{"id":18137,"date":"2022-02-02T11:11:01","date_gmt":"2022-02-02T19:11:01","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11870\/"},"modified":"2022-02-02T11:11:01","modified_gmt":"2022-02-02T19:11:01","slug":"news-11870","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11870\/","title":{"rendered":"North Korea&#8217;s Lazarus APT leverages Windows Update client, GitHub in latest campaign"},"content":{"rendered":"<p><strong>Credit to Author: Threat Intelligence Team | Date: Thu, 27 Jan 2022 16:20:16 +0000<\/strong><\/p>\n<p><em>This blog was authored by Ankur Saini and Hossein Jazi<\/em><\/p>\n<p>Lazarus Group is one of the most sophisticated North Korean APTs and has been active since 2009. The group is responsible for many high-profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a <a href=\"https:\/\/twitter.com\/h2jazi\/status\/1483521532433473536\">new campaign<\/a> on Jan 18th 2022. <\/p>\n<p>In this campaign, Lazarus conducted spear-phishing attacks weaponized with malicious documents that use their <a href=\"https:\/\/www.clearskysec.com\/wp-content\/uploads\/2020\/08\/Dream-Job-Campaign.pdf\">known job opportunities theme<\/a>. We identified two decoy documents masquerading as American global security and aerospace giant Lockheed Martin. <\/p>\n<p>In this blog post, we provide a technical analysis of this latest attack, including a clever use of Windows Update to execute the malicious payload and of GitHub as a command and control server. 
We have reported the rogue GitHub account for harmful content.<\/p>\n<h2>Analysis<\/h2>\n<p>The two macro-embedded documents seem to lure targets with new job opportunities at Lockheed Martin:<\/p>\n<ul>\n<li>Lockheed_Martin_JobOpportunities.docx<\/li>\n<li>Salary_Lockheed_Martin_job_opportunities_confidential.doc<\/li>\n<\/ul>\n<p>The compilation time for both of these documents is 2020-04-24, but we have enough indicators that confirm that they have been used in a campaign around late December 2021 and early 2022. Some of the indicators that show this attack operated recently are the domains used by the threat actor. <\/p>\n<p>Both of the documents use the same attack theme and share some features, such as embedded macros, but the full attack chain seems to be totally different. The analysis provided in this blog is mainly based on the &#8220;Lockheed_Martin_JobOpportunities.docx&#8221; document, but we also provide a brief analysis of the second document (Salary_Lockheed_Martin_job_opportunities_confidential.doc) at the end of this blog.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1.jpg\" data-rel=\"lightbox-image-0\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53942\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-9-56-22-pm-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1.jpg\" data-orig-size=\"1592,896\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-9.56.22-PM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-300x169.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-600x338.jpg\" loading=\"lazy\" width=\"1592\" height=\"896\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1.jpg\" alt=\"\" class=\"wp-image-53942\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1.jpg 1592w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-300x169.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-600x338.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-1536x864.jpg 1536w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-900x506.jpg 900w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.56.22-PM-1-400x225.jpg 400w\" sizes=\"auto, (max-width: 1592px) 100vw, 1592px\" \/><\/a><figcaption>Figure 1: <em>Document Preview<\/em><\/figcaption><\/figure>\n<\/div>\n<h3>Attack Process<\/h3>\n<p>The below image shows the full attack process which we will discuss in detail in this article. 
