Last Updated on 28/01/2022 by Nidhi Khandelwal
The renowned Lazarus Group actor has been seen mounting a new campaign that uses the Windows Update service to execute its malicious payload, adding to the APT group’s arsenal of living-off-the-land (LotL) approaches to further its objectives.
The North Korean nation-state hacking outfit known as the Lazarus Group, also tracked as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been active since at least 2009. Last year the threat actor was tied to a sophisticated social engineering campaign aimed at security researchers.
The most recent spear-phishing attempts, discovered by Malwarebytes on January 18, are based on weaponized documents with job-themed lures imitating Lockheed Martin, an American worldwide security and aerospace corporation.
Opening the decoy Microsoft Word file triggers a malicious macro embedded in the document, which then executes Base64-decoded shellcode that injects several malware components into the explorer.exe process.
One of the loaded files, “drops lnk.dll,” uses the Windows Update client to launch a second module, “wuaueng.dll,” in the next phase. Researchers Ankur Saini and Hossein Jazi stated, “This is an innovative trick employed by Lazarus to run its malicious DLL via the Windows Update Client to avoid security detection measures.”
“Wuaueng.dll” is “one of the most significant DLLs in the attack chain,” according to the cybersecurity firm; its main purpose is to establish communication with a command-and-control (C2) server, in this case a GitHub repository hosting malicious modules disguised as PNG image files. The GitHub account is reported to have been created on January 17, 2022.
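The detection angle on the Windows Update client trick described above is that wuauclt.exe is a signed Microsoft binary, so file reputation alone will not flag it; what stands out is the DLL it is asked to load and the process that launched it. The following Python script is an added example written for this article, not code from Malwarebytes or from the campaign itself. It assumes the publicly documented living-off-the-land invocation `wuauclt.exe /UpdateDeploymentProvider <dll> /RunHandlerComServer` and a constructed, one-line-per-event rendering of Sysmon-style process-creation logs (`Image`, `CommandLine`, `ParentImage` fields separated by `|`); the sample events, file paths and the name `analyze` are all constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Directories from which the Windows Update client is expected to load its handler DLLs.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Parent processes that normally launch wuauclt.exe (the Windows Update service host).
EXPECTED_PARENTS = ("svchost.exe", "services.exe")

# Captures the DLL argument of /UpdateDeploymentProvider, quoted or unquoted.
DLL_ARG = re.compile(r'/UpdateDeploymentProvider\s+("([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 style, flattened to key=value fields).
# Event 2 mirrors the pattern in the article: a DLL named like the genuine wuaueng.dll,
# but loaded from a user-writable directory and launched from explorer.exe.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\wuauclt.exe|CommandLine=wuauclt.exe /detectnow|ParentImage=C:\Windows\System32\svchost.exe",
    r"Image=C:\Windows\System32\wuauclt.exe|CommandLine=wuauclt.exe /UpdateDeploymentProvider C:\Users\victim\AppData\Local\Temp\wuaueng.dll /RunHandlerComServer|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\wuauclt.exe|CommandLine=wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer|ParentImage=C:\Windows\System32\svchost.exe",
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe report.txt|ParentImage=C:\Windows\explorer.exe",
]


def parse_event(line):
    """Split a flattened event into a dict. The constructed format never contains '|' in values."""
    return {k.strip(): v.strip() for k, v in (field.split("=", 1) for field in line.split("|"))}


def dll_from_cmdline(cmdline):
    """Return the DLL path passed to /UpdateDeploymentProvider, or None if absent."""
    match = DLL_ARG.search(cmdline)
    if not match:
        return None
    return match.group(2) or match.group(3)


def is_trusted_path(path):
    """True if the DLL sits directly in a Windows system directory (case-insensitive)."""
    return str(PureWindowsPath(path).parent).lower() in TRUSTED_DIRS


def analyze(events):
    """Flag wuauclt.exe invocations that load a handler DLL from an untrusted location
    or are spawned by an unexpected parent. Returns a list of finding dicts."""
    findings = []
    for line in events:
        ev = parse_event(line)
        if PureWindowsPath(ev.get("Image", "")).name.lower() != "wuauclt.exe":
            continue
        cmdline = ev.get("CommandLine", "")
        dll = dll_from_cmdline(cmdline)
        if dll is None or "/runhandlercomserver" not in cmdline.lower():
            continue  # routine update activity, not the DLL-loading pattern
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        reasons = []
        if not is_trusted_path(dll):
            reasons.append("handler DLL loaded from outside the Windows system directories")
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"wuauclt.exe spawned by unexpected parent {parent}")
        if reasons:
            findings.append({"dll": dll, "parent": parent, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[ALERT] {finding['dll']} (parent {finding['parent']}): " + "; ".join(finding["reasons"]))
```

Two independent signals are combined deliberately: the path check catches a masquerading DLL name such as wuaueng.dll when it lives in a temp or profile directory, and the parent check catches the launch from an injected explorer.exe even if an attacker manages to stage the DLL somewhere that looks plausible. In production the same logic maps directly onto a Sysmon Event ID 1 or Windows Security 4688 query with command-line auditing enabled.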
Malwarebytes attributes the campaign to the Lazarus Group on the basis of several pieces of evidence tying it to earlier attacks by the same actor, including infrastructure overlaps, document metadata, and the use of a job-opportunities template to target its victims.