North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems. Lazarus Group is one of the most sophisticated North Korean APTs and has been active since 2009. The group is responsible for many high-profile attacks and has gained worldwide attention.
“In this campaign, Lazarus conducted spear phishing attacks weaponized with malicious documents that use their known job opportunities theme. We identified two decoy documents masquerading as American global security and aerospace giant Lockheed Martin,” Malwarebytes said.
Attack Process
The image below shows the full attack process, which we discuss in detail in this article. The attack starts with the malicious macros embedded in the Word document. The malware then performs a series of injections and achieves startup persistence on the target system.
The new deployment method was discovered by the Malwarebytes Threat Intelligence team while analyzing a January spear-phishing campaign impersonating the American security and aerospace company Lockheed Martin.
After the victims open the malicious attachment and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the Startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder. Note that wuaueng.dll is also the name of a legitimate Windows Update Agent component, so the file name alone is not a useful indicator; the hash listed below is.
In the next stage, the LNK file launches the WSUS / Windows Update client (wuauclt.exe) with arguments that make it load the attackers' DLL. Because wuauclt.exe is a Microsoft-signed binary living in System32, the malicious code ends up running inside a trusted process, which is what makes it attractive as a LoLBin.
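The two stages above (the macro dropping a Startup LNK and a System32 DLL, then wuauclt.exe being used as a DLL loader) are the places a defender can catch this chain. The following is an added example, not code from the Malwarebytes report or from this article, of detection logic run over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records. The event records, user name, paths and the OFFICE_PROCESSES list are constructed for the example; the wuauclt.exe command line is built from the switches the LOLBAS project documents for this binary (/UpdateDeploymentProvider <dll> /RunHandlerComServer) and is not a command line quoted from the campaign.

```python
"""Flag the wuauclt.exe LoLBin chain in Sysmon-style events.

Event IDs follow Sysmon: 1 = process creation, 11 = file creation.
All events below are constructed for this example, not captured telemetry.
"""
import re
from pathlib import PureWindowsPath

# Office processes that should never write DLLs into System32 or LNK files
# into a user's Startup folder (assumption for this example).
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# LOLBAS-documented loader syntax:
#   wuauclt.exe /UpdateDeploymentProvider <dll> /RunHandlerComServer
PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+"?([^"\s]+\.dll)"?', re.IGNORECASE)
RUN_HANDLER_RE = re.compile(r"/RunHandlerComServer", re.IGNORECASE)

SAMPLE_EVENTS = [
    # Stage 1: the macro (WINWORD.EXE) drops the persistence LNK into Startup.
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk"},
    # Stage 1: the macro drops the malicious DLL into System32.
    {"EventID": 11,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Windows\System32\wuaueng.dll"},
    # Stage 2: explorer.exe runs the Startup LNK, which starts wuauclt.exe as a DLL loader.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer'},
    # Benign: the Windows Update service host invoking the client normally.
    {"EventID": 1,
     "Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\wuauclt.exe /detectnow"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def startup_lnk_drop(event):
    """Office process writing a .lnk into a Startup folder (persistence)."""
    if event.get("EventID") != 11:
        return None
    target = event["TargetFilename"].lower()
    if (_basename(event["Image"]) in OFFICE_PROCESSES
            and target.endswith(".lnk")
            and "\\start menu\\programs\\startup\\" in target):
        return {"rule": "startup_lnk_drop", "detail": event["TargetFilename"]}
    return None


def system32_dll_drop(event):
    """Office process writing a DLL into Windows\\System32."""
    if event.get("EventID") != 11:
        return None
    target = event["TargetFilename"].lower()
    if (_basename(event["Image"]) in OFFICE_PROCESSES
            and target.endswith(".dll")
            and target.startswith("c:\\windows\\system32\\")):
        return {"rule": "system32_dll_drop", "detail": event["TargetFilename"]}
    return None


def wuauclt_provider_load(event):
    """wuauclt.exe told to load a DLL via /UpdateDeploymentProvider.

    The Windows Update service starts the client from svchost.exe; an
    interactive parent (explorer.exe via the Startup LNK) or the
    /RunHandlerComServer switch marks the LoLBin abuse.
    """
    if event.get("EventID") != 1 or _basename(event["Image"]) != "wuauclt.exe":
        return None
    cmd = event.get("CommandLine", "")
    match = PROVIDER_RE.search(cmd)
    if not match:
        return None
    parent = _basename(event.get("ParentImage", ""))
    if RUN_HANDLER_RE.search(cmd) or parent != "svchost.exe":
        return {"rule": "wuauclt_provider_load", "detail": match.group(1), "parent": parent}
    return None


RULES = (startup_lnk_drop, system32_dll_drop, wuauclt_provider_load)


def analyze(events):
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The third rule deliberately does not key on the DLL path: the campaign used a name and location identical to a genuine Windows Update Agent DLL, so the parent process and the loader switches are the stable signal, and the file hash from the IOC table below is what confirms the specific sample.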
“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” Malwarebytes said.
The researchers linked these attacks to Lazarus based on several pieces of evidence, including infrastructure overlaps, document metadata, and targeting similar to previous campaigns.
IOCs:
Maldocs:
0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b Lockheed_Martin_JobOpportunities.docx
0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1 Salary_Lockheed_Martin_job_opportunities_confidential.doc
Domains:
markettrendingcenter.com
lm-career.com
Payloads:
| Name | SHA-256 |
| --- | --- |
| readme.png | 4216f63870e2cdfe499d09fce9caa301f9546f60a69c4032cb5fb6d5ceb9af32 |
| wuaueng.dll | 829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1 |
| stage1_winword.dll | f14b1a91ed1ecd365088ba6de5846788f86689c6c2f2182855d5e0954d62af3b |
| stage2_explorer.dll | 660e60cc1fd3e155017848a1f6befc4a335825a6ae04f3416b9b148ff156d143 |
| drops_lnk.dll | 11b5944715da95e4a57ea54968439d955114088222fd2032d4e0282d12a58abb |
| stage3_runtimebroker.dll | 9d18defe7390c59a1473f79a2407d072a3f365de9834b8d8be25f7e35a76d818 |
| core_module.dll | c677a79b853d3858f8c8b86ccd8c76ebbd1508cc9550f1da2d30be491625b744 |
| GetBaseInfo.dll | 5098ec21c88e14d9039d232106560b3c87487b51b40d6fef28254c37e4865182 |
Microsoft patches are crucial, but they have caused some hiccups for enterprise IT personnel, as seen earlier this month. We hope that Microsoft Defender incorporates these IOCs and protects end-user computers against such campaigns.
If you like our posts, please feel free to tag us and share the content with your connections on LinkedIn.