The attack starts by executing the malicious macros that are embedded in the Word document. The malware performs a series of injections and achieves startup persistence in the target system. In the next section we will provide technical details about various stages of this attack and its payload capabilities.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1.jpg\" data-rel=\"lightbox-image-1\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53943\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-4-44-58-pm-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1.jpg\" data-orig-size=\"1828,1166\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-4.44.58-PM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-300x191.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-600x383.jpg\" loading=\"lazy\" width=\"1828\" height=\"1166\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1.jpg\" 
alt=\"\" class=\"wp-image-53943\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1.jpg 1828w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-300x191.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-600x383.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.44.58-PM-1-1536x980.jpg 1536w\" sizes=\"auto, (max-width: 1828px) 100vw, 1828px\" \/><\/a><figcaption>Figure 2: <em>Attack Process<\/em><\/figcaption><\/figure>\n<\/div>\n<h3>Macros: Control flow hijacking through KernelCallbackTable<\/h3>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-12.08.26-AM-1.jpg\" data-rel=\"lightbox-image-2\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53944\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-12-08-26-am-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-12.08.26-AM-1.jpg\" data-orig-size=\"1370,850\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-12.08.26-AM-1\" data-image-description=\"\" data-image-caption=\"\" 
data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-12.08.26-AM-1-300x186.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-12.08.26-AM-1-600x372.jpg\" loading=\"lazy\" width=\"1370\" height=\"850\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-12.08.26-AM-1.jpg\" alt=\"\" class=\"wp-image-53944\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-12.08.26-AM-1.jpg 1370w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-12.08.26-AM-1-300x186.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-12.08.26-AM-1-600x372.jpg 600w\" sizes=\"auto, (max-width: 1370px) 100vw, 1370px\" \/><\/a><figcaption>Figure 3: <em>Macros Snippet<\/em><\/figcaption><\/figure>\n<\/div>\n<p>The above code uses a very unusual and lesser-known technique to hijack the control flow and execute malicious code. The malware retrieves the address of the <em>&#8220;WMIsAvailableOffline&#8221;<\/em> function from <em>&#8220;wmvcore.dll&#8221;<\/em>, then changes the memory protection of the code in <em>&#8220;WMIsAvailableOffline&#8221;<\/em> and overwrites that code in memory with the malicious base64-decoded shellcode. <\/p>\n<p>Another interesting thing happening in the above code is the control-flow hijacking through the <em>KernelCallbackTable<\/em> member of the <em>PEB<\/em>. 
A call to <em>NtQueryInformationProcess<\/em> is made with the <em>ProcessBasicInformation<\/em> class as the parameter, which lets the malware retrieve the address of the <em>PEB<\/em> and thus the <em>KernelCallbackTable<\/em> pointer.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-3.18.11-AM-1.jpg\" data-rel=\"lightbox-image-3\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53945\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-3-18-11-am-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-3.18.11-AM-1.jpg\" data-orig-size=\"1060,318\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-3.18.11-AM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-3.18.11-AM-1-300x90.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-3.18.11-AM-1-600x180.jpg\" loading=\"lazy\" width=\"1060\" height=\"318\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-3.18.11-AM-1.jpg\" alt=\"\" class=\"wp-image-53945\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-3.18.11-AM-1.jpg 1060w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-3.18.11-AM-1-300x90.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-3.18.11-AM-1-600x180.jpg 600w\" sizes=\"auto, (max-width: 1060px) 100vw, 1060px\" \/><\/a><figcaption>Figure 4: <em>KernelCallbackTable in memory<\/em><\/figcaption><\/figure>\n<\/div>\n<p><em>KernelCallbackTable<\/em> is initialized to an array of <em>callback<\/em> functions when <em>user32.dll<\/em> is loaded into memory; these callbacks are invoked whenever the process makes a graphical (GDI) call. To hijack the control flow, the malware replaces the <em>USER32!_fnDWORD<\/em> callback in the table with the malicious <em>WMIsAvailableOffline<\/em> function. Once the flow is hijacked and the malicious code has executed, the rest of the code restores the <em>KernelCallbackTable<\/em> to its original state.<\/p>\n<h3>Shellcode Analysis<\/h3>\n<p>The shellcode loaded by the macro contains an encrypted DLL which is decrypted at runtime and then manually mapped into memory by the shellcode. After mapping the DLL, the shellcode jumps to the entry point of that DLL. The shellcode uses a custom hashing method to resolve the APIs. We used <a href=\"https:\/\/github.com\/hasherezade\/hollows_hunter\" target=\"_blank\" rel=\"noreferrer noopener\">hollows_hunter<\/a> to dump the DLL and reconstruct the IAT once it is fully mapped into memory. