North Korean Attackers Use Windows Update to Deliver Malware


The North Korean state-sponsored threat group Lazarus is using the Windows Update client to execute malicious code, a living-off-the-land technique that helps it slip past security controls, and is using GitHub as a command-and-control server for its latest attacks, according to Malwarebytes Labs. Last week, the Malwarebytes Threat Intelligence team spotted the new campaign in two Word documents used in spear-phishing emails built around fake Lockheed Martin job opportunities.

Lazarus's goal is to infiltrate high-value government and defense-sector organizations, particularly those working in aerospace and defense, and steal as much intelligence as it can.

The two documents are named Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. As the names suggest, both are lures that offer the target a new job at Lockheed Martin.

Once the target enables macros, the malicious macro code embedded in the Word documents begins compromising the system, immediately writing itself into the computer's startup mechanisms so that a reboot does not remove the malware.

Notably, part of the infection chain uses the Windows Update client, a legitimate Microsoft-signed binary, to load and run a malicious DLL. Running the payload under a trusted system process is an effective way to evade security controls that rely on application allow-listing or that only scrutinize unknown executables.
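A detection check for this behaviour, added here as a worked example; it is not code from the article or from Malwarebytes. Malwarebytes' report on the campaign describes the Windows Update client (wuauclt.exe) being started with /UpdateDeploymentProvider pointing at the malicious DLL and /RunHandlerComServer; those binary and flag names come from that report, not from this article. The process-creation events, the list of trusted directories, and the set of Office parent processes below are constructed assumptions for the example, not real telemetry.

```python
"""Added example: flag proxy execution of a DLL through wuauclt.exe.

Matches process-creation events of the form
    wuauclt.exe /UpdateDeploymentProvider <path to DLL> /RunHandlerComServer
as described in Malwarebytes' report. All sample events are constructed.
"""
import ntpath
import re

# Assumption: a legitimate update-deployment provider DLL lives in one of
# these directories. A DLL dropped into them by an elevated macro would pass
# this check, which is why the parent-process check is applied as well.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Assumption: the Windows Update client is never legitimately spawned by an
# Office application.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Captures the argument after /UpdateDeploymentProvider, quoted or bare.
PROVIDER_RE = re.compile(
    r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE
)

# Constructed process-creation events: (image, command line, parent image).
SAMPLE_EVENTS = [
    # Benign-looking: update client launched by the service host with a
    # provider DLL from System32.
    (r"C:\Windows\System32\wuauclt.exe",
     r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
     r"C:\Windows\System32\UpdateDeploymentProvider.dll /RunHandlerComServer",
     r"C:\Windows\System32\svchost.exe"),
    # Suspicious: provider DLL under the user profile, parent is Word.
    (r"C:\Windows\System32\wuauclt.exe",
     r"wuauclt.exe /UpdateDeploymentProvider "
     r'"C:\Users\victim\AppData\Roaming\update.dll" /RunHandlerComServer',
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # Unrelated process; must not be flagged.
    (r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\victim\notes.txt",
     r"C:\Windows\explorer.exe"),
]


def provider_dll(command_line):
    """Return the DLL path handed to /UpdateDeploymentProvider, or None."""
    match = PROVIDER_RE.search(command_line)
    if not match:
        return None
    return match.group(1) or match.group(2)


def in_trusted_dir(path):
    """True if the DLL's directory is exactly one of TRUSTED_DIRS."""
    directory = ntpath.dirname(path).lower().rstrip("\\")
    return directory in TRUSTED_DIRS


def analyze(event):
    """Return the reasons an event looks like wuauclt.exe proxy execution.

    An empty list means the event is not flagged.
    """
    image, command_line, parent = event
    if ntpath.basename(image).lower() != "wuauclt.exe":
        return []
    dll = provider_dll(command_line)
    if dll is None:
        return []
    reasons = []
    if not in_trusted_dir(dll):
        reasons.append(f"provider DLL outside trusted directories: {dll}")
    parent_name = ntpath.basename(parent).lower()
    if parent_name in OFFICE_PARENTS:
        reasons.append(f"update client spawned by Office process: {parent_name}")
    # Only worth reporting once something else already looks wrong.
    if reasons and "/runhandlercomserver" in command_line.lower():
        reasons.append("DLL executed via /RunHandlerComServer")
    return reasons


def scan(events):
    """Return [(index, reasons)] for every flagged event."""
    hits = []
    for index, event in enumerate(events):
        reasons = analyze(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

The path heuristic on its own is weak: a macro running with administrative rights can drop its DLL into System32 and the first check passes. The parent-process check catches that case for this campaign's delivery vector, and in production the DLL's hash and Authenticode signature should be checked as well.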

The execution method is new, but the phishing lure is not: it is the same one Lazarus has used for more than a year in the campaign known as Operation Dream Job. The lure convinces employees of government and defense organizations that they are being considered for a highly coveted position, when in fact the job offer is a pretext for stealing sensitive data from their workstations.

Malwarebytes, ESET, and McAfee are all tracking Lazarus for its next move. The group's previous Dream Job campaign was highly successful, compromising dozens of companies and organizations around the world, including targets in Israel.

Aaron Klotz
Contributing Writer

Aaron Klotz is a contributing writer for Tom’s Hardware, covering news related to computer hardware such as CPUs, and graphics cards.

  • Colif
    Glad I don't use Windows Up... I haven't heard of that version before?
  • TheOtherOne
    Colif said:
    Glad I don't use Windows Up... I haven't heard of that version before?
    Does it mean you haven't updated Windows since you first installed it, or that you don't use the built-in Windows Update feature? If the latter, how do you update Windows? 🤔
  • USAFRet
    TheOtherOne said:
    Does it mean you haven't updated Windows since you first installed it, or that you don't use the built-in Windows Update feature? If the latter, how do you update Windows? 🤔
    You miss the sarcasm.

    Using the term "Up" instead of 'Update'.
  • GenericUser
    I really want the term "up" or "ups" to die.
  • hotaru251
    You'd think that military machines would be offline, with most of the critical data...
  • USAFRet
    hotaru251 said:
    You'd think that military machines would be offline, with most of the critical data...
    They are.
  • TheOtherOne
    USAFRet said:
    You miss the sarcasm.

    Using the term "Up" instead of 'Update'.
    Doh! 🤦‍♂️