North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign

Lazarus Group’s latest campaign is a spearphishing effort that uses Lockheed Martin-themed document lures to drop a multi-stage payload. The operation hijacks execution flow via the KernelCallbackTable, abuses the Windows Update client (wuauclt.exe) to run its malicious DLL, and uses GitHub as a covert C2 channel. #Lazarus #LockheedMartin #WindowsUpdateClient #GitHub

Keypoints

  • Spearphishing attacks weaponized with malicious documents themed around job opportunities at Lockheed Martin.
  • Two decoy documents masquerade as Lockheed Martin job opportunities: Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc.
  • Macros embedded in the documents initiate the attack and enable control-flow hijacking through KernelCallbackTable.
  • Attack chain involves multiple staged DLLs (stage1_winword.dll, stage2_explorer.dll, stage3_runtimebroker.dll, etc.) and sophisticated code injection into explorer.exe.
  • Windows Update Client (wuauclt.exe) is used to run malicious DLLs, bypassing some security controls.
  • GitHub is used as a C2/file distribution channel, including retrieval of modules and reporting results back to a repository.
  • IOCs include maldocs, domains like markettrendingcenter.com and lm-career.com, and a set of DLL/file hashes associated with the campaign.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – Attacker uses spearphishing with malicious documents masquerading as Lockheed Martin. – ‘The two decoy documents masquerading as American global security and aerospace giant Lockheed Martin.’ – ‘The two macro-embedded documents seem to be luring the targets about new job opportunities at Lockheed Martin.’
  • [T1036] Masquerading – The documents are crafted to appear as legitimate Lockheed Martin opportunities. – ‘two decoy documents masquerading as American global security and aerospace giant Lockheed Martin.’
  • [T1059.005] Visual Basic – Macros – Macros embedded in Word to initiate the infection. – ‘The attack starts by executing the malicious macros that are embedded in the Word document.’
  • [T1055] Process Injection – stage2_explorer.dll injected into explorer.exe. – ‘The winword.exe process injects this DLL into the explorer.exe process.’
  • [T1574] Hijack Execution Flow – KernelCallbackTable – Control-flow hijacking to execute payloads via KernelCallbackTable. – ‘control flow hijacking through the KernelCallbackTable… a call to NtQueryInformationProcess… to retrieve the KernelCallbackTable pointer.’
  • [T1218] Signed Binary Proxy Execution: Windows Update Client – Use of Windows Update client to run malicious DLLs. – ‘This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms.’
  • [T1071.001] Web Protocols – GitHub as C2 – GitHub used as a command-and-control channel. – ‘Rarely do we see malware using GitHub as C2…’ – ‘get_module_from_repo uses the hardcoded username, repo_name, directory, token to make a http request to GitHub and retrieves the files present in the “images” directory of the repository.’
  • [T1105] Ingress Tool Transfer – Downloading modules from GitHub – The malware fetches modules from a GitHub repo and executes them locally. – ‘The HTTP request retrieves contents of the files present in the repository… and maps the DLL into memory…’
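As an added illustration (not code from the original report or from Malwarebytes), the Python below sketches detection logic for the techniques mapped above, run over constructed Sysmon-like telemetry: wuauclt.exe launched with a DLL other than the stock UpdateDeploymentProvider.dll, winword.exe creating a remote thread in explorer.exe, and hash or domain matches against this page's IOC list. The /UpdateDeploymentProvider and /RunHandlerComServer switches are the documented wuauclt.exe LOLBin invocation; the System32 UpdateDeploymentProvider.dll baseline and the event field names are assumptions of this example.

```python
import re

# SHA256 values and domains taken from the IOC list on this page.
IOC_SHA256 = {
    "829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1",  # wuaueng.dll
    "660e60cc1fd3e155017848a1f6befc4a335825a6ae04f3416b9b148ff156d143",  # stage2_explorer.dll
    "c677a79b853d3858f8c8b86ccd8c76ebbd1508cc9550f1da2d30be491625b744",  # core_module.dll
}
IOC_DOMAINS = {"markettrendingcenter.com", "lm-career.com"}

# Assumption: a benign Windows Update invocation passes the stock
# %SystemRoot%\System32\UpdateDeploymentProvider.dll; any other DLL path is suspect.
LEGIT_PROVIDER = re.compile(r"^[a-z]:\\windows\\system32\\updatedeploymentprovider\.dll$", re.I)
PROVIDER_ARG = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.I)

def check_event(ev):
    """Return the names of the rules this one telemetry event trips (empty if benign)."""
    hits = []
    kind, image = ev.get("type"), ev.get("image", "").lower()
    if kind == "process_create" and image.endswith("\\wuauclt.exe"):
        m = PROVIDER_ARG.search(ev.get("cmdline", ""))
        if m and not LEGIT_PROVIDER.match(m.group(1) or m.group(2)):
            hits.append("wuauclt_proxy_dll")            # T1218 via wuauclt.exe
    if kind == "remote_thread" and ev.get("source", "").lower().endswith("\\winword.exe") and ev.get("target", "").lower().endswith("\\explorer.exe"):
        hits.append("winword_to_explorer_injection")    # T1055: stage2 DLL into explorer.exe
    if kind == "dns_query" and ev.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        hits.append("ioc_domain")
    if ev.get("sha256", "").lower() in IOC_SHA256:      # image-load / file-create hashes
        hits.append("ioc_hash")
    return hits

def scan(events):
    return [(ev["id"], rule) for ev in events for rule in check_event(ev)]

# Constructed sample telemetry in a Sysmon-like shape; not real logs from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\UpdateDeploymentProvider.dll /RunHandlerComServer"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System32\wuauclt.exe",
     "cmdline": r'wuauclt.exe /UpdateDeploymentProvider "C:\Users\Public\wuaueng.dll" /RunHandlerComServer'},
    {"id": 3, "type": "remote_thread", "source": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Windows\explorer.exe"},
    {"id": 4, "type": "image_load", "image": r"C:\Windows\explorer.exe",
     "sha256": "660e60cc1fd3e155017848a1f6befc4a335825a6ae04f3416b9b148ff156d143"},
    {"id": 5, "type": "dns_query", "query": "markettrendingcenter.com"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 1 is the benign baseline and produces no finding; the remaining events each trip exactly one rule.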

Indicators of Compromise

  • [File hash] 0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b – Lockheed_Martin_JobOpportunities.docx (malicious doc)
  • [File hash] 0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1 – Salary_Lockheed_Martin_job_opportunities_confidential.doc
  • [Domain] markettrendingcenter.com – C2/resource hosting domain used by the campaign
  • [Domain] lm-career.com – Related domain used in the campaign
  • [File hash] 4216f63870e2cdfe499d09fce9caa301f9546f60a69c4032cb5fb6d5ceb9af32 – readme.png (embedded malicious module)
  • [File hash] 829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1 – wuaueng.dll
  • [File hash] f14b1a91ed1ecd365088ba6de5846788f86689c6c2f2182855d5e0954d62af3b – stage1_winword.dll
  • [File hash] 660e60cc1fd3e155017848a1f6befc4a335825a6ae04f3416b9b148ff156d143 – stage2_explorer.dll
  • [File hash] 11b5944715da95e4a57ea54968439d955114088222fd2032d4e0282d12a58abb – drops_lnk.dll
  • [File hash] 9d18defe7390c59a1473f79a2407d072a3f365de9834b8d8be25f7e35a76d818 – stage3_runtimebroker.dll
  • [File hash] c677a79b853d3858f8c8b86ccd8c76ebbd1508cc9550f1da2d30be491625b744 – core_module.dll
  • [File hash] 5098ec21c88e14d9039d232106560b3c87487b51b40d6fef28254c37e4865182 – GetBaseInfo.dll

Read more: https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/