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.40.42-AM.jpg\" data-rel=\"lightbox-image-4\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53946\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-4-40-42-am\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.40.42-AM.jpg\" data-orig-size=\"1480,964\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-4.40.42-AM\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.40.42-AM-300x195.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.40.42-AM-600x391.jpg\" loading=\"lazy\" width=\"1480\" height=\"964\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.40.42-AM.jpg\" alt=\"\" class=\"wp-image-53946\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.40.42-AM.jpg 1480w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.40.42-AM-300x195.jpg 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.40.42-AM-600x391.jpg 600w\" sizes=\"auto, (max-width: 1480px) 100vw, 1480px\" \/><\/a><figcaption>Figure 5: <em>API resolving<\/em><\/figcaption><\/figure>\n<\/div>\n<p>The hashing function accepts two parameters: the hash of the DLL and the hash of the function we are looking for in that DLL. A very simple algorithm is used for hashing APIs. The following code block shows this algorithm: <\/p>\n<pre class=\"wp-block-code\"><code># Reference re-implementation of the API-name hashing used by the shellcode.\n# Note: Python ints do not wrap, whereas a native implementation truncates\n# the value to its register width.\ndef string_hashing(name):\n    hash = 0\n    for i in range(0, len(name)):\n        # OR with 0x60 folds ASCII upper-case letters to lower-case, so the\n        # hash is case-insensitive for export names; then accumulate and double.\n        hash = 2 * (hash + (ord(name[i]) | 0x60))\n    return hash<\/code><\/pre>\n<p>The shellcode and all the subsequent inter-process Code\/DLL injections in the attack chain use the same injection method, described below.<\/p>\n<h3>Code Injection<\/h3>\n<p>The injection function is responsible for resolving all the required API calls. It then opens a handle to the target process using the <em>OpenProcess<\/em> API. It uses the <em>SizeOfImage<\/em> field in the NT header of the DLL to be injected to allocate space in the target process, along with a separate space for the <em>init_dll<\/em> function. The purpose of the <em>init_dll<\/em> function is to initialize the injected DLL and then pass the control flow to the entry point of the DLL. 
One thing to note here is that a simple CreateRemoteThread call is used to start a thread inside the target process, unlike the KernelCallbackTable technique used in the macro.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1.jpg\" data-rel=\"lightbox-image-5\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53947\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-2-55-32-pm-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1.jpg\" data-orig-size=\"2198,696\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-2.55.32-PM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1-300x95.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1-600x190.jpg\" loading=\"lazy\" width=\"2198\" height=\"696\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1.jpg\" alt=\"\" class=\"wp-image-53947\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1.jpg 2198w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1-300x95.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1-600x190.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1-1536x486.jpg 1536w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-2.55.32-PM-1-2048x649.jpg 2048w\" sizes=\"auto, (max-width: 2198px) 100vw, 2198px\" \/><\/a><figcaption>Figure 6: <em>Target Process Injection through CreateRemoteThread<\/em><\/figcaption><\/figure>\n<\/div>\n<h3>Malware Components<\/h3>\n<ul>\n<li><em>stage1_winword.dll<\/em> &#8211; This is the DLL which is mapped inside the Word process. This DLL is responsible for restoring the original state of <em>KernelCallbackTable<\/em> and then injecting <em>stage2_explorer.dll<\/em> into the <em>explorer.exe<\/em> process.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1.jpg\" data-rel=\"lightbox-image-6\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53948\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-9-27-46-pm-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1.jpg\" data-orig-size=\"1784,132\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-9.27.46-PM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1-300x22.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1-600x44.jpg\" loading=\"lazy\" width=\"1784\" height=\"132\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1.jpg\" alt=\"\" class=\"wp-image-53948\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1.jpg 1784w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1-300x22.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1-600x44.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.27.46-PM-1-1536x114.jpg 1536w\" sizes=\"auto, (max-width: 1784px) 100vw, 1784px\" \/><\/a><figcaption>Figure 7: <em>Restoring KernelCallbackTable to original state<\/em><\/figcaption><\/figure>\n<\/div>\n<ul>\n<li><em>stage2_explorer.dll<\/em> &#8211; The <em>winword.exe<\/em> process injects this DLL into the <em>explorer.exe<\/em> process. A brief analysis shows that the .data section contains two additional DLLs. We refer to them as <em>drops_lnk.dll<\/em> and <em>stage3_runtimebroker.dll<\/em>. 
