Posted on October 3, 2022 at 11:36 AM
Lazarus Group, one of the largest hacking groups in North Korea, has installed a Windows rootkit that abuses a Dell hardware driver in an attack technique dubbed Bring Your Own Vulnerable Driver.
Lazarus hacking group installs Windows rootkit to abuse a Dell driver
The spear-phishing campaign conducted by the hacking group was first detected in the autumn of last year. The campaign’s confirmed targets include an aerospace expert based in the Netherlands and a political journalist based in Belgium.
An ESET report said the phishing campaign's objective was espionage and data theft. Other targets of the campaign were also based in the EU; they were enticed by fake job offers sent via email.
The job offers were crafted to look as though they came from Amazon. Luring people with fake job offers as part of a phishing campaign is a social engineering tactic the group has employed this year.
Targets who open the documents containing the job offers download a remote template from a hardcoded address. This is followed by further infections on the victim's device, ranging from malware loaders and droppers to custom backdoors.
The report by ESET has also said that one of the most interesting tools deployed during this campaign is the FudModule Rootkit. This Rootkit uses the Bring Your Own Vulnerable Driver (BYOVD) strategy to exploit a bug in a Dell hardware driver.
ESET also said that a user-mode module is one of the most notable tools used by the hackers. The module could read and write kernel memory because of the CVE-2021-21551 vulnerability in the legitimate Dell driver. ESET added that this was the first recorded abuse of this vulnerability by threat actors.
“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” the report added.
A BYOVD attack happens when the attacker deploys a legitimate, signed driver that contains known vulnerabilities. Because the kernel driver carries a valid signature, Windows permits it to be installed and loaded.
The threat actors can then exploit the vulnerabilities in the driver to execute commands with kernel-level privileges.
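As an added defender-side example (not from the ESET report or this article), a small Python triage of Sysmon Event ID 6 (DriverLoad) records: a driver whose hash is on a blocklist of known-vulnerable drivers, such as Microsoft's recommended driver block rules, is flagged even though its signature is valid, which is exactly why signing alone does not stop BYOVD. The event lines, file names and hash values below are constructed placeholders, not real indicators.

```python
import re

# Constructed Sysmon Event ID 6 (DriverLoad) records in key=value form;
# the hash values are labelled placeholders, not real indicators.
SAMPLE_EVENTS = [
    "UtcTime=2022-10-03 10:11:12.000 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys "
    "Hashes=SHA256=PLACEHOLDER_HASH_NDIS Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "UtcTime=2022-10-03 10:12:30.000 ImageLoaded=C:\\Users\\Public\\vendor_util.sys "
    "Hashes=SHA256=PLACEHOLDER_HASH_VULN_DRIVER Signed=true Signature=Example Vendor Inc. SignatureStatus=Valid",
    "UtcTime=2022-10-03 10:13:05.000 ImageLoaded=C:\\Temp\\unknown.sys "
    "Hashes=SHA256=PLACEHOLDER_HASH_UNKNOWN Signed=false Signature= SignatureStatus=Unsigned",
]

# Constructed blocklist: SHA256 -> description. In practice populate it from a
# maintained source such as Microsoft's recommended driver block rules.
VULNERABLE_DRIVER_HASHES = {
    "PLACEHOLDER_HASH_VULN_DRIVER": "signed vendor utility driver with a known kernel R/W flaw",
}

# Key=value pairs; a value runs until the next " key=" token or end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_event(line):
    """Split a Sysmon key=value line into a dict; values may contain spaces."""
    return dict(_KV.findall(line))

def triage_driver_loads(events, blocklist):
    """Return (driver file name, severity, reason) for each suspicious load."""
    findings = []
    for line in events:
        ev = parse_event(line)
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        sha256 = ev.get("Hashes", "").removeprefix("SHA256=")
        if sha256 in blocklist:
            # The BYOVD case: the signature is valid, so Windows loads the driver,
            # but the driver itself is the vulnerability. Check the hash, not the signature.
            findings.append((name, "high", "known-vulnerable driver: " + blocklist[sha256]))
        elif ev.get("Signed", "").lower() != "true":
            findings.append((name, "high", "unsigned driver loaded"))
        elif not path.lower().startswith("c:\\windows\\"):
            # Validly signed but loaded from a user-writable location: worth a review.
            findings.append((name, "medium", "signed driver loaded from outside C:\\Windows"))
    return findings

if __name__ == "__main__":
    for name, sev, why in triage_driver_loads(SAMPLE_EVENTS, VULNERABLE_DRIVER_HASHES):
        print(f"[{sev}] {name}: {why}")
```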
In the recent attack, Lazarus exploited the CVE-2021-21551 vulnerability in the Dell hardware driver. The driver contained five flaws that remained exploitable for 12 years before Dell released security updates.
In December last year, researchers at Rapid7 warned about this driver. The researchers said that the driver attracted BYOVD attacks because Dell had failed to deploy appropriate fixes, which left kernel code execution possible in the recently signed versions.
It now seems like the Lazarus group was aware of the potential to exploit this vulnerability. The group exploited the Dell driver before security researchers could issue public warnings on the same.
ESET also said that the group used its kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, such as the registry, file system, process creation, and event tracing. In this way the attackers blinded security solutions in a generic and robust manner.
Lazarus group used the BLINDINGCAN HTTP(S) backdoor
ESET also noted that the group deployed BLINDINGCAN, its signature custom HTTP(S) backdoor. The backdoor was first detected by US intelligence in August 2020, and in October 2021 Kaspersky linked it to the Lazarus group.
BLINDINGCAN is a remote access trojan (RAT). The sample analysed by ESET appeared to be backed by a previously undocumented server-side dashboard that performs parameter validation.
The backdoor supports a wide range of 25 commands, including file actions, command execution, C2 communication configuration, process creation and termination, screenshots, and exfiltration of system information.
The other tools used by the threat actors during the campaign include the FudModule rootkit mentioned above. The rootkit is an HTTP(S) uploader that can be used to facilitate data exfiltration. The attackers also deployed several trojanized open-source applications, such as wolfSSL and FingerText. The Lazarus group has continued to trojanize open-source tools; a report published by Microsoft yesterday described the same technique, used with other applications such as Sumatra PDF Reader, PuTTY, KiTTY, TightVNC, and the muPDF/Subliminal Recording software installer.