North Korean hackers started spreading virus via Windows Update


According to cybersecurity firm Malwarebytes Labs, North Korean hacking group Lazarus uses Windows Update to inject malicious code into victims’ computers. This allows attackers to bypass basic security mechanisms and use GitHub as a server to spread malicious code.

Image source: Shutterstock


Last week, Malwarebytes’ threat intelligence team discovered an attack using two Word documents linked to fake jobs at aerospace company Lockheed Martin. Lazarus’ goal is to infiltrate US government structures involved in the defense and aerospace industries and steal as much classified data as possible.

The documents used in the attacks are Salary_Lockheed_Martin_Jobs_Confidential.doc and Lockheed_Martin_Vacancies.docx. As their names suggest, both are meant to lure victims with the prospect of a job at Lockheed Martin. Malicious macros embedded in the Word documents begin infiltrating the system as soon as the file is opened and immediately hook into the computer’s startup mechanism so that a reboot does not interrupt the malware. Notably, one stage of the infection uses the Windows Update client to install malicious DLLs. This is a clever choice: because the update client is a legitimate, signed Windows binary, code it loads slips past most security measures.
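The two behaviours described above give a defender two concrete things to look for in process-creation telemetry: an Office application spawning the Windows Update client, and the update client being pointed at a DLL that lives outside the Windows system directories. The script below is an added illustration written for this article, not code from Malwarebytes or from the Lazarus tooling. It assumes the widely documented pattern in which wuauclt.exe is handed a DLL via the /UpdateDeploymentProvider switch (the article itself does not name the switch, so that mechanism is an assumption here), and it runs over a handful of constructed Sysmon-style events rather than real logs.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative records, not real telemetry from any incident.
SAMPLE_EVENTS = [
    {   # benign: the update client started by the service host as usual
        "image": r"C:\Windows\System32\wuauclt.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": "wuauclt.exe /detectnow",
    },
    {   # suspicious: update client told to load a DLL from a user-writable path
        "image": r"C:\Windows\System32\wuauclt.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r"wuauclt.exe /UpdateDeploymentProvider C:\Users\Public\wuaueng.dll /RunHandlerComServer",
    },
    {   # suspicious: a Word process launching the update client at all
        "image": r"C:\Windows\System32\wuauclt.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "command_line": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer",
    },
]

# Office processes that have no business spawning the update client.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# DLL locations the update client may legitimately load from (assumption for
# this example; tune to your environment).
TRUSTED_DLL_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Capture the argument following /UpdateDeploymentProvider, quoted or bare.
DEPLOYMENT_PROVIDER_RE = re.compile(
    r'/UpdateDeploymentProvider\s+("[^"]+"|\S+)', re.IGNORECASE
)


def extract_provider_dll(command_line):
    """Return the DLL path passed to /UpdateDeploymentProvider, or None."""
    match = DEPLOYMENT_PROVIDER_RE.search(command_line)
    if match is None:
        return None
    return match.group(1).strip('"')


def is_trusted_dll_path(path):
    """True when the DLL sits under one of the trusted system directories."""
    normalised = path.lower().replace("/", "\\")
    return any(normalised.startswith(root + "\\") for root in TRUSTED_DLL_ROOTS)


def classify_event(event):
    """Return a list of reasons this event is suspicious (empty if benign)."""
    reasons = []
    image_name = PureWindowsPath(event["image"]).name.lower()
    if image_name != "wuauclt.exe":
        return reasons

    # Check 1: the update client should not be a child of an Office application.
    parent_name = PureWindowsPath(event["parent_image"]).name.lower()
    if parent_name in OFFICE_PARENTS:
        reasons.append(f"office-parent:{parent_name}")

    # Check 2: any provider DLL outside the system directories is untrusted.
    dll = extract_provider_dll(event["command_line"])
    if dll is not None and not is_trusted_dll_path(dll):
        reasons.append(f"untrusted-provider-dll:{dll}")
    return reasons


def scan(events):
    """Map the index of each flagged event to its list of reasons."""
    flagged = {}
    for index, event in enumerate(events):
        reasons = classify_event(event)
        if reasons:
            flagged[index] = reasons
    return flagged


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(reasons)}")
```

The two checks are deliberately independent: the parent-process rule catches the macro-to-update-client hop regardless of which DLL is named, while the path rule catches the update client being pointed at attacker-controlled code even when it is launched from a shell or scheduled task rather than directly from Word.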

Notably, Lazarus has a history of performing attacks codenamed “Dream Job.” The hackers tricked officials into thinking they were being hired by large global corporations while stealing data from their workstations. This campaign was a huge success, allowing attackers to infiltrate the networks of dozens of government organizations around the world.


About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.