By analyzing <em>stage2_explorer.dll<\/em> a bit further we can easily understand the purpose of this DLL.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.24.42-PM-1.jpg\" data-rel=\"lightbox-image-7\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53949\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-4-24-42-pm-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.24.42-PM-1.jpg\" data-orig-size=\"1178,1134\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-4.24.42-PM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.24.42-PM-1-300x289.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.24.42-PM-1-600x578.jpg\" loading=\"lazy\" width=\"1178\" height=\"1134\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.24.42-PM-1.jpg\" alt=\"\" class=\"wp-image-53949\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.24.42-PM-1.jpg 1178w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.24.42-PM-1-300x289.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-4.24.42-PM-1-600x578.jpg 600w\" sizes=\"auto, (max-width: 1178px) 100vw, 1178px\" \/><\/a><figcaption>Figure 8: <em>stage2_explorer main routine<\/em><\/figcaption><\/figure>\n<\/div>\n<p>The above code snippet shows the main routine of <em>stage2_explorer<\/em>.dll. As you can see, it checks for the existence of &#8220;<em>C:\\W\u00edndows\\system32\\wuaueng.dll<\/em>&#8221; (note the accented \u00ed in W\u00edndows, which makes the directory look like the legitimate C:\\Windows) and, if the file does not exist, uses that path to drop additional files. It executes <em>drops_lnk.dll<\/em> in the current process and then tries to create the RuntimeBroker process; if it succeeds in creating RuntimeBroker, it injects <em>stage3_runtimebroker.dll<\/em> into the newly created process. If for some reason process creation fails, it just executes <em>stage3_runtimebroker.dll<\/em> in the current <em>explorer.exe<\/em> process.<\/p>\n<ul>\n<li><em>drops_lnk.dll<\/em> &#8211; This DLL is loaded and executed inside the <em>explorer.exe<\/em> process. It drops the lnk file (<em>WindowsUpdateConf.lnk<\/em>) into the startup folder, then checks for the existence of <em>wuaueng.dll<\/em> in the malicious directory and manually loads and executes it from disk if it exists. The lnk file (<em>WindowsUpdateConf.lnk<\/em>) executes <em>&#8220;C:\\Windows\\system32\\wuauclt.exe&#8221; \/UpdateDeploymentProvider C:\\W\u00edndows\\system32\\wuaueng.dll \/RunHandlerComServer<\/em>. This is an interesting technique used by Lazarus to run its malicious DLL through the Windows Update client in order to bypass security detection mechanisms. With this method, the threat actor can execute its malicious code through the Microsoft Windows Update client by passing the following arguments: \/UpdateDeploymentProvider, the path to the malicious DLL, and \/RunHandlerComServer after the DLL.  
<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.25-PM-2.jpg\" data-rel=\"lightbox-image-8\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53954\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-5-04-25-pm-2\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.25-PM-2.jpg\" data-orig-size=\"1430,134\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-5.04.25-PM-2\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.25-PM-2-300x28.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.25-PM-2-600x56.jpg\" loading=\"lazy\" width=\"1430\" height=\"134\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.25-PM-2.jpg\" alt=\"\" class=\"wp-image-53954\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.25-PM-2.jpg 1430w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.25-PM-2-300x28.jpg 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.25-PM-2-600x56.jpg 600w\" sizes=\"auto, (max-width: 1430px) 100vw, 1430px\" \/><\/a><figcaption>Figure 9: <em>Startup folder path<\/em><\/figcaption><\/figure>\n<\/div>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM.jpg\" data-rel=\"lightbox-image-9\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53950\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-5-04-37-pm\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM.jpg\" data-orig-size=\"1838,406\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-5.04.37-PM\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM-300x66.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM-600x133.jpg\" loading=\"lazy\" width=\"1838\" height=\"406\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM.jpg\" alt=\"\" class=\"wp-image-53950\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM.jpg 1838w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM-300x66.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM-600x133.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.04.37-PM-1536x339.jpg 1536w\" sizes=\"auto, (max-width: 1838px) 100vw, 1838px\" \/><\/a><figcaption>Figure 10: <em>WindowsUpdateConf lnk<\/em><\/figcaption><\/figure>\n<\/div>\n<ul>\n<li><em>stage3_runtimebroker.dll<\/em> &#8211; This DLL is responsible for creating the malicious directory (<em>&#8220;C:\\W\u00edndows\\system32&#8221;<\/em>) and then dropping <em>wuaueng.dll<\/em> into that directory; it also sets the attributes of the directory to make it hidden.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/stage3.png\" data-rel=\"lightbox-image-10\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"54025\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/stage3\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/stage3.png\" data-orig-size=\"1374,246\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" 
data-image-title=\"stage3\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/stage3-300x54.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/stage3-600x107.png\" loading=\"lazy\" width=\"1374\" height=\"246\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/stage3.png\" alt=\"\" class=\"wp-image-54025\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/stage3.png 1374w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/stage3-300x54.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/stage3-600x107.png 600w\" sizes=\"auto, (max-width: 1374px) 100vw, 1374px\" \/><\/a><figcaption>Figure 11: <em>stage3_runtimebroker main routine<\/em><\/figcaption><\/figure>\n<\/div>\n<ul>\n<li><em>wuaueng.dll<\/em> &#8211; This is one of the most important DLLs in the attack chain. This malicious DLL is signed with a certificate which seems to belong to <em>&#8220;SAMOYAJ LIMITED&#8221;<\/em>, Till 20 January 2022, the DLL had (0\/65) AV detections and presently only 5\/65 detect it as malicious. This DLL has embedded inside another DLL which contains the core module (<em>core_module.dll<\/em>) of this malware responsible for communicating with the Command and Control (C2) server. 
