A recent spear-phishing campaign that installed a Windows rootkit by exploiting a signed Dell hardware driver has been attributed to the North Korean state-sponsored threat group Lazarus. Reports on the campaign indicate that known targets include an aerospace expert in the Netherlands and a political journalist in Belgium. ESET researchers believe Lazarus was motivated by data theft and espionage in these attacks.
The group used an increasingly common social-engineering lure: fake job-offer emails carrying malicious attachments. Alongside the types of malware one would expect in such an attack (loaders, droppers, and backdoors), a novel component is the rootkit dubbed “FudModule.” This rootkit exploits a vulnerability (CVE-2021-21551) in a legitimate, signed Dell hardware driver that gives an attacker read and write access to kernel memory. This campaign is the first known exploitation of that vulnerability in the wild. Lazarus uses the kernel access to disable several of Windows' internal system-monitoring mechanisms, allowing the rest of the malware to evade a wide range of endpoint security solutions.
This technique is called a Bring Your Own Vulnerable Driver (BYOVD) attack: the attacker drops a driver that carries a valid signature but contains an exploitable flaw, loads it, and then abuses the flaw to run malicious code at the kernel level. In late 2021, Rapid7 researchers issued a warning about the specific Dell driver used by Lazarus in this attack, calling it an excellent candidate for a BYOVD attack. The vulnerability persisted even after Dell’s attempts to patch the driver. Organizations should not rely solely on a valid signature as proof that a driver is safe; they should examine atypical driver installations and closely monitor for drivers known to be usable in BYOVD attacks. A defense-in-depth strategy focused on detecting post-exploitation malicious behavior, exemplified by the Threat Hunting, MDR, and SOC services offered by Binary Defense, is highly recommended.
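The following PowerShell hunt is an added example written for this post; it is not code from the original article, from ESET, or from Rapid7. It puts the two recommendations above into practice: it lists every kernel driver currently registered on the host, flags any whose file name matches the publicly reported names of the vulnerable Dell driver, whose hash is on a blocklist you supply, whose Authenticode signature does not verify, or that loads from outside the Windows directory, and then reviews recent System log 7045 events (service installation) for kernel-mode drivers installed from unusual paths. It assumes an elevated session; `$KnownBadHashes` is an assumed placeholder you populate from your own intelligence (for example Microsoft's recommended driver block rules), and the seven-day look-back window is an arbitrary choice.

```powershell
# Added example: hunt for BYOVD candidates on a Windows host. Run elevated.
# File names below are the publicly reported names of the vulnerable Dell driver
# (CVE-2021-21551). $KnownBadHashes is an assumed placeholder; fill it with
# SHA256 values from your own blocklist.
$SuspectNames   = @('dbutil_2_3.sys', 'dbutildrv2.sys')
$KnownBadHashes = @()
$LookBackDays   = 7

# 1. Inspect every kernel driver registered as a service on this host.
$findings = foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
    if (-not $d.PathName) { continue }
    # Service image paths often carry a \??\ prefix and environment variables.
    $path = [Environment]::ExpandEnvironmentVariables(($d.PathName -replace '^\\\?\?\\', ''))
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $name = [IO.Path]::GetFileName($path).ToLower()
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path

    $flags = @()
    if ($SuspectNames -contains $name)     { $flags += 'known-vulnerable-name' }
    if ($KnownBadHashes -contains $hash)   { $flags += 'blocklisted-hash' }
    if ($sig.Status -ne 'Valid')           { $flags += "signature:$($sig.Status)" }
    # A valid signature is not proof of safety, but a driver loaded from outside
    # the Windows directory is atypical for a legitimate OEM driver.
    if ($path -notlike "$env:SystemRoot\*") { $flags += 'non-system-path' }

    if ($flags.Count -gt 0) {
        [PSCustomObject]@{
            Service = $d.Name
            State   = $d.State
            Path    = $path
            Signer  = $sig.SignerCertificate.Subject
            SHA256  = $hash
            Flags   = ($flags -join ',')
        }
    }
}

"=== Registered kernel drivers with findings ==="
$findings | Format-Table -AutoSize

# 2. Review recent driver installations. Event 7045 in the System log is written by
#    the Service Control Manager whenever a new service, including a kernel-mode
#    driver, is installed. Parse the message text rather than relying on field order.
$since  = (Get-Date).AddDays(-$LookBackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue

$installs = foreach ($e in $events) {
    if ($e.Message -notmatch 'Service Type:\s*kernel mode driver') { continue }
    $svc  = if ($e.Message -match 'Service Name:\s*(.+)')      { $Matches[1].Trim() } else { '' }
    $file = if ($e.Message -match 'Service File Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
    $file = $file -replace '^\\\?\?\\', ''
    $fname = [IO.Path]::GetFileName($file).ToLower()

    $flags = @()
    if ($SuspectNames -contains $fname) { $flags += 'known-vulnerable-name' }
    # Legitimate driver installs normally land in system32\drivers; anything in a
    # user-writable location (Temp, Downloads, ProgramData) deserves a look.
    if ($file -notmatch '(?i)system32\\drivers') { $flags += 'atypical-install-path' }

    [PSCustomObject]@{
        Time    = $e.TimeCreated
        Service = $svc
        Path    = $file
        Flags   = ($flags -join ',')
    }
}

"=== Kernel-mode driver installations in the last $LookBackDays days ==="
$installs | Sort-Object Time -Descending | Format-Table -AutoSize
```

The second pass only sees what the System log retains, so on a busy host extend `$LookBackDays` or forward 7045 events to your SIEM. If Sysmon is deployed, its event ID 6 (driver loaded) gives the same visibility with the hash and signer already recorded in the event, which removes the need to hash files after the fact.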