Analysis of Lazarus Group’s Attack on Windows Web Servers
AhnLab SEcurity intelligence Center (ASEC) has identified attack cases in which the Lazarus group breached a legitimate server and used it as a C2 server. Attacks that install a web shell and a C2 script on South Korean web servers continue to occur, and in some cases the LazarLoader malware and a privilege escalation tool were also identified.
1. C2 Script (Proxy)
In May 2024, a case was identified in which the Lazarus group attacked a Korean web server and used it as a first-stage C2 server. The first-stage C2 server acts as a proxy for the next-stage C2 server, mediating the communication between the malware and the second-stage C2 server. Note that the targeted web server was an IIS server, so a web shell in ASP format and a C2 script were used. This is the same type as the one disclosed by Kaspersky in December 2020.

Figure 1. The same type as the C2 script publicly disclosed by Kaspersky
The attack cases confirmed in January 2025 are also similar to the past cases, and the Lazarus group is presumed to have used the compromised infrastructure as the first-stage C2 server. A C2 script for the first stage has been identified; while it is not identical to the one from the past cases, it serves the same practical purpose, operating as a proxy. One difference from the past cases is that the script supports cookie data in addition to form data during the communication process.

Figure 2. Newly identified C2 script
If the data arrives as form data, the command is selected by the number transmitted in the ‘code’ field. If the data arrives in a cookie, it is parsed internally and then used.
| Code | Command | Function |
|---|---|---|
| 0 | MidRequest | Redirect data |
| 1 | ProxyCheck | Save Mid Info |
| 2 | ReadFile | Read file |
| 3 | WriteFile | Write file |
| 4 | ClientHello | Respond with Mid Info and Write Proxy Log |
| 5 | ProxyLog | Respond with Proxy Log |
| 6 | CheckFileTransfer | Look up file |
Table 1. Commands supported in the form method
| Code | Command | Function |
|---|---|---|
| 0 | MidRequest | Redirect data |
| 2 | ReadFile | Read file |
| 3 | WriteFile | Write file |
| 4 | ClientHello | Respond with Mid Info and write Proxy Log |
Table 2. Commands supported in the cookie method
In previous cases, files such as ‘_ICEBIRD007.dat’ and ‘~F05990302ERA.jpg’ were used; judging from the variable names in the web shell, the data files used this time are as follows.
| Path | Purpose |
|---|---|
| Bottom1.gif | Mid Info (Mode and ID number) |
| Bottom2.gif | Proxy Log |
| Bottom3.gif | Response Page |
Table 3. Data files used
2. Analysis of WebShell
The attack case disclosed in January 2025 also used the RedHat Hacker web shell, as in the case disclosed in May 2024, and it was installed under the name ‘function2.asp.’ In the previous case, the RedHat Hacker web shell used the same password, ‘1234qwer,’ as in a report published by HvS-Consulting AG in the past. The web shell used in this case, however, is characterized by the use of ‘2345rdx’ as the password.

Figure 3. RedHat Hacker web shell
In the infected system, in addition to RedHat Hacker, two web shells named ‘file_uploader_ok.asp’ and ‘find_pwd.asp’ were found; they are the same web shell under different names. It provides no user interface (UI), but it supports file and process operations as well as SQL queries. Additionally, all of the identified web shells and C2 scripts are in the encoded VBE format, and even after decoding they remain obfuscated.
The web shells ‘file_uploader_ok.asp’ and ‘find_pwd.asp’ check whether the second and third bytes of the received data are the string ‘OK’ and use the first byte as the key for decrypting the packet data. In addition to that first byte, the decryption uses a fixed random string, ‘xdmCz1eQ:?EkQ0d%c%r%jgY!fjabTTA0’ and ‘#N@BGjn8g5!yCJAfiEFzq04Cqr%dFvcX’ respectively.

Figure 4. Routine for verifying initialization and transmission packets
This web shell receives its data in JSON format and supports the following commands.
| Command | Function |
|---|---|
| check | Respond with OS version and WebShell version |
| index | Responds with the web server root path, current script path, and available drive information |
| dir | Look up directory |
| dn | Download file |
| up | Upload file |
| del | Delete file or directory |
| create | Create file or directory |
| mv | Move file |
| mtime | Change file modification time |
| mhash | Calculate file hash |
| read | Read file |
| write | Write file |
| run | Run command |
| test | SQL connection test for the received address |
| sql | SQL Query or Dump |
Table 4. Web shell commands supported
3. Analysis of LazarLoader and Privilege Escalation Tool
On another web server where the web shells above were installed, the LazarLoader malware and a privilege escalation malware with a UAC bypass feature were also found. LazarLoader here refers to a family of loader malware that downloads payloads from external sources, or reads them from files or the registry on the system, and then decrypts and executes them in memory.
According to the AhnLab Smart Defense (ASD) infrastructure, it is presumed that the threat actor installed a web shell during the initial access stage and then exploited it to install LazarLoader. Below is a log showing the installation of LazarLoader through w3wp.exe, an IIS web server process.

Figure 5. Installation log of LazarLoader confirmed by AhnLab Smart Defense (ASD)
In these attack cases, the identified LazarLoader is of the downloader type and is characterized by a hard-coded address from which the payload is downloaded. The routines that decrypt the payload, check that it is a PE file, and finally load it in memory are the same as in other LazarLoader variants. The 16-byte key “Node.Js_NpmStart” is used to decrypt the downloaded payload.

Figure 6. String used for decryption
The payload downloaded by the LazarLoader used in this attack is currently unavailable, but it is suspected to have been a type of backdoor. After installation, logs were found showing the additional malware being executed as shown below.
> rundll32.exe C:\ProgramData\USOShared\sup.etl,SerializeMarketTable_32 x9nsB3iYUWiDT6BZKO5pgtMW -v 62 -m D:/www/**********/********/******/****/ac_lst.exe > C:\ProgramData\USOShared\log.txt

Figure 7. LazarLoader executing privilege escalation tool
“sup.etl” is a privilege escalation malware in a packer-like form. When it is first executed, it uses the key “x9nsB3iYUWiDT6BZKO5pgtMW”, passed as an argument, to decrypt the original malware embedded inside it and then executes it in memory.
The first argument is thus the decryption key for the internal payload, and the value following the second argument, “-v”, is 62. The decrypted payload is suspected to have been taken from a specific feature of UACMe and reused by the threat actor: 62 is the method number that the actual UACMe assigns to the UAC bypass technique using “ComputerDefaults.exe”. When the “-v” option is set to 62, “ComputerDefaults.exe” is used; for any other value, “fodhelper.exe” is used. If the value is “11259375” (0xABCDEF in hexadecimal), the tool does nothing and terminates.
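The indicators quoted in sections 2 and 3 (the web shell password, the two packet-key strings, the LazarLoader decryption key, and the sup.etl export name and key) are plain strings that survive in files on disk, so a simple sweep of the web root and ProgramData is a practical first check. The PowerShell script below is an added example and not code from ASEC's report; the default paths, the extension list and the VBE-marker check are assumptions, while the indicator strings and file names are taken from the report.

```powershell
# Added example, not code from ASEC's report: sweep a web root and ProgramData for
# the file names and strings the report attributes to the RedHat Hacker / JSON web
# shells, LazarLoader and sup.etl. Default paths, extension list and output format
# are assumptions; the indicator strings and file names are taken from the report.
param(
    [string[]]$Paths = @('C:\inetpub\wwwroot', 'C:\ProgramData'),
    [string[]]$Extensions = @('.asp', '.asa', '.etl', '.exe', '.dat', '.gif', '.txt')
)

# Strings quoted in the report: web shell password, the two packet-key strings,
# the LazarLoader decryption key, and the sup.etl export name and decryption key.
$Indicators = @(
    '2345rdx',
    'xdmCz1eQ:?EkQ0d%c%r%jgY!fjabTTA0',
    '#N@BGjn8g5!yCJAfiEFzq04Cqr%dFvcX',
    'Node.Js_NpmStart',
    'x9nsB3iYUWiDT6BZKO5pgtMW',
    'SerializeMarketTable_32'
)

# File names the report associates with the web shells, the proxy's data files and
# the privilege escalation chain.
$SuspectNames = @(
    'function2.asp', 'file_uploader_ok.asp', 'find_pwd.asp',
    'Bottom1.gif', 'Bottom2.gif', 'Bottom3.gif',
    'sup.etl', 'ac_lst.exe'
)

function Test-FileIndicators {
    param([System.IO.FileInfo]$File)

    $hits = New-Object System.Collections.Generic.List[string]
    if ($SuspectNames -contains $File.Name) { $hits.Add("name:$($File.Name)") }

    # Decode the raw bytes as Latin-1 so every byte maps to exactly one character;
    # the indicator strings are plain ASCII, so this keeps them intact.
    $bytes = [System.IO.File]::ReadAllBytes($File.FullName)
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)

    # The report notes that the web shells and C2 scripts are VBE-encoded. Output of
    # the Microsoft Script Encoder starts with the marker '#@~^', so an ASP file that
    # contains it is worth a look even without any other indicator (general knowledge
    # about the encoder, not something the report states).
    if (($File.Extension -in '.asp', '.asa') -and ($text -match '#@~\^')) {
        $hits.Add('vbe-encoded-script')
    }

    foreach ($indicator in $Indicators) {
        if ($text.Contains($indicator)) { $hits.Add("string:$indicator") }
    }

    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            Path      = $File.FullName
            LastWrite = $File.LastWriteTime
            Hits      = ($hits -join '; ')
        }
    }
}

foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in $Extensions } |
        ForEach-Object { Test-FileIndicators -File $_ }
}
```

Run it from an account that can read the web root (pass additional roots with `-Paths` when sites live outside `C:\inetpub\wwwroot`). Every line of output is a lead, not a verdict: a VBE-encoded ASP file or a file named `Bottom1.gif` is suspicious only in context, whereas a hit on one of the quoted key strings is strong evidence and the file should be preserved for analysis before anything is deleted.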
| Order | Argument | Function |
|---|---|---|
| 1 | N/A | Key Used for Decrypting Internal Payload |
| 2 | -v | UACMe ID |
| 3 | -m | Path of the file to execute |
Table 5. Arguments of the privilege escalation tool
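The log line in Figure 7 and the argument layout in Table 5 together give a usable triage rule for process-creation telemetry: rundll32 loading a module whose name does not end in .dll, from a user-writable directory, with a key/-v/-m argument pattern and output redirected to a file. The script below is an added example and not ASEC's code; the first sample command line is the report's own (with its masked path kept as-is), the other two are constructed benign lines, and the one-command-line-per-string log format is an assumption.

```powershell
# Added example, not code from ASEC's report: triage process command lines for the
# rundll32 pattern in Figure 7 and the argument layout in Table 5. The first sample
# line is the report's own (masked path kept as-is); the other two are constructed
# benign lines. The log format (one command line per string) is an assumption.
$SampleCommandLines = @(
    'rundll32.exe C:\ProgramData\USOShared\sup.etl,SerializeMarketTable_32 x9nsB3iYUWiDT6BZKO5pgtMW -v 62 -m D:/www/**********/********/******/****/ac_lst.exe > C:\ProgramData\USOShared\log.txt',
    'rundll32.exe shell32.dll,Control_RunDLL timedate.cpl',
    'rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation'
)

function Test-Rundll32CommandLine {
    param([string]$CommandLine)

    # rundll32 syntax is "rundll32.exe <module>,<export> [arguments]".
    $pattern = '^(?:.*\\)?rundll32(?:\.exe)?\s+(?<module>"[^"]+"|[^\s,]+),(?<export>\S+)\s*(?<tail>.*)$'
    if (-not ($CommandLine -match $pattern)) { return $null }
    $module = $Matches['module'].Trim('"')
    $export = $Matches['export']
    $tail   = $Matches['tail']

    $reasons = @()

    # 1. The module is not a .dll (or .cpl): in the report the DLL is named sup.etl.
    if (($module -match '\.([A-Za-z0-9]+)$') -and ($Matches[1].ToLower() -notin 'dll', 'cpl')) {
        $reasons += "module extension .$($Matches[1])"
    }

    # 2. The module is loaded from a user-writable location such as ProgramData.
    if ($module -match '^[A-Za-z]:\\(ProgramData|Users|Windows\\Temp)\\') {
        $reasons += 'module in user-writable location'
    }

    # 3. The argument layout of Table 5: <key> -v <UACMe ID> -m <path>.
    if ($tail -match '^\S+\s+-v\s+\d+\s+-m\s+\S+') {
        $reasons += 'argument layout matches the privilege escalation tool (key, -v, -m)'
    }

    # 4. Output redirected to a file, as with log.txt in the report.
    if ($tail -match '\s>\s*\S+') { $reasons += 'stdout redirected to a file' }

    [pscustomobject]@{
        Module     = $module
        Export     = $export
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# The report's line trips all four checks; the two benign lines trip none.
$SampleCommandLines | ForEach-Object { Test-Rundll32CommandLine -CommandLine $_ } | Format-Table -AutoSize
```

In production the sample array would be replaced by command lines from Sysmon event 1 or Security event 4688 (with command-line auditing enabled). On an IIS host the parent process is the additional signal the report points at: a rundll32 of this shape spawned under w3wp.exe deserves an alert on its own, whichever of the four reasons fired.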
The UAC bypass techniques that exploit “ComputerDefaults.exe” and “fodhelper.exe” both involve the registry key “HKCU\Software\Classes\ms-settings\Shell\Open\command”. As shown below, a malware path (in this case, “ac_lst.exe” with the “-m” argument) is set in the registry, and when “ComputerDefaults.exe” or “fodhelper.exe” is executed, the program executes the designated malware (“ac_lst.exe”) with administrator privileges.

Figure 8. Malware path set in the registry
“ComputerDefaults.exe” and “fodhelper.exe” are both autoElevate programs, meaning they run with administrator privileges without a UAC prompt. When executed, they read the registry path above and launch the program specified there as a child process. Because the child of a process running with administrator privileges inherits those privileges, the designated program is elevated automatically.
Note also that the program launched through the privilege escalation tool is “ac_lst.exe”, the same program that executed the tool in the first place. It is therefore presumed that the threat actor installed “ac_lst.exe” as a backdoor during the initial access stage and then used it to elevate privileges to administrator.
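Because both bypass variants hinge on a per-user copy of the ms-settings handler under Software\Classes, the key itself is the thing to audit after an incident like this. The PowerShell script below is an added example and not ASEC's code; the `-Remediate` switch name and the choice to walk every loaded hive under HKEY_USERS (rather than only HKCU) are my own, and it reports the `DelegateExecute` value purely as evidence for the incident record.

```powershell
# Added example, not code from ASEC's report: audit (and optionally remove) the
# per-user ms-settings handler override that the ComputerDefaults.exe / fodhelper.exe
# UAC bypass described above relies on. The -Remediate switch name and the decision
# to check every loaded user hive are my own choices.
param([switch]$Remediate)

function Get-MsSettingsOverride {
    # Look at every loaded user hive, not only HKCU: on a web server the web shell and
    # the tool run as the application pool identity, not the logged-on administrator.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        # HKEY_USERS\<SID>\Software\Classes already presents the user's classes hive
        # (<SID>_Classes), so the separate _Classes entries are skipped to avoid
        # reporting the same key twice.
        if ($sid -like '*_Classes') { continue }

        $classKey = "Registry::HKEY_USERS\$sid\Software\Classes\ms-settings"
        $cmdKey   = "$classKey\Shell\Open\command"
        # The ms-settings handler is defined system-wide; a per-user copy is what the
        # bypass creates, so its mere presence is the finding.
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }

        $props = Get-ItemProperty -LiteralPath $cmdKey
        [pscustomobject]@{
            Hive            = $sid
            ClassKey        = $classKey
            # '(default)' holds the command the autoElevate process will run; in the
            # report this is the -m path, ac_lst.exe.
            Command         = $props.'(default)'
            # Recorded as evidence for the incident record.
            DelegateExecute = $props.DelegateExecute
        }
    }
}

$findings = @(Get-MsSettingsOverride)
if ($findings.Count -eq 0) {
    Write-Output 'No ms-settings handler override found in any loaded user hive.'
    return
}

foreach ($f in $findings) {
    Write-Warning "ms-settings override in hive $($f.Hive): command = '$($f.Command)'"
    if ($Remediate) {
        # Remove the whole per-user ms-settings class, not just the command subkey.
        Remove-Item -LiteralPath $f.ClassKey -Recurse -Force
        Write-Output "Removed $($f.ClassKey)"
    }
}
```

Run it elevated so that all loaded hives are visible; without `-Remediate` it only reports. Export the key (for example with `reg export`) before removing it, since the command value points straight at the backdoor the attacker wanted elevated, which in the report's case is “ac_lst.exe”.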
4. Conclusion
ASEC has recently identified the Lazarus group attacking South Korean web servers to install web shells and LazarLoader. After these attacks, the threat actor installed a C2 script so that the compromised server could serve as a C&C address for other attacks.
Threat actors can attack poorly managed or unpatched vulnerable web servers to install web shells. Administrators should check for file upload vulnerabilities on their web servers to prevent the initial breach method, which is uploading a web shell. They should also regularly change passwords and set access controls to prevent lateral movement attacks using stolen account credentials. In addition, V3 should be updated to the latest version and efforts should be made to prevent malware infection.
File Detection
– Trojan/ASP.Proxy.SC198862 (2025.01.16.02)
– WebShell/ASP.Generic (2025.01.20.02)
– WebShell/ASP.Generic (2025.01.20.02)
– WebShell/ASP.Generic (2025.01.17.01)
– Trojan/Win.LazarLoader.C5730315 (2025.02.14.03)
– Trojan/Win.LazarLoader.R692195 (2025.02.14.03)
– Trojan/Win.UACMe.R455616 (2021.12.28.00)