APT Group Lazarus Exploits High Severity Flaw in Dell Driver
The state-sponsored Lazarus group has been using a new strategy known as Bring Your Own Vulnerable Driver (BYOVD). The group was observed exploiting a vulnerability in a Dell firmware driver to install a Windows rootkit. The high-severity flaw is tracked as CVE‑2021‑21551.
Researchers from ESET made the discovery while looking into spear-phishing attacks in August 2021.
Initial Access by Phishing
The targets were aerospace company employees in the Netherlands and a political journalist in Belgium. They were convinced to open the documents by fake job offers, delivered as malicious Amazon-themed documents.
During the attack, the Lazarus APT group distributed malicious droppers designed to steal data and conduct espionage. They additionally deployed an HTTPS backdoor remote access trojan named Blindingcan.
As droppers, trojanized versions of open-source projects like sslSniffer, lecui, and FingerText were used.
Rootkit Module Disables Security
The most notable tool used was FudModule, a rootkit module that can read and write kernel memory.
According to an ESET researcher, this attack is the first documented abuse of CVE‑2021‑21551, a flaw in the Dell driver dbutil_2_3.sys that leads to privilege escalation.
Combined with the vulnerability, the tool disables the monitoring performed by all security solutions on the affected machines.
FudModule accomplishes its aims through a variety of techniques that are “either not known before or familiar only to specialized security researchers and (anti-)cheat developers,” according to ESET.
The attackers then used their write access to kernel memory to disable seven mechanisms that the Windows operating system uses to monitor its own activity, such as the registry, file system, process creation and event tracing, among others.
The threat actor has previously leveraged a vulnerable driver to amplify its rootkit attacks. A legitimate driver called ene.sys was exploited just last month, according to AhnLab’s ASEC, to disable the computers’ security software.
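As an added defender-side example (not part of this article, nor ESET's or Dell's tooling), the following PowerShell hunt looks for the dbutil_2_3.sys driver named above on a Windows host; it assumes an elevated session and, for the last check, that Sysmon is installed with driver-load (Event ID 6) logging enabled.

```powershell
# Added example: hunt for the vulnerable Dell driver dbutil_2_3.sys on a Windows host.
# Assumptions: elevated session; Sysmon present for the Event ID 6 query (otherwise skipped).
$DriverName = 'dbutil_2_3.sys'
$Findings   = @()

# 1. Is the driver registered or currently running as a kernel service?
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -match [regex]::Escape($DriverName)) } |
    ForEach-Object {
        $Findings += [pscustomobject]@{ Source = 'Win32_SystemDriver'
                                        Detail = "$($_.Name) state=$($_.State) path=$($_.PathName)" }
    }

# 2. Does a copy sit on disk? Dell's update utility is commonly reported to drop the file
#    under the user's temp folder; other typical drop locations are searched as well.
$SearchRoots = @($env:TEMP, "$env:SystemRoot\Temp", "$env:SystemRoot\System32\drivers", $env:ProgramData)
foreach ($Root in $SearchRoots) {
    Get-ChildItem -Path $Root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # A valid Dell signature does NOT clear the file: BYOVD relies on the driver
            # being legitimately signed. Presence outside a Dell firmware update is the signal.
            $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $Findings += [pscustomobject]@{ Source = 'Disk'
                                            Detail = "$($_.FullName) signer=$($Sig.SignerCertificate.Subject) status=$($Sig.Status)" }
        }
}

# 3. Sysmon Event ID 6 (DriverLoad): was the driver loaded at any point in the retained log?
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } -ErrorAction Stop |
        Where-Object { $_.Message -match [regex]::Escape($DriverName) } |
        ForEach-Object {
            $Image = if ($_.Message -match 'ImageLoaded:\s*(.+)') { $Matches[1].Trim() } else { '(path not parsed)' }
            $Findings += [pscustomobject]@{ Source = 'Sysmon DriverLoad'; Detail = "$($_.TimeCreated) $Image" }
        }
} catch {
    Write-Verbose "Sysmon operational log not available: $_"
}

if ($Findings) { $Findings | Format-Table -AutoSize -Wrap } else { Write-Output "No trace of $DriverName found." }
```

Any hit from the first or third check on a machine with no pending Dell firmware update warrants collecting the file and reviewing surrounding process-creation events.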
The results show the Lazarus Group’s perseverance and its capacity to adapt and change its strategies over time.
The best practice is to raise awareness of phishing scams to prevent initial access and further risks.
All tools used in the attack and detection tips can be found on ESET’s blog.
IOCs
Samples (SHA-1):
Rootkit FudModule.dll (SHA-1):
- 296D882CB926070F6E43C99B9E1683497B6F17C4
C2 Servers:
- hxxps://turnscor[.]com/wp-includes/feedback[.]php
- hxxps://aquaprographix[.]com/patterns/Map/maps[.]php
- hxxp://www.stracarrara[.]org/images/img[.]asp
Full IOCs by ESET are available on GitHub.
MITRE ATT&CK TTPs:
Tactic | Technique
--- | ---
Execution | Native API
Execution | Command and Scripting Interpreter: Windows Command Shell
Defense Evasion | Deobfuscate/Decode Files or Information
Defense Evasion | Indicator Removal on Host: Timestomp
Defense Evasion | Hijack Execution Flow: DLL Side-Loading
Defense Evasion | Rootkit
Defense Evasion | Obfuscated Files or Information: Software Packing
Defense Evasion | System Binary Proxy Execution: Rundll32
Command and Control | Application Layer Protocol: Web Protocols
Command and Control | Encrypted Channel: Symmetric Cryptography
Command and Control | Data Encoding: Standard Encoding
Exfiltration | Archive Collected Data: Archive via Library
Resource Development | Acquire Infrastructure: Server
Resource Development | Develop Capabilities: Malware
Execution | User Execution: Malicious File
Initial Access | Phishing: Spearphishing via Service
Initial Access | Phishing: Spearphishing Attachment
Persistence | Boot or Logon Autostart Execution: Kernel Modules and Extensions
Persistence | Boot or Logon Autostart Execution: Startup Folder