North Korea's Lazarus uses Windows Update, GitHub to infect PCs in latest campaign

Lazarus uses Windows Update client, GitHub to infect PCs

The spear-phishing campaign impersonates the American security and aerospace firm Lockheed Martin to target people interested in getting a job at the company

Lazarus, the notorious cybercrime group with links to the North Korean government, has been using the Windows Update client to deploy malware as part of a new spear-phishing campaign, according to researchers from cyber security firm Malwarebytes.

In a blog post detailing their findings, the researchers said they observed Lazarus' new malware deployment method and its use of living-off-the-land (LotL) techniques this month while analysing a new spear-phishing campaign that impersonated the American security and aerospace firm Lockheed Martin.

The researchers said they discovered two Word documents that targeted people interested in getting a job at Lockheed Martin.

The documents contained malicious macros which, when enabled, dropped a WindowsUpdateConf.lnk file in the start-up folder, and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.

In the next stage, the LNK file launched the WSUS / Windows Update client (wuauclt.exe) which, in turn, triggered the malicious DLL file.

The researchers also found evidence of the threat group leveraging GitHub to serve as a command and control (C2) server for its attacks. The use of GitHub as a C2 by Lazarus is rare, and the researchers said this is the first time they have seen the group doing so.

The researchers described wuaueng.dll as "one of the most important DLLs in the attack chain", whose primary purpose is to establish communication with the C2 server, a GitHub repository hosting malicious modules masked as PNG image files.

The infection technique used by the Lazarus hackers is "interesting" because it lets them run a malicious DLL through the Windows Update client while evading detection by antivirus software and other security mechanisms, according to the researchers.

"With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious dll and /RunHandlerComServer argument after the dll," they said.
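A process-creation check for exactly that argument pattern, written here as an added example for defenders (it is not code from Malwarebytes or the article). It assumes Sysmon-style event fields and an allowlist in which the only legitimate provider DLL sits directly in C:\Windows\System32, so a look-alike wuaueng.dll dropped into a hidden subfolder, or passed as a bare filename, fails the check; the hidden-folder path in the sample records is constructed, not the campaign's real one.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Assumption (tune per environment): the only provider DLL the Windows Update
# client should be handed, and the only directory it may be loaded from.
TRUSTED_DIR = r"C:\Windows\System32"
TRUSTED_DLLS = {"wuaueng.dll"}

# The argument pair quoted in the article; the DLL path may be quoted.
PROVIDER_RE = re.compile(
    r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))\s+/RunHandlerComServer',
    re.IGNORECASE)

def provider_dll(command_line: str) -> Optional[str]:
    """Return the DLL path handed to /UpdateDeploymentProvider, or None."""
    m = PROVIDER_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def is_trusted_path(dll: str) -> bool:
    """Trusted only if absolute, directly in TRUSTED_DIR (not a subfolder) and
    a known provider name, so a hidden System32 subfolder holding a look-alike
    wuaueng.dll fails, as does a bare or relative filename."""
    path = ntpath.normpath(dll)
    if not ntpath.isabs(path) or not ntpath.splitdrive(path)[0]:
        return False
    parent, name = ntpath.split(path)
    return parent.lower() == TRUSTED_DIR.lower() and name.lower() in TRUSTED_DLLS

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert for a suspicious wuauclt.exe launch, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "wuauclt.exe":
        return None
    dll = provider_dll(event.get("CommandLine", ""))
    if dll is None or is_trusted_path(dll):
        return None
    return f"wuauclt.exe loading untrusted provider DLL: {dll}"

def scan(events: List[Dict[str, str]]) -> List[str]:
    return [a for a in map(classify, events) if a]

# Constructed Sysmon-style (event ID 1) records; the hidden-folder path is
# invented for the example, not the campaign's actual drop location.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer'},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "CommandLine": r'wuauclt.exe /UpdateDeploymentProvider "C:\Windows\System32\hiddendir\wuaueng.dll" /RunHandlerComServer'},
    {"Image": r"C:\Windows\System32\wuauclt.exe", "CommandLine": "wuauclt.exe /detectnow"},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the second record; a filename-only allowlist would have let it through, which is the point of the attacker reusing the legitimate DLL's name.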

The campaign can be linked to Lazarus based on multiple pieces of evidence, including document metadata and infrastructure overlaps, according to Malwarebytes. It also targets the same kinds of victims as the group's previous campaigns.

The Lazarus Group, also known as Hidden Cobra, APT38 and Zinc, is the moniker assigned to the North Korea state-backed threat group that has been active since at least 2009. The group became widely known in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

According to cyber security firm Group-IB, this notorious group stole more than $600 million worth of cryptocurrency in 2017 and 2018.

In July 2020, researchers from cyber security firm Sansec warned that Lazarus was planting skimmers on US and European retail websites in an effort to steal the payment card details of unsuspecting shoppers. Sansec claimed that the group had developed a global exfiltration network that used hijacked websites to transfer stolen assets to the attackers. The researchers identified many exfiltration nodes in the hackers' network, including a New Jersey-based book store, a vintage music store in Tehran and a modelling agency in Milan.

Cyber security firm Kaspersky also warned in 2020 that Lazarus had significantly updated its attack tactics in an effort to remain undetected during cryptocurrency stealing campaigns. The researchers said they had found evidence suggesting that Lazarus was using messaging app Telegram to deliver malicious files to potential targets in order to steal cryptocurrency.