The group once again dangled fake job opportunities at engineers in a spear-phishing campaign that used Windows Update as a living-off-the-land technique and GitHub as a C2.
Lazarus Group is using Windows Update to spray malware in a campaign powered by a GitHub command-and-control (C2) server, researchers have found.
On Thursday, the Malwarebytes Threat Intelligence team reported that it discovered the North Korean state advanced persistent threat (APT) group’s latest living-off-the-land technique while analyzing a spear-phishing campaign that its researchers found 10 days ago, on Jan. 18.
The focus of the campaign – in which the APT masqueraded as American global security and aerospace giant Lockheed Martin – is in keeping with Lazarus’ taste for infiltrating the military.
Researchers consider Lazarus, which has been active since at least 2009, to be one of the world’s most active threat actors. The United States also refers to Lazarus as Hidden Cobra: a name used to refer to malicious cyber-activity by the North Korean government in general. “This APT group has been behind large-scale cyber-espionage and ransomware campaigns and has been spotted attacking the defense industry and cryptocurrency markets,” Kaspersky researchers have noted in the past.
According to Malwarebytes’