The North Korean nation-state hacking outfit known as the Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been operating since at least 2009. The threat actor was tied to an advanced social engineering campaign aimed at security experts last year.
The Lazarus Group has been observed mounting a new campaign that abuses the Windows Update service to execute its malicious payload, adding to the APT group’s arsenal of living-off-the-land (LotL) techniques.
The most recent spear-phishing attempts, discovered by Malwarebytes on January 18, are based on weaponized documents with job-themed lures imitating Lockheed Martin, an American worldwide security and aerospace corporation.
When the fake Microsoft Word file is opened, it triggers a malicious macro embedded in the document, which executes a Base64-decoded shellcode that injects several malware components into the “explorer.exe” process.
In the next phase, one of the loaded binaries, “drops lnk.dll,” uses the Windows Update Client (“wuauclt.exe”) to run a command that loads a second module named “wuaueng.dll.” Executing through the update client is a defence evasion tactic: the malicious activity blends in with legitimate Windows software.
Researchers Ankur Saini and Hossein Jazi reported: “This is an innovative trick employed by Lazarus to run its malicious DLL via the Windows Update Client to avoid security detection measures. The threat actor can use this way to run its malicious code through the Microsoft Windows Update Client.”
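The defensive counterpart to the technique described above is process-creation telemetry: a legitimate update check is launched by the service host and either carries no DLL argument or points at a handler under the Windows directory, so a “wuauclt.exe” invocation handed a DLL from a user-writable path, or spawned by an unexpected parent such as “explorer.exe”, stands out. The following Python is an added example, not code from the article or from Malwarebytes; the record format, the trusted-directory list, the expected parent and the sample records are all constructed assumptions to be tuned against a real host baseline.

```python
"""Flag wuauclt.exe invocations that load a DLL from outside the Windows directory.

Added example: parses constructed Sysmon-style process-creation records
and reports the living-off-the-land pattern described in the article.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Directories from which the update client legitimately loads handler DLLs.
# Assumption: illustrative list, adjust per environment.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parent that normally launches wuauclt.exe. Assumption: typical baseline.
EXPECTED_PARENT = "\\svchost.exe"
# Real Windows Update Agent DLL names; a copy outside System32 is masquerading.
SYSTEM_DLL_NAMES = {"wuaueng.dll", "wuapi.dll"}

# Matches a quoted or unquoted argument ending in .dll (case-insensitive).
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)


@dataclass
class Finding:
    pid: int
    dll: str
    reasons: tuple


def parse_record(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def analyse(fields: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious wuauclt.exe launch, else None."""
    image = fields.get("image", "").lower()
    if not image.endswith("\\wuauclt.exe"):
        return None
    match = DLL_RE.search(fields.get("commandline", ""))
    if not match:
        return None  # routine update check: no DLL handed to the client
    dll = match.group(1) or match.group(2)
    reasons = []
    # A bare filename resolves via DLL search order, so it is treated as untrusted too.
    if not dll.lower().startswith(TRUSTED_DLL_DIRS):
        reasons.append("dll outside trusted Windows directories")
    if dll.rsplit("\\", 1)[-1].lower() in SYSTEM_DLL_NAMES:
        reasons.append("name collides with a Windows Update Agent DLL")
    parent = fields.get("parentimage", "").lower()
    if parent and not parent.endswith(EXPECTED_PARENT):
        reasons.append(f"unexpected parent {parent}")
    if not reasons:
        return None
    return Finding(pid=int(fields.get("processid", "0")), dll=dll, reasons=tuple(reasons))


def scan(records) -> list:
    """Run analyse() over raw record lines and keep the findings."""
    return [f for f in (analyse(parse_record(r)) for r in records) if f]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # Routine update check spawned by the service host: benign.
    r'ProcessId=4120|Image=C:\Windows\System32\wuauclt.exe|CommandLine="C:\Windows\System32\wuauclt.exe" /DetectNow|ParentImage=C:\Windows\System32\svchost.exe',
    # Handler loaded from System32 by the service host: benign.
    r'ProcessId=4188|Image=C:\Windows\System32\wuauclt.exe|CommandLine="C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Windows\System32\UpdateDeploymentProvider.dll /RunHandlerComServer|ParentImage=C:\Windows\System32\svchost.exe',
    # Pattern from the article: a DLL named after a system component, living in a
    # user-writable directory, launched from the injected explorer.exe.
    r'ProcessId=5320|Image=C:\Windows\System32\wuauclt.exe|CommandLine="C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Users\Public\wuaueng.dll /RunHandlerComServer|ParentImage=C:\Windows\explorer.exe',
    # Unrelated process: ignored.
    r'ProcessId=6001|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\notes\todo.txt|ParentImage=C:\Windows\explorer.exe',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"pid {finding.pid}: {finding.dll} -> {'; '.join(finding.reasons)}")
```

The three signals are deliberately independent: the path check alone catches a renamed DLL, the name check catches a copy of a genuine update DLL planted elsewhere, and the parent check survives an attacker who stages the DLL under a path that happens to be on the trusted list.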
According to the cybersecurity firm, the campaign’s main goal is to establish contact with a command-and-control (C2) server: a GitHub repository housing malicious modules disguised as PNG image files. The GitHub account is said to have been created on January 17, 2022.
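Modules stored under a “.png” name are a masquerading problem, and the defender’s check is structural rather than name-based: a genuine PNG starts with a fixed signature and consists of a CRC-protected chunk chain that ends exactly at an IEND chunk, so a file that lacks the signature, carries a PE “MZ” header, or has extra bytes appended after IEND is not what its extension claims. The Python below is an added example, not code from the article or from Malwarebytes; the labels it returns and the sample blobs it builds are constructed for illustration.

```python
"""Classify files that claim to be PNG images by their actual structure.

Added example: walks the PNG chunk chain (signature, IHDR first, CRC per
chunk, IEND last) and labels anything that deviates, including a PE
executable carrying a .png extension and a PNG with a payload appended.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MZ_MAGIC = b"MZ"


def inspect_png(data: bytes) -> str:
    """Return 'png', 'png-trailing-data', 'png-corrupt' or 'not-png'."""
    if not data.startswith(PNG_SIGNATURE):
        return "not-png"
    pos = len(PNG_SIGNATURE)
    expect_ihdr = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if expect_ihdr and ctype != b"IHDR":
            return "png-corrupt"  # spec requires IHDR as the first chunk
        expect_ihdr = False
        end = pos + 8 + length + 4  # length field + type + body + CRC
        if end > len(data):
            return "png-corrupt"  # chunk claims more bytes than exist
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != stored_crc:
            return "png-corrupt"  # CRC covers chunk type + body
        if ctype == b"IEND":
            return "png" if end == len(data) else "png-trailing-data"
        pos = end
    return "png-corrupt"  # ran out of bytes before IEND


def classify(name: str, data: bytes) -> str:
    """Combine the claimed extension with the structural verdict."""
    claims_png = name.lower().endswith(".png")
    verdict = inspect_png(data)
    if verdict == "png":
        return "ok" if claims_png else "png-with-wrong-extension"
    if verdict == "png-trailing-data":
        return "png-with-appended-payload"
    if verdict == "png-corrupt":
        return "corrupt-png"
    if data.startswith(MZ_MAGIC):
        return "pe-masquerading-as-png" if claims_png else "pe"
    return "unknown-masquerading-as-png" if claims_png else "unknown"


# --- constructed sample inputs -------------------------------------------

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 8-bit RGB PNG built inline so the example runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw_scanline = b"\x00\xff\x00\x00"  # filter byte + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw_scanline)) + _chunk(b"IEND", b""))


# Constructed stand-in for a PE file: DOS header magic plus the familiar stub text.
FAKE_PE = MZ_MAGIC + b"\x90" * 62 + b"This program cannot be run in DOS mode."

if __name__ == "__main__":
    samples = {
        "icon.png": build_minimal_png(),
        "module.png": FAKE_PE,
        "carrier.png": build_minimal_png() + FAKE_PE,
        "broken.png": PNG_SIGNATURE + b"garbage",
    }
    for fname, blob in samples.items():
        print(f"{fname}: {classify(fname, blob)}")
```

Validating the CRC of every chunk matters because the signature alone is eight bytes that any dropper can prepend; the chunk walk forces the whole file to be internally consistent before it is accepted as an image.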
Malwarebytes attributes the campaign to the Lazarus Group based on several pieces of evidence linking it to previous attacks by the same actor, including infrastructure overlaps, document metadata, and the use of a job-opportunities template to target its victims.
Finally, the researchers concluded: “Lazarus APT is one of the advanced APT groups known to target the military industry. In order to escape security systems, the organisation is constantly improving its toolkit.”