Malware through Windows Update and yet it is possible

North Korea's government hacking group Lazarus has added another tool to its arsenal. This time it is a Windows Update client that uses the living-off-the-land binaries (LoLBins) technique to run malicious code on Windows systems.

The new malware development method was discovered by the Malwarebytes Threat Intelligence team during the analysis of a spearphishing campaign in January that claimed to be the American security and aerospace company Lockheed Martin.

If victims open malicious Word attachments and enable macros to run, a macro drops a WindowsUpdateConf.lnk file into the startup folder and a DLL file (wuaueng.dll) into a hidden Windows / System32 folder.

attackflow

In the next step, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) which runs another command to load the malicious DLL of attackers.

"It's an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client and bypass security detection mechanisms." he says Malwarebytes.

The researchers linked these attacks to the Lazarus team based on a number of factors, including overlaps in their infrastructure, metadata of documents, and similar targeting of previous campaigns.

This tactic was discovered by MDSec researcher David Middlehurst, who found that intruders could use a Windows Update client to run malicious code on Windows 10 systems.

This can be done by loading a custom DLL and using the following command line (the command Lazarus used to load its malicious load):

wuauclt.exe / UpdateDeploymentProvider [path_to_dll] / RunHandlerComServer

MITER ATT & CK reports that the attack uses a way of defensive avoidance strategy known as Signed Binary Proxy Execution and allows intruders to bypass security software, control applications, and protect digital certificate validation, since everything is done through Windows Update.

The Lazarus group (also known as HIDDEN COBRA by US intelligence services) is a North Korean military hacking group that has been active for more than a decade, at least since 2009.

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).