Lazarus Hackers Employed Spear-Phishing Campaign to Target European Workers

The spear-phishing campaign began in the autumn of 2021 and ran until March 2022.

ESET researchers have spotted the infamous Lazarus APT group installing a Windows rootkit that exploits a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack.

In a spear-phishing campaign that began in the autumn of 2021 and ran until March 2022, the hackers targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium.

Exploiting a Dell driver in BYOVD attacks

According to ESET, the malicious campaign was mostly geared toward attacking European contractors with fake job offers. The hackers exploited LinkedIn and WhatsApp by posing as recruiters to deliver malicious components disguised as job descriptions or application forms.

Upon clicking on these documents, a remote template was downloaded from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more.

The most notable tool delivered in this campaign was a new FudModule rootkit that employs a BYOVD (Bring Your Own Vulnerable Driver) methodology to exploit a security bug in a Dell hardware driver.

The hackers were exploiting the vulnerability tracked as CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”), which covers a set of five flaws that remained unpatched for 12 years before the vendor finally published security fixes for it.

The APT group employed the Bring Your Own Vulnerable Driver (BYOVD) technique: installing authentic, signed drivers in Windows that also contain known vulnerabilities. Because the kernel driver is validly signed, Windows allows it to be installed in the operating system. The hackers can then exploit the driver’s flaws to run code with kernel-level privileges.

In December last year, Rapid7 researchers issued a warning that this specific driver was a perfect match for BYOVD attacks due to Dell’s inadequate fixes, which allowed kernel code execution even on recent, signed versions. It appears that Lazarus was familiar with this potential for exploitation and abused the Dell driver well before threat analysts issued their public warnings.
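Because a BYOVD driver carries a valid signature, a signature check alone will not catch it; defenders instead match driver-load telemetry against a list of known-abusable driver names and watch for loads from unusual paths. The following is an added example (not ESET’s, Dell’s or Rapid7’s code) that runs such a check over constructed log lines written in the style of Sysmon Event ID 6 (DriverLoad) fields; the sample events and the blocklist contents are assumptions.

```python
"""Flag kernel-driver load events for drivers known to be abusable in
BYOVD attacks. The event lines below are constructed samples modelled on
Sysmon Event ID 6 (DriverLoad) fields, not real telemetry."""
import re

# Driver file names to alert on. dbutil_2_3.sys is the Dell driver tied
# to CVE-2021-21551 in the article; extend the set with your own list.
BYOVD_DRIVER_NAMES = {"dbutil_2_3.sys"}

# Directories where legitimately installed drivers normally live.
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Constructed sample events: a benign load, then two loads of the
# vulnerable Dell driver. Both are validly signed, as BYOVD relies on.
SAMPLE_EVENTS = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\DBUtil_2_3.sys Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\dbutil_2_3.sys Signed=true SignatureStatus=Valid",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one 'Key=Value Key=Value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return a list of reasons this DriverLoad event is suspicious.
    Signed=true is deliberately NOT used to clear the event: a BYOVD
    driver is legitimately signed, so a valid signature is expected."""
    if event.get("EventID") != "6":
        return []
    path = event.get("ImageLoaded", "").replace("/", "\\")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in BYOVD_DRIVER_NAMES:
        reasons.append("known BYOVD driver name")
    if not path.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from unexpected directory")
    return reasons


def scan(lines):
    """Return (ImageLoaded, reasons) for every flagged event, in order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits
```

The path heuristic is a supporting signal only; a driver copied into System32\drivers would still be caught by the name match, while a renamed copy would need a hash-based blocklist instead.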

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” researchers explained.

The APT group also delivered its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first unearthed by U.S. intelligence in August 2020 and linked to Lazarus by Kaspersky in October last year. Other tools deployed in the spear-phishing campaign are the FudModule Rootkit, an HTTP(S) uploader employed for secure data theft, and multiple trojanized open-source apps like wolfSSL and FingerText.