Analysis of Lazarus Group’s Attack on Windows Web Servers

AhnLab SEcurity intelligence Center (ASEC) has identified attack cases in which the Lazarus group compromised a legitimate server and used it as a C2 server. Attacks that install a web shell and a C2 script on South Korean web servers continue to occur. Additionally, there are cases where LazarLoader malware and privilege escalation

Distribution of Godzilla WebShell Abusing ViewState (Targeting Financial Sector)

AhnLab SEcurity intelligence Center (ASEC) has recently detected an attack targeting financial sector companies. The threat actor primarily targeted ASP.NET environments with vulnerable configurations, abusing the ViewState feature supported by ASP.NET. ViewState is a fundamental feature of ASP.NET that allows the handling of user input or other data
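The excerpt above refers to "vulnerable configurations" of ASP.NET without listing them. The settings that make ViewState abuse practical are a disabled ViewState MAC check, unencrypted ViewState, and a static machineKey that has leaked (an attacker who holds the validation key can sign an arbitrary serialized payload that the server will deserialize). The following audit script is an added example written for this page, not code from the ASEC post or from any tool it describes; the two web.config samples are constructed, and treating these four settings as the relevant weak configuration is our assumption about what the post means.

```python
"""Audit an ASP.NET web.config for ViewState settings that enable
ViewState deserialization abuse. Added example; the sample configs
below are constructed for illustration, not taken from a real host."""
import xml.etree.ElementTree as ET

# Constructed weak configuration: MAC check off, no encryption, static keys.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>
"""

# Constructed hardened configuration: MAC on, always encrypted, keys
# generated per application instead of stored in the file.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
"""


def _child(element, tag):
    """Return the first direct child with the given tag, or None."""
    for child in element:
        if child.tag == tag:
            return child
    return None


def audit_viewstate_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means no weak setting seen."""
    root = ET.fromstring(xml_text)
    findings = []

    system_web = _child(root, "system.web")
    if system_web is None:
        return ["no <system.web> section found"]

    pages = _child(system_web, "pages")
    if pages is not None:
        # Default is "true"; "false" lets a tampered ViewState pass unchecked.
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState MAC validation disabled")
        # Default is "Auto"; "Never" sends serialized state in the clear.
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append("viewStateEncryptionMode=Never: ViewState is not encrypted")

    machine_key = _child(system_web, "machineKey")
    if machine_key is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = machine_key.get(attr, "AutoGenerate")
            # A literal key in the file is forgeable by anyone who reads the file
            # (web shell, backup, source repo, copied from a public sample).
            if "AutoGenerate" not in value:
                findings.append(f"static {attr} present in web.config: signed ViewState can be forged if the file leaks")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_viewstate_config(cfg) or ["no findings"])
```

A static machineKey is not wrong in itself (web farms need a shared key), but it must be unique to the deployment and rotated if the file is ever exposed; a key copied from documentation or a public repository should be treated as already compromised. Run the script against the web.config of each IIS application root.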

Initial Access to IIS Web Servers Detected by AhnLab EDR

In today's Internet-connected society, information on devices all over the world can easily be obtained through network and device search engines such as Shodan. Threat actors can use these search engines for malicious purposes such as collecting information on attack targets or performing

Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server

AhnLab SEcurity intelligence Center (ASEC) has discovered evidence of a malware strain being distributed to web servers in South Korea, leading users to an illegal gambling site. After initially infiltrating a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a

Lazarus Threat Group Attacking Windows Servers to Use as Malware Distribution Points

AhnLab Security Emergency response Center (ASEC) has discovered that Lazarus, a threat group assessed to be state-sponsored, is attacking Windows Internet Information Services (IIS) web servers and using them as distribution points for its malware. The group is known to use the watering hole technique for initial access. [1] The

Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies

Recently, there have been frequent incidents in which attackers infiltrated and took control of the internal networks of Korean companies, starting from externally exposed vulnerable servers. Related cases:

Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers
Meterpreter Distributed to Vulnerable Server of Korean Medical Institution
AsyncRAT Being Distributed to Vulnerable MySQL Servers

This