Connect with us

Hi, what are you looking for?


Lazarus hackers use Windows Update to deploy malware

Windows headpic

Lazarus hackers use Windows Update to deploy malware

North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems.

The new malware deployment method was discovered by the Malwarebytes Threat Intelligence team while analyzing a January spearphishing campaign impersonating the American security and aerospace company Lockheed Martin.

After the victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.

In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) to execute a command that loads the attackers’ malicious DLL.

“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” Malwarebytes said.

The researchers linked these attacks to Lazarus based on several pieces of evidence, including infrastructure overlaps, document metadata, and targeting similar to previous campaigns.

Attack flow
Attack flow (Malwarebytes)

Defense evasion method revived in new attacks

As BleepingComputer reported in October 2020, this tactic was discovered MDSec researcher David Middlehurst, who found that attackers could use the Windows Update client to execute malicious code on Windows 10 systems (he also spotted a sample using it in the wild).

This can be done by loading an arbitrary specially crafted DLL using the following command-line options (the command Lazarus used to load their malicious payload):

Advertisement. Scroll to continue reading.
wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

MITRE ATT&CK classifies this type of defense evasion strategy as Signed Binary Proxy Execution, and it allows attackers to bypass security software, application control, and digital certificate validation protection.

In this case, threat actors do it by executing malicious code from a previously dropped malicious DLL, loaded using the Windows Update client’s Microsoft-signed binary.

Notorious North Korean hacking group

The Lazarus Group (also tracked as HIDDEN COBRA by US intel agencies) is a North Korean military hacking group active for more than a decade, since at least 2009.

Its operators coordinated the 2017 global WannaCry ransomware campaign and have been behind attacks against high-profile companies such as Sony Films and multiple banks worldwide.

Last year, Google spotted Lazarus targeting security researchers in January as part of complex social engineering attacks and a similar campaign during March.

They were also observed using the previously undocumented ThreatNeedle backdoor in a large-scale cyber-espionage campaign against the defense industry of more than a dozen countries.

US Treasury sanctioned three DPRK-sponsored hacking groups (Lazarus, Bluenoroff, and Andariel) in September 2019, and the US government offers a reward of up to $5 million for info on Lazarus activity.

Source link

Advertisement. Scroll to continue reading.
Click to comment

Leave a Reply


Online Business Success

A general view of electricity pylons in Mumbai, India, October 13, 2021. — Reuters NEW DELHI: India is facing its worst power crisis in...

Loan And Finance

Business & FinanceGovernmentPolitics 07 May 2022, 2:03 am. 1 minute Reuters exclusively reported that US and Chinese regulatory officials are in talks to settle...

Loan And Finance

Julia Hummel has been named Vice President, Digital Strategy & Business Development, at Warner Music Canada. Hummel will help the label’s artists leverage opportunities...

Online Business Success

By Andrew Schrage, CEO of Money Crashers, helping consumers and small businesses build strong foundations on the path to financial and personal success. getty...

Top Stories

As the fall of Terra (LUNA) and TerraUSD (UST) may have a noticeable short-term impact on the decision-making of both retail and institutional investors,...

Loan And Finance

Business & FinanceDealsEnergy 09 May 2022, 4:49 am. 1 minute Reuters exclusively revealed Germany’s VNG will transfer euro payments for Russian gas to Gazprombank...


You May Also Like


Introductions get a lot of attention. I’ve explored the topic of how to write them even though as a reader, I always skip them....

SEO Guide

There are all kinds of pictures of the world on the internet, but to find one of these specific pictures that you want to...

Online Business Success

The internet is now our nervous system. We are constantly streaming and buying and watching and liking, our brains locked into the global information...

Online Business Success

You can think of link building in many ways. I like to call it tedious, painful, and a test of patience. It’s also necessary...