This DLL can be loaded into memory in two ways: <br \/>&#8211; If <em>drops_lnk.dll<\/em> loads this DLL into <em>explorer.exe<\/em> then it loads the <em>core_module.dll<\/em> and then executes it<br \/>&#8211; If it is being executed from <em>wuauclt.exe<\/em>, then it retrieves the PID of explorer.exe and injects the <em>core_module.dll<\/em> into that process.<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.41.56-PM-1.jpg\" data-rel=\"lightbox-image-11\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53952\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-5-41-56-pm-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.41.56-PM-1.jpg\" data-orig-size=\"1292,574\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-5.41.56-PM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.41.56-PM-1-300x133.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.41.56-PM-1-600x267.jpg\" loading=\"lazy\" width=\"1292\" height=\"574\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.41.56-PM-1.jpg\" alt=\"\" class=\"wp-image-53952\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.41.56-PM-1.jpg 1292w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.41.56-PM-1-300x133.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-5.41.56-PM-1-600x267.jpg 600w\" sizes=\"auto, (max-width: 1292px) 100vw, 1292px\" \/><\/a><figcaption>Figure 12: <em>wuaueng.dll main routine<\/em><\/figcaption><\/figure>\n<\/div>\n<h3>The Core module and GitHub as a C2<\/h3>\n<p>Rarely do we see malware using GitHub as C2 and this is the first time we&#8217;ve observed Lazarus leveraging it. Using Github as a C2 has its own drawbacks but it is a clever choice for targeted and short term attacks as it makes it harder for security products to differentiate between legitimate and malicious connections. 
While analyzing the core module we were able to get the required details to access the C2 but unfortunately it was already cleaned and we were not able to get much except one of the additional modules loaded by the <em>core_module.dll<\/em> remotely (thanks to <a href=\"https:\/\/twitter.com\/jaydinbas\">@jaydinbas<\/a> who shared the module with us).<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-8.45.43-PM-1.jpg\" data-rel=\"lightbox-image-12\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53955\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-8-45-43-pm-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-8.45.43-PM-1.jpg\" data-orig-size=\"1112,984\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-8.45.43-PM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-8.45.43-PM-1-300x265.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-8.45.43-PM-1-600x531.jpg\" loading=\"lazy\" width=\"1112\" height=\"984\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-8.45.43-PM-1.jpg\" alt=\"\" class=\"wp-image-53955\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-8.45.43-PM-1.jpg 1112w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-8.45.43-PM-1-300x265.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-8.45.43-PM-1-600x531.jpg 600w\" sizes=\"auto, (max-width: 1112px) 100vw, 1112px\" \/><\/a><figcaption>Figure 13: <em>core_module.dll C2 communication loop<\/em><\/figcaption><\/figure>\n<\/div>\n<p>There seems to be no type of string encoding used so we can clearly see the strings which makes the analysis easy. <em>get_module_from_repo<\/em> uses the hardcoded <em>username<\/em>, <em>repo_name<\/em>, <em>directory<\/em>, <em>token<\/em> to make a http request to GitHub and retrieves the files present in the <em>&#8220;images&#8221;<\/em> directory of the repository.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1.png\" data-rel=\"lightbox-image-13\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"54007\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/git-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1.png\" data-orig-size=\"1958,1146\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"git-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1-300x176.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1-600x351.png\" loading=\"lazy\" width=\"1958\" height=\"1146\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1.png\" alt=\"\" class=\"wp-image-54007\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1.png 1958w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1-300x176.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1-600x351.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/git-1-1536x899.png 1536w\" sizes=\"auto, (max-width: 1958px) 100vw, 1958px\" \/><\/a><figcaption>Figure 14: <em>get_module_from_repo function<\/em><\/figcaption><\/figure>\n<\/div>\n<p>The HTTP request retrieves contents of the files present in the repository with an interesting validation which checks that the retrieved file is a PNG. The file that was earlier retrieved was named <em>&#8220;readme.png&#8221;<\/em>; this PNG file has one of the malicious modules embedded in it. The strings in the module reveal that the module&#8217;s original name is <em>&#8220;GetBaseInfo.dll&#8221;<\/em>. Once the malware retrieves the module it uses the<em> map_module <\/em>function to map the DLL and then looks for an exported function named <em>&#8220;GetNumberOfMethods&#8221;<\/em> in the malicious module. 
