North Korean Attackers Use Windows Update to Deliver Malware

Popular North Korean activist group Lazarus is using the Windows Update client to deploy malicious code, thus avoiding security mechanisms, and leveraging Github to serve as a command and control server for its latest attacks, according to Malwarebytes Labs. Last week, the Malwarebytes Threat Intelligence team spotted the new campaign in two Word documents used in a spear-phishing campaign pertaining to fake Lockheed Martin job opportunities. 

The goal of Lazarus is to infiltrate high-end government entities that specialize in defense and aerospace and steal as much intelligence data as possible.

The two documents are known as Lockheed_Martin_JobOpportunities.docx, and Salary_Lockheed_Martin_job_opportunities_confidential.doc. As the names suggest, both these documents appear to bait targets into new job opportunities at Lockheed Martin.

A series of malicious macro commands are embedded in the Word documents begin infiltrating the system once activated, immediately embedding code into the startup system of the computer to ensure a restart does not shut down the virus.

Interestingly, part of the injection process uses the Windows Update Client to install a malicious DLL. This is very clever since this technique evades security detection systems.

The method of attack is new, but the phishing strategy isn't. It's the same strategy Lazarus has used for over a year, known as operation "Dream Job." This attack method baits government employees into thinking they could be qualified for a highly coveted job, only to realize it was all a facade used to steal sensitive data from their workstations.

Malwarebytes, ESET, and MacAfee are all watching Lazarus carefully for its next move. The attacker's previous campaign was a big success, as it infiltrated dozens of companies and organizations on a global scale, including Israel.