North Korean Hackers Abuse Windows Update Client In Attacks On Defense Industry

The North Korean threat group Lazarus was observed abusing the Windows Update client for the execution of malicious code during a campaign this month, Malwarebytes reports.

Active since at least 2009, Lazarus is the most active North Korean state-sponsored hacking group, with numerous factions operating under its umbrella. Believed to have orchestrated various high-profile cyberattacks, the group stole $400 million worth of crypto-assets last year.

Two different macro-enabled decoy documents masquerading as job opportunities at American global security and aerospace giant Lockheed Martin were used in the January 2022 Lazarus campaign, both carrying compilation timestamps of April 2020.

As part of the first of the observed attacks, malicious macros embedded within the Word document are executed to perform various injections and to achieve persistence. Furthermore, the code hijacks the control flow to execute code in memory.

The threat actor has employed a sophisticated code execution process that involves modifying various functions to ensure successful DLL injection into the explorer.exe process.

[READ: North Korean Hackers Targeting IT Supply Chain: Kaspersky]

Furthermore, the execution chain also involves passing certain parameters to the Windows Update Client to abuse it for code execution, which results in the bypass of security detection mechanisms.

Malwarebytes’ security researchers also discovered that one of the DLLs used in the attack was signed with a certificate issued to “SAMOYAJ LIMITED.” The file was embedded with a DLL containing the code module for the malware responsible for command and control (C&C) communication.

What’s more, the malware uses GitHub as a C&C, and Malwarebytes says that this is the first time Lazarus has used the code hosting platform in such a manner.

“Using Github as a C&C has its own drawbacks but it is a clever choice for targeted and short term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections. While analyzing the core module we were able to get the required details to access the C&C but unfortunately it was already cleaned and we were not able to get much except one of the additional modules,” the security researchers say.

[READ: Lazarus Group Targets South Korea via Supply Chain Attack]

The GitHUb account used to operate the malware was created on January 17, with the username of “DanielManwarningRep.”

A second document in the campaign was observed dropping a totally different malware as part of an infection chain that also involved the hijacking of the control flow, along with a similar injection technique used by the shellcode. This document, however, abuses mshta.exe in the process.

The use of job opportunities as lures for phishing and the targeting of entities in the defense industry are in line with previous Lazarus attacks, while the metadata of the two documents in this campaign links them to other Lazarus documents.

“Using job opportunities as template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as LockHeed Martin, BAE Systems, Boeing and Northrop Grumman in the template,” Malwarebytes says.