A state-sponsored threat group is using Windows Update to deliver malware through a GitHub command-and-control (C2) server, security researchers warn. According to Malwarebytes Threat Intelligence, the Lazarus group poses as the American aerospace juggernaut Lockheed Martin.
If you are unfamiliar with Lazarus, it is an Advanced Persistent Threat (APT) group backed by and based in North Korea. The group has a history of targeting military organizations, and Lockheed Martin, although it has other lines of business, is a major partner of the US military.
Active since at least 2009, Lazarus Group is one of the most persistent cybercriminal organizations. It is also tracked as Hidden Cobra by the US military and has a history of ransomware attacks and data theft for espionage purposes.
Malwarebytes Threat Intelligence discovered the new attack method earlier this month while investigating a spear phishing campaign.
In its report last week, the security firm found that the campaign delivers malicious documents that lure users into opening them, specifically by offering the prospect of employment with Lockheed Martin. A pair of macro-laden documents serves as the decoy, with the filenames:
The infection starts with malicious macros embedded in a Microsoft Word document. Once on a system, the malware begins to embed itself: when a user opens the document and grants the macros permission to run, they drop a WindowsUpdateConf.lnk shortcut in the Startup folder along with a DLL file in a hidden Windows/System32 folder.
This .LNK file then launches the Windows Update client, which is of course a genuine Windows binary. It provides automatic updates to the platform and is located in C:\Windows\System32.
The Windows Update client is used to run the malicious DLL file. Because the code runs inside a legitimate Windows process, security measures do not detect it.
“With this method, the threat actor can execute their malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malware DLL and /RunHandlerComServer argument after the DLL,” Malwarebytes explains.
“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update client to bypass security detection mechanisms,” adds the researcher.
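The two arguments quoted above are exactly what a defender can hunt for in process-creation telemetry. The following added example, not from Malwarebytes or the article, scores constructed process-creation events on two assumptions: that a genuine provider DLL lives directly in C:\Windows\System32, and that the Windows Update client is normally spawned by the service host (svchost.exe) rather than by explorer.exe, which is what fires a Startup-folder .lnk. The sample events, the `payload.dll` name and the user-profile path are all constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumptions for this heuristic (not from the article): the real Windows Update
# client and its provider DLLs live directly in System32, and the client is normally
# spawned by the Windows Update service host, not by explorer.exe via a Startup .lnk.
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
EXPECTED_PARENTS = {"svchost.exe"}
ARG_RE = re.compile(r'/UpdateDeploymentProvider\s+("[^"]+"|\S+)', re.IGNORECASE)

def provider_dll(cmdline):
    """Return the DLL argument given to /UpdateDeploymentProvider, or None."""
    m = ARG_RE.search(cmdline)
    return m.group(1).strip('"') if m else None

def directly_inside(path, root):
    """True if path names a file placed directly in root (case-insensitive)."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return len(p) == len(r) + 1 and p[:len(r)] == r

def assess(event):
    """Return the reasons a process-creation event matches the wuauclt.exe DLL abuse."""
    image = PureWindowsPath(event["image"])
    dll = provider_dll(event["cmdline"])
    if image.name.lower() != "wuauclt.exe" or dll is None:
        return []
    dll_path = PureWindowsPath(dll)
    if not dll_path.is_absolute():  # bare name: assume it resolves beside the client
        dll_path = image.parent / dll_path
    reasons = []
    if not directly_inside(dll_path, SYSTEM32):  # catches look-alike "System32" dirs
        reasons.append(f"provider DLL outside System32: {dll_path}")
    if PureWindowsPath(event["parent"]).name.lower() not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {event['parent']}")
    return reasons

# Constructed sample events (not real telemetry): parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer'},
    {"parent": r"C:\Windows\explorer.exe",  # fired from a Startup-folder .lnk
     "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'C:\Windows\System32\wuauclt.exe /UpdateDeploymentProvider C:\Users\victim\AppData\Roaming\Windows\System32\payload.dll /RunHandlerComServer'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\victim\notes.txt"},
]
```

Run `assess()` over each event: the first (service-spawned, DLL beside the client) yields no reasons, while the second is flagged both for the DLL in a user-profile folder merely named System32 and for the explorer.exe parent.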