Windows Update hijacked to infect PCs with malware
A Word macro downloads it, Windows Update client runs it
Lazarus, a known cybercrime group with ties to the North Korean government, has managed to abuse the Windows Update Client to distribute malware, cybersecurity researchers from Malwarebytes have found.
In a blog post detailing their findings, the researchers said they were investigating a phishing campaign impersonating Lockheed Martin, an American aerospace, arms, defense, information security, and technology corporation.
The group was distributing two files - Lockheed_Martin_JobOpportunities.docx, and Salary_Lockheed_Martin_job_opportunities_confidential.doc, obviously targeting people interested in getting a job at the company.
Malicious macros
The documents themselves carried malicious macros which, if activated, drop a WindowsUpdateConf.lnk file in the target endpoint’s startup folder, and a DLL file (wuaueng.dll) in the Windows/System32 folder.
After that, the .lnk file launches the Windows Update Client which, in turn, launches the malicious DLL.
“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client," to bypass antivirus solutions and other security mechanisms.
“With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious dll and /RunHandlerComServer argument after the dll.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
This is not the first time someone’s taken advantage of the Windows Update Client to run malware as back in October 2020, MDSec researcher David Middlehurst discovered the flaw, and even its abuse in the wild.
We are yet to see what Microsoft will do about it but, as usual, one should be extra careful when downloading and running documents coming in through the mail, especially if they require the activation of macros.
Lazarus is one of the world’s most dangerous cybercrime groups, notorious for their involvement in the WannaCry fiasco, as well as the attack on Sony, after the company released a comedy movie set in a fictitious North Korea.
- Here's our take on the best ransomware protection right now
Via: BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.