August 12, 2022

TheCyberThrone

Thinking Security ! Always

Lazarus Hijacks Windows Update Client

The Lazarus cybercrime group's ties to the North Korean government are well known. Now it has managed to abuse the Windows Update Client to distribute malware.

The researchers said they were investigating a phishing campaign impersonating Lockheed Martin, an American aerospace, arms, defense, information security, and technology corporation.


The group was distributing two files targeting people interested in getting a job at the company.

  • Lockheed_Martin_JobOpportunities.docx
  • Salary_Lockheed_Martin_job_opportunities_confidential.doc

The documents themselves carried malicious macros which, if activated, drop a WindowsUpdateConf.lnk file in the target endpoint’s startup folder, and a DLL file (wuaueng.dll) in the Windows/System32 folder.

The .lnk file launches the Windows Update Client which, in turn, launches the malicious DLL. This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client, to bypass antivirus solutions and other security mechanisms.

The threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, the path to the malicious DLL, and the /RunHandlerComServer argument after the DLL.
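As an added example (not from the original article or the researchers it cites), the following Python code checks process-creation events for the argument pattern described above. The event field names and the sample events are constructed for illustration; wuauclt.exe is the file name of the Windows Update client.

```python
import ntpath
import re

CLIENT = "wuauclt.exe"                    # file name of the Windows Update client
PROVIDER = "/updatedeploymentprovider"    # switch named in the article
HANDLER = "/runhandlercomserver"          # switch named in the article

def tokenize(command_line):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]

def check_event(event):
    """Return a finding if the event shows the client loading a DLL this way."""
    if ntpath.basename(event["image"]).lower() != CLIENT:
        return None
    args = tokenize(event["command_line"])[1:]      # drop the executable itself
    lowered = [a.lower() for a in args]             # switches are case-insensitive
    if PROVIDER not in lowered:
        return None
    idx = lowered.index(PROVIDER)
    # Pattern from the article: provider switch, DLL path, then handler switch.
    if HANDLER not in lowered[idx + 2:]:
        return None
    return {"host": event["host"], "dll": args[idx + 1],
            "parent": ntpath.basename(event["parent_image"])}

def scan(events):
    """Return findings for every matching event."""
    return [f for f in map(check_event, events) if f]

# Constructed sample events (field names are assumptions, modelled on
# typical process-creation telemetry; they are not from the article).
SAMPLE_EVENTS = [
    {"host": "WS-017", "image": r"C:\Windows\System32\wuauclt.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\wuauclt.exe /detectnow"},
    {"host": "WS-042", "image": r"C:\Windows\System32\wuauclt.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                     r"C:\Windows\System32\wuaueng.dll /RunHandlerComServer"},
    {"host": "WS-042", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe /UpdateDeploymentProvider notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The finding keeps the parent process name because the article describes the client being started from a .lnk file in the startup folder, so an interactive-shell parent is worth reviewing alongside the DLL path.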


Indicators of Compromise
