Lazarus Stars in ‘BYOVD’ Campaign
Following a ‘Bring Your Own Vulnerable Driver’ assault, the notorious North Korean hacker organization “Lazarus” was caught red-handed installing none other than a custom-made Windows rootkit, one capable not only of compromising Dell device drivers but of abusing them for its own nefarious purposes as well.
According to ESET’s findings, the hack has already made waves: a well-known political journalist of Belgian origin and an aerospace expert in the Netherlands – both of whom remain anonymous at this time – are among the verified targets of the hackers’ phishing effort, which began in the fall of 2021. ESET went on to confirm that data theft and espionage were among the key objectives of this attack.
The breach began as a phishing scam in which emails posing as Amazon job offers were sent to EU-affiliated targets. Once the attached documents were opened, they fetched a remote template from a hardcoded address, after which malware loaders, droppers, custom backdoors, and other infections were launched immediately.
ESET noted that the most uncanny weapon used in this operation was the Windows rootkit: a brand-new, state-of-the-art piece of software called FUDModule, which turned the BYOVD (Bring Your Own Vulnerable Driver) approach from a cybercriminal’s fantasy into an actual attack.
Hackers Target Dell Devices
The rootkit works by exploiting a total of five vulnerabilities in Dell’s DBUtil driver, which enabled the hackers to deploy the malicious tools described above. Once loaded, the CVE-2021-21551 vulnerability in a genuine Dell driver allowed an attacker-delivered user-mode module to read and write kernel memory. This is the very first hack of its kind, and the innocuous-looking FUDModule responsible for it has since been utilized in a plethora of hacking campaigns.
While the Windows operating system offers seven monitoring mechanisms for observing activity such as the registry, the file system, process creation, event tracing, and more, the attackers simply used their kernel memory write access to disable these mechanisms, rendering security solutions blind in a very general and reliable manner.
The “Bring Your Own Vulnerable Driver” (BYOVD) in all of this refers to hackers being able to install genuinely certified drivers that also contain known vulnerabilities – which Windows permits without question because they are signed.
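The defensive takeaway of the paragraph above is that a valid signature says nothing about whether a driver is safe to load. As an added illustration, not code from ESET’s report or from this article, the following triage routine runs over constructed Sysmon-style “Driver loaded” records and flags a signed driver by hash against a vulnerable-driver blocklist, alongside the cheaper checks (unsigned, or loaded from a user-writable path). The hashes and paths are placeholders; the `dbutil_2_3.sys` file name is the one public advisories associate with CVE-2021-21551 and is an assumption here.

```python
"""Triage driver-load events: a signature check alone waves BYOVD through."""

# Constructed placeholder SHA-256 values (NOT real hashes of any driver).
HASH_TCPIP = "a" * 64
HASH_DBUTIL = "b" * 64
HASH_UNKNOWN = "c" * 64

# Constructed Sysmon Event ID 6 ("Driver loaded") style records.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "Hashes": f"SHA256={HASH_TCPIP}"},
    # Signed by a legitimate vendor, yet a known-vulnerable driver: the BYOVD case.
    {"ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\dbutil_2_3.sys",
     "Signed": "true", "Signature": "Dell Inc.", "Hashes": f"SHA256={HASH_DBUTIL}"},
    {"ImageLoaded": r"C:\Windows\Temp\helper.sys", "Signed": "false",
     "Signature": "-", "Hashes": f"SHA256={HASH_UNKNOWN}"},
]

# Constructed blocklist keyed by SHA-256. In practice populate this from a
# maintained vulnerable-driver blocklist rather than from these placeholders.
VULN_DRIVER_HASHES = {HASH_DBUTIL: "Dell DBUtil (CVE-2021-21551)"}

# Path fragments that indicate a driver staged somewhere an ordinary user can write.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")


def sha256_of(event):
    """Extract the SHA256 entry from a Sysmon 'Hashes' field ('ALG=hex,ALG=hex')."""
    pairs = (h.split("=", 1) for h in event["Hashes"].split(",") if "=" in h)
    return {alg.upper(): val.lower() for alg, val in pairs}.get("SHA256", "")


def triage_driver_load(event):
    """Return the reasons this driver load deserves attention (empty = benign)."""
    reasons = []
    digest = sha256_of(event)
    if digest in VULN_DRIVER_HASHES:
        # Signed or not, a blocklisted driver is the BYOVD signal.
        reasons.append(f"known-vulnerable driver: {VULN_DRIVER_HASHES[digest]}")
    if event["Signed"].lower() != "true":
        reasons.append("unsigned driver")
    if any(hint in event["ImageLoaded"].lower() for hint in USER_WRITABLE_HINTS):
        reasons.append("loaded from user-writable path")
    return reasons


def triage_all(events):
    """Map each loaded image to its findings, keeping only events with findings."""
    return {e["ImageLoaded"]: r for e in events if (r := triage_driver_load(e))}
```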