The North Korea-backed Lazarus Group has been observed deploying a
Windows rootkit by taking advantage of an exploit in a Dell firmware
driver, highlighting new tactics adopted by the state-sponsored
adversary.
The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter)ception that's directed against aerospace and defense industries.
"The campaign started with spear-phishing emails containing malicious
Amazon-themed documents and targeted an employee of an aerospace
company in the Netherlands, and a political journalist in Belgium," ESET
researcher Peter Kálnai said.
Attack chains unfolded upon the opening of the lure documents,
leading to the distribution of malicious droppers that were trojanized
versions of open source projects, corroborating recent reports from
Google's Mandiant and Microsoft.
ESET said it uncovered evidence of Lazarus dropping weaponized versions of FingerText and sslSniffer, a component of the wolfSSL library, in addition to HTTPS-based downloaders and uploaders.
The intrusions also paved the way for the group's backdoor of choice
dubbed BLINDINGCAN – also known as AIRDRY and ZetaNile – which an
operator can use to control and explore compromised systems.
But what's notable about the 2021 attacks is a rootkit module that
exploited a Dell driver flaw to gain the ability to read and write
kernel memory. The issue, tracked as CVE-2021-21551, relates to a set of critical privilege escalation vulnerabilities in dbutil_2_3.sys.
"[This] represents the first recorded abuse of the CVE-2021-21551
vulnerability," Kálnai noted. "This tool, in combination with the
vulnerability, disables the monitoring of all security solutions on
compromised machines."
Named FudModule, the previously undocumented malware achieves its
goals via multiple methods "either not known before or familiar only to
specialized security researchers and (anti-)cheat developers," according
to ESET.
"The attackers then used their kernel memory write access to disable
seven mechanisms the Windows operating system offers to monitor its
actions, like registry, file system, process creation, event tracing,
etc., basically blinding security solutions in a very generic and robust
way," Kálnai said. "Undoubtedly this required deep research,
development, and testing skills."
This is not the first time the threat actor has resorted to using a vulnerable driver to mount its rootkit attacks. Just last month, AhnLab's ASEC detailed the exploitation of a legitimate driver known as "ene.sys" to disarm security software installed on the machines.
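Both driver abuses described above share one observable on the endpoint: a signed but vulnerable driver being loaded, often from a directory a legitimately installed driver would never live in. The following detection sketch is an added example, not code from ESET, AhnLab or the article; it runs over constructed, simplified Sysmon Event ID 6 (DriverLoad) records and flags the two driver names this article mentions, dbutil_2_3.sys and ene.sys, plus any driver loaded from outside System32\drivers. Matching on file name alone is a weak signal (the file can be renamed); a production rule should key on file hash and signer, as Microsoft's vulnerable driver blocklist does.

```python
import re
from dataclasses import dataclass

# Driver file names this article reports as abused by Lazarus for BYOVD.
KNOWN_BYOVD_DRIVERS = {
    "dbutil_2_3.sys": "Dell dbutil driver, CVE-2021-21551",
    "ene.sys": "ENE driver abuse detailed by AhnLab ASEC",
}

# Constructed sample records in the shape of Sysmon Event ID 6 (DriverLoad),
# flattened to key=value form for this example. Not real telemetry.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\dbutil_2_3.sys Signed=true Signature=Dell Inc.',
    'EventID=6 ImageLoaded=C:\\Windows\\Temp\\ENE.SYS Signed=true Signature=ENE TECHNOLOGY INC.',
    'EventID=7 Image=C:\\Program Files\\app.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll',
]

@dataclass
class Finding:
    path: str
    reason: str

# key=value pairs; a value runs until the next " key=" or end of line,
# so values containing spaces (signer names) survive intact.
_FIELD = re.compile(r'(\w+)=(.*?)(?=\s\w+=|$)')

def parse_event(line):
    return dict(_FIELD.findall(line))

def is_suspicious_location(path):
    """Drivers installed through normal channels live under System32\\drivers;
    a kernel driver loaded from a user-writable directory deserves a look."""
    return not path.lower().startswith("c:\\windows\\system32\\drivers\\")

def scan(lines):
    """Return a Finding for every DriverLoad event that matches a known
    BYOVD driver name or was loaded from a non-standard directory."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":      # only DriverLoad events
            continue
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_BYOVD_DRIVERS:
            findings.append(Finding(path, KNOWN_BYOVD_DRIVERS[name]))
        elif is_suspicious_location(path):
            findings.append(Finding(path, "driver loaded from non-standard directory"))
    return findings
```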
The findings are a demonstration of the Lazarus Group's tenacity and
ability to innovate and shift its tactics as required over the years
despite intense scrutiny of the collective's activities from both law
enforcement and the broader research community.
"The diversity, number, and eccentricity in implementation of Lazarus
campaigns define this group, as well as that it performs all three
pillars of cybercriminal activities: cyber espionage, cyber sabotage,
and pursuit of financial gain," the company said.