It then executes <em>GetNumberOfMethods<\/em> and saves the result returned by the module. This result is committed to the remote repository under the metafiles directory with a filename denoting the time at which the module was executed; the committed file contains the output of the commands the module ran on the target system. To commit the file, the malware makes an HTTP PUT request to GitHub.<\/p>\n<h3>Additional Modules (GetBaseInfo.dll)<\/h3>\n<p>This was the only module we were able to get our hands on. Having a single module limits what we can say about the full capabilities of this malware. It is also difficult to hunt for these modules because they never touch the disk, which makes them harder for AVs to detect; the only way to obtain them is to access the C2 and download them while they are live. Coming back to this module, it has very limited capabilities. It retrieves the <em>Username<\/em>, <em>ComputerName<\/em> and a list of all the <em>running processes<\/em> on the system and then returns the result so it can be committed to the C2. 
<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" data-attachment-id=\"53957\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-9-11-59-pm\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.11.59-PM.jpg\" data-orig-size=\"798,402\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-9.11.59-PM\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.11.59-PM-300x151.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.11.59-PM-600x302.jpg\" loading=\"lazy\" width=\"798\" height=\"402\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.11.59-PM.jpg\" alt=\"\" class=\"wp-image-53957\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.11.59-PM.jpg 798w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.11.59-PM-300x151.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.11.59-PM-600x302.jpg 600w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\" \/><figcaption>Figure 15: <em>GetBaseInfo module retrieving the 
information<\/em><\/figcaption><\/figure>\n<\/div>\n<h3>GitHub Account<\/h3>\n<p>The account with the username &#8220;<em>DanielManwarningRep<\/em>&#8221; is used to operate the malware. The account was created on January 17th, 2022 and other than this we were not able to find any information related to the account.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1.jpg\" data-rel=\"lightbox-image-14\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"53958\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/screenshot-2022-01-25-at-9-14-25-pm-1\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1.jpg\" data-orig-size=\"2018,1210\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"Screenshot-2022-01-25-at-9.14.25-PM-1\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1-300x180.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1-600x360.jpg\" loading=\"lazy\" width=\"2018\" height=\"1210\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1.jpg\" alt=\"\" class=\"wp-image-53958\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1.jpg 2018w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1-300x180.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1-600x360.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/Screenshot-2022-01-25-at-9.14.25-PM-1-1536x921.jpg 1536w\" sizes=\"auto, (max-width: 2018px) 100vw, 2018px\" \/><\/a><figcaption>Figure 16: <em>Account details from the token used<\/em><\/figcaption><\/figure>\n<\/div>\n<h2>Second Malicious Document used in the campaign<\/h2>\n<p><strong>Malicious Document<\/strong> &#8211; Salary_Lockheed_Martin_job_opportunities_confidential.doc (0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1)<\/p>\n<p>The initial attack vector used in this document is similar to the first document but the malware dropped by the macro is totally different. Sadly, the C2 for this malware was down by the time we started analyzing it.<\/p>\n<p>This document uses KernelCallbackTable as well to hijack the control flow just like our first module, the injection technique used by the shellcode also resembles the first document. The major difference in this document is that it tries to retrieve a remote HTML page and then executes it using <em>mshta.exe<\/em>. 
