When you open the malicious Microsoft Word document, it triggers the macro embedded in the document, which executes a Base64-decoded shellcode that injects malware into the “explorer.exe” process. One of the loaded files, “drops_lnk.dll”, then uses the Windows Update Client (“wuauclt.exe”) to run a command that loads a second module called “wuaueng.dll”. Running the payload through wuauclt.exe is a defense evasion technique: the malicious activity is blended with trusted Windows software so that it draws less attention from users and security tools.
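The chain above gives a defender two observable points: an Office application spawning a child process (the usual footprint of a malicious macro), and wuauclt.exe being handed a DLL that does not live under the Windows directory. The following script is an added example, not code from the original post or from the cited reporting. It parses constructed process-creation events in a Sysmon Event ID 1 style (the pipe-separated key=value layout, the sample lines, the rule names and the assumption that the system drive is C: are all mine) and reports which rule fires for each event; the exact command-line switches used by the real campaign are deliberately omitted from the sample, since the detection keys on the DLL path rather than on the switches.

```python
import re

# Office images whose child processes deserve a closer look (assumption: list
# is illustrative, not exhaustive).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Windows-style absolute path ending in .dll, anywhere in a command line.
DLL_PATH_RE = re.compile(r'([A-Za-z]:\\[^\s"]+\.dll)', re.IGNORECASE)

# Constructed sample events (Sysmon Event ID 1 style, pipe-separated
# key=value fields). None of these lines are real telemetry; the command-line
# switches in event 3 are replaced by "[args omitted]".
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\wuauclt.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=wuauclt.exe /detectnow",
    "EventID=1|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|ParentImage=C:\\Windows\\explorer.exe|CommandLine=WINWORD.EXE /n C:\\Users\\alice\\Downloads\\offer.docm",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine=cmd.exe /c whoami",
    "EventID=1|Image=C:\\Windows\\System32\\wuauclt.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=wuauclt.exe [args omitted] C:\\Users\\Public\\wuaueng.dll",
    "EventID=1|Image=C:\\Windows\\System32\\wuauclt.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=wuauclt.exe [args omitted] C:\\Windows\\System32\\wuaueng.dll",
]


def parse_event(line: str) -> dict:
    """Split one pipe-separated key=value event line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash component)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_under_windows_dir(path: str) -> bool:
    """True if the path sits below the Windows directory (assumes drive C:)."""
    return path.replace("/", "\\").lower().startswith("c:\\windows\\")


def flag_event(ev: dict) -> list:
    """Return the names of the rules that fire for one parsed event."""
    hits = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")

    # Rule 1: an Office application spawning a child process is how a
    # malicious macro usually reaches the rest of the system.
    if parent in OFFICE_IMAGES:
        hits.append("office_spawned_child")

    # Rule 2: wuauclt.exe given a DLL path outside the Windows directory,
    # the "blend with trusted software" step described in the post.
    if image == "wuauclt.exe":
        for match in DLL_PATH_RE.finditer(cmdline):
            if not is_under_windows_dir(match.group(1)):
                hits.append("wuauclt_loads_non_windows_dll")
                break
    return hits


def scan(lines) -> list:
    """Return (event index, fired rules) for every event that triggers a rule."""
    findings = []
    for idx, line in enumerate(lines):
        hits = flag_event(parse_event(line))
        if hits:
            findings.append((idx, hits))
    return findings


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Events 0, 1 and 4 stay quiet: a plain Windows Update run, Word being launched by Explorer, and a DLL that lives under C:\Windows are all ordinary. Event 2 (cmd.exe under Word) and event 3 (wuauclt.exe pointed at a DLL in a user-writable directory) are the two stages a SOC would want to alert on; in a real deployment the second rule would be fed from Sysmon or EDR process-creation telemetry rather than from a hard-coded list.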
This isn’t the first time the Windows Update Client has been used to spread malware; MDSec researcher David Middlehurst found the technique being exploited in October 2020. We’ll have to wait and see what Microsoft does about it, but in the meantime be cautious with email attachments, especially those that ask you to enable macros.
If you receive an email with an attachment that appears legitimate but you are unsure about it, turn to our blog and use the methods described there to assess the attachment.
Finally, researchers reported that “Lazarus APT is one of the advanced APT groups known to target the military industry. In order to escape security systems, the organization is constantly improving its toolkit.”
References:
shamili0508. (2022, January 29). North Korean hackers are infecting PCs with malware through the Windows Update service. CyberWorkx. Retrieved February 2, 2022, from https://cyberworkx.in/2022/01/29/north-korean-hackers-are-infecting-pcs-with-malware-through-the-windows-update-service/
North Korean hackers target cybersecurity researchers with Trojanized IDA Pro. The Hacker News. (2021, November 15). Retrieved February 2, 2022, from https://thehackernews.com/2021/11/north-korean-hackers-target.html