The Lazarus Group, a highly capable advanced persistent threat actor linked to North Korea, has been observed targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems. The AhnLab Security Emergency response Center (ASEC) reported that the group is using DLL side-loading techniques to deploy the malicious msvcr100.dll library, which is designed to decrypt an encoded payload that is then executed in memory. The attack chain further entailed the exploitation of a discontinued open source Notepad++ plugin called Quick Color Picker to deliver additional malware in order to facilitate credential theft and lateral movement.

The U.S. Treasury Department recently sanctioned four entities and one individual involved in malicious cyber activities and fundraising schemes that aim to support North Korea’s strategic priorities. These include the Pyongyang University of Automation, the Technical Reconnaissance Bureau and its subordinate cyber unit, the 110th Research Center, Chinyong Information Technology Cooperation Company, and a North Korean national named Kim Sang Man. The Lazarus Group is believed to be operated by the Technical Reconnaissance Bureau, which oversees North Korea’s development of offensive cyber tactics and tools.

The South Korean government has warned that North Korea is known to generate illicit revenue from a workforce of skilled IT workers who pose under fictitious identities to obtain jobs in the technology and virtual currency sectors across the world. These workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs at these companies.
Companies should proactively monitor abnormal process execution relationships and take preemptive measures to prevent the threat group from carrying out activities such as information exfiltration and lateral movement.
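As an added illustration of the monitoring recommended above (not code from the original report or from ASEC), the following script applies two process-relationship rules to constructed Sysmon-style event lines: an IIS worker process (w3wp.exe, the real IIS worker name) spawning a shell or script host, and msvcr100.dll being loaded from outside the trusted Windows system directories, which is the footprint a side-loaded copy leaves. The rule thresholds, the sample events and the process names are assumptions for the example, not published indicators.

```python
import re
from typing import Iterable

IIS_WORKER = "w3wp.exe"          # IIS worker process (real name; chosen here as the parent to watch)
SIDELOAD_DLL = "msvcr100.dll"    # DLL named in the report
# Child processes a web worker has no business spawning in normal operation (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Directories where the genuine CRT runtime is expected to live.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn a 'Key=Value Key=Value' Sysmon-style line into a dict."""
    return dict(KV_RE.findall(line))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def dirname(path: str) -> str:
    return path.lower().rpartition("\\")[0] + "\\"

def analyze(lines: Iterable[str]) -> list:
    """Return one alert string per event matching either detection rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            # Rule 1: IIS worker spawning an interactive or scriptable child process.
            if basename(ev.get("ParentImage", "")) == IIS_WORKER and basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN:
                alerts.append(f"{IIS_WORKER} spawned {basename(ev['Image'])}")
        elif ev.get("EventID") == "7":
            # Rule 2: msvcr100.dll loaded from somewhere other than a trusted system directory.
            loaded = ev.get("ImageLoaded", "")
            if basename(loaded) == SIDELOAD_DLL and not dirname(loaded).startswith(TRUSTED_DLL_DIRS):
                alerts.append(f"{basename(ev.get('Image', ''))} loaded {SIDELOAD_DLL} from {dirname(loaded)}")
    return alerts

# Constructed sample telemetry (EventID 1 = process create, 7 = image load); not real logs.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe ParentImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    "EventID=1 Image=C:\\Windows\\System32\\WerFault.exe ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe",
    "EventID=7 Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe ImageLoaded=C:\\Windows\\System32\\msvcr100.dll",
    "EventID=7 Image=C:\\Users\\Public\\app.exe ImageLoaded=C:\\Users\\Public\\msvcr100.dll",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Running the block prints two alerts: the shell spawned by the IIS worker and the runtime DLL loaded from a user-writable directory, while the legitimate System32 load and the crash handler stay silent.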
Source: Hackernews
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.