The Malwarebytes Threat Intelligence team has discovered a new campaign being run by the North Korean hacking group Lazarus. The campaign was discovered while analyzing a spear-phishing campaign in January that was impersonating the American company Lockheed Martin. After victims opened the malicious attachments in the phishing email and enabled macro execution, an embedded macro dropped a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder. In the next stage, the LNK file is used to launch the WSUS / Windows Update client (wuauclt.exe) to execute a command that loads the attackers’ malicious DLL. These attacks were linked to the Lazarus group based on several overlaps in infrastructure, document metadata, and targeting seen in similar campaigns. The use of the Windows Update feature in this attack is meant to let the malware deployment go unrecognized by standard anti-virus solutions.
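As an added detection example (not from the Malwarebytes report), the rule below scans constructed process-creation events for wuauclt.exe being used to load a DLL the way described above. It assumes the documented `/UpdateDeploymentProvider <dll> /RunHandlerComServer` command form, which the article does not quote, and a baseline of expected parent processes that a real deployment would take from its own telemetry.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    # Benign: the Windows Update service itself spawning wuauclt with the genuine System32 DLL.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer'},
    # Suspicious: launched interactively (parent explorer.exe, as a Startup LNK would do) and the
    # provider DLL lives in a look-alike "Windows\System32" folder under the user profile (constructed path).
    {"parent": r"C:\Windows\explorer.exe",
     "cmd": r'C:\Windows\System32\wuauclt.exe /UpdateDeploymentProvider "C:\Users\alice\AppData\Roaming\Windows\System32\wuaueng.dll" /RunHandlerComServer'},
    # Unrelated: an ordinary scan trigger with no provider DLL at all.
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\System32\wuauclt.exe /detectnow"},
]

GENUINE_SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# Assumption: parents that legitimately start wuauclt in this environment; tune from your own baseline.
EXPECTED_PARENTS = {"svchost.exe", "usoclient.exe", "musnotification.exe"}
# Captures the DLL path, quoted or not, following the /UpdateDeploymentProvider switch.
PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def provider_dll(cmd):
    """Return the DLL path passed to /UpdateDeploymentProvider, or None if the switch is absent."""
    m = PROVIDER_RE.search(cmd)
    if not m:
        return None
    return m.group(1) or m.group(2)


def analyze_event(event):
    """Return the reasons a wuauclt.exe launch looks like DLL side-loading (empty list if benign)."""
    cmd, parent = event["cmd"], event["parent"]
    dll = provider_dll(cmd)
    if dll is None:
        return []  # no provider DLL requested: not the pattern this rule covers
    reasons = []
    # PureWindowsPath compares case-insensitively, so C:\WINDOWS\system32 still matches.
    if PureWindowsPath(dll).parent != GENUINE_SYSTEM32:
        reasons.append(f"provider DLL outside genuine System32: {dll}")
    parent_name = PureWindowsPath(parent).name.lower()
    if "/runhandlercomserver" in cmd.lower() and parent_name not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent_name} for /RunHandlerComServer")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that trips the rule."""
    return [(i, r) for i, e in enumerate(events) if (r := analyze_event(e))]
```

Run against SAMPLE_EVENTS, only the second event is flagged, for both its DLL location and its parent process.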