
Lazarus APT employed an exploit in a Dell firmware driver in recent attacks


North Korea-linked Lazarus APT has been spotted deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver.

The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by relying on an exploit for the Dell firmware driver dbutil_2_3.sys, ESET researchers warn.

The discovery was made by ESET researchers while investigating attacks conducted by the APT group against an employee of an aerospace company in the Netherlands, and a political journalist in Belgium during the autumn of 2021. Threat actors sent spear-phishing emails using malicious Amazon-themed documents as lures.

The attacks stand out for the use of a tool that represents the first recorded abuse of the CVE-2021-21551 vulnerability in Dell DBUtil drivers, which Dell addressed in May 2021.

ESET experts presented their findings at this year’s Virus Bulletin conference highlighting the use of vulnerable drivers in the attack chain, defining the technique as Bring Your Own Vulnerable Driver (BYOVD).

The experts spotted a dynamically linked library, codenamed FudModule.dll, that tries to disable various Windows monitoring features. The library modifies kernel variables and removes kernel callbacks in an attempt to disable those features.

The experts pointed out that the attackers used the tool, in combination with the vulnerability, to disable the monitoring of all security solutions on compromised machines. It uses techniques against Windows kernel mechanisms that have never been observed in malware before.
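Because a BYOVD attack loads a legitimately signed driver, signature checks alone do not catch it; defenders instead watch for the known-vulnerable driver name and for drivers loaded from unusual locations. The following is an added example, not code from the article or from ESET: a small scanner over Sysmon "Driver loaded" (Event ID 6) records that flags the Dell driver named in the article. The only real identifiers used are dbutil_2_3.sys and CVE-2021-21551; the key=value log format and the sample records are constructed for this example, and the block list is assumed to be maintained by the reader.

```python
"""
Added example (not from the Security Affairs article or ESET's research):
flag Bring Your Own Vulnerable Driver (BYOVD) activity from Sysmon
Event ID 6 ("Driver loaded") records.  The Sysmon field names (ImageLoaded,
Signed, Signature, SignatureStatus) are real; the key=value serialisation
and the sample events below are constructed for this example.
"""
import ntpath
import re
from typing import Dict, List

# Driver names a fleet should never load.  Only the driver named in the
# article is listed; a real deployment would extend this from a vetted
# block list (assumption: maintained by the reader).
KNOWN_VULNERABLE_DRIVERS = {
    "dbutil_2_3.sys": "CVE-2021-21551",  # Dell DBUtil driver abused by Lazarus
}

# Directories Windows normally loads drivers from; anything else is a
# heuristic signal, not proof of abuse.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon records, one event per line.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\dbutil_2_3.sys Signed=true Signature="Dell Inc." SignatureStatus=Valid',
    'EventID=6 ImageLoaded=C:\\Temp\\helper.sys Signed=false Signature="" SignatureStatus=Unavailable',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c whoami"',
]

# key=value pairs; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict, stripping quotes from quoted values."""
    fields: Dict[str, str] = {}
    for key, raw, quoted in _KV.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def assess_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a driver-load event deserves attention (empty = benign)."""
    if event.get("EventID") != "6":
        return []
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    reasons: List[str] = []
    # The decisive check for BYOVD: the driver is legitimately signed, so
    # only its identity gives it away.
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver ({KNOWN_VULNERABLE_DRIVERS[name]})")
    if not path.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the standard driver directories")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every record through the assessment and collect the findings."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        reasons = assess_driver_load(event)
        if reasons:
            findings.append({
                "driver": ntpath.basename(event["ImageLoaded"]),
                "path": event["ImageLoaded"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Note that the Dell driver in the constructed sample carries a valid vendor signature and is only caught by name, which is the practical lesson of BYOVD: keep the block list current (Microsoft's vulnerable driver blocklist and HVCI enforce one at the OS level) and treat driver loads from user-writable paths as worth a look even when signed.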

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.” reads the post published by the experts.

Threat actors sent job offers to the targets: the employee of the aerospace company in the Netherlands received an attachment via LinkedIn Messaging, while the journalist in Belgium received a document via email. Once the documents were opened, the attack chain started and the threat actors were able to deploy multiple malicious tools on each system, including droppers, loaders, fully featured HTTP(S) backdoors, and HTTP(S) uploaders and downloaders. The droppers were trojanized open-source projects that decrypt the embedded payload; in many cases the attackers side-loaded binaries to run the malicious code.

ESET also reported that the Lazarus group was dropping weaponized versions of FingerText and sslSniffer, a component of the wolfSSL project.

The attackers also employed known malware like BLINDINGCAN that was used to establish a backdoor into the compromised infrastructure.

“In this attack, as well as in many others attributed to Lazarus, we saw that many tools were distributed even on a single targeted endpoint in a network of interest. Without a doubt, the team behind the attack is quite large, systematically organized, and well prepared. For the first time in the wild, the attackers were able to leverage CVE-2021-21551 for turning off the monitoring of all security solutions.” concludes the report. “It was not just done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills.”


Pierluigi Paganini

(SecurityAffairs – hacking, Lazarus)
