The Malwarebytes Threat Intelligence team have discovered a new campaign being run by the North Korean hacking group Lazarus. The campaign was discovered while analyzing a spear-phishing campaign in January that was impersonating the American company Lockheed Martin. After victims opened the malicious attachments in the phishing email and enabled macro execution, an embedded macro dropped a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder. In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) to execute a command that loads the attackers’ malicious DLL. These attacks were linked to the Lazarus group based on several overlaps in infrastructure, document metadata, and targeting that was seen in similar campaigns. The use of the Windows Update feature in this attack is meant for the malware deployment to go unrecognized by standard anti-virus solutions.
This threat group has been the primary hacking group for North Korean government activities and has been known since at least 2009. Also tracked as Hidden Cobra, the group works on infiltrating companies and stealing sensitive data. They were also behind a number of notorious hacks around the world including the WannaCry ransomware, the Sony Film hack, and numerous bank attacks for monetary gain. It is always important for companies to have proper security training in place for employees, including teaching employees how to spot a phishing attack. It is also recommended to keep macros disabled in Microsoft applications and only enable them when the document is coming from a trusted source.