
Lazarus APT Uses Windows Update to Spew Malware
2022-01-28 21:47

Lazarus Group is using Windows Update to spray malware in a campaign powered by a GitHub command-and-control server, researchers have found.

Lazarus did the same thing last July: At that time, the APT was identified as being behind a campaign that was spreading malicious documents to job-seeking engineers, impersonating defense contractors who were purportedly seeking job candidates at Airbus, General Motors and Rheinmetall.

LNK files are Windows shortcut files: small pointer files that reference another file on the system and can carry their own launch arguments.

"With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL," the researchers explained.

"This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms," the threat-intelligence team noted.
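The argument pattern quoted above (wuauclt.exe launched with /UpdateDeploymentProvider, a DLL path, and /RunHandlerComServer) is the observable a defender can hunt for in process-creation telemetry. The following Python is an added example written for this page, not code from the original article or from the researchers it quotes: it runs a simple detection over constructed process-creation events (field names loosely modelled on Sysmon Event ID 1) and raises the severity when the DLL supplied to the Windows Update client lives outside the system root. The SYSTEM_ROOT value, the event field names and the severity heuristic are assumptions for the example.

```python
import re
from typing import List, Optional

# Assumption: the Windows system root is C:\Windows; adjust for the environment being monitored.
SYSTEM_ROOT = r"c:\windows"

# Constructed sample process-creation events (not real telemetry).
# Field names are loosely modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # DLL loaded from a user temp directory: the pattern described in the article
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                       r"C:\Users\alice\AppData\Local\Temp\wuaueng.dll /RunHandlerComServer",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Same arguments, but the DLL sits under the system root: still worth a look, lower priority
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                       r"C:\Windows\System32\wuaueng.dll /RunHandlerComServer",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # Ordinary update check: no DLL-loading arguments, should not alert
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /detectnow',
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, keeping double-quoted paths whole."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding when wuauclt.exe is asked to load a deployment-provider DLL, else None."""
    image = event.get("Image", "")
    if image.lower().rsplit("\\", 1)[-1] != "wuauclt.exe":
        return None

    tokens = tokenize(event.get("CommandLine", ""))
    lowered = [t.lower() for t in tokens]
    if "/updatedeploymentprovider" not in lowered or "/runhandlercomserver" not in lowered:
        return None

    # The DLL path is the argument that follows /UpdateDeploymentProvider.
    idx = lowered.index("/updatedeploymentprovider")
    dll_path = tokens[idx + 1] if idx + 1 < len(tokens) else ""

    # Heuristic (assumption): a provider DLL outside the system root is the stronger signal.
    outside_system_root = not dll_path.lower().startswith(SYSTEM_ROOT + "\\")
    return {
        "dll_path": dll_path,
        "parent": event.get("ParentImage", ""),
        "outside_system_root": outside_system_root,
        "severity": "high" if outside_system_root else "medium",
    }


def scan(events: List[dict]) -> List[dict]:
    """Run analyze_event over a batch of process-creation events and collect the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] wuauclt.exe loading {finding['dll_path']} "
              f"(parent: {finding['parent']})")
```

In a real deployment the same logic maps directly onto a SIEM rule: match the image name and both switches, then extract the path argument and compare it against the system root and your own allow list.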

News URL

https://threatpost.com/lazarus-apt-windows-update-malware-github/178096/