The remote HTML page is located at <em>https[:]\/\/markettrendingcenter[.]com\/member.htm<\/em> and throws a 404 Not Found which makes it difficult for us to analyze this document any further.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/seconddoc.jpg\" data-rel=\"lightbox-image-15\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"54002\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/seconddoc\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/seconddoc.jpg\" data-orig-size=\"1232,657\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"seconddoc\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/seconddoc-300x160.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/seconddoc-600x320.jpg\" loading=\"lazy\" width=\"1232\" height=\"657\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/seconddoc.jpg\" alt=\"\" class=\"wp-image-54002\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/seconddoc.jpg 1232w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/seconddoc-300x160.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/seconddoc-600x320.jpg 600w\" 
sizes=\"auto, (max-width: 1232px) 100vw, 1232px\" \/><\/a><figcaption>Figure 17: Shellcode<\/figcaption><\/figure>\n<\/div>\n<h2>Attribution<\/h2>\n<p>There are multiple indicators that suggest this campaign was operated by the Lazarus threat actor. In this section we provide some of the indicators that confirm the actor behind this attack is Lazarus:<\/p>\n<ul>\n<li>Using job opportunities as a template is a known method used by Lazarus to target its victims. The documents created by this actor are well designed and carry a large icon of a known company such as Lockheed Martin, BAE Systems, Boeing or Northrop Grumman in the template. <\/li>\n<li>In this campaign the actor has targeted people looking for job opportunities at Lockheed Martin. The defense industry, and Lockheed Martin in particular, is a known target for this actor.<\/li>\n<li>The metadata of the documents used in this campaign links them to several other documents used by this actor in the past. 
<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib.png\" data-rel=\"lightbox-image-16\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"54008\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/attrib\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib.png\" data-orig-size=\"1567,494\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"attrib\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib-300x95.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib-600x189.png\" loading=\"lazy\" width=\"1567\" height=\"494\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib.png\" alt=\"\" class=\"wp-image-54008\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib.png 1567w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib-300x95.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib-600x189.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/attrib-1536x484.png 1536w\" sizes=\"auto, (max-width: 1567px) 100vw, 1567px\" \/><\/a><figcaption>Figure 18: Attribution based on 
metadata<\/figcaption><\/figure>\n<\/div>\n<ul>\n<li>Using Frame1_Layout for macro execution and using lesser known API calls for shellcode execution is known to be used by <a href=\"https:\/\/research.nccgroup.com\/2021\/01\/23\/rift-analysing-a-lazarus-shellcode-execution-method\/\">Lazarus<\/a>. <\/li>\n<li>We also were able to find infrastructure overlap between this campaign and past campaigns of Lazarus (Figure 19).<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/connection_.png\" data-rel=\"lightbox-image-17\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img decoding=\"async\" data-attachment-id=\"54029\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/connection_\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/connection_.png\" data-orig-size=\"1109,590\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"connection_\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/connection_-300x160.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/connection_-600x319.png\" loading=\"lazy\" width=\"600\" height=\"319\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/connection_-600x319.png\" alt=\"\" class=\"wp-image-54029\" 
srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/connection_-600x319.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/connection_-300x160.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/connection_.png 1109w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><figcaption>Figure 19: Connection with past campaigns<\/figcaption><\/figure>\n<\/div>\n<h2>Conclusion<\/h2>\n<p>Lazarus APT is one of the advanced APT groups that is known to target the defense industry. The group keeps updating its toolset to evade security mechanisms. In this blog post we provided a detailed analysis about the new campaign operated by this actor. Even though they have used their old job theme method, they employed several new techniques to bypass detections:<\/p>\n<ul>\n<li>Use of <em>KernelCallbackTable<\/em> to hijack the control flow and shellcode execution<\/li>\n<li>Use of the Windows Update client for malicious code execution<\/li>\n<li>Use of GitHub for C2 communication<\/li>\n<\/ul>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" data-attachment-id=\"54003\" data-permalink=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/attachment\/lazarusblock\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/lazarusBlock.png\" data-orig-size=\"1400,874\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"lazarusBlock\" 
data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/lazarusBlock-300x187.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/lazarusBlock-600x375.png\" loading=\"lazy\" width=\"600\" height=\"375\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/lazarusBlock-600x375.png\" alt=\"\" class=\"wp-image-54003\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/lazarusBlock-600x375.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/lazarusBlock-300x187.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2022\/01\/lazarusBlock.png 1400w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/figure>\n<\/div>\n<h2>IOCs:<\/h2>\n<p><strong>Maldocs:<br \/><\/strong>0d01b24f7666f9bccf0f16ea97e41e0bc26f4c49cdfb7a4dabcc0a494b44ec9b Lockheed_Martin_JobOpportunities.docx<\/p>\n<p>0160375e19e606d06f672be6e43f70fa70093d2a30031affd2929a5c446d07c1<br \/>Salary_Lockheed_Martin_job_opportunities_confidential.doc<\/p>\n<p><strong>Domains:<\/strong><br \/>markettrendingcenter.com<br \/>lm-career.com<\/p>\n<p><strong>Payloads:<\/strong><\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table>\n<tbody>\n<tr>\n<td>Name<\/td>\n<td>Sha256<\/td>\n<\/tr>\n<tr>\n<td>readme.png<\/td>\n<td>4216f63870e2cdfe499d09fce9caa301f9546f60a69c4032cb5fb6d5ceb9af32<\/td>\n<\/tr>\n<tr>\n<td>wuaueng.dll<\/td>\n<td>829eceee720b0a3e505efbd3262c387b92abdf46183d51a50489e2b157dac3b1<\/td>\n<\/tr>\n<tr>\n<td>stage1_winword.dll<\/td>\n<td>f14b1a91ed1ecd365088ba6de5846788f86689c6c2f2182855d5e0954d62af3b   
<\/td>\n<\/tr>\n<tr>\n<td>stage2_explorer.dll<\/td>\n<td>660e60cc1fd3e155017848a1f6befc4a335825a6ae04f3416b9b148ff156d143<\/td>\n<\/tr>\n<tr>\n<td>drops_lnk.dll<\/td>\n<td>11b5944715da95e4a57ea54968439d955114088222fd2032d4e0282d12a58abb<\/td>\n<\/tr>\n<tr>\n<td>stage3_runtimebroker.dll<\/td>\n<td>9d18defe7390c59a1473f79a2407d072a3f365de9834b8d8be25f7e35a76d818<\/td>\n<\/tr>\n<tr>\n<td>core_module.dll<\/td>\n<td>c677a79b853d3858f8c8b86ccd8c76ebbd1508cc9550f1da2d30be491625b744<\/td>\n<\/tr>\n<tr>\n<td>GetBaseInfo.dll<\/td>\n<td>5098ec21c88e14d9039d232106560b3c87487b51b40d6fef28254c37e4865182<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong><\/p>\n<p><\/strong><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/\">North Korea&#8217;s Lazarus APT leverages Windows Update client, GitHub in latest campaign<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Threat Intelligence Team| Date: Thu, 27 Jan 2022 16:20:16 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/' title='North Korea's Lazarus APT leverages Windows Update client, GitHub in latest campaign'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2021\/02\/shutterstock_1096871756.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>How one of North Korea&#8217;s 
most sophisticated APTs tries to avoid detection by using legitimate tools during its attacks. <\/p>\n<p>Categories: <a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-intelligence\/\" rel=\"category tag\">Threat Intelligence<\/a><\/p>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/apt\/\" rel=\"tag\">APT<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/github\/\" rel=\"tag\">GitHub<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/lazarus\/\" rel=\"tag\">Lazarus<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/' title='North Korea's Lazarus APT leverages Windows Update client, GitHub in latest campaign'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-intelligence\/2022\/01\/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign\/\">North Korea&#8217;s Lazarus APT leverages Windows Update client, GitHub in latest campaign<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11029,11863,12223,12040],"class_list":["post-18137","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-apt","tag-github","tag-lazarus","tag-threat-intelligence"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18137"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18137\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}