Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Lazarus hackers use Windows Update to deploy malware
#1
North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems.

The new malware deployment method was discovered by the Malwarebytes Threat Intelligence team while analyzing a January spearphishing campaign impersonating the American security and aerospace company Lockheed Martin.

After the victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.

In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) to execute a command that loads the attackers' malicious DLL.
"This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,"


Source: https://www.bleepingcomputer.com/news/se...y-malware/
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  New BLISTER Malware Update Fuelling Stealthy Network Infiltration dhruv2193 0 579 09-05-2023 , 07:22 PM
Last Post: dhruv2193
  Hackers now use Microsoft OneNote attachments to spread malware tarekma7 0 818 01-24-2023 , 10:21 AM
Last Post: tarekma7
  Hackers are targeting industrial systems with malware mrtrout 0 848 07-16-2022 , 06:46 PM
Last Post: mrtrout
  New malware DarkWatchman uses Windows Registry to evade detection mrtrout 0 1,245 12-25-2021 , 12:23 AM
Last Post: mrtrout
  AMD confirms its Windows driver was at the mercy of hackers due to a dozen security mrtrout 0 812 11-14-2021 , 11:58 PM
Last Post: mrtrout



Users browsing this thread: 2 Guest(s)