North Korean hackers use Windows Update to distribute malware

North Korean hackers use Windows Update to distribute malware

According to reports from MalwareBytes Labs, the popular North Korean activist group Lazarus used the Windows Update client to distribute malicious code, thus bypassing security mechanisms and using Github as a command and control server for its latest attacks. Last week, Malwarebytes 'Threat Intelligence team spotted the issue in two Word documents used in a spear-phishing operation related to Lockheed Martin's false job opportunities.

Lazarus' goal is to to infiltrate high-level government entities specializing in defense and aerospace and steal as much intelligence data as possible. The two documents are known as Lockheed_Martin_JobOpportunities.docx, and Salary_Lockheed_Martin_job_opportunities_confidential.doc. As the names suggest, they both seem to want to lure targets with new job opportunities at Lockheed Martin.

A series of malicious macro commands are embedded in Word documents and start infiltrating the system once activated, embedding immediately the code in the computer's startup system to ensure that a reboot does not interrupt the action of the virus. Interestingly, part of the injection process uses the Windows update client to install a malicious DLL. This is very clever as this technique bypasses security detection systems.

if (jQuery ("# ​​crm_srl-th_hardware_d_mh2_1"). is (": visible")) {console.log ("Edinet ADV adding zone: tag crm_srl-th_hardware_d_mh2_1 slot id: th_hardware_d_mh2"); } The attack method is new, but the phishing strategy is not. It is the same one that Lazarus has been using for over a year, known as Operation "Dream Job". It allows in luring government employees into thinking they might be qualified for a highly coveted job, only to realize it was all a facade used to steal sensitive data from their locations.

Malwarebytes, ESET and McAfee they are all watching Lazarus closely for his next move. The group's previous campaign was a great success, as it infiltrated dozens of companies and organizations on a global scale, including Israel.






Powered by Blogger.