The Lazarus Group, a prominent North Korean hacking organization, has recently launched a new campaign that abuses the Windows Update client (wuauclt.exe) to execute its malicious payload. This development reflects the group's continued expansion of living-off-the-land (LotL) techniques, in which signed, built-in Windows binaries are repurposed to run attacker code. Tracked under several aliases, including APT38 and Hidden Cobra, the threat actor has been active against a range of sectors since at least 2009.

Last year, the group was involved in a complex social engineering initiative aimed at security researchers, demonstrating its sophisticated approach to cyber operations. The latest wave of spear-phishing attacks, reported by Malwarebytes on January 18, leveraged weaponized documents designed to impersonate Lockheed Martin, a major player in global security and aerospace.

When victims open these decoy Microsoft Word files, the embedded macro runs, decodes a Base64-encoded blob of shellcode and executes it. That shellcode injects several malware components into the "explorer.exe" process, which then carry out the next stages of the attack. One of these components, identified as "drops_lnk.dll," abuses the Windows Update client (wuauclt.exe) to hide its activity among legitimate Windows Update operations. No vulnerability in wuauclt.exe is involved; the binary is simply being used as a signed proxy for loading a DLL the attacker controls.

Using the Windows Update client as cover for executing a malicious DLL is a deliberate evasion step: wuauclt.exe is a Microsoft-signed system binary that is expected to run on every Windows host, so a DLL loaded through it inherits a plausible parent process and a familiar command line. This is the pattern MITRE ATT&CK catalogues as T1218 (System Binary Proxy Execution), and wuauclt.exe is listed as such a proxy in the LOLBAS project. Researchers Ankur Saini and Hossein Jazi highlighted the significance of the tactic, noting that it lets the adversary execute code while blending into standard Windows activity.
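The two host-level tells described above (an Office process injecting into explorer.exe, and wuauclt.exe being handed a DLL it would not normally load) can be caught from process telemetry. The detector below is an added example written for this article, not code from Malwarebytes or from the campaign itself. It assumes Sysmon-style events (Event ID 1 process creation, Event ID 8 CreateRemoteThread) presented as dictionaries; the sample events, the file paths in them and the allowlist of legitimate provider DLLs are constructed for the example. The `/UpdateDeploymentProvider` and `/RunHandlerComServer` switches are the documented LOLBAS form of this technique, but the exact command line used in the Lazarus campaign is not reproduced here.

```python
"""Flag wuauclt.exe loading a non-standard DLL, and Office-to-explorer.exe injection."""
import ntpath
import shlex
from typing import Dict, List, Optional

# Assumption: the genuine deployment-provider DLL is the only DLL wuauclt.exe
# should normally be told to load. Anything else deserves an alert.
ALLOWED_PROVIDER_DLLS = {"updatedeploymentprovider.dll"}

# Office hosts that should never be creating threads inside explorer.exe.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed Sysmon-like events for the example (not real campaign telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # benign: the real provider DLL, as Windows Update itself would launch it
        "EventID": 1,
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                       r'UpdateDeploymentProvider.dll /ClassId {00000000-0000-0000-0000-000000000000} '
                       r'/RunHandlerComServer',
    },
    {   # macro-stage injection: WINWORD.EXE creating a remote thread in explorer.exe
        "EventID": 8,
        "SourceImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "TargetImage": r"C:\Windows\explorer.exe",
    },
    {   # proxy execution: wuauclt.exe told to load an attacker-supplied DLL
        "EventID": 1,
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                       r'C:\Users\victim\AppData\Local\Temp\wuaueng.dll /RunHandlerComServer',
    },
    {   # unrelated noise
        "EventID": 1,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
    },
]


def _basename(path: str) -> str:
    """Case-folded file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path.strip('"')).lower()


def provider_dll_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the argument following /UpdateDeploymentProvider, or None if absent."""
    try:
        # posix=False keeps backslashes literal and leaves quotes on the token.
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "/updatedeploymentprovider":
            return tokens[i + 1].strip('"')
    return None


def check_process_create(ev: Dict[str, object]) -> Optional[str]:
    """Alert when wuauclt.exe is asked to load a DLL outside the allowlist."""
    if _basename(str(ev.get("Image", ""))) != "wuauclt.exe":
        return None
    cmd = str(ev.get("CommandLine", ""))
    dll = provider_dll_from_cmdline(cmd)
    if dll is None or _basename(dll) in ALLOWED_PROVIDER_DLLS:
        return None
    suffix = " with /RunHandlerComServer" if "/runhandlercomserver" in cmd.lower() else ""
    return f"wuauclt.exe asked to load non-standard DLL {dll!r}{suffix}"


def check_remote_thread(ev: Dict[str, object]) -> Optional[str]:
    """Alert when an Office process creates a thread inside explorer.exe."""
    src = _basename(str(ev.get("SourceImage", "")))
    tgt = _basename(str(ev.get("TargetImage", "")))
    if src in OFFICE_IMAGES and tgt == "explorer.exe":
        return f"{src} created a remote thread in explorer.exe"
    return None


def scan(events: List[Dict[str, object]]) -> List[str]:
    """Run both checks over a stream of events and collect alert strings in order."""
    alerts: List[str] = []
    for ev in events:
        eid = ev.get("EventID")
        msg = None
        if eid == 1:
            msg = check_process_create(ev)
        elif eid == 8:
            msg = check_remote_thread(ev)
        if msg:
            alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The allowlist is keyed on the DLL's file name only, so it deliberately does not care where the DLL lives; a real deployment should also correlate the loaded module's signature or hash (Sysmon Event ID 7 image load) so that an attacker cannot slip past by reusing the legitimate file name.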

Critical to the success of the attack is the role of “wuaueng.dll,” which is described as essential for establishing a connection to a command-and-control (C2) server discreetly hosted on GitHub, where malicious modules masquerade as PNG image files. Evidence connecting Lazarus Group to this operation includes links to their previous attacks, overlapping infrastructures, and the characteristic use of job-themed lures targeting specific victims.

The Lazarus Group's operations reflect a mature understanding of defensive tooling and a steady effort to adapt its toolset as detection improves. By keeping proven elements, such as job-themed phishing lures, while folding in new evasion techniques like proxying execution through signed Windows binaries, the group keeps its campaigns effective against targets that have learned to spot its older tradecraft.

This incident underscores a larger trend: sophisticated threat actors increasingly rely on tooling already present on the victim host rather than on custom binaries that are easier to flag. Organizations should map such activity to the MITRE ATT&CK framework, whose tactics (initial access, execution, persistence, privilege escalation, defense evasion and so on) give defenders a shared vocabulary for describing the attack chain and for checking which of its steps their telemetry and detections actually cover.
