The Malwarebytes Threat Intelligence team recently issued a warning to Windows users about a newly identified campaign by the North Korean hacker group Lazarus. The attack abused the Windows Update client and GitHub itself to distribute and control the malware.
The attackers used two fake MS Word files designed to take advantage of the Windows Update client to bypass Windows malware detection mechanisms. Malwarebytes considers this method quite clever.
"This is a sophisticated cyberattack prepared by Lazarus to run a malicious DLL file using the Windows Update Client to bypass Windows security mechanisms," Malwarebytes said.
The Lazarus group also uses GitHub in its attacks. Using GitHub makes it difficult for anti-virus software to distinguish between malicious files and normal files, because the traffic goes to a widely trusted service.
This is the first time Malwarebytes has observed a group of hackers using GitHub in this way.
"We rarely see malware using GitHub as C2 and this is the first time we've seen Lazarus take advantage of it," explains Malwarebytes.
"Using GitHub as C2 has its drawbacks, but it's a smart choice for targeted, short-term attacks because it makes it harder for security products to distinguish between legitimate and malicious connections."
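The two behaviours described above, the Windows Update client (wuauclt.exe) being handed a DLL to run and a non-browser process talking to GitHub, both leave traces in ordinary endpoint telemetry. The script below is an added example written for this article, not code from Malwarebytes; it runs two simple checks over constructed process-creation and network events (the paths, user name and DLL name are invented). It assumes the documented wuauclt.exe command-line form, where a DLL path follows the `/UpdateDeploymentProvider` switch, and flags (1) a DLL loaded from outside the Windows system directories, (2) wuauclt.exe spawned by an Office application, and (3) GitHub connections from a process that is not a known GitHub client.

```python
"""Toy detection logic for Windows Update client (wuauclt.exe) abuse and
GitHub-as-C2 traffic. All sample events below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# DLLs the update client legitimately loads live under these directories.
WINDOWS_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Office binaries that should never be the parent of the update client.
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Assumption: these processes are expected to reach GitHub in a typical environment; tune per site.
EXPECTED_GITHUB_CLIENTS = ("chrome.exe", "msedge.exe", "firefox.exe", "git.exe", "code.exe")
GITHUB_HOSTS = ("github.com", "api.github.com", "raw.githubusercontent.com")

# Matches a quoted DLL path (may contain spaces) or an unquoted one.
DLL_RE = re.compile(r'"([^"]+?\.dll)"|(\S+\.dll)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the started process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


@dataclass
class NetworkEvent:
    image: str          # process that opened the connection
    dest_host: str
    dest_port: int


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: ProcessEvent) -> List[str]:
    """Findings for a process-creation event; empty list if nothing is suspicious."""
    findings = []
    if basename(ev.image) != "wuauclt.exe":
        return findings
    m = DLL_RE.search(ev.command_line)
    if m:
        dll = (m.group(1) or m.group(2)).lower()
        if not dll.startswith(WINDOWS_SYSTEM_DIRS):
            findings.append(f"wuauclt.exe asked to load non-system DLL {dll}")
    parent = basename(ev.parent_image)
    if parent in OFFICE_APPS:
        findings.append(f"wuauclt.exe spawned by Office application {parent}")
    return findings


def check_network(ev: NetworkEvent) -> Optional[str]:
    """Finding for a GitHub connection from an unexpected process, else None."""
    host = ev.dest_host.lower()
    if host not in GITHUB_HOSTS and not host.endswith(".githubusercontent.com"):
        return None
    proc = basename(ev.image)
    if proc in EXPECTED_GITHUB_CLIENTS:
        return None
    return f"{proc} connected to {host}:{ev.dest_port} (possible GitHub C2 channel)"


def scan(events) -> List[str]:
    """Run both checks over a mixed list of events and collect all findings."""
    findings = []
    for ev in events:
        if isinstance(ev, ProcessEvent):
            findings.extend(check_process(ev))
        elif isinstance(ev, NetworkEvent):
            f = check_network(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry: one benign update-client start, one Word-spawned
# instance loading a DLL from the user's profile, one browser GitHub connection,
# and one GitHub connection from the update client itself.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe",
                 r"wuauclt.exe /UpdateDeploymentProvider C:\Windows\System32\wuaueng.dll /RunHandlerComServer",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\wuauclt.exe",
                 r'wuauclt.exe /UpdateDeploymentProvider "C:\Users\alice\AppData\Roaming\drops.dll" /RunHandlerComServer',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    NetworkEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "github.com", 443),
    NetworkEvent(r"C:\Windows\System32\wuauclt.exe", "raw.githubusercontent.com", 443),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The DLL-path check is the one that matters most: a legitimate update-client invocation points at a DLL under the Windows directories, so any other location is worth an alert even when the process tree looks ordinary. The parent-process and GitHub-destination checks are weaker on their own but cheap to run, and combining them with the first catches the exact chain this article describes.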
The Lazarus hacking group, which is sponsored by the North Korean government, has been suspected of carrying out previous cyberattacks such as WannaCry and various attacks on US media. The group has also previously used spear-phishing attacks to obtain research on COVID-19.
Lazarus is also suspected of being involved in the theft of $400 million worth of cryptocurrency in 2021.