North Korea Lazarus APT leverages Windows Update client

January 30, 2022

The two macro-embedded documents seem to be luring the targets about new job opportunities at Lockheed Martin. The compilation time for both of these documents is 2020-04-24, but Malwarebytes have enough indicators that confirm that they have been used in a campaign around late December 2021 and early 2022. Some of the indicators that shows this attack operated recently are the domains used by the threat actor. Both of the documents use the same attack theme and have some common things like embedded macros but the full attack chain seems to be totally different. The analysis provided is mainly based on the “Lockheed_Martin_JobOpportunities.docx” document but Malwarebytes also provide brief analysis for the second document (Salary_Lockheed_Martin_job_opportunities_confidential.doc). The attack starts by executing the malicious macros that are embedded in the Word document. The malware performs a series of injections and achieves startup persistence in the target system.
Subscribe