Windows Updates are used to spread malware by Lazarus hackers
Published on January 28, 2022
Key notes
Owning an official, up-to-date copy of the Windows operating system gives us a certain degree of safety, considering that we get security updates on a regular basis.
But have you ever thought that the updates themselves could be used against us one day? Well, it seems that day has finally come, and experts warn us about the possible implications.
Recently, the North Korean hacking group known as Lazarus managed to use the Windows Update client to execute malicious code on Windows systems.
North Korean hacker group compromised Windows Updates
Now, you’re probably wondering in what circumstances this latest ingenious cyberattack scheme was uncovered.
The Malwarebytes Threat Intelligence team did, while analyzing a January spearphishing campaign impersonating the American security and aerospace company Lockheed Martin.
Attackers instrumenting this campaign made sure that, after the victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the startup folder and a DLL file (wuaueng.dll) in a hidden Windows/System32 folder.
The next step is for the LNK file to be used to launch the WSUS / Windows Update client (wuauclt.exe) to execute a command that loads the attackers’ malicious DLL.
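The two-step chain described above (an Office macro dropping a shortcut into the Startup folder, then wuauclt.exe being used to load a DLL that is not its own) leaves a recognisable footprint in process-creation and file-creation telemetry. The following detection script is an added example written for this page, not code from Windows Report or from Malwarebytes. The log lines are constructed Sysmon-style events (EventID 1 for process creation, EventID 11 for file creation) in a simplified key=value form; the file paths in them are invented. The /UpdateDeploymentProvider and /RunHandlerComServer switches in the sample command lines come from public LOLBAS documentation of wuauclt.exe, not from this article, and the legitimate Windows Update invocation loads UpdateDeploymentProvider.dll from System32, which is why the rule treats that one name as benign.

```python
"""Flag the two observable steps of the wuauclt.exe DLL-loading technique:
1. wuauclt.exe told to load a DLL other than its own UpdateDeploymentProvider.dll,
   or started by something other than the Windows Update service host;
2. an Office application writing a shortcut into a user's Startup folder.
Events are constructed samples, not real telemetry."""
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (simplified key=value form; values with spaces are quoted).
SAMPLE_EVENTS = [
    # Benign: the Windows Update service host running wuauclt.exe with its own DLL.
    r'EventID=1 Image=C:\Windows\System32\wuauclt.exe ParentImage=C:\Windows\System32\svchost.exe '
    r'CommandLine="wuauclt.exe /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer"',
    # Suspicious: explorer.exe (Startup-folder shortcut) launching wuauclt.exe with a foreign DLL.
    r'EventID=1 Image=C:\Windows\System32\wuauclt.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\drivers\wuaueng.dll /RunHandlerComServer"',
    # Suspicious: Word writing a .lnk into the Startup folder (macro drop).
    r'EventID=11 Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'TargetFilename="C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdateConf.lnk"',
    # Benign: a user-created desktop shortcut.
    r'EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\Desktop\notes.lnk',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value with spaces"
_DLL = re.compile(r'[^\s"]+\.dll', re.IGNORECASE)  # any DLL-looking token on a command line

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def basename(path):
    return PureWindowsPath(path).name.lower() if path else ""


def check_wuauclt(ev):
    """Rule 1: wuauclt.exe loading a DLL that is not its own, or with an unexpected parent."""
    reasons = []
    if ev.get("EventID") != "1" or basename(ev.get("Image")) != "wuauclt.exe":
        return reasons
    for token in _DLL.findall(ev.get("CommandLine", "")):
        p = PureWindowsPath(token)
        # A bare name resolves from System32; an absolute path must point there too.
        in_system32 = (not p.is_absolute()) or str(p.parent).lower().endswith("\\windows\\system32")
        if p.name.lower() != "updatedeploymentprovider.dll" or not in_system32:
            reasons.append(f"wuauclt.exe asked to load non-standard DLL {token}")
    parent = basename(ev.get("ParentImage"))
    if parent != "svchost.exe":
        reasons.append(f"wuauclt.exe started by {parent} rather than the Windows Update service host")
    return reasons


def check_startup_lnk(ev):
    """Rule 2: an Office process creating a shortcut inside a Startup folder."""
    reasons = []
    if ev.get("EventID") != "11":
        return reasons
    target = ev.get("TargetFilename", "")
    image = basename(ev.get("Image"))
    if STARTUP_MARKER in target.lower() and target.lower().endswith(".lnk") and image in OFFICE_APPS:
        reasons.append(f"{image} wrote a shortcut into the Startup folder: {target}")
    return reasons


def analyze(lines):
    """Return {event_index: [reasons]} for every event that trips a rule."""
    findings = {}
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        reasons = check_wuauclt(ev) + check_startup_lnk(ev)
        if reasons:
            findings[idx] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in analyze(SAMPLE_EVENTS).items():
        print(f"event {idx}:")
        for r in reasons:
            print("  -", r)
```

Running it flags only events 1 and 2: the first because wuauclt.exe was both started by explorer.exe and pointed at a DLL outside its normal location, the second because WINWORD.EXE created a Startup-folder shortcut. Real Sysmon output is XML or JSON rather than key=value lines, so only parse_event would need adapting; the two rules operate on field values and carry over unchanged.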
The team behind uncovering these attacks linked them to Lazarus based on existing evidence, including infrastructure overlaps, document metadata, and targeting similar to previous campaigns.
Lazarus keeps updating its toolset to evade security mechanisms and will surely continue to do so, by employing techniques such as the use of KernelCallbackTable to hijack the control flow and execute shellcode.
Couple that with the use of the Windows Update client for malicious code execution, along with GitHub for C2 communication, and you have the recipe for a complete and utter disaster.
Now that you know that this threat is real, you can take more safety precautions and avoid falling victim to malicious third parties.
Has your machine ever been infected with dangerous malware through a Windows update? Share your experience with us in the comments section below.
Alexandru Poloboc
Tech Journalist
With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor, as well as TV and radio entertainment show host.
A certified gadget freak, he always feels the need to surround himself with next-generation electronics.
When he is not working, he splits his free time between making music, gaming, playing football, basketball and taking his dogs on adventures.