Security News > 2022 > January > Lazarus APT Uses Windows Update to Spew Malware
Lazarus Group is using Windows Update to spray malware in a campaign powered by a GitHub command-and-control server, researchers have found.
Lazarus did the same thing last July: At that time, the APT was identified as being behind a campaign that was spreading malicious documents to job-seeking engineers, impersonating defense contractors who were purportedly seeking job candidates at Airbus, General Motors and Rheinmetall.
LNK files are Windows shortcut files, as in, pointers to original files in Windows.
"With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL," the researchers explained.
"This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms," the threat-intelligence team noted.
"With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: /UpdateDeploymentProvider, Path to malicious DLL and /RunHandlerComServer argument after the DLL.".
News URL
https://threatpost.com/lazarus-apt-windows-update-malware-github/178096/
Related news
- Hackers abuse Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics (source)
- Detecting Windows-based Malware Through Better Visibility (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)