Security News > 2022 > January > North Korean Hackers Using Windows Update Service to Infect PCs with Malware

The notorious Lazarus Group actor has been observed mounting a new campaign that makes use of the Windows Update service to execute its malicious payload, expanding the arsenal of living-off-the-land techniques leveraged by the APT group to further its objectives.
The Lazarus Group, also known as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, is the moniker assigned to the North Korea-based nation-state hacking group that's been active since at least 2009.
Last year, the threat actor was linked to an elaborate social engineering campaign targeting security researchers.
In the next phase, one of the loaded binaries, "Drops lnk.dll," leverages the Windows Update client to run a second module called "Wuaueng.dll." "This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms," researchers Ankur Saini and Hossein Jazi noted.
"Lazarus APT is one of the advanced APT groups that is known to target the defense industry," the researchers concluded.
"The group keeps updating its toolset to evade security mechanisms. Even though they have used their old job theme method, they employed several new techniques to bypass detections."
News URL
https://thehackernews.com/2022/01/north-korean-hackers-using-windows.html
Related news
- North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware (source)
- North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages (source)
- Chinese hackers use custom malware to spy on US telecom networks (source)
- North Korean hackers linked to $1.5 billion ByBit crypto heist (source)
- OpenAI bans ChatGPT accounts used by North Korean hackers (source)
- North Korean Hackers Steal $1.5B in Cryptocurrency (source)
- New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems (source)
- Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers (source)
- Safe{Wallet} Confirms North Korean TraderTraitor Hackers Stole $1.5 Billion in Bybit Heist (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)