
Windows Update Becomes Attack Vector for Lazarus Group’s Latest Threat Campaign


A state-sponsored threat group is abusing the Windows Update client to run malware, with GitHub serving as the command-and-control (C2) channel, security researchers warn. According to Malwarebytes Threat Intelligence, the Lazarus Group is posing as the American aerospace and defense giant Lockheed Martin.

If you're unfamiliar with Lazarus, it is an advanced persistent threat (APT) group backed by, and based in, North Korea. The group has a history of targeting military organizations, and Lockheed Martin, whatever its other business lines, is a major US defense contractor, which makes it a natural lure.

Active since at least 2009, Lazarus Group is one of the most persistent state-sponsored threat groups around. It is tracked as Hidden Cobra by the US government and has a history of ransomware attacks as well as data theft for espionage purposes.

Malwarebytes Threat Intelligence discovered the new technique earlier this month while investigating a spear-phishing campaign.

In its report last week, the security firm found that the campaign delivers malicious documents that lure users with the promise of a job at Lockheed Martin. A pair of macro-embedded documents serve as decoys, with the filenames:

  • Lockheed_Martin_JobOpportunities.docx
  • Salary_Lockheed_Martin_job_opportunities_confidential.doc

Attack Method

The attack begins with a malicious macro embedded in the Word document. Once a user opens the document and allows the macro to run, it drops a shortcut file, WindowsUpdateConf.lnk, into the Startup folder and writes a DLL into a hidden Windows/System32 folder.

The .LNK file then launches the Windows Update client (wuauclt.exe), a genuine Microsoft binary that normally handles automatic updates and lives in C:\Windows\System32.

The Windows Update client is then used to load and run the malicious DLL. Because the code executes inside a trusted system binary, defenses that judge a process by its image rather than by its command line may not flag it. The unusual /UpdateDeploymentProvider and /RunHandlerComServer switches, and the DLL path passed between them, do remain visible in process-creation telemetry, which is where detection has to happen.

“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” Malwarebytes explains. “With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL.”
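The switches quoted above are exactly what makes the technique visible in process-creation logs. As an added example (not code from Malwarebytes or from the original article), the Python below flags records in which the Windows Update client is pointed at a DLL other than the one Windows itself is assumed to load this way (UpdateDeploymentProvider.dll resolved from System32; that baseline is an assumption of the example, not something the article states). The log records, paths and file names are constructed for the example and simplified to a CommandLine and ParentImage field rather than full Sysmon Event ID 1 or Security 4688 output.

```python
"""Flag wuauclt.exe being used to load an arbitrary DLL.

Added example, not code from Malwarebytes or the original article. It runs the
check over a handful of constructed process-creation records, simplified to a
CommandLine and ParentImage field rather than full Sysmon / Event 4688 output.
"""
import ntpath
import re
from typing import Optional

# Assumption (not stated in the article): when Windows itself invokes the
# client with these switches, the DLL is its own UpdateDeploymentProvider.dll
# resolved from System32. Anything else deserves a look.
EXPECTED_DLL_NAME = "updatedeploymentprovider.dll"
SYSTEM32_DIR = r"c:\windows\system32"

REASON_WRONG_DIR = "expected DLL name, but loaded from outside System32"
REASON_WRONG_NAME = "unexpected DLL name (bare or under System32)"
REASON_FOREIGN = "unexpected DLL name, not loaded from System32"

# Matches either a double-quoted run (quotes stripped) or a bare token.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace while honouring quotes."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def analyze_command_line(cmdline: str) -> Optional[dict]:
    """Return a finding if cmdline runs wuauclt.exe with
    /UpdateDeploymentProvider <dll> and /RunHandlerComServer and the DLL is
    not the expected one in System32; return None for anything else."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() != "wuauclt.exe":
        return None
    lowered = [t.lower() for t in tokens]
    if "/updatedeploymentprovider" not in lowered or "/runhandlercomserver" not in lowered:
        return None
    idx = lowered.index("/updatedeploymentprovider")
    if idx + 1 >= len(tokens) or tokens[idx + 1].startswith("/"):
        return None  # switch given without a DLL argument: nothing gets loaded
    dll = tokens[idx + 1]
    dll_dir = ntpath.dirname(dll).lower().rstrip("\\")
    dll_name = ntpath.basename(dll).lower()
    expected_name = dll_name == EXPECTED_DLL_NAME
    in_system32 = dll_dir in ("", SYSTEM32_DIR)  # "" = bare name, normal resolution
    if expected_name and in_system32:
        return None
    if expected_name:
        reason = REASON_WRONG_DIR
    elif in_system32:
        reason = REASON_WRONG_NAME
    else:
        reason = REASON_FOREIGN
    return {"dll": dll, "reason": reason}


def scan_events(events) -> list:
    """Run analyze_command_line over process-creation records, attaching
    parent-process context to each finding."""
    findings = []
    for ev in events:
        hit = analyze_command_line(ev["CommandLine"])
        if hit is None:
            continue
        parent = ev.get("ParentImage", "")
        # Supporting evidence, not proof: a shortcut fired from the Startup
        # folder gives the client the user's shell as parent, whereas the
        # update service itself runs under svchost.exe (assumed).
        hit.update(parent=parent,
                   parent_is_user_shell=ntpath.basename(parent).lower() == "explorer.exe")
        findings.append(hit)
    return findings


# Constructed sample records; paths and file names are made up for the example.
SAMPLE_EVENTS = [
    {"CommandLine": r'"C:\Windows\System32\wuauclt.exe" /detectnow',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"CommandLine": r'wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    # The shape described in the article: client started from a Startup .lnk,
    # pointed at a DLL the macro dropped somewhere user-writable.
    {"CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider "C:\Users\victim\AppData\Roaming\dropped.dll" /RunHandlerComServer',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Same trick with a look-alike name in the wrong directory.
    {"CommandLine": r'wuauclt.exe /UpdateDeploymentProvider C:\Temp\UpdateDeploymentProvider.dll /RunHandlerComServer',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"CommandLine": r'"C:\Windows\System32\svchost.exe" -k netsvcs -p -s wuauserv',
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

In practice the same check would be fed from Sysmon Event ID 1 or Security Event 4688 (with command-line auditing enabled), and the parent-process flag is only a weak corroborating signal: the command line, not the parent, is the reliable indicator here.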


Last Updated on February 17, 2022 10:36 am CET

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.
