Lazarus: North Korean hacker group is using Windows Update Client to infect PCs in new phishing attack


The Lazarus cybercrime group has reportedly managed to turn the Windows Update Client into a vehicle for spreading malware. According to a report by security researchers at Malwarebytes, the group has been distributing malicious files to job seekers. The researchers say in their blog post that they found the malware while investigating a phishing campaign impersonating the US-based firm Lockheed Martin.
The report further reveals that the group was targeting users who had applied for jobs at the company. Lazarus distributed two files, Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. Both files carried malicious macros which, when enabled, drop files into the endpoint's Startup folder and the Windows/System32 folder.
The .lnk file in the Windows subfolder then launches the Windows Update Client, which loads the malicious DLL (Dynamic Link Library). It is worth noting that these malicious DLLs can also bypass antivirus and other security measures. This is not the first time someone has used the Windows Update Client to spread malware: a similar flaw was discovered by MDSec researcher David Middlehurst back in October 2020. This time the risk seems much greater because Lazarus is involved.
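The chain described above (an Office macro dropping a shortcut into the Startup folder and a DLL into System32, then wuauclt.exe being launched to load that DLL) leaves a recognisable trail in endpoint telemetry. The following Python is an added example written for this page, not code from Malwarebytes, MDSec or Microsoft. It assumes a simplified event schema (the `type`, `image`, `command_line`, `parent_image` and `target_path` field names are an assumption, not a real product's format), and the sample events, file names and command-line switch are constructed placeholders, since the page does not reproduce the real command line.

```python
"""Heuristic triage of endpoint telemetry for the wuauclt.exe DLL-loading chain.

Added example: the event schema, the sample events and the parent-process
allowlist are constructed assumptions, not a real product's data.
"""
import re
from pathlib import PureWindowsPath

# Processes that normally spawn the Windows Update Client on a healthy host.
# This allowlist is an assumption; tune it against your own baseline.
EXPECTED_WUAUCLT_PARENTS = {"svchost.exe", "services.exe"}

# Office processes that have no business writing into autostart or system folders.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

DLL_ARG = re.compile(r"\S+\.dll\b", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SYSTEM32_DIR = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits = []
    kind = event.get("type")
    image = basename(event.get("image", ""))

    if kind == "process_create" and image == "wuauclt.exe":
        cmd = event.get("command_line", "")
        # A DLL path on the update client's command line is the core of the technique.
        if DLL_ARG.search(cmd):
            hits.append("wuauclt_dll_on_cmdline")
        # A shortcut in the Startup folder runs under explorer.exe, not the update service.
        parent = basename(event.get("parent_image", ""))
        if parent not in EXPECTED_WUAUCLT_PARENTS:
            hits.append("wuauclt_unusual_parent")

    if kind == "file_create" and image in OFFICE_PROCESSES:
        target = event.get("target_path", "")
        if STARTUP_DIR.search(target):
            hits.append("office_write_to_startup")
        if SYSTEM32_DIR.search(target):
            hits.append("office_write_to_system32")
    return hits


def scan(events: list) -> list:
    """Pair each event index with the rules it trips; benign events are skipped."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # 0: benign update check launched by the update service
    {"type": "process_create",
     "image": r"C:\Windows\System32\wuauclt.exe",
     "command_line": r"wuauclt.exe /detectnow",
     "parent_image": r"C:\Windows\System32\svchost.exe"},
    # 1: a Word macro writes a shortcut into the user's Startup folder
    {"type": "file_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\constructed.lnk"},
    # 2: the same macro drops a DLL into System32 (file name is constructed)
    {"type": "file_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target_path": r"C:\Windows\System32\constructed_sample.dll"},
    # 3: at next logon the shortcut runs wuauclt.exe under explorer.exe with a
    #    DLL path as an argument; the switch is a placeholder, the page does
    #    not give the real command line
    {"type": "process_create",
     "image": r"C:\Windows\System32\wuauclt.exe",
     "command_line": r"wuauclt.exe /PLACEHOLDER-SWITCH C:\Windows\System32\constructed_sample.dll",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Running the script flags events 1 to 3 and leaves the benign update check untouched. The two wuauclt rules are deliberately separate: a DLL on the command line is the high-confidence signal, while an unusual parent alone is only a hint (administrators do run the client by hand), so a real rule set would weight them differently and correlate them with the Office file-write events from the same host.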
What is Lazarus?
For those who don't know, Lazarus is an infamous cybercrime group with links to the North Korean government. The group was also involved in the WannaCry ransomware attack. The notorious group also attacked Sony when the company released a comedy film based on a fictitious story about North Korea.
As of now, Microsoft has not released any official statement on the incident. To stay safe from this kind of malware, you should also be extra careful when downloading or opening a file attached to an email.
