Malware through Windows Update? Yes, it is possible

North Korea's state-sponsored Lazarus group has added another tool to its arsenal. This time it abuses the Windows Update client, a living-off-the-land binary (LoLBin), to run malicious code on Windows systems.

The new technique was discovered by the Malwarebytes Threat Intelligence team while analysing a January spearphishing campaign that impersonated the American security and aerospace company Lockheed Martin.

If victims open the malicious Word attachments and enable macros, one macro drops a WindowsUpdateConf.lnk file into the startup folder and a DLL file (wuaueng.dll) into a hidden Windows/System32 folder.

[Figure: attack flow]

In the next step, the LNK file launches the WSUS / Windows Update client (wuauclt.exe), which in turn runs a command line that loads the attackers' malicious DLL.

"It's an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client and bypass security detection mechanisms," says Malwarebytes.

Researchers attributed these attacks to the Lazarus group based on several elements, such as infrastructure overlaps, document metadata, and targeting similar to that of previous campaigns.

This tactic was first documented by MDSec researcher David Middlehurst, who found that attackers could use the Windows Update client to run malicious code on Windows 10 systems.

This is done by loading a custom DLL with the following command line (the command Lazarus used to load its malicious payload):

wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

MITRE ATT&CK classifies this as Signed Binary Proxy Execution, a defense evasion technique that lets attackers bypass security software, application control, and digital certificate validation, since everything is executed through the signed Windows Update binary.
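From the defender's side, the switch pair above is a useful hunting signal in process-creation telemetry: the real update service spawns wuauclt.exe itself and hands it its own handler DLL, so a client started from a startup LNK (parent explorer.exe) with an arbitrary DLL path stands out. The following Python is an added example, not code from the article or from Malwarebytes; the event field names, the handler-DLL allowlist and the sample events are constructed assumptions to be tuned against your own baseline.

```python
import re
from typing import Optional
from pathlib import PureWindowsPath

# Assumption: only Windows Update's own handler DLL is expected with this
# switch pair; extend the allowlist from what your baseline shows.
ALLOWED_HANDLER_DLLS = {"updatedeploymentprovider.dll"}

# The switch pair from the article, capturing the DLL argument
# (quoted paths containing spaces are handled).
_PROXY_RE = re.compile(
    r'/UpdateDeploymentProvider\s+"?(?P<dll>[^"]+?\.dll)"?\s+/RunHandlerComServer',
    re.IGNORECASE,
)

def classify_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if benign."""
    image = PureWindowsPath(event.get("image", "")).name.lower()
    if image != "wuauclt.exe":
        return None
    match = _PROXY_RE.search(event.get("command_line", ""))
    if not match:
        return None  # other switches (e.g. /detectnow) are not proxy execution
    dll_path = PureWindowsPath(match.group("dll").strip())
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    reasons = []
    if dll_path.name.lower() not in ALLOWED_HANDLER_DLLS:
        reasons.append(f"non-standard handler DLL: {dll_path}")
    if parent != "svchost.exe":  # the update service normally spawns the client
        reasons.append(f"unexpected parent process: {parent or 'unknown'}")
    if not reasons:
        return None
    return {"technique": "Signed Binary Proxy Execution (MITRE ATT&CK T1218)",
            "dll": str(dll_path), "reasons": reasons}

def hunt(events: list) -> list:
    """Run classify_event over a batch of events and collect the findings."""
    return [f for f in map(classify_event, events) if f]

# Constructed sample telemetry (not real logs); the first event mirrors the
# LNK-launched command the article describes, the others are benign noise.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wuauclt.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer"},
    {"image": r"C:\Windows\System32\wuauclt.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer"},
    {"image": r"C:\Windows\System32\wuauclt.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"wuauclt.exe /detectnow"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```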

The Lazarus Group (also called COBRA by US intelligence) is a North Korean military hacking group that has been active for more than a decade, at least since 2009.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
