Lazarus, a known cybercrime group with ties to the North Korean government, has managed to abuse the Windows Update Client to distribute malware, cybersecurity researchers from Malwarebytes have found. In a blog post detailing their findings, the researchers said they were investigating a phishing campaign impersonating Lockheed Martin, an American aerospace, arms, defense, information security, and technology corporation.
The group was distributing two files – Lockheed_Martin_JobOpportunities.docx, and Salary_Lockheed_Martin_job_opportunities_confidential.doc, obviously targeting people interested in getting a job at the company.
The documents themselves carried malicious macros which, if activated, drop a WindowsUpdateConf.lnk file in the target endpoint’s startup folder, and a DLL file (wuaueng.dll) in the Windows/System32 folder.
After that, the .lnk file launches the Windows Update Client which, in turn, launches the malicious DLL.
“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client,” to bypass antivirus solutions and other security mechanisms.
“With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious dll and /RunHandlerComServer argument after the dll.”
This is not the first time someone’s taken advantage of the Windows Update Client to run malware as back in October 2020, MDSec researcher David Middlehurst discovered the flaw, and even its abuse in the wild.
We are yet to see what Microsoft will do about it but, as usual, one should be extra careful when downloading and running documents coming in through the mail, especially if they require the activation of macros.
Lazarus is one of the world’s most dangerous cybercrime groups, notorious for their involvement in the WannaCry fiasco, as well as the attack on Sony, after the company released a comedy movie set in a fictitious North Korea.