls and mandate regular password changes to disrupt lateral movement attempts using stolen credentials.
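The registry audit recommended above, for the auto-elevation technique described under Privilege Escalation, as an added example (not code from the ASEC report). It assumes that the auto-elevating binaries named in the report (`fodhelper.exe`, `ComputerDefaults.exe`) resolve the `ms-settings` protocol handler from the user's Classes hive, so a per-user `ms-settings\shell\open\command` key should not exist on a clean host; the function name `Get-AutoElevateHijackFinding` is the author's own.

```powershell
# Added example: audit every loaded user hive for the per-user ms-settings
# handler key consulted by fodhelper.exe / ComputerDefaults.exe. Run elevated
# so that all hives under HKEY_USERS are readable.
$relativeKeys = @(
    'Software\Classes\ms-settings\shell\open\command',  # ntuser.dat view
    'ms-settings\shell\open\command'                     # UsrClass.dat (<SID>_Classes) view
)

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-AutoElevateHijackFinding {
    $findings = @()
    foreach ($hive in Get-ChildItem -Path 'HKU:\') {
        $name = $hive.PSChildName
        # HKCU\Software\Classes is a link to HKU\<SID>_Classes, so the *_Classes
        # hives carry the key at their root; the others keep it under Software\Classes.
        $rel  = if ($name -like '*_Classes') { $relativeKeys[1] } else { $relativeKeys[0] }
        $path = "HKU:\$name\$rel"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $props = Get-ItemProperty -LiteralPath $path
        $findings += [pscustomobject]@{
            Hive            = $name
            Key             = $path
            Command         = $props.'(default)'      # program the auto-elevate process would launch
            DelegateExecute = $props.DelegateExecute  # an empty value disables the normal COM handler
        }
    }
    return $findings
}

$results = @(Get-AutoElevateHijackFinding)
if ($results.Count -eq 0) {
    Write-Output 'No per-user ms-settings handler keys found.'
} else {
    $results | Format-Table -AutoSize
    # Every row warrants triage: record the command line, compare it against the
    # report's ac_lst.exe indicator, and collect the launched binary before
    # removing the key.
}
```

Schedule the script on IIS hosts alongside web shell scanning, since the report places the privilege escalation tool on the same compromised servers.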