North Korean Hackers Abuse Windows Update Client in Attacks on Defense Industry

The North Korean threat group Lazarus was observed abusing the Windows Update client for the execution of malicious code during a campaign this month, Malwarebytes reports.

Active since at least 2009, Lazarus is the most active North Korean state-sponsored hacking group, with numerous factions operating under its umbrella. Believed to have orchestrated various high-profile cyberattacks, the group is estimated to have stolen roughly $400 million worth of crypto-assets in 2021.

Two different macro-enabled decoy documents masquerading as job opportunities at American global security and aerospace giant Lockheed Martin were used in the January 2022 Lazarus campaign, both carrying compilation timestamps of April 2020.

In the first of the observed attacks, the malicious macro embedded in the Word document performs a series of injections and establishes persistence, then hijacks the control flow so that the payload executes in memory.

The execution process is elaborate: the code patches several functions in order to inject a DLL into the explorer.exe process.

The execution chain then invokes the Windows Update client (wuauclt.exe) with parameters that make it load and run attacker-supplied code. Because a signed Microsoft binary ends up executing the malicious DLL, this living-off-the-land step helps the malware evade security detection mechanisms that trust the update client.

Malwarebytes’ security researchers also found that one of the DLLs used in the attack was signed with a certificate issued to “SAMOYAJ LIMITED.” Embedded inside that file was a further DLL containing the core module responsible for command and control (C&C) communication.

What’s more, the malware uses GitHub as its C&C server, which Malwarebytes says is the first time Lazarus has been observed using the code hosting platform in this manner.

“Using GitHub as a C&C has its own drawbacks but it is a clever choice for targeted and short term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections. While analyzing the core module we were able to get the required details to access the C&C but unfortunately it was already cleaned and we were not able to get much except one of the additional modules,” the security researchers say.

The GitHub account used to operate the malware was created on January 17, under the username “DanielManwarningRep.”

The second document drops an entirely different malware family through an infection chain that likewise hijacks the control flow and uses a similar shellcode injection technique, but this one abuses mshta.exe in the process.
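Both documents lean on living-off-the-land binaries: the first on the Windows Update client, the second on mshta.exe. As an added example that is not part of the SecurityWeek article or of Malwarebytes’ research, the Python below runs simple detection logic for both over process-creation telemetry. It assumes Sysmon Event ID 1 style fields (Image, CommandLine, ParentImage) and relies on the publicly documented wuauclt.exe syntax `/UpdateDeploymentProvider <dll> /RunHandlerComServer`, which makes the update client load an arbitrary DLL; the article does not quote the exact parameters Lazarus passed, so treating that syntax as the indicator is an assumption here. The sample events are constructed for illustration, not taken from the campaign.

```python
"""Detection logic for wuauclt.exe and mshta.exe abuse in process-creation events.

Added example, not code from the article or from Malwarebytes. Event shape is
assumed to follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the
SAMPLE_EVENTS below are constructed, not real campaign telemetry.
"""
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Office processes that should never be the parent of mshta.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Provider DLLs that ship with Windows live under %SystemRoot%; a provider
# anywhere else (user profile, temp, ProgramData) is the abuse indicator.
WINDOWS_DIRS = ("c:\\windows\\",)

# Public LOLBin syntax (assumed indicator): wuauclt.exe /UpdateDeploymentProvider
# <dll> /RunHandlerComServer makes the update client LoadLibrary the DLL.
_PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _provider_dll(cmdline: str) -> Optional[str]:
    """Return the DLL path passed to /UpdateDeploymentProvider, if any."""
    m = _PROVIDER_RE.search(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip()


def check_wuauclt(event: dict) -> Optional[str]:
    """Flag wuauclt.exe asked to load a provider DLL from outside %SystemRoot%."""
    if _basename(event.get("Image", "")) != "wuauclt.exe":
        return None
    cmd = event.get("CommandLine", "")
    dll = _provider_dll(cmd)
    if dll is None or "/runhandlercomserver" not in cmd.lower():
        return None  # ordinary update-client invocation (e.g. /detectnow)
    if dll.lower().startswith(WINDOWS_DIRS):
        return None  # provider DLL shipped with Windows
    return f"wuauclt.exe loading non-Windows provider DLL: {dll}"


def check_mshta(event: dict) -> Optional[str]:
    """Flag mshta.exe spawned by Office or pointed at remote content."""
    if _basename(event.get("Image", "")) != "mshta.exe":
        return None
    parent = _basename(event.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        return f"mshta.exe spawned by Office process {parent}"
    cmd = event.get("CommandLine", "").lower()
    if "http://" in cmd or "https://" in cmd:
        return "mshta.exe executing remote content"
    return None


RULES: Tuple[Callable[[dict], Optional[str]], ...] = (check_wuauclt, check_mshta)


def detect(events: Iterable[dict]) -> List[Tuple[int, str]]:
    """Run every rule over every event; return (event index, reason) pairs."""
    hits: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((i, reason))
    return hits


# Constructed sample telemetry: one benign and one suspicious event per binary.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r"wuauclt.exe /detectnow",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r'wuauclt.exe /UpdateDeploymentProvider "C:\Users\jdoe\AppData\Local\Temp\wuaueng.dll" /RunHandlerComServer',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\jdoe\AppData\Local\Temp\job.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
```

The wuauclt rule keys on the provider DLL path rather than on the binary name alone, because the update client runs legitimately all the time; tune the allowlisted directories to your build and expect to add a parent-process condition (the campaign launched it from an injected explorer.exe) once you see how the call appears in your own telemetry. The mshta rule is deliberately narrow; environments that use HTA-based installers will need an allowlist of their own.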

The use of job opportunities as lures for phishing and the targeting of entities in the defense industry are in line with previous Lazarus attacks, while the metadata of the two documents in this campaign links them to other Lazarus documents.

“Using job opportunities as template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as Lockheed Martin, BAE Systems, Boeing and Northrop Grumman in the template,” Malwarebytes says.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
