The North Korean state-sponsored group, Lazarus Group, leveraged a rootkit in two attacks that abused a known vulnerability in a Dell driver in order to disable various Windows monitoring features.
Researchers observed the attackers targeting two victims last year, including a political journalist at a media outlet in Belgium and an employee at an aerospace company in the Netherlands. Both targets received malicious attachments purporting to be Amazon-themed job offers (one sent via LinkedIn messaging and the other sent via email) that, once opened, started the chain of attack. The most noteworthy aspect of the attack chain was a rootkit (called FudModule.dll) that targeted a Dell vulnerability (CVE-2021-21551), which was previously fixed by Dell in May 2021 and impacts the DBUtil firmware update driver module that comes pre-installed on most Dell machines running Windows. If exploited, the flaw allows attackers to read and write kernel memory.
“This is the first ever recorded abuse of this vulnerability in the wild,” said Peter Kálnai, senior malware researcher with ESET, in an analysis last week. “The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”
After victims opened these malicious documents, several malicious tools were deployed within hours, over a sequence of stages that marks a typical trait for the Lazarus Group. One of these tools was an HTTP(S) backdoor, with similarities to Lazarus Group’s previously identified BlindingCan RAT. This backdoor has several capabilities, including the ability to send system information back to the command-and-control (C2), download files, terminate processes and files, take screenshots and more. Attackers also used a dropper, which is a trojanized GOnpp plug-in for Notepad++, an intermediate loader, used to load and execute additional payloads in memory, as well as an HTTP(S) downloader and uploader responsible for data exfiltration.
Researchers attributed the attack to the Lazarus Group with a “high level of confidence,” due to several factors, including the HTTP(S) backdoor’s similarities to Lazarus Group's BlindingCan backdoor, the use of a code-signing certificate for signing one of the droppers that was previously used by the group, and more.
The Lazarus Group has been highly active over the past year and leveraged a number of initial access vectors and targets, with Microsoft recently highlighting the activity of a Lazarus affiliate called Zinc that was posing as job recruiters on LinkedIn with the goal of delivering a trojanized versions of legitimate open source applications. Earlier in September, researchers with Cisco Talos also noted that the state-sponsored actor was compromising VMware Horizon servers by exploiting the Log4j flaw in order to target energy companies in the U.S., Canada and Japan. ESET researchers said that the complexity of this specific attack provides further indication that Lazarus consists of a large team that is ”systematically organized and well prepared.”
“From the defenders’ point of view, it seems easier to limit the possibilities of initial access than to block the robust toolset that would be installed after determined attackers gain a foothold in the system,” said Kálnai. “As in many cases in the past, an employee falling prey to the attackers’ lure was the initial point of failure here. In sensitive networks, companies should insist that employees not pursue their personal agendas, like job hunting, on devices belonging to their company’s infrastructure.”