Lazarus Hackers Target Dell Drivers With New Rootkit
The North Korea-backed Lazarus Group not only seems to target blockchain developers and artists areones with fake job offers. They are now also targeting Aerospace experts and political journalists in Europe. The point worth mentioning here is that it was the same form of social engineering attacks, with the same goal of corporate espionage and data exfiltration from business devices. The group has been observed deploying a Windows rootkit by taking advantage of an exploit in Dell drivers. So, what makes this campaign unique is the fact that the targets were infected with legitimate drivers.
HACKERS are Exploiting Dell Drivers’ Vulnerability
Recently, Cybersecurity researchers from ESET have seen Lazarus Group, a known North Korean state-sponsored threat actor that was seen approaching individuals with fake job offers from Amazon. Those unfortunate who accepted the offer, and downloaded fake job description PDF files, have had an old, vulnerable Dell driver installed. So, this opened the doors for the threat actors to compromise the endpoints, and exfiltrate whatever data they were looking for. ESET said that:
“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild.”
As a result, the Lazarus group was given the ability to disable some of Windows’ monitoring mechanisms, allowing it to tweak the registry, file system, process creation, event tracing, and much more. ESET further stated that this “basically blinded security solutions in a very generic and robust way.”
CVE-2021-21551 vulnerability encompasses five different flaws that were flying under the radar for 12 years before Dell finally fixed it. The hacker’s group used it to deploy its HTTP(S) backdoor “BLINDINGCAN”, a remote access trojan (RAT) that is able to:
- execute various commands
- take screenshots from the compromised endpoints
- create and terminate various processes
- exfiltrate data and system information
Moreover, the threat actor used the vulnerabilities to deploy FudModule Rootkit, an HTTP(S) uploader, as well as compromised open-source apps wolfSSL and FingerText.
Also Read: Kim Kardashian Will Pay $1.26 Million For Promoting EthereumMax (phoneworld.com.pk)
