Lazarus Group Exploits Dell Driver Vulnerability to Bypass Windows Security

The North Korea–backed threat actor known as Lazarus Group has been observed deploying a Windows rootkit by exploiting a Dell firmware driver.

The campaign, which shows the hacker group’s ever–evolving techniques, was spotted by ESET security researchers in the autumn of 2021. 

“The campaign started with spearphishing emails containing malicious Amazon–themed documents and targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium,” ESET wrote in an advisory by Peter Kálnai, senior malware researcher, published over the weekend.

According to the company, the primary goal of the attackers was data exfiltration, which was executed via the CVE–2021–21551 vulnerability.

The company patched the flaw, which affects Dell DBUtil drivers, in May 2021. Before that, however, ESET said the vulnerability was exploited at least twice via a specific user–mode module.

“This tool, in combination with the vulnerability, disables the monitoring of all security solutions on compromised machines,” reads the advisory. “It uses techniques against Windows kernel mechanisms that have never been observed in malware before.”

In both cases observed by ESET, targets were presented with job offers: the employee in the Netherlands via LinkedIn messaging and the person in Belgium via email.

“Attacks started after these documents were opened. The attackers deployed several malicious tools on each system, including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders and downloaders,” Kálnai explained.

These reportedly included Lazarus’ well–known HTTP(S) backdoor known as BLINDINGCAN. The use of this particular piece of malware, along with other specific modules, the code–signing certificate and the intrusion approach were why ESET attributed the attacks to Lazarus.

“The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cyber–criminal activities: cyber–espionage, cyber–sabotage, and pursuit of financial gain.”

From the defenders’ point of view, Kálnai wrote that in cases like this, it is easier to limit initial access than to block the robust toolset installed after attackers gain access to the system. 

“As in many cases in the past, an employee falling prey to the attackers’ lure was the initial point of failure here. In sensitive networks, companies should insist that employees not pursue their personal agendas, like job hunting, on devices belonging to their company’s infrastructure.”

The campaign unveiled by ESET comes days after Microsoft published an advisory showcasing Lazarus–associated hackers weaponizing open–source tools against several countries.

What’s Hot on Infosecurity Magazine?