The North Korean state-sponsored group Lazarus used a trojanized pirated version of the popular IDA Pro reverse engineering software (which translates machine code into assembly language) to target security researchers with backdoors and remote access trojans.
IDA Pro lets security researchers analyze malicious software, and its debugger helps them find errors. According to the Slovak cybersecurity firm, “attackers bundled the original IDA Pro 7.5 software developed by [Hex-Rays] with two malicious components.”
During installation of the application, an internal module called “win_fw.dll” is executed. It then loads a second component, “idahelper.dll”, from the IDA plugins folder on the system. Once running, “idahelper.dll” connects to a remote server at “www[.]devguardmap[.]org” to obtain further payloads.
This server was previously tied to a similar North Korean campaign targeting security professionals, as Google’s Threat Analysis Group revealed earlier this year. The North Korean nation-state hacking group, also tracked as APT38, Hidden Cobra, Whois Hacking Team, and Zinc, has been active since at least 2009. In a more recent campaign, the group sent two documents, Lockheed Martin JobOpportunities.docx and Salary Lockheed Martin job opportunities confidential.doc, which were clearly aimed at people looking for work at Lockheed Martin.
Once the malicious macros are activated, the documents drop a WindowsUpdateConf.lnk file in the target endpoint’s startup folder and a DLL (wuaueng.dll) in the Windows/System32 folder. The .lnk file then launches the Windows Update Client, which starts the malicious DLL. To get past antivirus and other security controls, Lazarus runs its DLL through the Windows Update Client by passing the following arguments: /UpdateDeploymentProvider, the path to the malicious DLL, and /RunHandlerComServer.
Malwarebytes detected the most recent spear-phishing attempt on January 18, based on weaponized documents with job-themed lures impersonating Lockheed Martin, an American global security and aerospace company.
When the malicious Microsoft Word document is opened, it activates the macro embedded in the document, which executes Base64-decoded shellcode that injects malware into the “explorer.exe” process. One of the loaded files, “drops_lnk.dll”, then uses the Windows Update Client (“wuauclt.exe”) to run a command that loads a second module called “wuaueng.dll”; this is a defense evasion technique that blends malicious activity with trusted Windows software.
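The Windows Update Client abuse described above is easy to spot in process-creation telemetry once you know the argument pattern. The following is an added detection example, not code from the article or from the firms it cites; it assumes Sysmon-style field names (Image, ParentImage, CommandLine) and treats the parent-process allowlist and the sample events as constructed assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# Event index 1 mirrors the article: wuauclt.exe launched outside the update service
# and told to load a DLL named wuaueng.dll via /UpdateDeploymentProvider.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer'},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\wuauclt.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "wuauclt.exe /detectnow"},
]

# Assumption: on a healthy host the update client is spawned by the service host,
# not by a user shell, an Office process or a startup-folder shortcut.
EXPECTED_PARENTS = {"svchost.exe", "services.exe"}

DLL_ARG = re.compile(r'/UpdateDeploymentProvider\s+("[^"]+"|\S+)', re.IGNORECASE)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return a finding dict for the DLL-loading invocation, or None if the event is not one."""
    if basename(event["Image"]) != "wuauclt.exe":
        return None
    cmd = event["CommandLine"]
    match = DLL_ARG.search(cmd)
    if not match or "/runhandlercomserver" not in cmd.lower():
        return None  # ordinary update-client activity, not the COM-handler DLL load
    dll = match.group(1).strip('"')
    finding = {"dll": dll, "severity": "medium",
               "reasons": ["wuauclt.exe loading a DLL via /UpdateDeploymentProvider and /RunHandlerComServer"]}
    parent = basename(event["ParentImage"])
    # The DLL name alone is a weak signal: the article's sample deliberately borrows the
    # legitimate name wuaueng.dll, so the launching process is the stronger indicator.
    if parent not in EXPECTED_PARENTS:
        finding["severity"] = "high"
        finding["reasons"].append(f"unexpected parent process: {parent}")
    return finding

def scan(events):
    """Evaluate every event; return (index, finding) pairs for the ones worth triage."""
    hits = []
    for i, event in enumerate(events):
        finding = evaluate(event)
        if finding:
            hits.append((i, finding))
    return hits
```

Every /UpdateDeploymentProvider launch is surfaced so an analyst can confirm the DLL on disk, while the parent-process check raises the startup-shortcut and macro-driven cases to high severity.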
This isn’t the first time the Windows Update Client has been used to spread malware; MDSec researcher David Middlehurst reported the technique being abused in October 2020. We’ll have to wait and see what Microsoft does about it, but meanwhile be cautious when opening email attachments, especially ones that ask you to enable macros.
If you receive an email with attachments that appears to be legitimate but you are unsure, turn to our blog and use the methods described there to assess the attachments.
Researchers concluded that “Lazarus APT is one of the advanced APT groups known to target the military industry. In order to escape security systems, the organization is constantly improving its toolkit.”