Wednesday, July 24, 2024
HomeCyber CrimeLazarus Pushes Malware by Placing Job Offers

Lazarus Pushes Malware by Placing Job Offers


In a spear-phishing campaign aimed at gathering military secrets, the Lazarus APT organisation has been discovered misusing Windows Update Client to propagate malware. On January 18, the attack was discovered.


Concerning The Campaign

The threat actor was reportedly utilising modified variations of the same job opportunities theme that it had previously used, according to Malwarebytes.

The gang pretended to be Lockheed Martin in spear-phishing attacks that included two macro-embedded fake papers in order to steal sensitive military information.

The deadline for both documents was April 4, 2020. Researchers discovered that the documents were utilised late last month and again this month based on the domains used by threat actors and various other signs.

So, What’s New This Time Around?

Because hackers now execute their malicious code through the Microsoft Windows Update client and GitHub, the method utilised in this operation is exceptionally ingenious.

The organisation has used GitHub as a C2 for targeted and short-term attacks for the first time. All of this makes it more difficult for security software to distinguish between malicious and genuine connections.

What is the malware’s method of evading Windows security?

Malicious macros embedded in Word documents are used to launch the attack. The malware tries to gain startup persistence in the victim system after several injections.

Opening the malicious attachments allows macros to run, resulting in the creation of a file (WindowsUpdateConf[.]lnk) in the startup folder and a DLL file in the Windows/System32 hidden system folder.

The shellcode is loaded by the macro, which comes with an encrypted DLL. The shellcode decrypts the DLL at runtime and manually maps it into memory.

The WSUS/Windows Update client, which is a real process known as Windows automatic updates and is located in C:WindowsSystem32, is launched by a.LNK file.

To get around security detection, the Update client is used to run a malicious DLL.

Assailants can use this method to execute malicious code using the Windows Update client.


Lazarus APT is a well-funded threat outfit that has a history of focusing on the defence industry. Furthermore, the gang is constantly improving its tools and procedures in order to get beyond security measures. This threat actor is attempting to compromise national security systems by abusing GitHub and Windows Updates.




Please enter your comment!
Please enter your name here

Most Popular

Recent Comments

Izzi Казино онлайн казино казино x мобильді нұсқасы on Instagram and Facebook Video Download Made Easy with
Temporada 2022-2023 on CamPhish
2017 Grammy Outfits on Meesho Supplier Panel: Register Now!
React JS Training in Bangalore on Best Online Learning Platforms in India
DigiSec Technologies | Digital Marketing agency in Melbourne on Buy your favourite Mobile on EMI
亚洲A∨精品无码一区二区观看 on Restaurant Scheduling 101 For Better Business Performance

Write For Us