SOCRadar® Cyber Intelligence Inc. | APT Group Lazarus Exploits High Severity Flaw in Dell Driver
Home

Resources

Blog
Oct 05, 2022
4 Mins Read

APT Group Lazarus Exploits High Severity Flaw in Dell Driver

The state-sponsored Lazarus group has been using a new strategy called Bring Your Own Vulnerable Driver (BYOVD) attack. The group was observed using a vulnerability in the Dell firmware driver to install a Windows rootkit. The high-severity flaw is tracked as CVE‑2021‑21551.

Researchers from ESET made the discovery while looking into spear-phishing attacks in August 2021. 

Initial Access by Phishing 

The attack targets were aerospace company employees in the Netherlands and a political journalist in Belgium. The targets were convinced to open the documents by fake job offers, which included the use of malicious Amazon documents. 

During the attack, the Lazarus APT group distributed malicious droppers designed to steal data and conduct espionage. They additionally deployed an HTTPS backdoor remote access trojan named Blindingcan.

As droppers, trojanized versions of open-source projects like sslSnifferlecui, and FingerText were used.

Rootkit Module Disables Security 

The most notable tool used was FudModule, a rootkit module that enables to read and write kernel memory. 

According to an ESET researcher, this attack shows the first documented abuse of CVE‑2021‑21551, which leads to privilege escalation due to the driver’s (dbutil_2_3.sys) flaw.

The tool disables monitoring all security solutions on affected machines when combined with the vulnerability. 

FudModule accomplishes its aims through a variety of techniques that are “either not known before or familiar only to specialized security researchers and (anti-)cheat developers,” according to ESET. 

The attackers then used their write access to kernel memory to disable the Windows operating system’s seven mechanisms to monitor its actions, such as the registry, file system, process creation, event tracing, etc. 

The threat actor has previously leveraged a weak driver to amplify its rootkit attacks. A genuine driver called ene.sys was exploited just last month, according to AhnLab’s ASEC, to disable the computers’ security software. 

The results show the Lazarus Group‘s perseverance and capacity to adapt and change its strategies over time. 

The best practice is to raise awareness of phishing scams to prevent initial access and further risks. 

All tools used in the attack and detection tips can be found on ESET’s blog.

IOCs

Samples (SHA-1):

  • 001386CBBC258C3FCC64145C74212A024EAA6657
  • 085F3A694A1EECDE76A69335CD1EA7F345D61456
  • 4AA48160B0DB2F10C7920349E3DCCE01CCE23FE3
  • 55CAB89CB8DABCAA944D0BCA5CBBBEB86A11EA12
  • 569234EDFB631B4F99656529EC21067A4C933969
  • 735B7E9DFA7AF03B751075FD6D3DE45FBF0330A2
  • 806668ECC4BFB271E645ACB42F22F750BFF8EE96
  • 83CF7D8EF1A241001C599B9BCC8940E089B613FB
  • 97DAAB7B422210AB256824D9759C0DBA319CA468
  • BD5DCB90C5B5FA7F5350EA2B9ACE56E62385CA65
  • C71C19DBB5F40DBB9A721DC05D4F9860590A5762
  • FD6D0080D27929C803A91F268B719F725396FE79

Rootkit FudModule.dll (SHA-1):

  • 296D882CB926070F6E43C99B9E1683497B6F17C4

C2 Servers:

  • hxxps://turnscor[.]com/wp-includes/feedback[.]php
  • hxxps://aquaprographix[.]com/patterns/Map/maps[.]php
  • hxxp://www.stracarrara[.]org/images/img[.]asp

Full IOCs by ESET are available on GitHub.

MITRE ATT&CK TTPs:

Tactic

ID

Name

Execution

T1106

Native API

T1059.003

Command and Scripting Interpreter: Windows Command Shell

Defense Evasion

T1140

Deobfuscate/Decode Files or Information

T1070.006

Indicator Removal on Host: Timestomp

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1014

Rootkit

T1027.002

Obfuscated Files or Information: Software Packing

T1218.011

System Binary Proxy Execution: Rundll32

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

T1573.001

Encrypted Channel: Symmetric Cryptography

T1132.001

Data Encoding: Standard Encoding

Exfiltration

T1560.002

Archive Collected Data: Archive via Library

Resource Development

T1584.004

Acquire Infrastructure: Server

Develop Capabilities

T1587.001

Malware

Execution

T1204.002

User Execution: Malicious File

Initial Access

T1566.003

Phishing: Spearphishing via Service

T1566.001

Phishing: Spearphishing Attachment

Persistence

T1547.006

Boot or Logon Autostart Execution: Kernel Modules and Extensions

T1547.001

Boot or Logon Autostart Execution: Startup Folder