Windows Update deploying malware powered by GitHub C2 Server
According to a report from Malwarebytes on Thursday, a North Korean cyber-espionage group’s latest attack was found to be very similar to other attacks from the group. Malwarebytes analysts have discovered that the APT group has been using a new technique that involves spear phishing to steal user data and cryptocurrency.
The focus of the phishing campaign is consistent with the APT group’s style – they impersonate big, global brands. In this case, they pretended to be a huge military and defense company.
Korean hackers are rampaging. They are one of the most active cyber-attackers in the world. The US considers them to be a huge threat. They have been caught red-handed attacking companies and stealing secrets for years. Their leader is Lazarus, who has been active since at least 2009. This group is responsible for many cyber-attacks, including the WannaCry ransomware attack that has been in the news.
The cyber-security company Malwarebytes was quoted in a Thursday report saying that the Jan. 18 spear-phishing attack used malicious documents to trick targets into clicking. The strategy was similar to the one used before by the hacking group, which has been known to target companies that it says are in need of jobs.
Malwarebytes found two fake job documents with malicious macros in them. The documents appear to be from Lockheed Martin, but they are not. They are being used in a spear phishing campaign focused on the aerospace and defense sector.
- Lockheed_Martin_JobOpportunities.docx
- Salary_Lockheed_Martin_job_opportunities_confidential.doc
These documents were compiled on April 4, 2020, but Malwarebytes discovered that the campaign was actually used in late March and early April. The threat actor used multiple domains to accomplish this.
It starts with Microsoft Word
The malware begins by injecting malicious macros in Microsoft Word documents. The injection process occurs after a series of steps. Once the malware achieves startup persistence, it can perform a variety of malicious actions.
If a target opens the malicious attachment and allows macros to run, the macro drops a WindowsUpdateConf.lnk file in the startup folder as a shortcut to a hidden location and wuaueng.dll in the Windows/System32 folder.
Next, the .LNK file launches the Windows Update client – wuauclt.exe, a legitimate process file that’s used to automatically update Windows. The Update client is used to run a malicious DLL, bypassing security detection.
Researchers stated: “With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL.”
In October 2020, the Windows Update Client program was added to the list of Living Off the Land Binaries (LOLBins). These are executables signed by Microsoft that attackers use to execute malicious code on Windows systems while evading detection.
The threat team stated: “This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms. With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL.”
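One way to hunt for the command line the researchers describe, as an added example that is not from Malwarebytes or the original article: it scans process-creation command lines for wuauclt.exe started with /UpdateDeploymentProvider, a DLL path and /RunHandlerComServer. The function names, host names and sample log lines are constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Arguments named in the Malwarebytes quote above (compared case-insensitively).
PROVIDER_ARG = "/updatedeploymentprovider"
HANDLER_ARG = "/runhandlercomserver"

def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def dll_loaded_via_wuauclt(cmdline):
    """Return the DLL path when wuauclt.exe is started with
    /UpdateDeploymentProvider <dll> ... /RunHandlerComServer, else None."""
    tokens = tokenize(cmdline)
    if not tokens or basename(tokens[0]).lower() not in ("wuauclt.exe", "wuauclt"):
        return None
    args = [t.lower() for t in tokens[1:]]
    if PROVIDER_ARG not in args:
        return None
    idx = args.index(PROVIDER_ARG)
    # The DLL path follows the provider switch; the handler switch comes after it.
    if HANDLER_ARG not in args[idx + 2:]:
        return None
    return tokens[idx + 2]

def scan(events):
    """events: iterable of (host, command_line). Returns [(host, dll_path)]."""
    hits = []
    for host, cmdline in events:
        dll = dll_loaded_via_wuauclt(cmdline)
        if dll is not None:
            hits.append((host, dll))
    return hits

# Constructed sample process-creation records (not taken from the report).
SAMPLE_EVENTS = [
    ("ws-01", r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Users\Public\example.dll /RunHandlerComServer'),
    ("ws-02", r"C:\Windows\System32\wuauclt.exe /detectnow"),
    ("ws-03", r'wuauclt.exe /updatedeploymentprovider "C:\Temp Dir\sample.dll" /runhandlercomserver'),
    ("ws-04", r"C:\Windows\System32\notepad.exe /UpdateDeploymentProvider a.dll /RunHandlerComServer"),
]

if __name__ == "__main__":
    for host, dll in scan(SAMPLE_EVENTS):
        print(f"{host}: wuauclt.exe asked to load {dll}")
```

The check matches on the executable's file name and the two switches rather than on any particular DLL name, so it still fires when the DLL is renamed or moved.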
GitHub Used as the C2 server
The researchers observed a rare use of GitHub as the C2 server. They have never seen Lazarus using the site before. However, using GitHub is an excellent choice for a short-term attack. The researchers said: “GitHub as a C2 has its own drawbacks but it is a clever choice for targeted and short-term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections.”