The notorious Lazarus Group has launched a new campaign that uses the Windows Update service to execute its malicious payloads, expanding the set of living-off-the-land (LotL) techniques the APT group uses to achieve its goals. The latest spear-phishing attack, detected by Malwarebytes on January 18, begins with job-themed lure documents that are weaponized and pose as material from the U.S. global security and aerospace company Lockheed Martin. Researchers note that Lazarus uses the Windows Update client to run its malicious DLLs, an interesting technique that bypasses security detection mechanisms. Evidence linking this activity to past attacks by the same actors includes infrastructure overlaps, document metadata, and the use of job-offer templates to target victims.
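As an added detection example (not code from the article or from Malwarebytes), the following script scans constructed Sysmon-style process-creation events for the Windows Update client being told to load a handler DLL from outside the Windows directory. It assumes the publicly documented `wuauclt.exe /UpdateDeploymentProvider` switch, which the article itself does not name, and a default `C:\Windows` system root; the event lines and the DLL name are constructed samples, not indicators from the campaign.

```python
import json
import ntpath
import re

# Directory a legitimate update-handler DLL is expected to live under.
# Assumption: default %SystemRoot%; adjust for non-standard installs.
SYSTEM_ROOT = ntpath.normcase("C:\\Windows\\")

# Switch by which wuauclt.exe loads a handler DLL (publicly documented
# living-off-the-land behaviour; the article does not name the switch).
DLL_SWITCH = re.compile(r'/UpdateDeploymentProvider\s+"?([^"\s]+)"?', re.IGNORECASE)

# Constructed sample events in a Sysmon-like JSON shape; illustrative only,
# not telemetry from the actual campaign.
SAMPLE_EVENTS = [
    r'{"Image":"C:\\Windows\\System32\\wuauclt.exe","CommandLine":"wuauclt.exe /detectnow","ParentImage":"C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image":"C:\\Windows\\System32\\wuauclt.exe","CommandLine":"wuauclt.exe /UpdateDeploymentProvider C:\\Users\\Public\\updhandler.dll /RunHandlerComServer","ParentImage":"C:\\Windows\\explorer.exe"}',
    r'{"Image":"C:\\Windows\\System32\\wuauclt.exe","CommandLine":"wuauclt.exe /UpdateDeploymentProvider C:\\Windows\\System32\\updhandler.dll /RunHandlerComServer","ParentImage":"C:\\Windows\\System32\\svchost.exe"}',
    r'{"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe"}',
]


def find_suspicious_wuauclt(event_lines):
    """Return one finding per event in which wuauclt.exe is instructed to load
    a handler DLL from outside %SystemRoot%, the pattern the article describes."""
    findings = []
    for line in event_lines:
        event = json.loads(line)
        if ntpath.basename(event.get("Image", "")).lower() != "wuauclt.exe":
            continue
        match = DLL_SWITCH.search(event.get("CommandLine", ""))
        if not match:
            continue  # ordinary client invocation, e.g. /detectnow
        dll = match.group(1)
        if ntpath.normcase(dll).startswith(SYSTEM_ROOT):
            continue  # DLL inside the Windows directory: expected location
        findings.append({
            "dll": dll,
            "parent": ntpath.basename(event.get("ParentImage", "")),
            "reason": "wuauclt.exe loading handler DLL from outside %SystemRoot%",
        })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_wuauclt(SAMPLE_EVENTS):
        print(finding)
```

The parent process is recorded alongside each hit so an analyst can weigh a launch from a user-facing process such as explorer.exe differently from one spawned by the Windows Update service host.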
https://thehackernews.com/2022/01/north-korean-hackers-using-windows.html
Dan Xu