A state-sponsored threat group is using Windows Update to deliver malware through a GitHub command-and-control (C2) server, security researchers warn. According to Malwarebytes Threat Intelligence, the Lazarus Group is masking itself as American aerospace juggernaut Lockheed Martin.
If you’re unfamiliar with Lazarus, it is an advanced persistent threat (APT) group backed by, and based in, North Korea. The group has a history of targeting military organizations. Of course, while Lockheed Martin has other ventures, it is a big partner of the US military.
Active since at least 2009, Lazarus Group is one of the most persistent cybercriminal organizations around. It is also known as Hidden Cobra in the US military and has a history of ransomware attacks and data theft for espionage purposes.
Malwarebytes Threat Intelligence found the new attack method earlier this month while investigating a spear-phishing campaign.
In its report last week, the security firm found that the campaign delivers malicious documents that lure users into clicking, specifically by offering the opportunity of a job at Lockheed Martin. A pair of macro-embedded documents serve as decoys with the filenames:
The attack starts with malicious macros created in Microsoft Word and embedded in the document. Once the document is on a system and a user opens it and grants the macros permission to run, they place a WindowsUpdateConf.lnk file in the Startup folder along with a DLL file in a hidden Windows/System32 folder.
This .LNK file then launches the Windows Update service, which of course is a genuine Windows file. It delivers automatic updates to the platform and is found in C:\Windows\System32.
Windows Update is used to run the malicious DLL file. Because the malicious code runs inside this legitimate file, security measures do not detect it.
“With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL,” Malwarebytes explains.
“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” the researcher adds.
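As an added illustration that is not from the article or from Malwarebytes, the following Python sketch shows how a defender could flag the invocation pattern quoted above in Sysmon-style process-creation logs; the sample events, the expected-parent list and the dropped DLL name are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: wuauclt.exe is normally started by the Windows Update service
# host, not by a user-session process such as explorer.exe or an Office app.
EXPECTED_PARENTS = {"services.exe", "svchost.exe"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def split_cmdline(cmdline):
    """Split a Windows command line, keeping double-quoted arguments intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]

def detect_wuauclt_dll_load(event):
    """Inspect one Sysmon-style process-creation event (dict with Image,
    ParentImage, CommandLine). Returns a finding dict, or None if nothing matched."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "wuauclt.exe":
        return None
    args = split_cmdline(event.get("CommandLine", ""))
    lowered = [a.lower() for a in args]
    if "/updatedeploymentprovider" not in lowered or "/runhandlercomserver" not in lowered:
        return None
    idx = lowered.index("/updatedeploymentprovider")
    dll = args[idx + 1] if idx + 1 < len(args) else ""
    reasons = ["wuauclt.exe told to load a DLL via /UpdateDeploymentProvider + /RunHandlerComServer"]
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"launched by unexpected parent {parent or 'unknown'}")
    # Path alone is not a safe signal: the article describes the DLL being dropped
    # into a hidden System32 folder, so only treat a non-System32 path as extra evidence.
    if not dll.lower().startswith("c:\\windows\\system32\\"):
        reasons.append("DLL path is outside C:\\Windows\\System32")
    return {"severity": "high" if len(reasons) > 1 else "medium", "dll": dll, "reasons": reasons}

# Constructed sample events (hypothetical data, not real telemetry).
SAMPLE_EVENTS = [
    # The chain described above: a Startup-folder .lnk (so explorer.exe is the
    # parent) runs the Windows Update client against a dropped DLL (placeholder name).
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wuauclt.exe /UpdateDeploymentProvider "C:\Windows\System32\PLACEHOLDER_DROPPED.dll" /RunHandlerComServer'},
    # Routine client activity started by the service host.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "wuauclt.exe /detectnow"},
]

def scan(events):
    """Run the rule over a list of events and return only the findings."""
    return [f for f in (detect_wuauclt_dll_load(e) for e in events) if f]
```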