The Lazarus Group has been observed mounting a new campaign that abuses the Windows Update client to execute its malicious payload, adding another living-off-the-land (LotL) technique to the APT group's arsenal.
The Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North Korea-based nation-state hacking group that’s been active since at least 2009. The threat actor was implicated in a sophisticated social engineering campaign that targeted security researchers last year.
The latest spear-phishing attacks, which Malwarebytes detected on January 18, originate from weaponized documents with job-themed lures impersonating the American global security and aerospace company Lockheed Martin.
Opening the decoy Microsoft Word file triggers a malicious macro embedded in the document that decodes Base64-encoded shellcode and executes it, injecting a number of malware components into the explorer.exe process.
In the next phase, one of the loaded binaries, “drops_lnk.dll,” leverages the Windows Update client to run a second module called “wuaueng.dll.” “This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” researchers Ankur Saini and Hossein Jazi noted.
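The article does not reproduce the command line the loader used, so the following is an added detection example and not code from the report or from Malwarebytes. It assumes the publicly documented way of making wuauclt.exe load an arbitrary DLL (the /UpdateDeploymentProvider and /RunHandlerComServer switches listed for wuauclt.exe in the LOLBAS project); the process-creation events are constructed for illustration. The check keys on the DLL path rather than the DLL name, because the module in this campaign borrows the name of a genuine Windows Update Agent component (wuaueng.dll ships in System32), so a name-based rule would miss it or flag legitimate updates.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Illustrative only; not data from the article or from Malwarebytes' report.
SAMPLE_EVENTS = [
    {   # hypothetical: wuauclt.exe pointed at a DLL in a user-writable directory
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Users\victim\AppData\Local\Temp\wuaueng.dll /RunHandlerComServer',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # same switches, but the DLL is the real one in System32: not flagged
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # ordinary update check, no DLL argument at all
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /detectnow',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Directories from which the Windows Update client may legitimately load its
# deployment-provider DLLs (lower-case, with trailing backslash for prefix tests).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def suspicious_wuauclt(event):
    """Return a reason string if wuauclt.exe is being used as a DLL loader
    for a DLL outside the Windows system directories, otherwise None."""
    image = event.get("Image", "").lower()
    if not image.endswith(r"\wuauclt.exe"):
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    lowered = [t.lower() for t in tokens]
    if "/updatedeploymentprovider" not in lowered:
        return None
    idx = lowered.index("/updatedeploymentprovider")
    dll = tokens[idx + 1] if idx + 1 < len(tokens) else ""
    # The decisive indicator: a provider DLL loaded from a non-system path.
    if dll.lower().startswith(TRUSTED_DLL_DIRS):
        return None
    reasons = [f"DLL outside Windows system directories: {dll}"]
    if "/runhandlercomserver" in lowered:
        reasons.append("/RunHandlerComServer present (makes the client load and run the DLL)")
    parent = event.get("ParentImage", "")
    if not parent.lower().endswith(r"\svchost.exe"):
        reasons.append(f"unexpected parent process: {parent}")
    return "; ".join(reasons)


def scan(events):
    """Return (command line, reason) pairs for every flagged event."""
    return [(e["CommandLine"], r) for e in events if (r := suspicious_wuauclt(e))]


if __name__ == "__main__":
    for cmdline, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT: {cmdline}\n  -> {reason}")
```

The same logic ports directly to a SIEM query: process name ends with wuauclt.exe, command line contains /UpdateDeploymentProvider, and the argument that follows it does not begin with the System32 or SysWOW64 path. The parent-process and /RunHandlerComServer checks are added as context rather than as conditions, so a loader that omits the second switch or spawns from an unusual parent is still caught by the path test.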
The cybersecurity firm characterized “wuaueng.dll” as “one of the most important DLLs in the attack chain,” whose main purpose is to establish communications with a command-and-control (C2) server – a GitHub repository hosting malicious modules masquerading as PNG image files. The GitHub account is said to have been created on January 17, 2022.
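The report says the modules on GitHub were disguised as PNG images but the article does not describe how the disguise was built, so the following is an added, generic check rather than an analysis of the actual samples: it walks the PNG chunk structure (signature, length-prefixed chunks with CRC-32, IHDR first, IEND last) and reports whether a file is a well-formed image, a non-image carrying only a PNG header, a PNG with a tampered chunk, or a real PNG with data appended after IEND. All test inputs are constructed inline and are not Lazarus artifacts.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """Encode one PNG chunk: big-endian length, type, data, CRC-32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=1, height=1):
    """Build a minimal valid 8-bit RGB PNG of the given size (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def png_verdict(blob):
    """Classify a byte string that claims to be a PNG file."""
    if not blob.startswith(PNG_SIG):
        return "not PNG: bad signature"
    pos, types = len(PNG_SIG), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_bytes) != 4:
            return f"not PNG: truncated chunk at offset {pos}"
        if not all(65 <= c <= 90 or 97 <= c <= 122 for c in ctype):
            return f"not PNG: invalid chunk type at offset {pos}"
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            return f"not PNG: CRC mismatch in {ctype.decode()} chunk"
        types.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not types or types[0] != b"IHDR" or types[-1] != b"IEND":
        return "not PNG: missing IHDR/IEND"
    trailing = len(blob) - pos
    if trailing:
        # Structurally a real image, but something rides along after IEND.
        return f"PNG structure valid but {trailing} trailing bytes after IEND"
    return "valid PNG"


def corrupt_idat(blob):
    """Flip the first data byte of the IDAT chunk (constructed tampering)."""
    out = bytearray(blob)
    i = out.find(b"IDAT")
    out[i + 4] ^= 0xFF
    return bytes(out)


# Constructed specimens: a fake PE-like blob with only a PNG header, a real PNG
# with a payload appended after IEND, a PNG with a tampered chunk, and no header.
HEADER_ONLY = PNG_SIG + b"MZ\x90\x00" + b"\x00" * 60
PAYLOAD_AFTER_IEND = build_png() + b"MZ\x90\x00" + b"\x00" * 28
TAMPERED = corrupt_idat(build_png())
NO_HEADER = b"MZ\x90\x00" + b"\x00" * 20

if __name__ == "__main__":
    for name, blob in [("valid", build_png(2, 2)), ("header_only", HEADER_ONLY),
                       ("payload_after_iend", PAYLOAD_AFTER_IEND),
                       ("tampered", TAMPERED), ("no_header", NO_HEADER)]:
        print(f"{name:20s} {png_verdict(blob)}")
```

A signature check alone (the usual `file`/magic-byte test) passes HEADER_ONLY and PAYLOAD_AFTER_IEND, which is why the walk continues through the chunk list and insists the data end exactly at IEND; anything fetched from a repository as an image that fails this check deserves a closer look.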
Malwarebytes attributed the campaign to Lazarus Group on the basis of several pieces of evidence tying it to the group's earlier operations, including the document metadata and the reuse of job-opportunity-themed lure templates to target its victims.
“Lazarus APT group is one of many advanced APT groups known to attack the defense industry,” researchers said. “To evade security systems, the group is constantly updating their toolset. Even though they have used their old job theme method, they employed several new techniques to bypass detections.”