November 14, 2024

Windows Update hijacked to infect PCs with malware

January 28, 2022 0

Lazarus, a known cybercrime group with ties to the North Korean government, has managed to abuse the Windows Update Client to distribute malware, cybersecurity researchers from Malwarebytes have found.

In a blog post detailing their findings, the researchers said they were investigating a phishing campaign impersonating Lockheed Martin, an American aerospace, arms, defense, information security, and technology corporation.

The group was distributing two files – Lockheed_Martin_JobOpportunities.docx, and Salary_Lockheed_Martin_job_opportunities_confidential.doc, obviously targeting people interested in getting a job at the company.

Malicious macros

The documents themselves carried malicious macros which, if activated, drop a WindowsUpdateConf.lnk file in the target endpoint’s startup folder, and a DLL file (wuaueng.dll) in the Windows/System32 folder.

After that, the .lnk file launches the Windows Update Client which, in turn, launches the malicious DLL. 

“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client,” to bypass antivirus solutions and other security mechanisms. 

“With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious dll and /RunHandlerComServer argument after the dll.”

Read More

> Hackers are using DDoS attacks to squeeze victims for ransom

> North Korean malware could still pose major threat

> Linux users beware – you could be facing more cyber threats than ever before

This is not the first time someone’s taken advantage of the Windows Update Client to run malware as back in October 2020, MDSec researcher David Middlehurst discovered the flaw, and even its abuse in the wild. 

We are yet to see what Microsoft will do about it but, as usual, one should be extra careful when downloading and running documents coming in through the mail, especially if they require the activation of macros.

Lazarus is one of the world’s most dangerous cybercrime groups, notorious for their involvement in the WannaCry fiasco, as well as the attack on Sony, after the company released a comedy movie set in a fictitious North Korea. 

Here’s our take on the best ransomware protection right now

Via: BleepingComputer

More Stories

Odistar Desktop Vacuum Cleaner review: Small but mighty

Odistar Desktop Vacuum Cleaner review: Small but mighty

November 14, 2024 0
Apple Releases Final Cut Pro 11 for Mac

Apple Releases Final Cut Pro 11 for Mac

November 14, 2024 0
Apple Releases Logic Pro 11.1 for Mac

Apple Releases Logic Pro 11.1 for Mac

November 14, 2024 0

You may have missed

Odistar Desktop Vacuum Cleaner review: Small but mighty

Odistar Desktop Vacuum Cleaner review: Small but mighty

November 14, 2024 0
Apple Releases Final Cut Pro 11 for Mac

Apple Releases Final Cut Pro 11 for Mac

November 14, 2024 0
Apple Releases Logic Pro 11.1 for Mac

Apple Releases Logic Pro 11.1 for Mac

November 14, 2024 0
6 uses for the reMarkable Paper Pro that aren’t taking notes

6 uses for the reMarkable Paper Pro that aren’t taking notes

November 14, 2024 0
Change this Google Maps now so you don’t get lost on the way to Grandma’s

Change this Google Maps now so you don’t get lost on the way to Grandma’s

November 14, 2024 0