The North Korean-backed hacking group Lazarus has added the Windows Update client to its list of living-off-the-land binaries (LoLBins) and is now actively using it to execute malicious code on Windows systems. The Malwarebytes Threat Intelligence team identified the new malware delivery technique while investigating a January spearphishing campaign that impersonated the American security and aerospace firm Lockheed Martin.
Once victims open the malicious attachments and enable macro execution, an embedded macro drops a WindowsUpdateConf.lnk file in the Startup folder and a DLL (wuaueng.dll) in a hidden folder under Windows/System32. The LNK file is then used to launch the WSUS/Windows Update client (wuauclt.exe) with a command that loads the attackers' malicious DLL.
“This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms,” Malwarebytes stated.
According to the researchers, the attacks were attributed to Lazarus based on infrastructure overlaps, document information, and targeting consistent with past operations. In October 2020, MDSec researcher David Middlehurst reported that attackers could abuse the Windows Update client to execute malicious code on Windows 10 devices; he also observed a sample exploiting it in the wild.
This is done with the following command-line parameters, which make the client load an arbitrary attacker-supplied DLL (this is the command Lazarus used to load its malicious payload):
wuauclt.exe /UpdateDeploymentProvider [path_to_dll] /RunHandlerComServer
MITRE ATT&CK classifies this defense evasion technique as Signed Binary Proxy Execution. It allows attackers to bypass security software, application control, and digital certificate validation. In this case, the threat actors execute malicious code from the previously dropped DLL by loading it through the Microsoft-signed Windows Update client binary.
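As an added defensive illustration (not code from Malwarebytes or from the article), the following Python flags process-creation events in which wuauclt.exe is launched with the /UpdateDeploymentProvider ... /RunHandlerComServer pattern described above. The sample events are constructed, and the baseline it checks against (the stock provider DLL name UpdateDeploymentProvider.dll and the service host svchost.exe as the expected parent) is an assumption about normal update-client behaviour, not a fact from the article.

```python
import re
from typing import Optional

# Constructed sample process-creation records (Sysmon Event ID 1 / 4688 style);
# none of these are real telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wuauclt.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider C:\Windows\System32\HiddenDirPlaceholder\wuaueng.dll /RunHandlerComServer'},
    {"Image": r"C:\Windows\System32\wuauclt.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /RunHandlerComServer'},
    {"Image": r"C:\Windows\System32\wuauclt.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /detectnow /updatenow'},
    {"Image": r"C:\Windows\System32\wuauclt.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wuauclt.exe /UpdateDeploymentProvider C:\Users\victim\AppData\Local\Temp\x.dll /RunHandlerComServer'},
]

PROVIDER_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
HANDLER_RE = re.compile(r"/RunHandlerComServer", re.IGNORECASE)

# Assumed baseline: the update service passes the stock provider DLL by bare
# name and the client's parent is the service host process.
DEFAULT_PROVIDER = "updatedeploymentprovider.dll"
EXPECTED_PARENT = "svchost.exe"


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a reason string if the event looks like wuauclt DLL proxy execution, else None."""
    if basename(event.get("Image", "")) != "wuauclt.exe":
        return None
    cmd = event.get("CommandLine", "")
    m = PROVIDER_RE.search(cmd)
    if not m or not HANDLER_RE.search(cmd):
        return None  # ordinary client invocation such as /detectnow
    dll = m.group(1) or m.group(2)
    reasons = []
    if basename(dll) != DEFAULT_PROVIDER:
        reasons.append(f"non-default provider DLL {dll!r}")
    if re.search(r"[\\/]", dll):
        # An explicit path is suspicious even under System32: the reported
        # sample staged its DLL in a hidden folder beneath System32, so a
        # plain "is it under System32" allowlist would miss it.
        reasons.append("provider given as explicit path")
    parent = basename(event.get("ParentImage", ""))
    if parent != EXPECTED_PARENT:
        reasons.append(f"unexpected parent {parent!r}")
    return "; ".join(reasons) or None


def find_suspicious(events):
    """Pair each flagged command line with the reasons it was flagged."""
    return [(e["CommandLine"], r) for e in events if (r := classify(e))]
```

Running find_suspicious over real Sysmon or 4688 exports is a matter of mapping the Image, ParentImage and CommandLine fields into the same dictionaries.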
The Lazarus Group (tracked by US intelligence agencies as HIDDEN COBRA) is a North Korean military hacking group active since at least 2009. Its operators were behind attacks on high-profile companies such as Sony Films and on banks around the world in 2017, and they coordinated the global WannaCry ransomware campaign.