September 27, 2023

Lazarus cybercrime group ties to the North Korean government is a well known one, now it has managed to abuse the Windows Update Client to distribute malware.

The researchers said they were investigating a phishing campaign impersonating Lockheed Martin, an American aerospace, arms, defense, information security, and technology corporation.


The group was distributing two files targeting people interested in getting a job at the company.

  • Lockheed_Martin_JobOpportunities.docx
  • Salary_Lockheed_Martin_job_opportunities_confidential.doc

The documents themselves carried malicious macros which, if activated, drop a WindowsUpdateConf.lnk file in the target endpoint’s startup folder, and a DLL file (wuaueng.dll) in the Windows/System32 folder.

The .lnk file launches the Windows Update Client which, in turn, launches the malicious DLL. This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client, to bypass antivirus solutions and other security mechanisms.

The threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious dll and /RunHandlerComServer argument after the dll.


Indicators of Compromise

  • 0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b
  • 0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1
  • 4216f63870e2cdfe499d09fce9caa301f9546f60a69c4032cb5fb6d5ceb9af32
  • 829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1
  • f14b1a91ed1ecd365088ba6de5846788f86689c6c2f2182855d5e0954d62af3b
  • 660e60cc1fd3e155017848a1f6befc4a335825a6ae04f3416b9b148ff156d143
  • 11b5944715da95e4a57ea54968439d955114088222fd2032d4e0282d12a58abb
  • 9d18defe7390c59a1473f79a2407d072a3f365de9834b8d8be25f7e35a76d818
  • c677a79b853d3858f8c8b86ccd8c76ebbd1508cc9550f1da2d30be491625b744
  • 5098ec21c88e14d9039d232106560b3c87487b51b40d6fef28254c37e4865182

Leave a Reply

%d bloggers like this: