The Lazarus APT group has been observed abusing the Windows Update client to run malware in a spear-phishing campaign aimed at stealing military secrets. The attack was identified on January 18.
Concerning The Campaign
According to Malwarebytes, the threat actor reused modified variants of the job-opportunity lure it has employed in earlier campaigns.
The group impersonated Lockheed Martin in spear-phishing emails carrying two macro-embedded decoy documents, with the aim of stealing sensitive military information.
Both documents carry a compilation date of April 4, 2020. Based on the domains the attackers used and other indicators, researchers determined that the documents were put to use late last month and again this month.
So, What’s New This Time Around?
The technique used in this operation stands out because the attackers execute their malicious code through the Microsoft Windows Update client and use GitHub for command and control.
This is the first time the group has been seen using GitHub as a C2 server, here for targeted, short-lived operations. Both choices make it harder for security software to separate malicious activity from legitimate activity: traffic to GitHub looks like ordinary developer traffic, and the code runs under a genuine Microsoft binary.
What is the malware’s method of evading Windows security?
The attack begins with malicious macros embedded in Word documents. After a series of injections, the malware attempts to gain startup persistence on the victim's system.
Opening the malicious attachment lets the macros run. They create a shortcut file (WindowsUpdateConf[.]lnk) in the Startup folder and drop a DLL into a hidden folder under Windows\System32.
The macro carries an encrypted DLL and loads shellcode; the shellcode decrypts the DLL at runtime and manually maps it into memory. Because the DLL is mapped by hand rather than through the normal loader, it does not appear in the process's loaded-module list, which defeats defences that only inspect modules loaded by the operating system.
The .LNK file launches the WSUS/Windows Update client (wuauclt.exe), a legitimate process associated with Windows automatic updates that lives in C:\Windows\System32.
The Update client is then made to load and run the malicious DLL. Because the DLL executes inside a signed, trusted Microsoft process, detection keyed to the process name or signer is bypassed, and the attackers get code execution without running a binary of their own.
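The proxy-execution step described above can be hunted in process-creation telemetry. The following is an added detection example written for this article, not code from the original page, from Malwarebytes, or from the campaign itself. It assumes Sysmon Event ID 1 style records, that the Update client's documented /UpdateDeploymentProvider and /RunHandlerComServer switches are the ones abused (the article does not quote the exact command line), that the only handler DLL the client loads legitimately by this route is its own UpdateDeploymentProvider.dll, and that legitimate invocations are spawned by svchost.exe rather than by explorer.exe (which is what runs a shortcut placed in the Startup folder). The sample records, paths and DLL names are constructed placeholders, not indicators from the campaign.

```python
# Added detection example for wuauclt.exe proxy execution (Sysmon Event ID 1 style
# records).  Not code from the article, Malwarebytes, or the campaign; switch names
# come from the public description of the technique, and the exact Lazarus command
# line is not quoted in the article, so every record below is constructed.
import ntpath
import re

WUAUCLT = "wuauclt.exe"
# Assumption: the only handler DLL the Update client legitimately loads through
# /UpdateDeploymentProvider is its own UpdateDeploymentProvider.dll (bare name,
# resolved from System32).
LEGIT_HANDLER_DLL = "updatedeploymentprovider.dll"
# Assumption: legitimate Update-client activity is spawned by the service host, not
# by explorer.exe, which is what launches a .lnk dropped into the Startup folder.
EXPECTED_PARENTS = {"svchost.exe"}

_PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.I)
_HANDLER_RE = re.compile(r"/RunHandlerComServer\b", re.I)


def parse_provider_args(cmdline):
    """Return (dll_path, run_handler_present) when the command line uses the
    /UpdateDeploymentProvider switch, otherwise None."""
    m = _PROVIDER_RE.search(cmdline)
    if not m:
        return None
    dll = m.group(1) or m.group(2)          # quoted or unquoted DLL argument
    return dll, bool(_HANDLER_RE.search(cmdline))


def classify(event):
    """Return the reasons a process-creation record looks like wuauclt.exe proxy
    execution; an empty list means nothing suspicious was found."""
    if ntpath.basename(event.get("Image", "")).lower() != WUAUCLT:
        return []
    parsed = parse_provider_args(event.get("CommandLine", ""))
    if parsed is None:
        return []                            # e.g. a plain /detectnow invocation
    dll, _run_handler = parsed
    reasons = []
    # Signal 1: the handler DLL is not the client's own.  A path allow-list would
    # not catch this campaign, whose DLL sat in a hidden System32 subfolder.
    if ntpath.basename(dll).lower() != LEGIT_HANDLER_DLL:
        reasons.append(f"non-standard handler DLL: {dll}")
    # Signal 2: started by something other than the update service host.
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {parent or 'unknown'}")
    return reasons


def scan(events):
    """Run classify() over a batch of records and return (ProcessId, reasons) alerts."""
    alerts = []
    for event in events:
        reasons = classify(event)
        if reasons:
            alerts.append((event.get("ProcessId"), reasons))
    return alerts


# Constructed Sysmon Event ID 1 style records; the GUID and DLL path are placeholders.
SAMPLE_EVENTS = [
    {   # benign: Update client started by the Windows Update service host
        "ProcessId": 4120,
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId {00000000-0000-0000-0000-000000000000} /RunHandlerComServer',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # suspicious: spawned by explorer.exe (Startup-folder .lnk) and loading a DLL
        # from a hidden System32 subfolder
        "ProcessId": 5204,
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Windows\System32\hidden_dir\payload.dll /RunHandlerComServer',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # not relevant: no handler DLL is loaded at all
        "ProcessId": 6004,
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /detectnow',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The DLL-name check matters more than a path allow-list here: because the campaign's DLL lived under System32, a rule that only looks for DLLs outside System32 would stay silent. In production, pair this with a check of the handler DLL's Authenticode signature and with the image-load event for the DLL inside wuauclt.exe, and treat any wuauclt.exe whose parent is explorer.exe as worth a look on its own.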
Conclusion
Lazarus APT is a well-funded threat group with a history of targeting the defence industry, and it continually refines its tools and procedures to get past security controls. By abusing GitHub for command and control and the Windows Update client for execution, the actor is attempting to compromise systems that bear on national security.