Researchers discovered that Lazarus Group is leveraging Windows Update to spread malware in a campaign backed by a GitHub command-and-control (C2) server. The Malwarebytes Threat Intelligence team announced on Thursday that they identified the North Korean state advanced persistent threat (APT) group's latest living-off-the-land strategy while investigating a spear-phishing campaign discovered on Jan. 18.
The campaign's emphasis – in which the APT posed as the American global security and aerospace company Lockheed Martin – is consistent with Lazarus' preference for penetrating the military.
Lazarus, which has been active since at least 2009, is regarded by researchers as one of the world's most active threat actors. The US also refers to Lazarus as Hidden Cobra, a term used to describe the North Korean government's cyber-activity in general.
“This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defence industry and cryptocurrency markets,” Kaspersky researchers have noted in the past.
In the Jan. 18 campaign, Malwarebytes discovered two macro-embedded decoy documents purporting to offer new job openings at Lockheed Martin. Their filenames: Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc.
Both of these documents were created on April 24, 2020, but researchers have enough evidence to believe they were utilized in a campaign in late December 2021 or early 2022. The domains utilized by the threat actor are some of the evidence that this assault was carried out recently. Both documents employ the same attack theme and share some features, such as embedded macros, but the entire attack chain appears to be completely different.
According to the researchers, the attack begins by running malicious macros embedded in Word documents. The malware achieves startup persistence in the victim's system after a series of injections. When a victim opens the malicious attachments and allows macro execution, an embedded macro places a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a secret Windows/System32 folder. LNK files are Windows shortcut files, meaning they are pointers to original files in Windows.
Then comes the .LNK file which is needed to launch the WSUS / Windows Update client - wuauclt.exe, a genuine process file generally known as Windows automatic updates and is located in C:WindowsSystem32. The Update client is used to execute a malicious DLL that avoids detection by security software.
“With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL,” the researchers explained.