October 3, 2022

M-Dudes

Lazarus hackers use Windows Update to deploy malware

North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems.

The new malware deployment method was discovered by the Malwarebytes Threat Intelligence team while analyzing a January spearphishing campaign impersonating the American security and aerospace company Lockheed Martin.

After the victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the Startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.

In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) with a command line that loads the attackers' malicious DLL.

“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” Malwarebytes said.

The researchers linked these attacks to Lazarus based on several pieces of evidence, including infrastructure overlaps, document metadata, and targeting similar to previous campaigns.

Attack flow (Malwarebytes)

Defense evasion technique revived in new attacks

As BleepingComputer reported in October 2020, this tactic was discovered by MDSec researcher David Middlehurst, who found that attackers could use the Windows Update client to execute malicious code on Windows 10 systems (he also spotted a sample using it in the wild).

This can be done by loading an arbitrary, specially crafted DLL using the following command-line options (the command Lazarus used to load its malicious payload):

wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

MITRE ATT&CK classifies this type of defense evasion technique as Signed Binary Proxy Execution (T1218): because the code runs inside a Microsoft-signed binary, it lets attackers bypass security software, application control (allow-listing), and digital certificate validation protections.

In this case, the threat actors do so by executing malicious code from the previously dropped DLL, loaded by the Windows Update client's Microsoft-signed binary, so the only process that ever appears on the endpoint is wuauclt.exe.
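As an added example (not code from the original article or from Malwarebytes), the following Python snippet shows how a detection engineer might hunt for the command above in process-creation telemetry. The events are constructed for this example in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the paths and user names are invented. The baseline it encodes, that legitimate invocations are spawned by svchost.exe and reference the provider DLL by bare name or from System32, is an assumption to verify against your own telemetry before deploying the rule.

```python
"""
Hunt for wuauclt.exe /UpdateDeploymentProvider ... /RunHandlerComServer abuse.

Added example, not Malwarebytes' or BleepingComputer's code. The records in
SAMPLE_EVENTS are constructed to look like Sysmon Event ID 1 exported to JSON.
"""
import re

# Constructed sample events. Event 1 mimics the chain described in the article:
# wuauclt.exe launched from a Startup-folder LNK (so explorer.exe is the parent)
# and pointed at a DLL outside System32.
SAMPLE_EVENTS = [
    {   # assumed-benign baseline: provider DLL by bare name, parent is the update service host
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # LoLBin abuse: attacker-controlled DLL path, parent is explorer.exe (Startup LNK)
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\alice\AppData\Local\Temp\wuaueng.dll /RunHandlerComServer",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrelated wuauclt switch: must not fire
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r"wuauclt.exe /detectnow",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # same switches on a different image: not this technique
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe /UpdateDeploymentProvider x.dll /RunHandlerComServer",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Captures the DLL argument whether or not it is quoted.
PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+("([^"]+)"|(\S+))', re.IGNORECASE)

# Assumed baseline (verify in your environment): the update service host is the
# expected parent, and a bare "UpdateDeploymentProvider.dll" or a System32 path
# is the expected provider argument.
TRUSTED_DIR = r"c:\windows\system32"
TRUSTED_PARENTS = {r"c:\windows\system32\svchost.exe"}
EXPECTED_BARE_DLL = "updatedeploymentprovider.dll"


def extract_provider_dll(cmdline):
    """Return the DLL passed to /UpdateDeploymentProvider, or None if absent."""
    m = PROVIDER_RE.search(cmdline)
    if not m:
        return None
    return m.group(2) or m.group(3)


def classify(event):
    """Return a finding dict for a wuauclt.exe proxy-execution event, else None."""
    if not event["Image"].lower().endswith("\\wuauclt.exe"):
        return None
    cmd = event["CommandLine"]
    if "/runhandlercomserver" not in cmd.lower():
        return None
    dll = extract_provider_dll(cmd)
    if dll is None:
        return None

    reasons = []
    dll_l = dll.lower()
    if "\\" in dll_l:
        # Explicit path: anything outside System32 is attacker-supplied.
        if not dll_l.startswith(TRUSTED_DIR + "\\"):
            reasons.append(f"provider DLL outside System32: {dll}")
    elif dll_l != EXPECTED_BARE_DLL:
        # Bare name resolves via the loader search order; unexpected names are suspicious.
        reasons.append(f"unexpected provider DLL name: {dll}")
    if event["ParentImage"].lower() not in TRUSTED_PARENTS:
        reasons.append(f"unexpected parent: {event['ParentImage']}")

    return {"dll": dll, "severity": "high" if reasons else "info", "reasons": reasons}


def hunt(events):
    """Run classify() over a list of events; return (index, finding) pairs."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(idx, finding["severity"], finding["dll"], "; ".join(finding["reasons"]))
```

The rule deliberately keeps the baseline match at "info" rather than suppressing it: if your fleet never produces that invocation from svchost.exe, tighten the rule to alert on any /RunHandlerComServer instance, and pair it with a file-creation hunt for the WindowsUpdateConf.lnk in Startup folders.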

Notorious North Korean hacking group

The Lazarus Group (also tracked as HIDDEN COBRA by US intelligence agencies) is a North Korean military hacking group active for more than a decade, since at least 2009.

Its operators coordinated the 2017 global WannaCry ransomware campaign and were behind attacks against high-profile organizations such as Sony Pictures and various banks around the world.

Last year, Google spotted Lazarus targeting security researchers in January as part of complex social engineering attacks, and again in a related campaign during March.

They were also observed using the previously undocumented ThreatNeedle backdoor in a large-scale cyber-espionage campaign against the defense industry of more than a dozen countries.

The US Treasury sanctioned three DPRK-sponsored hacking groups (Lazarus, Bluenoroff, and Andariel) in September 2019, and the US government offers a reward of up to $5 million for information on Lazarus activity.