North Korean Hackers Using Windows Update Service to Infect PCs with Malware
The notorious Lazarus Group actor has been observed mounting a new campaign that makes use of the Windows Update service to execute its malicious payload, expanding the arsenal of living-off-the-land (LotL) techniques leveraged by the APT group to further its objectives.
The Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North Korea-based nation-state hacking group that’s been active since at least 2009. Last year, the threat actor was linked to an elaborate social engineering campaign targeting security researchers.
The latest spear-phishing attacks, which Malwarebytes detected on January 18, originate from weaponized documents with job-themed lures impersonating the American global security and aerospace company Lockheed Martin.
Opening the decoy Microsoft Word file triggers the execution of a malicious macro embedded within the document that, in turn, executes a Base64-decoded shellcode to inject a number of malware components into the “explorer.exe” process.
In the next phase, one of the loaded binaries, “drops_lnk.dll,” leverages the Windows Update Client (“wuauclt.exe“) – which is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software – to run a command that loads a second module called “wuaueng.dll.”
“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” researchers Ankur Saini and Hossein Jazi noted. “With this method, the threat actor can execute its malicious code through the Microsoft Windows Update Client.”
The cybersecurity firm characterized “wuaueng.dll” as “one of the most important DLLs in the attack chain,” whose main purpose is to establish communications with a command-and-control (C2) server – a GitHub repository hosting malicious modules masquerading as PNG image files. The GitHub account is said to have been created on January 17, 2022.
Malwarebytes said that the links to Lazarus Group are based on several pieces of evidence tying them to past attacks by the same actor, including infrastructure overlaps, document metadata, and the use of job opportunities template to single out its victims.
“Lazarus APT is one of the advanced APT groups that is known to target the defense industry,” the researchers concluded. “The group keeps updating its toolset to evade security mechanisms. Even though they have used their old job theme method, they employed several new techniques to bypass detections.”