North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LOLBins) and is now actively using it to execute malicious code on Windows systems.
The new malware deployment method was discovered by the Malwarebytes Threat Intelligence team while analyzing a January spearphishing campaign impersonating the American security and aerospace company Lockheed Martin.

After the victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.

In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) to execute a command that loads the attackers’ malicious DLL.

“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” Malwarebytes said.

The researchers linked these attacks to Lazarus based on several pieces of evidence, including infrastructure overlaps, document metadata, and targeting similar to previous campaigns.
Defense evasion method revived in new attacks
As BleepingComputer reported in October 2020, this tactic was discovered by MDSec researcher David Middlehurst, who found that attackers could use the Windows Update client to execute malicious code on Windows 10 systems (he also spotted a sample using it in the wild).
This can be done by loading an arbitrary specially crafted DLL using the following command-line options (the command Lazarus used to load their malicious payload):

wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer

MITRE ATT&CK classifies this type of defense evasion strategy as Signed Binary Proxy Execution, and it allows attackers to bypass security software, application control, and digital certificate validation protection. In this case, threat actors do it by executing malicious code from a previously dropped malicious DLL, loaded using the Windows Update client’s Microsoft-signed binary.
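As an added example (not code from the article, Malwarebytes or MDSec), a detection pass in Python over constructed process-creation events: it flags the wuauclt.exe invocation form described above and records why each hit looks suspicious. The parent-process and DLL-location heuristics are assumptions to tune per environment; the sample events are constructed, not captured from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon event 1 style, trimmed to the
# fields used here). Illustrative only; not events captured from the campaign.
SAMPLE_EVENTS = [
    # The invocation form from the article: wuauclt.exe loads a DLL as an update
    # deployment provider and runs it as a COM server. Parent explorer.exe is what
    # a Startup-folder LNK launched at logon would show.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer"},
    # Same pattern with the DLL staged under a user profile (constructed).
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stager.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider "C:\Users\alice\AppData\Local\Temp\x.dll" /RunHandlerComServer'},
    # Routine client invocation without a provider DLL (constructed): benign.
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\wuauclt.exe /detectnow"},
]

# Case-insensitive because Windows switches and paths are; DLL path quoted or bare.
PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
RUN_RE = re.compile(r"/RunHandlerComServer", re.IGNORECASE)


def analyze_event(event):
    """Return None for events that do not match, else a finding describing the
    wuauclt.exe proxy-execution pattern (ATT&CK Signed Binary Proxy Execution)."""
    if not event.get("Image", "").lower().endswith("wuauclt.exe"):
        return None
    cmd = event.get("CommandLine", "")
    m = PROVIDER_RE.search(cmd)
    if not m or not RUN_RE.search(cmd):
        return None
    dll = m.group(1) or m.group(2)
    parent = event.get("ParentImage", "")
    reasons = ["wuauclt.exe told to load and run a provider DLL"]
    # Heuristic (assumption, tune per environment): update components are normally
    # started by the Windows Update service host, not by a shell or user program.
    if not parent.lower().endswith("\\svchost.exe"):
        reasons.append("unexpected parent process")
    # Heuristic (assumption): a provider DLL outside %SystemRoot%\System32 should
    # be treated as attacker-staged until proven otherwise.
    if not dll.lower().startswith("c:\\windows\\system32\\"):
        reasons.append("provider DLL outside System32")
    return {"dll": dll, "parent": parent, "reasons": reasons}


def scan(events):
    """Apply analyze_event to every event and keep only the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]
```

The first sample shows why the DLL path alone is a weak signal: a DLL named like a genuine update component and placed in System32 only stands out because of the unusual parent process.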
Notorious North Korean hacking group
The Lazarus Group (also tracked as HIDDEN COBRA by US intel agencies) is a North Korean military hacking group active for more than a decade, since at least 2009. Its operators coordinated the 2017 global WannaCry ransomware campaign and have been behind attacks against high-profile companies such as Sony Films and multiple banks worldwide. Last year, Google spotted Lazarus targeting security researchers in January as part of complex social engineering attacks and a similar campaign during March.
They were also observed using the previously undocumented ThreatNeedle backdoor in a large-scale cyber-espionage campaign against the defense industry of more than a dozen countries. US Treasury sanctioned three DPRK-sponsored hacking groups (Lazarus, Bluenoroff, and Andariel) in September 2019, and the US government offers a reward of up to $5 million for info on Lazarus activity.