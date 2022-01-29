The criminal group Lazarus created a tool that abuses the Windows Update client to run malicious code. The entry point for the attack is macro code inside Word documents.

Researchers identified the attack while investigating a phishing campaign that posed as job openings at Lockheed Martin. The lure targeted people interested in working for the technology, defense and information security company.

Attack via macro (Source: Malwarebytes)

DLL access via macro

The criminals distributed the documents Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc. Both contained macros which, once the recipient enabled them, dropped the shortcut file WindowsUpdateConf.lnk into the Startup folder and the DLL wuaueng.dll into a Windows/System32 folder.

Attack path via macro (Source: Malwarebytes)

Once the shortcut runs (the Startup folder executes it at the next logon), it launches the Windows Update client, wuauclt.exe, and instructs it to load the malicious DLL. Because every stage, from the macro entry point to the loading of the payload, is carried out by legitimate, signed Windows binaries, the activity passes unnoticed by several security products; this is a living-off-the-land technique rather than a vulnerability in Windows Update.
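The practical question for defenders is how to spot this chain in telemetry. The following Python check is an added example and is not code from the original article or from Malwarebytes' research: it scans process-creation events (Sysmon Event ID 1 style fields Image, CommandLine and ParentImage) for the Windows Update client being told to load a DLL. The command-line switches /UpdateDeploymentProvider and /RunHandlerComServer are the ones documented for this technique by the LOLBAS project, not taken from the page; the sample events are constructed, and the idea that a Startup-folder shortcut shows up with explorer.exe as the parent is the heuristic this example relies on.

```python
"""Flag wuauclt.exe being used to load a DLL (Windows Update client LOLBin pattern).

Added example: event fields use Sysmon Event ID 1 names (Image, CommandLine,
ParentImage). All events below are constructed for this demonstration.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry. The first event mirrors the chain described in the
# article: a shortcut from the Startup folder (parent explorer.exe) launches the
# Windows Update client and points it at a DLL named like a system component.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r'"C:\Windows\System32\wuauclt.exe" /UpdateDeploymentProvider '
                       r"C:\Windows\System32\wuaueng.dll /RunHandlerComServer",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Same switches, but launched by a service host: still worth a look.
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # Benign: ordinary update client invocation, no DLL argument.
        "Image": r"C:\Windows\System32\wuauclt.exe",
        "CommandLine": r"wuauclt.exe /detectnow",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
    },
    {   # Unrelated process.
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# The DLL argument may be quoted (paths with spaces) or bare.
_UDP_RE = re.compile(r'/UpdateDeploymentProvider\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Parents that should never launch the update client: explorer.exe runs Startup
# shortcuts, Office binaries run macros, shells indicate hands-on-keyboard activity.
USER_LAND_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    severity: str      # "medium" or "high"
    dll: str           # DLL path passed to wuauclt.exe
    parent: str        # parent process basename
    reasons: list      # human-readable justification for the verdict


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or mixed-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict):
    """Return a Finding for a suspicious wuauclt.exe event, else None."""
    if basename(ev.get("Image", "")) != "wuauclt.exe":
        return None
    cmd = ev.get("CommandLine", "")
    m = _UDP_RE.search(cmd)
    if not m:
        return None                      # normal update-client usage
    dll = m.group(1) or m.group(2)
    parent = basename(ev.get("ParentImage", ""))
    reasons = ["wuauclt.exe asked to load a DLL via /UpdateDeploymentProvider"]
    severity = "medium"                  # rare legitimately; verify the DLL's signature
    if "/runhandlercomserver" in cmd.lower():
        reasons.append("/RunHandlerComServer present: the DLL is hosted as a COM server")
    if parent in USER_LAND_PARENTS:
        reasons.append(f"launched by user-land parent {parent} (Startup shortcut or macro)")
        severity = "high"
    if "\\" not in dll and "/" not in dll:
        reasons.append("relative DLL path: resolved from the working directory, not System32")
        severity = "high"
    return Finding(severity, dll, parent, reasons)


def scan(events: list) -> list:
    """Run analyze_event over a batch of events and keep the findings."""
    return [f for f in (analyze_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] dll={f.dll} parent={f.parent}")
        for r in f.reasons:
            print("   -", r)
```

The check deliberately does not fire on the DLL's file name: the attacker chose wuaueng.dll precisely because it looks like a Windows component, so the file name is the weakest signal. The parent process and the presence of the DLL-loading switch are harder for the attacker to change, and a follow-up step in a real pipeline would be to pull the Authenticode signature of the DLL at the reported path.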

User attention is first barrier

As obvious as it may seem, it is always extremely important to be careful with links, documents, attachments and messages from unknown or unsolicited sources. A good part of opportunistic attacks rely more on user weaknesses than on flaws in the systems themselves; in this campaign, nothing runs unless the recipient opens the document and enables its macros.

It is always wise to be wary of tempting proposals with easy rewards, or situations that look like the opportunity of a lifetime, especially when they arrive unsolicited. Before clicking any link or opening any attachment, the best course is to verify the offer through the official channels of the company or group supposedly making it.

Another useful measure is to search for the file names, links or subject lines received. These scams are often already identified and documented, so a quick search makes it relatively easy to avoid them with these healthy browsing habits.