Lazarus Group, the North Korean state-sponsored hacking group, is abusing the Windows Update client to run malware on infected PCs. With this, the APT group expands the arsenal of living-off-the-land (LotL) techniques it uses to further its objectives.
The North Korea-based hacking group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been active since 2009. Early last year, it was linked to an elaborate social engineering campaign targeting security researchers.
Malwarebytes detected the spear-phishing attacks on January 18. They originate from weaponized documents with job-themed lures impersonating Lockheed Martin, the American global security and aerospace company.
The attackers use a Microsoft Word file to trigger the execution of a malicious macro embedded within the document. The macro then executes Base64-decoded shellcode that injects a number of malware components into the explorer.exe process. In the next phase, it loads one of the binaries, “drops_lnk.dll,” which leverages the Windows Update client to run a second module called “wuaueng.dll.”
According to researchers Ankur Saini and Hossein Jazi, “This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms.” Malwarebytes researchers further characterized “wuaueng.dll” as “one of the most important DLLs in the attack chain.” Its main purpose is to establish communications with a command-and-control (C2) server – a GitHub repository hosting malicious modules masquerading as PNG image files. According to the GitHub account, it was created on January 17, 2022.
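The detection angle a defender would want here is the one the technique itself exposes: the Windows Update client (wuauclt.exe) is normally started by the update service, not by explorer.exe, and the DLL it is asked to load normally lives under System32, not in a user-writable directory. The following is an added example, not code from Malwarebytes or from the article, that runs that check over a few constructed process-creation records modelled loosely on Sysmon Event ID 1 fields. The record layout, the function names, and the assumption that the malicious command line passes the DLL via wuauclt.exe's existing `/UpdateDeploymentProvider` switch are all this example's own; the article does not quote the command line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Any token ending in .dll on the command line, quoted or not.
DLL_TOKEN = re.compile(r'"?([^"\s]+\.dll)"?', re.IGNORECASE)

# Directories from which the update client is expected to load its handlers.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Parents that normally launch wuauclt.exe (the update service runs in svchost).
EXPECTED_PARENTS = ("svchost.exe", "services.exe")


@dataclass
class Finding:
    rule: str
    severity: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_paths(cmdline: str) -> List[str]:
    """Every .dll reference found on a command line."""
    return [m.group(1) for m in DLL_TOKEN.finditer(cmdline)]


def in_trusted_dir(path: str) -> bool:
    """True when the DLL path sits under a directory the update client should use."""
    return path.replace("/", "\\").lower().startswith(TRUSTED_DLL_DIRS)


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply the wuauclt.exe abuse rules to one process-creation record."""
    findings: List[Finding] = []
    if basename(event["image"]) != "wuauclt.exe":
        return findings
    cmd = event["cmdline"]
    for dll in dll_paths(cmd):
        if "\\" not in dll and "/" not in dll:
            # A bare file name is resolved by the loader's search order, which
            # this record does not show, so report it at low severity only.
            findings.append(Finding("wuauclt_unqualified_dll", "low", cmd))
        elif not in_trusted_dir(dll):
            findings.append(Finding("wuauclt_dll_outside_system32", "high", cmd))
    if basename(event["parent"]) not in EXPECTED_PARENTS:
        # explorer.exe (the injected host in this campaign) is not a normal parent.
        findings.append(Finding("wuauclt_unexpected_parent", "medium", cmd))
    return findings


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for e in events for f in evaluate(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # legitimate: started by the update service, no DLL argument
        "image": r"C:\Windows\System32\wuauclt.exe",
        "parent": r"C:\Windows\System32\svchost.exe",
        "cmdline": r'"C:\Windows\System32\wuauclt.exe" /detectnow',
    },
    {   # suspicious: spawned from explorer.exe, loading a DLL from a public folder
        "image": r"C:\Windows\System32\wuauclt.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                   r"C:\Users\Public\wuaueng.dll /RunHandlerComServer",
    },
    {   # unrelated process: ignored by the rules
        "image": r"C:\Windows\System32\notepad.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"notepad.exe C:\Users\Public\notes.txt",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.cmdline}")
```

The rules deliberately key on the DLL's directory and the parent process rather than on the file name: the malicious module in this campaign is called wuaueng.dll, the same name as a genuine Windows Update component, so a name-based check would not separate the two. A bare DLL name is reported at low severity because a legitimate update run can pass one as well; correlating the finding with the image-load event for that DLL (path and signature) is the natural next step.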
The security firm said the links to the Lazarus Group rest on several pieces of evidence tying the campaign to past attacks by the same actor, including infrastructure overlaps, document metadata, and the use of job-opportunity templates to single out its victims.
The researchers concluded by saying, “Lazarus APT is one of the advanced APT groups that is known to target the defense industry. The group keeps updating its toolset to evade security mechanisms. Even though they have used their old job theme method, they employed several new techniques to bypass detections.”