Lazarus APT group has been observed abusing Windows Update Client to spread malware in a spear-phishing campaign geared toward obtaining military secrets. The attack was spotted on January 18.

About the campaign

According to Malwarebytes, the threat actor was using modified versions of the same job opportunities theme that it has used before. 
  • The group masqueraded as Lockheed Martin in spear-phishing campaigns—containing two macro-embedded decoy documents—with an aim to exfiltrate confidential military data.
  • Both documents had a compilation time of April 4, 2020. However, based on the domains used by threat actors and several additional indicators, researchers identified that the documents were used late last month and this month as well.

What's new this time?

  • The technique used in this campaign is particularly devious because hackers now execute their malicious code through the Microsoft Windows Update client and GitHub.
  • For the first time, the group had used GitHub as a C2 for targeted and short-term attacks. All this makes it harder for security tools to identify malicious and legitimate connections.

How does the malware bypass Windows security?

The attack begins with the execution of malicious macros added in the Word documents. After multiple injections, the malware tries to obtain startup persistence in the victim system.
  • Opening the malicious attachments enables execution of macros, which drops a file (WindowsUpdateConf[.]lnk) in the startup folder and a DLL file in a hidden system folder (Windows/System32).
  • The macro loads the shellcode, which arrives along with an encrypted DLL. The DLL is decrypted at runtime and mapped manually inside memory by the shellcode.
  • A .LNK file launches the WSUS/Windows Update client, which is a genuine process known as Windows automatic updates, located in C:\Windows\System32. 
  • The Update client is employed for running a malicious DLL to bypass security detection. By using this method, attackers can execute malicious code via Windows Update client.

Conclusion

Lazarus APT is a well-resourced threat group already known for targeting the defense industry. Moreover, the group keeps updating its tools and techniques regularly to bypass security mechanisms. Abuse of GitHub and Windows Updates indicates that this threat actor is striving hard to breach national security systems.

Cyware Publisher

Publisher

Cyware