CyberManipal.

Tech news from MIST

North Korean Hackers Use Windows Update Service to Infect PCs with Malware

Vulnerabilities
@LavanyaRao

Lavanya Rao K

February 2, 2022

The Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, is a known cybercrime group with ties to the North Korean government that recently abused the Windows Update Client to distribute malware. The researchers said they were investigating a phishing campaign mimicking Lockheed Martin, an American aerospace, information security, and technology corporation. The group was distributing two files, Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. The documents themselves carried malicious macros which, if activated, drop a WindowsUpdateConf.lnk file in the target endpoint's start-up folder and a DLL file (wuaueng.dll) in the Windows/System32 folder. The .lnk file then launches the Windows Update Client, which in turn loads the malicious DLL. Lazarus used this technique to run its malicious DLL through the Windows Update Client in order to bypass antivirus solutions and other security mechanisms. With this method, the threat actor executes its code by passing the following arguments to the Microsoft Windows Update client: /UpdateDeploymentProvider, followed by the path to the malicious DLL, and then /RunHandlerComServer after the DLL path. We are yet to see what Microsoft will do about it, but, as usual, one should be extra careful when downloading and running documents that arrive by email, especially if they require the activation of macros. "Lazarus APT is one of the advanced APT groups that is known to target the defense industry," the researchers concluded.

Ten vulnerabilities in HP Support Assistant, a utility pre-installed on all HP computers sold after October 2012, were found by a security researcher. Computers running Windows 7, Windows 8, and Windows 10 were affected; the findings included five local privilege escalation flaws, two arbitrary file deletion bugs, and three remote code execution bugs.
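As an added example that is not part of the original post, the detection logic below (Python, not from the article or the researchers it cites) flags process-creation events in which the Windows Update Client is invoked with the /UpdateDeploymentProvider and /RunHandlerComServer arguments described above; the event field names, the sample events and the dll_signed enrichment field are assumptions.

```python
import re
from pathlib import PureWindowsPath

# The DLL path that follows /UpdateDeploymentProvider, quoted or bare.
_PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_HANDLER_RE = re.compile(r"/RunHandlerComServer\b", re.IGNORECASE)
TRUSTED_ROOT = PureWindowsPath(r"C:\Windows")

# Constructed sample process-creation events (not real telemetry). 'dll_signed' is an
# assumed enrichment field: does the referenced DLL carry a valid Microsoft signature?
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wuauclt.exe",  # the article's pattern: wuaueng.dll under System32
     "cmdline": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer",
     "dll_signed": False},
    {"image": r"C:\Windows\System32\wuauclt.exe",  # same technique, DLL in a user-writable folder
     "cmdline": r'wuauclt.exe /UpdateDeploymentProvider "C:\Users\alice\AppData\Local\Temp\wuaueng.dll" /RunHandlerComServer',
     "dll_signed": False},
    {"image": r"C:\Windows\System32\wuauclt.exe",  # signed provider under C:\Windows: review, not alert
     "cmdline": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer",
     "dll_signed": True},
    {"image": r"C:\Windows\System32\wuauclt.exe",  # ordinary update check, no DLL argument
     "cmdline": "wuauclt.exe /detectnow", "dll_signed": True},
]


def _under(path, root):
    """Case-insensitive check that `path` lies beneath directory `root`."""
    n = len(root.parts)
    return [p.lower() for p in path.parts[:n]] == [p.lower() for p in root.parts]


def analyze_event(event):
    """Return a finding dict for a suspicious wuauclt.exe launch, or None."""
    if PureWindowsPath(event["image"]).name.lower() != "wuauclt.exe":
        return None
    cmd = event["cmdline"]
    m = _PROVIDER_RE.search(cmd)
    if not m or not _HANDLER_RE.search(cmd):
        return None  # not the provider-DLL plus COM-server combination
    dll = PureWindowsPath(m.group(1) or m.group(2))
    reasons = ["wuauclt.exe told to load a deployment-provider DLL and run it as a COM server"]
    if not _under(dll, TRUSTED_ROOT):
        reasons.append(f"provider DLL outside {TRUSTED_ROOT}: {dll}")
    if not event.get("dll_signed", False):
        reasons.append("provider DLL lacks a valid Microsoft signature")
    severity = "high" if len(reasons) > 1 else "medium"
    return {"severity": severity, "dll": str(dll), "reasons": reasons}
```

Running `[analyze_event(e) for e in SAMPLE_EVENTS]` yields two high-severity findings, one medium-severity review item and one None.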

Abridged from The Hacker News
