2022-02-01

Lazarus Uses Windows Update Client

Level: 
Tactical
  |  Source: 
Malwarebytes
Defense
Share:

Lazarus Uses Windows Update Client

Malwarebytes Threat Intelligence team has identified a new wave of threat activity from North Korean threat group Lazarus that was observed as early as January 18th, 2022. Similar to past campaigns the group's phishing theme involves new job opportunities to entice potential victims, particularly targeting victims in the defense industry as the job offers are posed to have originated from Lockheed Martin, BAE Systems, Boeing and Northrop Grumman. One of the two malicious documents makes use of multiple process injections for defense evasion and achieves persistence from the startup folder. A first also for a Lazarus campaign is the usage of GitHub as its C2. The second malicious document’s main difference is upon macro execution, mshta will execute a remote HTML page. The new campaign leverages the Windows Update client to evade security detection by utilizing the process to run a malicious DLL from an LNK file.

     

Get trending threats published weekly by the Anvilogic team.

Sign Up Now