Lazarus APT used an old attack strategy to spread malware

February 18, 2022

The North Korea-based Lazarus APT group has been observed distributing its malware through a spear-phishing campaign aimed at acquiring other nations’ military secrets. The group reused the same job-offer lure it had employed in earlier attacks, with slight modifications.

The group posed as Lockheed Martin in spear-phishing attempts built around two lure documents with embedded macros. The attackers’ objective in deploying these lures is to exfiltrate military secrets from the targeted nation.

Researchers found that the decoy documents carried a compilation timestamp of April 2020. However, based on the domains used by Lazarus and several other indicators, they determined that the group actually used the macro-embedded documents in January and February of this year.

The strategy used by Lazarus is particularly insidious, since the attackers now run their malicious code via GitHub and the Microsoft Windows Update client.

For the first time in Lazarus’s history, the group used GitHub as a command-and-control server for short, targeted attacks. Because traffic to GitHub is so common, security tools have a harder time telling malicious connections apart from legitimate ones.

The attack starts with the execution of the malicious macros embedded in the MS Word documents. After several injection stages, the malware establishes startup persistence on the target’s system.

If the victim opens the malicious attachment and enables macros, the macro drops a file named WindowsUpdateConf[.]lnk in the Startup folder and a DLL file in an obfuscated system folder.

The macro also loads shellcode that carries an encrypted DLL. At runtime the shellcode decrypts the DLL and manually maps it into memory.

The [.]LNK file launches what looks like an ordinary Windows automatic update, invoking the Windows Update client.

The attackers use the Update client to load the malicious DLL, avoiding detection by Windows Defender. With this technique, the Lazarus group runs its malicious code through the Windows Update client.
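The three behaviours above (GitHub used as a C2 channel, a .lnk dropped into the Startup folder by the macro, and the Windows Update client started outside its normal service context to load a DLL) each leave a fairly specific trace in endpoint telemetry. The script below is an added example written for this page, not code from the report or from any vendor: it runs three heuristics over constructed Sysmon-style events (ProcessCreate = 1, NetworkConnect = 3, FileCreate = 11). The event records, process names, file paths and the GitHub allowlist are all assumptions made for the example; tune the allowlists to the environment before using the logic in a real pipeline.

```python
"""Detection heuristics for the Lazarus tradecraft described above, run over
constructed Sysmon-style events. All sample data is made up for this example."""
import re
from pathlib import PureWindowsPath

# Per-user and all-users Startup folders share this path tail.
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
GITHUB_HOST_RE = re.compile(
    r"(^|\.)(github\.com|githubusercontent\.com)$", re.IGNORECASE)
# Assumed site allowlist: processes expected to reach GitHub.
GITHUB_OK_IMAGES = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}


def _image_name(path):
    """Lower-cased file name of an image path ('' when the field is missing)."""
    return PureWindowsPath(path or "").name.lower()


def office_wrote_startup_lnk(event):
    """FileCreate: an Office process writing a .lnk into a Startup folder is
    the macro's persistence step (WindowsUpdateConf.lnk in the article)."""
    return (event.get("event_id") == 11
            and _image_name(event.get("image")) in OFFICE_IMAGES
            and bool(STARTUP_LNK_RE.search(event.get("target_filename", ""))))


def wuauclt_loading_dll_outside_service(event):
    """ProcessCreate: the Windows Update client normally runs under the Windows
    Update service host (svchost.exe). A Startup .lnk is launched by
    explorer.exe instead, so flag wuauclt.exe started by anything other than
    svchost.exe when a DLL is named on its command line."""
    if event.get("event_id") != 1 or _image_name(event.get("image")) != "wuauclt.exe":
        return False
    if _image_name(event.get("parent_image")) == "svchost.exe":
        return False
    return re.search(r"\S+\.dll\b", event.get("command_line", ""), re.IGNORECASE) is not None


def unexpected_github_client(event):
    """NetworkConnect: GitHub traffic from a process that is not a browser, git
    client or IDE. An allowlist is the practical way to separate C2 use of
    GitHub from the legitimate traffic the article says it hides among."""
    if event.get("event_id") != 3:
        return False
    host = event.get("destination_hostname", "")
    return (bool(GITHUB_HOST_RE.search(host))
            and _image_name(event.get("image")) not in GITHUB_OK_IMAGES)


CHECKS = (office_wrote_startup_lnk, wuauclt_loading_dll_outside_service,
          unexpected_github_client)


def triage(events):
    """Return [(heuristic name, event)] for every event that trips a heuristic."""
    return [(check.__name__, ev) for ev in events for check in CHECKS if check(ev)]


# Constructed sample events (not taken from the report). Alternating rows are
# a suspicious case followed by a benign look-alike for the same heuristic.
SAMPLE_EVENTS = [
    {"event_id": 11, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk"},
    {"event_id": 11, "image": r"C:\Windows\explorer.exe",
     "target_filename": r"C:\Users\alice\Desktop\notes.lnk"},
    {"event_id": 1, "image": r"C:\Windows\System32\wuauclt.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # launched from a Startup .lnk
     "command_line": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\PLACEHOLDER.dll /RunHandlerComServer"},
    {"event_id": 1, "image": r"C:\Windows\System32\wuauclt.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",  # normal service context
     "command_line": r"wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer"},
    {"event_id": 3, "image": r"C:\Windows\System32\wuauclt.exe",
     "destination_hostname": "raw.githubusercontent.com"},
    {"event_id": 3, "image": r"C:\Program Files\Git\cmd\git.exe",
     "destination_hostname": "github.com"},
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"{name}: {ev}")
```

The wuauclt heuristic deliberately keys on the parent process rather than the DLL path: the article only says the DLL lands in a system folder, so a path-based rule could miss it, whereas the Update client being started by explorer.exe (or any non-service process) with a DLL argument is unusual regardless of where the DLL sits.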

The Lazarus APT group has once again shown itself to be a well-resourced threat actor, already notorious for targeting the defence sector. It continually updates its TTPs to bypass security controls and AV solutions.

Lazarus’s abuse of Windows Update and GitHub implies that they are committed to breaching military and defence security systems.
