Lazarus hackers exploit Dell driver bug for BYOVD attacks

October 17, 2022
ESET researchers have uncovered a campaign by Lazarus, a North Korean hacking group, that exploits a flaw in a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack.

The campaign starts with fake job offers sent to the targets by email. When the attached document is opened, it downloads a remote template from a hardcoded address, and that template kicks off an infection chain of malware loaders, droppers, custom backdoors and other malicious components.
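As an added example (not code from the original article or from ESET), the following Python script shows how to check a .docx for the remote-template pattern the article describes. Word records an attached template as a relationship in word/_rels/settings.xml.rels; when that relationship is marked External and points at an http(s) or UNC address, Word fetches the template from that address on open, which is exactly the hardcoded remote address in the lure. The minimal documents and the TEST-NET address in them are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces involved in declaring an attached template.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
TEMPLATE_REL = DOC_REL_NS + "/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def build_docx(template_target=None):
    """Build a minimal, constructed .docx in memory (only the members the check
    needs). With template_target set, the document declares that address as an
    external attached template, which is the remote-template injection pattern."""
    if template_target:
        settings = ('<w:settings xmlns:w="%s" xmlns:r="%s">'
                    '<w:attachedTemplate r:id="rId1"/></w:settings>' % (W_NS, DOC_REL_NS))
        rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                'Target="%s" TargetMode="External"/></Relationships>'
                % (PKG_REL_NS, TEMPLATE_REL, template_target))
    else:
        settings = '<w:settings xmlns:w="%s"/>' % W_NS
        rels = '<Relationships xmlns="%s"/>' % PKG_REL_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", '<w:document xmlns:w="%s"/>' % W_NS)
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


def find_remote_templates(docx_bytes):
    """Return every external attachedTemplate target declared in the document."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return targets  # no settings relationships at all, nothing to fetch
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
            if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target"))
    return targets


def is_network_target(target):
    """True for targets Word would fetch over the network (http, https, UNC).
    A local .dotx/.dotm path is normal; a hardcoded remote address is the lure pattern."""
    return re.match(r"^(https?://|\\\\)", target, re.IGNORECASE) is not None


def scan_docx(docx_bytes):
    """Return the remote template targets that need analyst attention."""
    return [t for t in find_remote_templates(docx_bytes) if is_network_target(t)]


if __name__ == "__main__":
    benign = build_docx()
    lure = build_docx("http://198.51.100.7/template.dotm")  # constructed TEST-NET address
    print("benign:", scan_docx(benign))
    print("lure:  ", scan_docx(lure))
```

The same relationship file also carries other external relationships (hyperlinks, OLE objects), so a fuller triage tool would list every External target rather than only attachedTemplate, but the template relationship is the one that fires without any user interaction beyond opening the file.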

ESET identified a new rootkit, FudModule, that uses the BYOVD technique to exploit a vulnerability in a Dell hardware driver. The driver flaw gives the attackers read and write access to kernel memory, which they use to run code with kernel-level privileges.

In a Bring Your Own Vulnerable Driver (BYOVD) attack, the attacker brings a legitimate, validly signed driver that is known to be vulnerable, loads it into Windows, and then exploits its flaw to read and write kernel memory. Because the signature is valid, driver signature enforcement does not stop the load; the controls that do are driver blocklists such as the vulnerable driver blocklist Microsoft ships for WDAC and HVCI. Loading a driver requires administrative rights, so BYOVD is a step from administrator to kernel, not an initial foothold; in this campaign the foothold is the phishing document.

“This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way,” ESET said.
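The following Python script is an added example, not code from the article or from ESET, of how a detection engineer would triage driver-load telemetry for the BYOVD pattern described above. It reads Sysmon Event ID 6 (DriverLoad) records in their EVTX XML form, flags drivers loaded from outside the system driver directories, matches the file name against a small deny list, and deliberately treats a valid signature on a suspicious load as confirmation of the pattern rather than as grounds to allowlist. The three event records, the vendor name and the paths in them are constructed for the example. The deny-list entry dbutil_2_3.sys is the Dell driver (CVE-2021-21551) named in ESET's published report; this article does not name it.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Directories a legitimately installed driver loads from. Anything else
# (Temp, ProgramData, user profiles) is the strongest single BYOVD signal,
# because the attacker drops the driver next to the payload instead of
# installing it through the driver store.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Known-vulnerable driver names. dbutil_2_3.sys is the Dell driver from ESET's
# report (CVE-2021-21551). A production list should key on SHA-256 hashes
# (for example from Microsoft's vulnerable driver blocklist), since a file name
# is trivially changed; names are used here only to keep the example self-contained.
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon EVTX XML record into a dict of EventID plus EventData fields."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.find(f"{EVT_NS}System/{EVT_NS}EventID").text)}
    for data in root.iter(f"{EVT_NS}Data"):
        rec[data.get("Name")] = (data.text or "").strip()
    return rec


def triage_driver_load(rec):
    """Return findings for a Sysmon Event ID 6 (DriverLoad) record; [] if benign."""
    if rec.get("EventID") != 6:
        return []
    image = rec.get("ImageLoaded", "")
    path = PureWindowsPath(image)
    folder = str(path.parent).lower()
    findings = []
    if not any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS):
        findings.append(f"loaded from non-standard path: {image}")
    if path.name.lower() in VULNERABLE_DRIVER_NAMES:
        findings.append(f"known vulnerable driver: {path.name}")
    # BYOVD relies on a valid vendor signature, so a valid signature on an
    # otherwise suspicious load confirms the pattern; it is not an alibi.
    if findings and rec.get("SignatureStatus", "").lower() == "valid":
        findings.append(f"validly signed by '{rec.get('Signature')}'; do not allowlist on signature")
    return findings


def triage_events(xml_records):
    """Map each record's driver file name to its findings."""
    out = {}
    for xml_text in xml_records:
        rec = parse_sysmon_event(xml_text)
        out[PureWindowsPath(rec.get("ImageLoaded", "")).name] = triage_driver_load(rec)
    return out


def make_event(event_id, image, signed, signature, status):
    # Constructed record in the shape Sysmon writes to the EVTX log.
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="UtcTime">2022-10-17 09:00:00.000</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signature}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [  # constructed for the example
    make_event(6, r"C:\Windows\System32\drivers\ndis.sys", "true", "Microsoft Windows", "Valid"),
    make_event(6, r"C:\Users\Public\dbutil_2_3.sys", "true", "Dell Inc.", "Valid"),
    make_event(6, r"C:\ProgramData\Updater\vendor.sys", "true", "Example Vendor", "Valid"),
]

if __name__ == "__main__":
    for name, findings in triage_events(SAMPLE_EVENTS).items():
        print(name, "->", findings or "ok")
```

The path heuristic catches the third sample even though its name is not on the deny list, which is the point: a deny list only knows yesterday's drivers, while a signed driver loading from ProgramData is anomalous regardless of who signed it. Pair this with the Windows Security log (event 4697 for service installation) to see which account installed the driver service.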

The campaign mainly targets users in the EU, including an aerospace expert in the Netherlands and a political journalist in Belgium. Its aim is cyber espionage and data theft.

Alongside the rootkit, the group used its proprietary HTTP(S) backdoor BLINDINGCAN, a remote access trojan (RAT) served by an undocumented server-side dashboard that validates the parameters it receives. The backdoor supports 25 commands covering file actions, command execution, C2 communication configuration, screenshot capture, process creation and termination, and exfiltration of system information.

The sources for this piece include an article in BleepingComputer.

Publisher: TuxCare

