
Analysis of Lazarus Group's Attack Targeting Windows Web Servers

NetmanageIT OpenCTI - opencti.netmanageit.com


SUMMARY :

The Lazarus group has been targeting Windows web servers, particularly in South Korea, installing webshells and C2 scripts so that the compromised servers can be used as proxies. The attacks involve multiple stages, including the use of the LazarLoader malware and privilege escalation tools. The C2 scripts act as proxies between the malware and secondary C2 servers. Various webshells were identified, including RedHat Hacker and custom ASP shells. The LazarLoader downloader was used to fetch additional payloads, while a privilege escalation tool relied on UAC bypass techniques. The attackers aim to establish persistence and gain elevated access on the compromised systems.

OPENCTI LABELS :

windows, uac bypass, privilege escalation, webshell, iis, web servers, c2 proxy, lazarloader
