The North Korea-backed Lazarus Team has been observed deploying a Windows rootkit by taking gain of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary.
The EU-based targets of this campaign were emailed fake job offers, this time for Amazon, a typical and common social engineering trick employed by the hackers in 2022.
The spear-phishing campaign unfolded in the autumn of 2021, and the confirmed targets, an aerospace expert in the Netherlands and a political journalist in Belgium, were emailed fake job offers at Amazon. ESET reports that among the tools deployed in this campaign, the most interesting is a new FudModule rootkit that abuses a BYOVD (Bring Your Own Vulnerable Driver) technique to exploit a vulnerability in a Dell hardware driver for the first time.
But what is actually noteworthy about the 2021 attacks was a rootkit module that exploited a Dell driver flaw to obtain the capability to go through and publish kernel memory. The issue, tracked as CVE-2021-21551, relates to a set of critical privilege escalation vulnerabilities in dbutil_2_3.sys.
“[This] signifies the initial recorded abuse of the CVE‑2021‑21551 vulnerability,” Kálnai pointed out. “This device, in mix with the vulnerability, disables the monitoring of all security alternatives on compromised equipment.”
Named FudModule, the earlier undocumented malware achieves its ambitions by means of multiple techniques “either not regarded prior to or familiar only to specialised security researchers and (anti-)cheat builders,” according to ESET.
“The attackers then utilised their kernel memory publish accessibility to disable 7 mechanisms the Windows working procedure gives to watch its actions, like registry, file procedure, course of action generation, party tracing, and so on., basically blinding security answers in a really generic and strong way,” Kálnai reported. “Definitely this expected deep research, advancement, and screening skills.”
This is not the first time the danger actor has resorted to using a susceptible driver to mount its rootkit attacks. Just previous thirty day period, AhnLab’s ASEC in-depth the exploitation of a authentic driver recognised as “ene.sys” to disarm security computer software installed in the equipment.
The results are a demonstration of the Lazarus Group’s tenacity and skill to innovate and shift its practices as necessary more than the years regardless of powerful scrutiny of the collective’s functions from both legislation enforcement and the broader study community.