Attackers from North Korea use Windows Update to spread malware

North Korean threat group Lazarus

According to Malwarebytes Labs, the well-known North Korean threat group Lazarus is abusing the Windows Update client to run malicious code, bypassing security controls, and using GitHub as a command-and-control server in its current attacks. The latest campaign was discovered last week in two Word documents used in a spear-phishing attempt built around fake Lockheed Martin job offers, according to Malwarebytes Threat Intelligence.

Lazarus’ aim is to infiltrate high-tech government organisations specialising in military and aerospace work and steal as much intelligence data as possible.

The two documents are named Lockheed Martin JobOpportunities.docx and Salary Lockheed Martin job opportunities confidential.doc. As their names suggest, both are lures that pose as new Lockheed Martin job openings.

Once triggered, a sequence of malicious macro commands embedded in the Word documents begins infiltrating the system, adding code to the computer’s startup sequence so that a reboot does not remove the malware.

Surprisingly, a malicious DLL is loaded through the Windows Update client as part of the injection procedure. This is a clever move because a signed, trusted Microsoft binary does the loading, which lets the activity slip past security detection systems.
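The two behaviours described above, an Office document spawning a command interpreter and the Windows Update client being handed a DLL it should not load, are both visible in process-creation telemetry. The following detection logic is an added example written for this page, not code from Malwarebytes or any other party. The log events are constructed for the example; the `/UpdateDeploymentProvider` switch is the publicly documented wuauclt.exe option that loads a DLL by path, while the field names, the stock provider file name and the suspect path are assumptions.

```python
"""Added example: flag macro-launched child processes and abuse of the
Windows Update client (wuauclt.exe) in Sysmon-style process-creation events.
All sample events below are constructed; none is real campaign telemetry."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "wuauclt.exe"}
# Assumption: stock update-client invocations pass this DLL by bare file name.
EXPECTED_PROVIDER_DLL = "updatedeploymentprovider.dll"
PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+("[^"]+"|\S+)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes and quotes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def check_event(event: dict) -> list:
    """Return a list of alert strings for one process-creation event."""
    alerts = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    # Rule 1: an Office application spawning a shell or script host (macro execution).
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append(f"office-child-process: {parent} -> {image}")

    # Rule 2: the update client told to load a provider DLL other than the stock one.
    if image == "wuauclt.exe":
        m = PROVIDER_RE.search(cmdline)
        if m:
            dll_arg = m.group(1).strip('"')
            # Check the file name and whether a path was supplied at all: a copy dropped
            # into a system directory still trips this, whereas a directory allow-list would not.
            if basename(dll_arg) != EXPECTED_PROVIDER_DLL or "\\" in dll_arg or "/" in dll_arg:
                alerts.append(f"wuauclt-provider-dll: {dll_arg}")
    return alerts


def scan(events) -> list:
    """Run both rules over an iterable of events and collect every alert."""
    out = []
    for e in events:
        out.extend(check_event(e))
    return out


# Constructed sample events (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    # User opens the lure document: no alert on its own.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" "C:\Users\jdoe\Downloads\Lockheed Martin JobOpportunities.docx"'},
    # Macro spawns a command interpreter: Rule 1 fires.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'cmd.exe /c "echo macro-launched"'},
    # Ordinary update-client run with the stock provider name: no alert.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer"},
    # Update client given a full path to an unexpected DLL (placeholder path): Rule 2 fires.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\placeholder\suspect.dll /RunHandlerComServer"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 deliberately compares the DLL file name rather than trusting a directory prefix, so a renamed or relocated provider DLL is flagged even if it sits under the Windows directory; tune the Office and script-host sets to the applications actually deployed in your estate to keep the child-process rule from firing on legitimate add-ins.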

Although the execution technique is novel, the phishing strategy is not. It is the same tactic Lazarus has been employing for over a year, codenamed “Dream Job.” The lure dupes government personnel into believing they are being considered for a highly sought-after position, only for them to discover that it was all a ruse to steal sensitive data from their computers.

Malwarebytes, ESET, and McAfee are all keeping a close eye on Lazarus to see what it will do next. The attacker’s last campaign was a huge success, with hundreds of firms and organisations around the world, including in Israel, being compromised.

Adam Cooke