2022-01-28

The Lazarus hacker group, known for its links to the WannaCry ransomware and for attacks on large firms such as Sony and several international banks, has resurfaced with a new method of spreading malware that takes advantage of Windows Update.

In this case the lure was the multinational aerospace company Lockheed Martin: the North Korean hacker group posed as that company in a spearphishing campaign, according to the analysis carried out by Malwarebytes.

How Lazarus took advantage of Windows Update to inject malware

Image: Malwarebytes

The process described by the security firm begins with the victim opening a document containing malicious code. A file named ‘WindowsUpdateConf.lnk’ is then placed in the Startup folder and a DLL file (wuaueng.dll) in the Windows/System32 folder.

The LNK file launches the Windows Update client (wuauclt.exe), which is used to run a command that loads the attacker’s malicious DLL. As Malwarebytes states, this technique uses Windows Update to evade the system’s detection and security mechanisms while hiding and executing the code.

Because Windows Update permits this, the executable becomes what is known as a ‘LoLBin’ (living-off-the-land binary): a Microsoft-signed executable that can be abused to execute malicious code.
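From a detection standpoint, the two observable steps described above (a .lnk written to a Startup folder, and wuauclt.exe launched with a DLL path on its command line) are enough to write a simple rule. The following is an added example, not code from the article or from Malwarebytes; the log lines are constructed, and the DLL-loading switches in the sample command line come from public LOLBAS documentation rather than from this page.

```python
import re
from typing import Optional
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs): each event is
# image|command line|parent image, in the spirit of Sysmon Event ID 1.
# The switches in the second line are the documented wuauclt.exe switches
# that load a DLL (assumed from public LOLBAS docs, not from the article).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\wuauclt.exe|wuauclt.exe /detectnow|C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\wuauclt.exe|wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer|C:\Windows\explorer.exe",
    r"C:\Windows\explorer.exe|explorer.exe|C:\Windows\System32\userinit.exe",
]

# Constructed sample file-creation events: full path of a newly written file.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk",
    r"C:\Users\alice\Documents\report.docx",
]

DLL_ARG = re.compile(r"\S+\.dll\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def suspicious_wuauclt(event: str) -> Optional[dict]:
    """Flag wuauclt.exe launched with a DLL path on its command line;
    routine Windows Update invocations pass switches, not DLL paths."""
    image, cmdline, parent = event.split("|", 2)
    if PureWindowsPath(image).name.lower() != "wuauclt.exe":
        return None
    dlls = DLL_ARG.findall(cmdline)
    if not dlls:
        return None
    return {"rule": "wuauclt_dll_load", "dll": dlls[0], "parent": parent}


def suspicious_startup_lnk(path: str) -> Optional[dict]:
    """Flag a .lnk written into a Startup folder (the persistence step)."""
    if path.lower().endswith(".lnk") and STARTUP_DIR.search(path):
        return {"rule": "startup_lnk", "name": PureWindowsPath(path).name}
    return None


def scan(events, files):
    findings = [f for e in events if (f := suspicious_wuauclt(e))]
    findings += [f for p in files if (f := suspicious_startup_lnk(p))]
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, SAMPLE_FILES):
        print(finding)
```

Tuning note: wuauclt.exe launched from a user-facing parent such as explorer.exe is a second signal worth correlating, since the client is normally started by the service, not by the user's shell.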

Malwarebytes attributes the campaign to the Lazarus group based on evidence and metadata previously used by this group of hackers. According to BleepingComputer, this method was first reported in October 2020, when researcher David Middlehurst discovered that a security hole in Windows Update could be exploited to inject malware.