APT Group Lazarus Exploits High Severity Flaw in Dell Driver
The state-sponsored Lazarus group has been observed using a new technique called Bring Your Own Vulnerable Driver (BYOVD): the group abused a vulnerability in a Dell firmware driver to install a Windows rootkit. The high-severity flaw is tracked as CVE-2021-21551.
Researchers from ESET made the discovery while looking into spear-phishing attacks in August 2021.
Initial Access by Phishing
The attack targets were aerospace company employees in the Netherlands and a political journalist in Belgium. The targets were lured into opening the malicious documents by fake job offers that posed as Amazon documents.
During the attack, the Lazarus APT group distributed malicious droppers designed to steal data and conduct espionage. They additionally deployed an HTTPS backdoor remote access trojan named Blindingcan.
As droppers, trojanized versions of open-source projects like sslSniffer, lecui, and FingerText were used.
Rootkit Module Disables Security
The most notable tool used was FudModule, a rootkit module that enables reading and writing kernel memory.
According to an ESET researcher, this attack is the first documented abuse of CVE-2021-21551, a flaw in the driver dbutil_2_3.sys that leads to privilege escalation.
Combined with the vulnerability, the tool disables the monitoring performed by all security solutions on affected machines.
FudModule accomplishes its aims through a variety of techniques that are “either not known before or familiar only to specialized security researchers and (anti-)cheat developers,” according to ESET.
The attackers then used their write access to kernel memory to disable seven Windows mechanisms that monitor system activity, such as the registry, file system, process creation, event tracing, etc.
The threat actor has previously leveraged a vulnerable driver to amplify its rootkit attacks. A legitimate driver called ene.sys was exploited just last month, according to AhnLab’s ASEC, to disable the computers’ security software.
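As an added example (not code from ESET or from this article), the following Python detection heuristic runs over constructed driver-load records and flags the two driver names mentioned above, as well as any driver loaded from outside the standard Windows driver directories, which is the typical footprint of a BYOVD attack. The log format, the trusted-directory list, and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable

# Drivers named on this page as abused for BYOVD. Production blocklists
# (e.g. Microsoft's vulnerable driver blocklist) match on hash or signer;
# matching on file name here is deliberately simple and illustrative.
KNOWN_VULNERABLE_DRIVERS = {"dbutil_2_3.sys", "ene.sys"}

# Directories from which signed drivers are normally loaded (assumption).
# A driver loaded from a user profile or temp path is a BYOVD indicator.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

@dataclass
class Alert:
    driver: str
    path: str
    reason: str

def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value;Key=Value' record (Sysmon-like, not the real XML)."""
    return dict(kv.split("=", 1) for kv in line.rstrip(";").split(";"))

def detect_byovd(events: Iterable[str]) -> list[Alert]:
    """Return an Alert for every suspicious driver-load (EventID 6) record."""
    alerts: list[Alert] = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "6":          # only 'Driver loaded' events
            continue
        path = ev["ImageLoaded"]
        name = path.lower().rsplit("\\", 1)[-1]
        if name in KNOWN_VULNERABLE_DRIVERS:
            alerts.append(Alert(name, path, "known vulnerable driver"))
        if not path.lower().startswith(TRUSTED_DRIVER_DIRS):
            alerts.append(Alert(name, path, "driver loaded from non-standard directory"))
    return alerts

# Constructed sample telemetry; none of these values are real IoCs.
SAMPLE_EVENTS = [
    "EventID=6;ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys;Signed=true",
    "EventID=6;ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\dbutil_2_3.sys;Signed=true",
    "EventID=1;Image=C:\\Windows\\System32\\rundll32.exe;CommandLine=rundll32.exe FudModule.dll",
]

if __name__ == "__main__":
    for a in detect_byovd(SAMPLE_EVENTS):
        print(f"[{a.reason}] {a.driver} <- {a.path}")
```

The signed-but-vulnerable driver passes code-signing checks by design, which is why the path and name heuristics matter in addition to signature validation.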
The findings show the Lazarus Group’s perseverance and its capacity to adapt and change its tactics over time.
All tools used in the attack and detection tips can be found on ESET’s blog.
Rootkit FudModule.dll (SHA-1):
Full IOCs by ESET are available on GitHub.
MITRE ATT&CK TTPs:
Command and Scripting Interpreter: Windows Command Shell
Deobfuscate/Decode Files or Information
Indicator Removal on Host: Timestomp
Hijack Execution Flow: DLL Side-Loading
Obfuscated Files or Information: Software Packing
System Binary Proxy Execution: Rundll32
Command and Control
Application Layer Protocol: Web Protocols
Encrypted Channel: Symmetric Cryptography
Data Encoding: Standard Encoding
Archive Collected Data: Archive via Library
Acquire Infrastructure: Server
User Execution: Malicious File
Phishing: Spearphishing via Service
Phishing: Spearphishing Attachment
Boot or Logon Autostart Execution: Kernel Modules and Extensions
Boot or Logon Autostart Execution: Startup Folder