Lazarus distributes malware with Windows Update

Malwarebytes has discovered new attacks by the Lazarus group that use the Windows Update client to run malware. Malwarebytes Labs researchers identified several spear-phishing attacks built around two Word documents that appeared to come from Lockheed Martin. The macro embedded in the .doc/.docx files hides malware that uses GitHub as a C2 (command and control) server and abuses Windows Update to evade detection. The attacks were attributed to Lazarus, a well-known North Korean cybercrime group.

Windows Update used to run the malware

The attack begins when the unsuspecting victim opens the Word document received by email, believing it to be a job offer. Running the macro causes the drops_lnk.dll file to be loaded into the explorer.exe process. This DLL copies the WindowsUpdateConf.lnk file to the Startup (autorun) folder and the wuaueng.dll file to the C:\Wíndows\system32\ directory. The .lnk file then launches wuauclt.exe, the Windows Update client, with a command line that loads the malware hidden in wuaueng.dll into memory. This is a rather ingenious technique, because executing the payload through the Windows Update client lets it slip past security checks that trust that signed Microsoft binary.

After analysing the code, Malwarebytes Labs researchers found several clues that attribute the attack to the Lazarus group, such as the use of a bogus job offer and metadata already seen in earlier attacks. The North Korean group is best known for the 2017 WannaCry attack. That ransomware, which used the EternalBlue exploit developed by the NSA (National Security Agency), affected over 200,000 computers worldwide, including those of the University of Milano-Bicocca.
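The chain above leaves a recognisable footprint in endpoint telemetry: a Windows Update-themed shortcut in a Startup folder, a file named wuaueng.dll written somewhere other than the genuine System32 directory, and wuauclt.exe launched with a DLL path on its command line by a parent other than the update service host. The following script is an added example, not code from the article or from Malwarebytes, that runs those three checks over a handful of constructed events. The event format, hostnames, paths and the placeholder command-line arguments are assumptions made for the example; the rule that wuauclt.exe is normally a child of svchost.exe is a tuning assumption and will need adjusting for environments where administrators run the client by hand.

```python
import ntpath

# Constructed sample telemetry modelled on the chain described in the article.
# Every path, process name and argument here is made up for this example;
# "<provider-args>" is a placeholder, not a real wuauclt.exe switch.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk",
     "process": "explorer.exe"},
    {"type": "file_create",
     "path": r"C:\Wíndows\system32\wuaueng.dll",   # note the accented í: not the real System32
     "process": "explorer.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r"wuauclt.exe <provider-args> C:\Wíndows\system32\wuaueng.dll",
     "parent": "explorer.exe"},
    {"type": "process_create",                      # benign: client run by the update service host
     "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r"wuauclt.exe /detectnow",
     "parent": "svchost.exe"},
]

# The only directory where wuaueng.dll legitimately lives at runtime (ASCII, case-folded).
REAL_SYSTEM32 = r"c:\windows\system32"


def is_real_system32(path: str) -> bool:
    """True only if the file's directory is exactly the genuine System32.

    Comparing the case-folded string catches look-alike directory names that a
    human would read as "Windows" (for example ones using accented letters).
    """
    return ntpath.dirname(path).lower() == REAL_SYSTEM32


def check_event(ev: dict) -> list:
    """Return a list of human-readable findings for one telemetry event."""
    findings = []
    if ev["type"] == "process_create":
        image = ntpath.basename(ev["image"]).lower()
        cmdline = ev["cmdline"].lower()
        if image == "wuauclt.exe":
            # The update client should not be handed an arbitrary DLL to load.
            if ".dll" in cmdline:
                findings.append("wuauclt.exe launched with a DLL path on its command line")
            # Assumption for this example: the client is normally a child of svchost.exe.
            if ev["parent"].lower() != "svchost.exe":
                findings.append(
                    f"wuauclt.exe started by {ev['parent']} instead of the update service host")
    elif ev["type"] == "file_create":
        path = ev["path"]
        name = ntpath.basename(path).lower()
        if name == "wuaueng.dll" and not is_real_system32(path):
            findings.append("wuaueng.dll written outside the genuine System32 directory")
        if name.endswith(".lnk") and "\\startup\\" in path.lower() and "windowsupdate" in name:
            findings.append("Windows Update-themed shortcut dropped into a Startup folder")
    return findings


def scan(events: list) -> list:
    """Run check_event over a list of events; returns (event_index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Each signal on its own is weak (a DLL path on the command line is the strongest), so a real rule would correlate the three within a short window on the same host rather than alert on any one of them; the script keeps them separate so the individual heuristics are easy to test.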