North Korean Hackers Abuse Windows Update Client in Attacks on Defense Industry

The North Korean threat group Lazarus was observed abusing the Windows Update client for the execution of malicious code during a campaign this month, Malwarebytes reports.

Active since at least 2009, Lazarus is the most active North Korean state-sponsored hacking group, with numerous factions operating under its umbrella. Believed to have orchestrated various high-profile cyberattacks, the group stole $400 million worth of crypto-assets last year.

Two different macro-enabled decoy documents masquerading as job opportunities at American global security and aerospace giant Lockheed Martin were used in the January 2022 Lazarus campaign, both carrying compilation timestamps of April 2020.

As part of the first of the observed attacks, malicious macros embedded within the Word document are executed to perform various injections and to achieve persistence. Furthermore, the code hijacks the control flow to execute code in memory.

The threat actor has employed a sophisticated code execution process that involves modifying various functions to ensure successful DLL injection into the explorer.exe process.

The execution chain also involves passing certain parameters to the Windows Update client so that it loads and runs the attacker's code; because the code runs under a trusted, signed Windows binary, this bypasses security detection mechanisms that would otherwise flag the payload.

Malwarebytes’ security researchers also discovered that one of the DLLs used in the attack was signed with a certificate issued to “SAMOYAJ LIMITED.” The file was embedded with a DLL containing the code module for the malware responsible for command and control (C&C) communication.

What’s more, the malware uses GitHub as a C&C, and Malwarebytes says that this is the first time Lazarus has used the code hosting platform in such a manner.

“Using GitHub as a C&C has its own drawbacks, but it is a clever choice for targeted and short-term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections. While analyzing the core module we were able to get the required details to access the C&C, but unfortunately it was already cleaned and we were not able to get much except one of the additional modules,” the security researchers say.

The GitHub account used to operate the malware was created on January 17, under the username “DanielManwarningRep.”

A second document in the campaign was observed dropping an entirely different piece of malware as part of an infection chain that also involved hijacking the control flow, along with an injection technique similar to the one used by the shellcode. This document, however, abuses mshta.exe in the process.
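The two living-off-the-land steps described above (the Windows Update client being handed a DLL to execute, and mshta.exe being launched from a macro-enabled Office document) both leave a distinctive process-creation trail. The following detection logic is an added example written for this article, not code from Malwarebytes or from the campaign: it runs over constructed, Sysmon-style process events (the sample command lines, paths and the `/ARG-PLACEHOLDER` switch are invented placeholders, not the real invocation syntax) and flags wuauclt.exe referencing a DLL outside C:\Windows, and mshta.exe whose parent is an Office application.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events in a simplified Sysmon Event ID 1
# shape. These are illustrative only, not telemetry from the Malwarebytes report,
# and "/ARG-PLACEHOLDER" stands in for whatever switches the real abuse used.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r"wuauclt.exe /detectnow",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r"wuauclt.exe /ARG-PLACEHOLDER C:\Users\alice\AppData\Local\Temp\wuaueng2.dll",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\lm_job.hta",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Windows\System32\adminhelp.hta",
     "parent": r"C:\Windows\explorer.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DLL_ARG = re.compile(r"(?i)(\S+\.dll)\b")  # any whitespace-delimited token ending in .dll

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def under_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules an event matches (empty if benign)."""
    hits: List[str] = []
    image, cmdline, parent = basename(event["image"]), event["cmdline"], basename(event["parent"])
    # Rule 1: the Windows Update client is told to load a DLL that lives outside C:\Windows.
    # A legitimate update run never references a DLL in a user-writable location.
    if image == "wuauclt.exe" and any(not under_windows_dir(d) for d in DLL_ARG.findall(cmdline)):
        hits.append("wuauclt_loads_external_dll")
    # Rule 2: a script host spawned directly by an Office application (macro -> mshta.exe).
    if image == "mshta.exe" and parent in OFFICE_APPS:
        hits.append("office_spawns_mshta")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, matched rule names) for every event that triggers a rule."""
    classified = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, rules) for i, rules in classified if rules]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, rules, SAMPLE_EVENTS[idx]["cmdline"])
```

Rule 1 is deliberately keyed on the DLL's location rather than on specific switches, so it keeps firing if the invocation syntax changes; tune `OFFICE_APPS` and the trusted directory prefix to your environment.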

The use of job opportunities as lures for phishing and the targeting of entities in the defense industry are in line with previous Lazarus attacks, while the metadata of the two documents in this campaign links them to other Lazarus documents.

“Using job opportunities as a template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as Lockheed Martin, BAE Systems, Boeing and Northrop Grumman in the template,” Malwarebytes says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
