The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary.
The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity known as Operation In(ter)ception that is directed against aerospace and defense industries.
"The campaign started with spear-phishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium," ESET researcher Peter Kálnai said.
Attack chains unfolded upon the opening of the lure documents, leading to the distribution of malicious droppers that were trojanized versions of open source projects, corroborating recent reports from Google's Mandiant and Microsoft.
ESET said it uncovered evidence of Lazarus dropping weaponized versions of FingerText and sslSniffer, a component of the wolfSSL library, in addition to HTTPS-based downloaders and uploaders.
The intrusions also paved the way for the group's backdoor of choice dubbed BLINDINGCAN – also known as AIRDRY and ZetaNile – which an operator can use to control and explore compromised systems.
But what's notable about the 2021 attacks was a rootkit module that exploited a Dell driver flaw to gain the ability to read and write kernel memory. The issue, tracked as CVE-2021-21551, relates to a set of critical privilege escalation vulnerabilities in dbutil_2_3.sys.
"[This] represents the first recorded abuse of the CVE‑2021‑21551 vulnerability," Kálnai noted. "This tool, in combination with the vulnerability, disables the monitoring of all security solutions on compromised machines."
Named FudModule, the previously undocumented malware achieves its goals via multiple methods "either not known before or familiar only to specialized security researchers and (anti-)cheat developers," according to ESET.
"The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way," Kálnai said. "Undoubtedly this required deep research, development, and testing skills."
This isn't the first time the threat actor has resorted to using a vulnerable driver to mount its rootkit attacks. Just last month, AhnLab's ASEC detailed the exploitation of a legitimate driver known as "ene.sys" to disarm security software installed on the machines.
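The defining property of a BYOVD attack is that the abused driver (dbutil_2_3.sys here, ene.sys in the earlier case) is a legitimately signed vendor binary, so a signature check alone never flags it; the load itself has to be matched against a list of drivers known to be vulnerable. The following detection sketch is an added example, not code from ESET, AhnLab or the article: it parses a constructed, simplified driver-load record format (real sources such as Sysmon Event ID 6 carry more fields), matches the two driver names mentioned on this page, and falls back to unsigned-driver and unusual-path heuristics. The record format, host names, paths and signer strings are all constructed for the example.

```python
"""Flag suspicious kernel driver loads in driver-load telemetry (defender side).

Added example, not code from ESET, AhnLab or the article. The record format
below is a constructed, simplified "driver loaded" line; real sources (Sysmon
Event ID 6, EDR driver-load events) carry more fields, but the matching logic
is the same.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Driver file names the article reports Lazarus abusing for kernel read/write.
# File hashes are the robust identifier in practice; a name list is only a
# first-pass filter because the file can simply be renamed.
KNOWN_VULNERABLE_DRIVERS = {
    "dbutil_2_3.sys": "Dell dbutil driver, CVE-2021-21551",
    "ene.sys": "ENE driver reported abused by AhnLab ASEC",
}

# Constructed record format: ISO timestamp, host, event type, image path,
# Authenticode status and signer name.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=DriverLoad '
    r'image="(?P<image>[^"]+)" signed=(?P<signed>true|false) signer="(?P<signer>[^"]*)"$'
)


@dataclass
class DriverLoad:
    timestamp: str
    host: str
    image: str
    signed: bool
    signer: str


def parse_line(line: str):
    """Parse one record; return None for lines that are not driver loads."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return DriverLoad(m["ts"], m["host"], m["image"], m["signed"] == "true", m["signer"])


def classify(load: DriverLoad):
    """Return a finding dict, or None when the load looks benign.

    Order matters: a BYOVD driver is validly signed, so the signature check
    alone never catches it; the known-vulnerable match has to come first.
    """
    name = PureWindowsPath(load.image).name.lower()
    if name in KNOWN_VULNERABLE_DRIVERS:
        return {"host": load.host, "driver": name, "severity": "high",
                "reason": f"known-vulnerable driver: {KNOWN_VULNERABLE_DRIVERS[name]}"}
    if not load.signed:
        return {"host": load.host, "driver": name, "severity": "high",
                "reason": "unsigned driver loaded"}
    # Coarse heuristic: legitimate drivers normally live under the Windows
    # directory; a signed driver loaded from a user-writable path is worth a look.
    if not load.image.lower().startswith("c:\\windows\\"):
        return {"host": load.host, "driver": name, "severity": "medium",
                "reason": f"signed driver loaded from unusual path {load.image}"}
    return None


def scan(lines):
    """Run classify() over a sequence of records and collect the findings."""
    findings = []
    for line in lines:
        load = parse_line(line)
        if load is not None:
            finding = classify(load)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry (hosts, paths and signer strings are made up).
SAMPLE_LOG = [
    r'2021-10-04T09:12:31Z host=WS-0421 event=DriverLoad image="C:\Windows\System32\drivers\ndis.sys" signed=true signer="Microsoft Windows"',
    r'2021-10-04T09:13:02Z host=WS-0421 event=DriverLoad image="C:\Users\Public\dbutil_2_3.sys" signed=true signer="Dell Inc."',
    r'2021-10-04T09:13:05Z host=WS-0421 event=ProcessCreate image="C:\Windows\System32\notepad.exe"',
    r'2021-11-19T14:40:10Z host=WS-0777 event=DriverLoad image="C:\ProgramData\Tools\ENE.SYS" signed=true signer="ENE TECHNOLOGY INC."',
    r'2021-11-19T14:41:55Z host=WS-0777 event=DriverLoad image="C:\Temp\helper.sys" signed=false signer=""',
    r'2021-11-19T14:42:30Z host=WS-0777 event=DriverLoad image="C:\Users\jdoe\AppData\Local\Temp\vendor_util.sys" signed=true signer="Some Vendor"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['host']} {f['driver']}: {f['reason']}")
```

Two design points carry over to real telemetry: the name match is case-insensitive because the file name as loaded is attacker-controlled, and the known-vulnerable check runs before the signature check, since in both incidents described above the driver was signed. In production the name list should be replaced or supplemented by hashes (Microsoft's vulnerable driver blocklist for WDAC/HVCI is the usual source), and the path heuristic tuned to the fleet.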
The findings are a sign of the Lazarus Group's tenacity and ability to innovate and shift its tactics as required over the years despite intense scrutiny of the collective's activities from both law enforcement and the broader research community.
"The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal activities: cyber espionage, cyber sabotage, and pursuit of financial gain," the company said.