The hacking group Lazarus, which is believed to be backed by North Korea, is now using an interesting technique to run malware on the target computers. The new technique was discovered by the Malwarebytes Threat Intelligence Team as a result of analyzing the campaign.
Don’t open Lockheed Martin related Word files
The malware comes with e-mail, in a Word file, runs with Windows startup, hides behind Windows Update
The Lazarus team is sending e-mails containing Microsoft Word files with the extensions of .doc or .docx. The current campaign impersonates Lockheed Martin where the company announces the job opportunities. The Word files’ names are “Lockheed_Martin_JobOpportunities.docx” and “Salary_Lockheed_Martin_job_opportunities_confidential.doc” to take attention of the victim.
As the user clicks one of those and allows macro execution, the macro creates a WindowsUpdateConf.lnk file in the Windows Startup folder. It also delivers a wuaueng.dll file into the System32 folder. When the .lnk file is run, it launches Windows Update to use the malicious .dll file in the System32 folder. The .lnk file is placed in the Startup folder to be able to start consistently since the files in that folder will run every time Windows starts.
Malwarebytes researchers state that the technique can bypass the security detection mechanisms; In normal circumstances, Windows Update is indeed a trustful source. However, this case shows us that the curiosity of Lockheed Martin’s salaries can make Windows Update a tool for hackers.