North Korea is Attacking American Targets with Malware Through a Windows Update Service
- By David Lukic
- Published: Jan 28, 2022
- Last Updated: Mar 18, 2022
The infamous hacking collective dubbed “Lazarus Group” has launched a new digital attack campaign. The hackers’ latest attack uses the Windows Update client to run a harmful payload, a living-off-the-land (LotL) technique in which an APT group abuses a legitimate, trusted system binary to advance its overarching aims.
What is the Lazarus Group all About?
The Lazarus Group, also referred to as “APT38”, and other pseudonyms ranging from “Zinc” to “Whois Hacking Team”, hails from North Korea. To be more specific, the Lazarus Group is a state-tied hacking collective that has compromised computers and networks dating back to 2009. Lazarus Group was tied to a social engineering campaign in 2021 that zeroed in on digital security researchers.
How is the Group’s Latest Hack Performed?
The Lazarus Group is using spear-phishing attacks that Malwarebytes identified in late January. These attacks stem from weaponized documents that use job-themed lures to impersonate American governmental security forces as well as the defense contractor Lockheed Martin.
A harmful macro contained within the document is triggered when the targeted computer user opens the phony Microsoft Word file. The macro executes Base64-encoded shellcode, which delivers malware components into the explorer.exe process.
The next part of the attack involves a loaded binary using the Windows Update client to load the second module, a DLL labeled “wuaueng.dll.” Digital security professionals are intrigued by this technique because running the harmful DLL through the Windows Update client, a trusted and signed system component, sidesteps the mechanisms designed to detect threats.
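As an added illustration of how a defender might catch the behavior described above (this is example code written for this article, not anything from Malwarebytes or the attackers), the following Python checks Sysmon-style process-creation and image-load records for a Windows Update client that is launched by an unexpected parent, references a DLL on its command line, or loads a wuaueng.dll from outside the Windows directory. The event records, the set of expected parent processes and the field names are all constructed assumptions for this example.

```python
import ntpath

# Parents from which wuauclt.exe is normally launched (assumption for this example).
EXPECTED_PARENTS = {"svchost.exe", "services.exe"}
SYSTEM_ROOT = "c:\\windows\\"

# Constructed Sysmon-style records: EventID 1 = process creation, 7 = image load.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "wuauclt.exe /reportnow"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wuaueng.dll", "Signed": "true"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wuauclt.exe C:\\Users\\Public\\Libraries\\wuaueng.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\wuaueng.dll", "Signed": "false"},
]


def _basename(path):
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return the reasons one event looks like Windows Update client abuse (empty if benign)."""
    reasons = []
    if _basename(ev.get("Image", "")) != "wuauclt.exe":
        return reasons
    if ev["EventID"] == 1:
        parent = _basename(ev.get("ParentImage", ""))
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"wuauclt.exe launched by unexpected parent {parent}")
        if ".dll" in ev.get("CommandLine", "").lower():
            reasons.append("wuauclt.exe command line references a DLL")
    elif ev["EventID"] == 7:
        loaded = ev.get("ImageLoaded", "")
        if not loaded.lower().startswith(SYSTEM_ROOT):
            reasons.append(f"wuauclt.exe loaded {loaded} from outside the Windows directory")
        if _basename(loaded) == "wuaueng.dll" and ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned wuaueng.dll loaded by wuauclt.exe")
    return reasons


def scan(events):
    """Return (index, reasons) for every suspicious event in the log."""
    hits = []
    for i, ev in enumerate(events):
        reasons = check_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits
```

In a real deployment the expected-parent set and the allowed DLL locations should be tuned against a baseline of the environment's own Windows Update traffic before alerting on them.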
When Did the Attack Begin?
The hacking collective responsible for this unique digital attack likely launched it in mid-January. If reports are accurate, the GitHub repository account that hosts the modules, which are disguised as PNG files, was created on January 17, 2022. This repository serves as a command-and-control (C2) server and receives communication from the “wuaueng.dll” module.
Why do Cyber Security Specialists Believe Lazarus is Behind the Attack?
According to Malwarebytes representatives, the attack’s alleged ties to the Lazarus Group stem from multiple pieces of evidence: overlaps in infrastructure with prior Lazarus Group attacks, metadata in the malicious documents, and the job-themed templates used to pinpoint targets for exploitation.
Malwarebytes digital security gurus also pointed out the fact that Lazarus APT is one of the world’s most accomplished APT groups, especially when it comes to defense industry attacks. Lazarus APT makes a concerted effort to update its internal toolset to avoid detection from digital defense security mechanisms.
Though Lazarus APT reused its earlier job-themed lure for these attacks, the group is also implementing new strategies to clandestinely attack defense contractors, government agencies, businesses, and other parties. You can do your part to prevent a potentially crippling digital attack with cyber defenses that protect against account takeovers.