Windows Update hijacked to infect PCs with malware

A Word macro downloads it, Windows Update client runs it

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Lazarus, a known cybercrime group with ties to the North Korean government, has managed to abuse the Windows Update Client to distributemalware, cybersecurity researchers from Malwarebytes have found.

In ablog postdetailing their findings, the researchers said they were investigating a phishing campaign impersonating Lockheed Martin, an American aerospace, arms, defense, information security, and technology corporation.

The group was distributing two files - Lockheed_Martin_JobOpportunities.docx, and Salary_Lockheed_Martin_job_opportunities_confidential.doc, obviously targeting people interested in getting a job at the company.

Malicious macros

The documents themselves carried malicious macros which, if activated, drop a WindowsUpdateConf.lnk file in the targetendpoint’sstartup folder, and a DLL file (wuaueng.dll) in the Windows/System32 folder.

After that, the .lnk file launches the Windows Update Client which, in turn, launches the malicious DLL.

“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client," to bypassantivirussolutions and other security mechanisms.

“With this method, the threat actor can execute its malicious code through theMicrosoftWindows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious dll and /RunHandlerComServer argument after the dll.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Hackers are using DDoS attacks to squeeze victims for ransom>North Korean malware could still pose major threat>Linux users beware - you could be facing more cyber threats than ever before

This is not the first time someone’s taken advantage of the Windows Update Client to run malware as back in October 2020, MDSec researcher David Middlehurst discovered the flaw, and even its abuse in the wild.

We are yet to see what Microsoft will do about it but, as usual, one should be extra careful when downloading and running documents coming in through the mail, especially if they require the activation of macros.

Lazarus is one of the world’s most dangerous cybercrime groups, notorious for their involvement in the WannaCry fiasco, as well as the attack onSony, after the company released a comedy movie set in a fictitious North Korea.

Via:BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

OLED vs Mini-LED: which TV type is best?