Pierluigi Paganini January 27, 2022

North Korea-linked Lazarus APT group uses Windows Update client to deliver malware on Windows systems.

North Korea-linked Lazarus APT started using Windows Update to execute the malicious payload and GitHub as a command and control server in recent attacks, Malwarebytes researchers reported.

The activity of the Lazarus APT group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.

The spear-phishing messages analyzed by Malwarebytes employed two weaponized documents (Lockheed_Martin_JobOpportunities.docx, Salary_Lockheed_Martin_job_opportunities_confidential.doc) that lure recipients with new job opportunities at Lockheed Martin.

Both documents were compiled on 2020-04-24, but experts believe that they have been used in a campaign around late December 2021 and early 2022.

Upon opening the documents and enabling macros, the embedded code drops WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.

In the next stage of the attack chain, threat actors used the LNK file to launch the Windows Update client (wuauclt.exe) to execute a command that loads a malicious DLL.

“drops_lnk.dll – This DLL is loaded and executed inside the explorer.exe process, it mainly drops the lnk file (WindowsUpdateConf.lnk) into the startup folder and then it checks for the existence of wuaueng.dll in the malicious directory and manually loads and executes it from the disk if it exists. The lnk file (WindowsUpdateConf.lnk) executes “C:\Windows\system32\wuauclt.exe” /UpdateDeploymentProvider C:\Wíndows\system32\wuaueng.dll /RunHandlerComServer. This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms.” reads the analysis published by Malwarebytes. “With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious dll and /RunHandlerComServer argument after the dll.”

Experts also discovered that the malware is using GitHub as C2, which is an uncommon choice for malware authors and this is the first time that Lazarus leveraging it. The use of Github as a C2 aims at evading detection.

The attribution of the campaign to the Lazarus APT is based on multiple evidence, including:

• the use of job opportunities as template, a technique used by Lazarus in the past.
• the targets in the defense industry, and specifically Lockheed Martin, are known targets for North Korea-linked APT.
• The document’s metadata used in this campaign links them to several other documents used by Lazarus in the past.

“Lazarus APT is one of the advanced APT groups that is known to target the defense industry. The group keeps updating its toolset to evade security mechanisms.” concludes the report that also included IoCs. “Even though they have used their old job theme method, they employed several new techniques to bypass detections:

• Use of KernelCallbackTable to hijack the control flow and shellcode execution
• Use of the Windows Update client for malicious code execution
• Use of GitHub for C2 communication

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus APT)

[adrotate banner=”5″]

[adrotate banner=”13″]