Lazarus hackers exploit Dell driver bug for BYOVD attacks
ESET researchers have uncovered the malicious activities of Lazarus, a North Korean hacking group that exploits a Dell hardware driver flaw for Bring Your Own Vulnerable Driver attacks.
In order to carry out their nefarious malware campaign, the targets receive fake job offers via email. Once the document is opened, a remote template is downloaded from a hardcoded address, followed by infections that involve malware loaders, droppers, custom backdoors, and other types of malicious activity.
ESET identified a new FudModule rootkit that abuses a BYOVD (Bring Your Own Vulnerable Driver) technique to exploit a vulnerability in a Dell hardware driver. Threat actors are now exploiting the driver vulnerabilities to launch commands with kernel-level privileges.
A Bring Your Own Vulnerable Driver (BYOVD) attack occurs when an attacker loads legitimate signed drivers into Windows that also contain known vulnerabilities.
“This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way,” ESET said.
Lazarus hackers are targeting mainly users in the EU, including an aerospace expert in the Netherlands and a political journalist in Belgium. The aim of the campaign is to conduct cyber espionage and steal data.
The vulnerabilities in the driver can also be exploited to launch commands with kernel privileges, and the group also used its proprietary HTTP(S) backdoor ‘BLINDINGCAN’, a remote access trojan (RAT) supported by an undocumented server-side dashboard that carries out parameter validation. The backdoor supports an extensive set of 25 commands and covers file actions, command execution, C2 communication configuration, screenshot capture, process creation and termination, and exfiltration of system information.
The sources for this piece include an article in BleepingComputer.