Lazarus APT Uses Windows Update to Spew Malware

3 months ago

The radical erstwhile again dangled fake occupation opportunities astatine engineers successful a spear-phishing run that utilized Windows Update arsenic a living-off-the-land method and GitHub arsenic a C2.

Lazarus Group is utilizing Windows Update to spray malware successful a run powered by a GitHub command-and-control (C2) server, researchers person found.

On Thursday, the Malwarebytes Threat Intelligence squad reported that they discovered the North Korean authorities precocious persistent menace (APT) group’s latest living-off-the-land method portion analyzing a spear-phishing run that its researchers discovered 10 days ago, connected Jan. 18.

The absorption of the run – successful which the APT masqueraded arsenic American planetary information and aerospace elephantine Lockheed Martin – is successful keeping with Lazarus’ sensation for infiltrating the military.

Infosec Insiders Newsletter

​​Researchers see Lazarus, which has been progressive since astatine slightest 2009, to beryllium 1 of the world’s astir progressive menace actors. The United States besides refers to Lazarus arsenic Hidden Cobra: a sanction utilized to notation to malicious cyber-activity by the North Korean authorities successful general. “This APT radical has been down large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defence industry and cryptocurrency markets,” Kaspersky researchers person noted successful the past.

According to Malwarebytes’ Thursday report, the Jan. 18 spear-phishing run was weaponized with malicious documents that effort to lure targets into clicking by utilizing the aforesaid “job-opportunities” baloney that the radical has dangled before.

Lazarus did the aforesaid happening past July: At that time, the APT was identified arsenic being down a run that was spreading malicious documents to job-seeking engineers, impersonating defence contractors who were purportedly seeking occupation candidates astatine Airbus, General Motors and Rheinmetall.

Malwarebytes recovered 2 specified macro-embedded decoy documents, pretending to connection caller occupation opportunities astatine Lockheed Martin, successful the Jan. 18 campaign. Their filenames:

  • Lockheed_Martin_JobOpportunities.docx
  • Salary_Lockheed_Martin_job_opportunities_confidential.doc

Both of the documents had a compilation clip of April 4, 2020, but Malwarebytes said that the run was really utilized precocious past period and into this month, arsenic indicated by the domains utilized by the menace actor.

It All Begins with Word

The onslaught starts by executing malicious macros embedded successful the Word documents, researchers described. After a bid of injections, the malware achieves startup persistence successful the victim’s system.

After a people opens the malicious attachments and enables execution of macros, an embedded macro drops a WindowsUpdateConf.lnk record successful the startup folder and a DLL record (wuaueng.dll) successful a hidden Windows/System32 folder. LNK files are Windows shortcut files, arsenic in, pointers to archetypal files successful Windows.

Next, the .LNK record is utilized to motorboat the WSUS / Windows Update lawsuit – wuauclt.exe, a morganatic process record popularly known arsenic Windows automatic updates that’s located successful C:\Windows\System32 by default. The Update lawsuit is utilized to tally a malicious DLL that bypasses information detection.

“With this method, the menace histrion tin execute its malicious codification done the Microsoft Windows Update lawsuit by passing the pursuing arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer statement aft the DLL,” the researchers explained.

Malware authors often make files with microorganism scripts and sanction them aft wuauclt.exe. In fact, successful October 2020, wuauclt.exe was added to the database of living disconnected the onshore binaries (LOLBins): executables signed by Microsoft that attackers usage to execute malicious codification connected Windows systems portion evading detection.

“”This is an absorbing method utilized by Lazarus to tally its malicious DLL utilizing the Windows Update Client to bypass information detection mechanisms,” the threat-intelligence squad noted. “With this method, the menace histrion tin execute its malicious codification done the Microsoft Windows Update lawsuit by passing the pursuing arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer statement aft the DLL.”

Attack process. Source: Malwarebytes Labs.

WindowsUpdateConf lnk file. Source: Malwarebytes Labs.

GitHub Used arsenic C2 ‘Rarely’

Use of GitHub arsenic a C2 is rare, the researchers observed, and this is the archetypal clip they’ve seen Lazarus doing so.

But it’s an apt prime for the task astatine hand, they said: “Using GitHub arsenic a C2 has its ain drawbacks but it is simply a clever prime for targeted and abbreviated word attacks arsenic it makes it harder for information products to differentiate betwixt morganatic and malicious connections.”

As for the rogue GitHub relationship being utilized arsenic a C2 successful the campaign, Malwarebytes Labs reported it “for harmful content,” according to its writeup.

Check retired our escaped upcoming unrecorded and on-demand online municipality halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.