North Korean Attackers Use Windows Update to Deliver Malware
Highly experienced attackers with a big reputation
The well-known North Korean group Lazarus is using the Windows Update client to deploy malicious code, thereby evading security mechanisms, and is leveraging GitHub as a command-and-control server for its latest attacks, according to Malwarebytes Labs. Last week, the Malwarebytes Threat Intelligence team spotted the new campaign in two Word documents used in a spear-phishing campaign built around fake Lockheed Martin job opportunities.
The goal of Lazarus is to infiltrate high-end government entities that specialize in defense and aerospace and steal as much intelligence data as possible.
The two documents are named Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. As the names suggest, both documents bait targets with supposed new job opportunities at Lockheed Martin.
A series of malicious macro commands embedded in the Word documents begins infiltrating the system once the macros are activated, immediately placing code in the computer's startup routine so that a restart does not shut down the malware.
Interestingly, part of the injection process uses the Windows Update client to load a malicious DLL. This is very clever: because the Windows Update client is a trusted, signed Windows binary, code run through it is far less likely to be flagged, so the technique evades security detection systems.
The method of attack is new, but the phishing strategy isn't. It is the same strategy Lazarus has used for over a year, known as Operation "Dream Job." This approach baits government employees into thinking they could qualify for a highly coveted job, only for them to realize it was all a facade used to steal sensitive data from their workstations.
Malwarebytes, ESET, and McAfee are all watching Lazarus carefully for its next move. The attacker's previous campaign was a big success, as it infiltrated dozens of companies and organizations on a global scale, including in Israel.
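The defender-side takeaway from the chain described above is that two events stand out in endpoint telemetry: an Office process launching the Windows Update client, and that client loading a DLL from outside the Windows directory. The following detection logic is an added example, not code from the article or from Malwarebytes; it assumes Sysmon-style field names and the Windows Update client binary name wuauclt.exe, and runs over constructed sample events.

```python
"""Heuristics for the Lazarus technique described above:
an Office macro spawning the Windows Update client, and the client
loading a DLL that does not live under the Windows directory.
Events are constructed Sysmon-like dicts (assumed field names)."""
from __future__ import annotations

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WU_CLIENT = "wuauclt.exe"  # Windows Update client binary (assumption: standard name)
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the detection labels one event triggers (empty list if benign)."""
    hits: list[str] = []
    image = _base(ev.get("Image", ""))
    if ev["EventType"] == "ProcessCreate":
        parent = _base(ev.get("ParentImage", ""))
        # Office spawning the Windows Update client: the macro-to-loader step
        if image == WU_CLIENT and parent in OFFICE_PARENTS:
            hits.append("office_spawned_wuauclt")
    elif ev["EventType"] == "ImageLoad":
        loaded = ev.get("ImageLoaded", "").replace("/", "\\").lower()
        # The update client should only load modules from Windows directories
        if image == WU_CLIENT and not loaded.startswith(TRUSTED_DIRS):
            hits.append("wuauclt_loaded_untrusted_dll")
    return hits


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Scan an event list and return (ProcessGuid, label) pairs in order."""
    return [(ev["ProcessGuid"], lab) for ev in events for lab in check_event(ev)]


# Constructed sample telemetry (not real indicators): p1 is the suspicious chain.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessGuid": "p1", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\wuauclt.exe"},
    {"EventType": "ImageLoad", "ProcessGuid": "p1", "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Roaming\\constructed_payload.dll"},
    {"EventType": "ProcessCreate", "ProcessGuid": "p2", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\wuauclt.exe"},
    {"EventType": "ImageLoad", "ProcessGuid": "p2", "Image": "C:\\Windows\\System32\\wuauclt.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
]
```

Running scan(SAMPLE_EVENTS) flags only the p1 chain, once for the Office parent and once for the non-system DLL load; the svchost-launched client in p2 produces no hits.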
Aaron Klotz is a contributing writer for Tom's Hardware, covering news related to computer hardware such as CPUs and graphics cards.
TheOtherOne
Colif said: Glad I don't use Windows Up... I haven't heard of that version before?
Does it mean you haven't updated Windows since first installed or you don't use built-in Windows Update feature? If later then how do you update Windows? 🤔

USAFRet
TheOtherOne said: Does it mean you haven't updated Windows since first installed or you don't use built-in Windows Update feature? If later then how do you update Windows? 🤔
You miss the sarcasm. Using the term "Up" instead of 'Update'.

USAFRet
hotaru251 said: you think that military machines would be offline with most of the critical data...
They are.

TheOtherOne
USAFRet said: You miss the sarcasm. Using the term "Up" instead of 'Update'.
Doh! 🤦‍♂️