May 23, 2022
Cybercrime Group Lazarus Hijacks Windows Update Client to Infect PCs with Malware

Hackers Hijack Windows Update to Infect PCs with Malware

Cyber-criminal ring Lazarus, with ties to the North Korean government, is abusing a Windows Update Client to distribute dangerous PC malware…

Lazarus, a cyber-criminal group known to have ties with the North Korean government, has managed to abuse a Windows Update Client to distribute malware, cybersecurity researchers from Malwarebytes have found. Experts said they were actively investigating a phishing campaign impersonating Lockheed Martin, an American aerospace, arms, defense, information security, and technology corporation.


The group was distributing two files, Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc, obviously targeting people interested in getting a job at the company. The documents themselves carried malicious macros which, if activated, drop a WindowsUpdateConf.lnk file in the target endpoint’s startup folder and a DLL file (wuaueng.dll) in the Windows/System32 folder. Thereafter, the .lnk file launches the Windows Update Client which, in turn, loads the malicious DLL.
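A defender-side example, added here and not part of the original article or of Malwarebytes' research: a small Python triage rule run over constructed Sysmon-style file-create and process-create records that flags the chain described above (an Office process writing a .lnk into a Startup folder or a DLL into System32, and the Windows Update Client binary, wuauclt.exe, starting from a parent other than a service host). The record layout, the process names and the expected-parent list are assumptions.

```python
import re

# Office binaries whose macros are the usual source of the dropped files (assumption).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SYSTEM32_DLL_RE = re.compile(r"\\Windows\\System32\\[^\\]+\.dll$", re.I)
# The Windows Update Client normally runs under a service host; a user shell or an
# Office process as its parent is the anomaly we look for (heuristic, an assumption).
EXPECTED_WUAUCLT_PARENTS = {"svchost.exe", "services.exe"}


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return (rule, detail) pairs for records matching the drop-and-launch chain."""
    findings = []
    for e in events:
        if e["event"] == "FileCreate":
            proc, target = _base(e["image"]), e["target"]
            if proc in OFFICE and STARTUP_LNK_RE.search(target):
                findings.append(("office_writes_startup_lnk", target))
            if proc in OFFICE and SYSTEM32_DLL_RE.search(target):
                findings.append(("office_writes_system32_dll", target))
        elif e["event"] == "ProcessCreate":
            if (_base(e["image"]) == "wuauclt.exe"
                    and _base(e["parent"]) not in EXPECTED_WUAUCLT_PARENTS):
                findings.append(("wuauclt_unusual_parent", e["parent"]))
    return findings


# Constructed sample records (not real telemetry). File names follow the article.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk"},
    {"event": "FileCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Windows\System32\wuaueng.dll"},
    {"event": "FileCreate", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\alice\Documents\notes.docx"},  # benign
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\wuauclt.exe",
     "parent": r"C:\Windows\explorer.exe"},  # launched via the Startup .lnk
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\wuauclt.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},  # benign
]
```

Three of the five sample records trip a rule; the benign document write and the service-hosted wuauclt.exe start do not.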

This isn’t the first time hackers have taken advantage of the Windows Update Client. In October of 2020, MDSec researcher David Middlehurst discovered a flaw and documented its abuse in the wild. Lazarus is also known for its involvement in the WannaCry fiasco, as well as the attack on Sony that occurred in September of 2018.

Owen E. Richason IV

Covers social media, apps, search, and similar news. History buff, movie, and theme park lover. Blessed dad and husband.
