Lazarus APT employed an exploit in a Dell firmware driver in recent attacks

Pierluigi Paganini October 04, 2022

North Korea-linked Lazarus APT has been spotted deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver.

The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by relying on an exploit in a Dell firmware driver, dbutil_2_3.sys, ESET researchers warn.

The discovery was made by ESET researchers while investigating attacks conducted by the APT group against an employee of an aerospace company in the Netherlands, and a political journalist in Belgium during the autumn of 2021. Threat actors sent spear-phishing emails using malicious Amazon-themed documents as lures.

The attacks stand out for the use of a tool that represents the first recorded abuse of the CVE-2021-21551 vulnerability in Dell DBUtil drivers, which Dell addressed in May 2021.

ESET experts presented their findings at this year’s Virus Bulletin conference, highlighting the use of vulnerable drivers in the attack chain and defining the technique as Bring Your Own Vulnerable Driver (BYOVD).

The experts spotted a dynamically linked library, codenamed FudModule.dll, that tries to disable various Windows monitoring features. The library modifies kernel variables and removes kernel callbacks in an attempt to disable the features.

The experts pointed out that the attackers used the tool, in combination with the vulnerability, to disable the monitoring of all security solutions on compromised machines. The tool uses techniques against Windows kernel mechanisms that have never been observed in malware before.

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.” reads the post published by the experts.
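Because BYOVD depends on loading a known vulnerable driver, driver-load telemetry is one place to look for it. The following is an added example, not code from ESET's report or the original article: it scans Sysmon driver-load events (Event ID 6) for the dbutil_2_3.sys file name. The sample events, host names, paths and signer values are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# File name taken from the article; extend with your own driver blocklist.
VULNERABLE_DRIVERS = {"dbutil_2_3.sys"}

# Minimal Sysmon-style record; real events carry more fields (hashes, time).
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID><Computer>{host}</Computer></System>"
    '<EventData><Data Name="ImageLoaded">{path}</Data>'
    '<Data Name="Signature">{signer}</Data></EventData></Event>'
)
# Constructed sample telemetry: hosts, paths and signers are illustrative.
SAMPLE_EVENTS = [
    TEMPLATE.format(eid=6, host="WS-01", signer="Microsoft Windows",
                    path=r"C:\Windows\System32\drivers\tcpip.sys"),
    TEMPLATE.format(eid=6, host="WS-02", signer="Dell Inc.",
                    path=r"C:\Windows\Temp\DBUtil_2_3.sys"),
    TEMPLATE.format(eid=7, host="WS-02", signer="Microsoft Windows",
                    path=r"C:\Windows\System32\version.dll"),
    "<Event><System>",  # truncated record, must not stop the scan
]


def find_vulnerable_driver_loads(xml_events, blocklist=VULNERABLE_DRIVERS):
    """Return driver-load events (ID 6) whose file name is on the blocklist."""
    names = {n.lower() for n in blocklist}
    hits = []
    for raw in xml_events:
        try:
            root = ET.fromstring(raw)
        except ET.ParseError:
            continue  # skip malformed input instead of aborting
        if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
            continue  # only driver loads are relevant here
        data = {d.get("Name"): d.text or ""
                for d in root.iterfind("e:EventData/e:Data", NS)}
        path = data.get("ImageLoaded", "")
        # Compare the base name case-insensitively, whatever the directory.
        if ntpath.basename(path).lower() in names:
            hits.append({"host": root.findtext("e:System/e:Computer", namespaces=NS),
                         "path": path, "signer": data.get("Signature", "")})
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable_driver_loads(SAMPLE_EVENTS):
        print(f"{hit['host']}: {hit['path']} (signed by {hit['signer']})")
```

A file-name match misses renamed copies, so pair it with a hash-based driver blocklist. A valid vendor signature on the flagged driver is expected in BYOVD and does not indicate the load is benign.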

Threat actors sent job offers to the targets: the employee of the aerospace company in the Netherlands received an attachment via LinkedIn Messaging, while the journalist in Belgium received a document via email. Once the documents were opened, the attack chain started, and the threat actors were able to deploy multiple malicious tools on each system, including droppers, loaders, fully featured HTTP(S) backdoors, and HTTP(S) uploaders and downloaders. The droppers were trojanized open-source projects that decrypt the embedded payload; in many cases the attackers side-loaded binaries to run the malicious code.

ESET also reported that the Lazarus group was dropping weaponized versions of FingerText and sslSniffer, a component of the wolfSSL project.

The attackers also employed known malware such as BLINDINGCAN, which was used to establish a backdoor into the compromised infrastructure.

“In this attack, as well as in many others attributed to Lazarus, we saw that many tools were distributed even on a single targeted endpoint in a network of interest. Without a doubt, the team behind the attack is quite large, systematically organized, and well prepared. For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning off the monitoring of all security solutions.” concludes the report. “It was not just done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills.”
