Posted on January 31, 2022 at 8:05 AM

North Korean hacking group launches several attacks using Windows update and GitHub

A report from Malwarebytes’ Threat Intelligence Team has pointed towards an attack launched by North Korean hackers. The team issued a warning that noted that the Lazarus hacking group posed a threat to companies and individuals.

The attack was launched through exploits conducted on Windows Update and GitHub. The attackers were targeting unsuspecting users that were easily vulnerable to these exploits.

North Korean hacking group launching attacks

The attackers were exploiting fake documents using embedded macros designed to look similar to the Lockheed Martin employment details. After the macro is executed, the attacker exploits Windows update and GitHub to deliver payloads to user devices, thereby infecting the devices of unsuspecting users.

Lazarus group is a state-sponsored hacking group. It has been involved in a wide range of attacks in the past. Some of these attacks include one on WannaCry and several attacks on media outlets based in the US.

The attacks were done through Windows Update, where they delivered malicious payloads while using GitHub as the primary command and control (C2) server. While the attacks were initially random, they later diverted towards actual targets.

The Lazarus hacking group is affiliated with launching several campaigns that target various government institutions. Some of the target groups by these hackers include defence ministries, aerospace companies and civilian government contracting sectors. This shows that the hacking group could gain critical information about these agencies.

The report noted that the attack was a spear-phishing exploit. The attack was conducted using two MS Word documents that acted as decoys. The two documents had embedded macros under the names Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_cxonfidential.doc.

The documents in question were made to appear like they were valid job announcements from Lockheed Martin. However, the attackers configured these documents to lure attackers into opening and executing these documents.

Attacks were persistent

When an unsuspecting user opens and loads the document on their device, it will run malicious macros. The action will also contain a malware package that will complete a series of injections on the target device. By executing these attacks simultaneously, the attacker will be persistent and ensure that the objective is achieved.

The persistence of the attack was done during startups, ensuring that a device will execute the payloads and the attackers can gain access to the devices and launch their attacks.

The startup in question was done through a link file deployed during a Windows update. The announcement noted that the attack was executed through “wuauclt.exe.” in a Twitter post, the researchers added several details about the attack.

They noted that the attack “creates a hidden Windows/System32 directory and drops wuaueng.dll (through the dll looks benign.” They also added that “this could be related to #Lazarus $APT.”

The blog published by Malwarebytes Lab Threats Intelligence Team gives a comprehensive report of the features that comprised the attack. The researchers have step-by-step details of how the attackers launched these attacks.

This is not the first research by Malwarebytes that look into the Lazarus group affiliated with North Korea. Previously, these attacks by the Lazarus group have been noted through unique features. The researchers managed to link the current attack with this hacking group through previous components linked to the previous attacks.

The North Korea hacking group is popular for launching sophisticated attacks that contain various features. Some of these features include using job opportunity documents. These documents are well-designed, such that they will lure a user into executing the payloads without verifying the contents first.

The opportunity documents are usually branded with logos from various defence contractors. Some of the most used contractor icons in the job opportunity documents include Lockheed Martin, Northrop Grumman and Boeing.

The documents target job seekers who are desperate to find new opportunities in the defence and aerospace sectors. Having this target group ensures that there is a high chance that an unsuspecting user will execute these payloads on their devices.

Moreover, the metadata used in this exploit is similar to the metadata used in previous attacks conducted by the group. Additionally, the spear-phishing campaign also correlates with others happening in the past.

The activity of this group has been studied in the past. In April 2002, a Cyber Threat Advisory from the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security was released. The report notes that individuals should report any information related to North Korea in cyberspace. Those who report activities that will prevent any attacks against the US government will receive rewards of up to $5 million.