Lazarus hackers target Dell drivers with new rootkit

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

It seems as blockchain developers and artists are not the only ones Lazarus Group targets with fake job offers. 

Aerospace experts and political journalists in Europe have also been recently targeted with the same form of social engineering attacks, with the same goal - corporate espionage and data exfiltration from business devices. 

What makes this campaign unique, however, is the fact that the targets were infected with legitimate drivers.

Disabling monitoring mechanisms

Cybersecurity researchers from ESET have recently seen Lazarus Group - a known North Korean state-sponsored threat actor, approaching the abovementioned individuals with fake job offers from Amazon

Those that accepted the offer, and downloaded fake job description PDF files, have had an old, vulnerable Dell driver installed. That opened the doors for the threat actors to compromise the endpoints, and exfiltrate whatever data they were looking for.

"The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver," ESET said. "This is the first ever recorded abuse of this vulnerability in the wild."

This gave Lazarus the ability to disable some of Windows’ monitoring mechanisms, allowing it to tweak the registry, file system, process creation, event tracing, and similar, ESET further said. This “basically blinded security solutions in a very generic and robust way."

CVE-2021-21551 is a vulnerability that encompasses five different flaws that were flying under the radar for 12 years, before Dell finally fixed it, BleepingComputer reminds. Lazarus used it to deploy its HTTP(S) backdoor “BLINDINGCAN”, a remote access trojan (RAT) that is able to execute various commands, take screenshots from the compromised endpoints, create and terminate various processes, exfiltrate data and system information, and more.

The threat actor also used the vulnerabilities to deploy FudModule Rootkit, an HTTP(S) uploader, as well as compromised open-source apps wolfSSL and FingerText.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.