The Cyber Security News
Lazarus Group Exploits Dell Driver Vulnerability to Bypass Windows Security

October 3, 2022

The North Korea-backed threat actor known as Lazarus Group has been observed deploying a Windows rootkit by exploiting a Dell firmware driver.

The campaign, which demonstrates the group's ever-evolving tactics, was spotted by ESET security researchers in the autumn of 2021.

“The campaign started with spear-phishing emails containing malicious Amazon-themed documents, and targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium,” ESET wrote in an advisory by Peter Kálnai, senior malware researcher, published over the weekend.


According to the company, the attackers' primary objective was data exfiltration, which was carried out by exploiting the CVE-2021-21551 vulnerability.

Dell patched the flaw, which affects Dell DBUtil drivers, in May 2021. Before that, however, ESET reported that the vulnerability had been exploited at least twice via a specific user-mode module.

“This tool, in combination with the vulnerability, disables the monitoring of all security solutions on compromised machines,” reads the advisory. “It uses techniques against Windows kernel mechanisms that have never been observed in malware before.”
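Because the abused DBUtil driver is a legitimately signed vendor driver, signature checks alone do not catch this technique; defenders instead watch for the vulnerable image itself being loaded, or for any driver loaded from an unusual path. The following is an added illustration, not ESET's or Dell's code: the log format, host names and sample lines are constructed, and the file name dbutil_2_3.sys (the driver affected by CVE-2021-21551) is not named in the article above.

```python
"""Flag suspicious kernel-driver loads in simplified, constructed driver-load telemetry.

Assumed (constructed) log format, one event per line:
  <timestamp> host=<name> event=driver_load image=<path> signer=<signer>
"""
import ntpath
import re

# Driver image names known to be affected by CVE-2021-21551 (Dell DBUtil).
VULNERABLE_DRIVERS = {"dbutil_2_3.sys"}

# Directory a properly installed driver is normally loaded from (lower-case for matching).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=driver_load image=(?P<image>\S+) signer=(?P<signer>.+)$"
)


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not a driver-load event."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return (timestamp, host, image, reason) tuples for every suspicious driver load."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        image = ev["image"]
        name = ntpath.basename(image).lower()
        # A valid vendor signature ("signer") does not make a known-vulnerable driver safe.
        if name in VULNERABLE_DRIVERS:
            alerts.append((ev["ts"], ev["host"], image, "known-vulnerable driver (CVE-2021-21551)"))
        elif not image.lower().startswith(TRUSTED_DRIVER_DIRS):
            alerts.append((ev["ts"], ev["host"], image, "driver loaded from non-standard path"))
    return alerts


# Constructed sample telemetry: one benign load, one DBUtil load from a user-writable
# directory, and one unknown driver loaded from a temp folder.
SAMPLE_LOG = [
    "2021-09-14T09:12:03Z host=WS-NL-017 event=driver_load image=C:\\Windows\\System32\\drivers\\tcpip.sys signer=Microsoft Windows",
    "2021-09-14T09:12:41Z host=WS-NL-017 event=driver_load image=C:\\Users\\Public\\dbutil_2_3.sys signer=Dell Inc.",
    "2021-09-14T09:13:05Z host=WS-BE-002 event=driver_load image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.sys signer=Contoso Example",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same logic would run over Sysmon driver-load events or EDR telemetry rather than the constructed format shown here.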

In both cases observed by ESET, targets were presented with job offers: the employee in the Netherlands via LinkedIn messaging and the person in Belgium via email.

“Attacks started after these documents were opened. The attackers deployed several malicious tools on each system, including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders and downloaders,” Kálnai explained.

These reportedly included Lazarus' well-known HTTP(S) backdoor called BLINDINGCAN. The use of this particular piece of malware, together with other specific modules, the code-signing certificate and the intrusion approach, is why ESET attributed the attacks to Lazarus.

“The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as the fact that it performs all three pillars of cybercriminal activities: cyber-espionage, cyber-sabotage, and pursuit of financial gain.”

From the defenders' point of view, Kálnai wrote that in cases like this it is easier to limit initial access than to block the robust toolset installed once attackers have gained access to the system.

“As in many cases in the past, an employee falling prey to the attackers' lure was the initial point of failure here. In sensitive networks, companies should insist that employees not pursue their personal agendas, like job hunting, on devices belonging to their company's infrastructure.”

The campaign revealed by ESET comes days after Microsoft published an advisory detailing Lazarus-linked hackers weaponizing open-source tools against multiple countries.


Some parts of this post are sourced from: www.infosecurity-journal.com
