A recent spear-phishing campaign involving the installation of a Windows rootkit via exploitation of a signed Dell hardware driver has been attributed to the North Korean state-sponsored threat group Lazarus. Reports of this campaign indicate that known targets include an aerospace expert in the Netherlands and a political journalist in Belgium. ESET researchers believe that Lazarus was motivated by data theft and espionage in these attacks.
The threat group used an increasingly common social-engineering vector: fake job-offer emails carrying malicious attachments. In addition to the common types of malware one would expect to see in such an attack – loaders, droppers, and backdoors – a novel component is the rootkit dubbed “FudModule.” This rootkit exploits a vulnerability (CVE-2021-21551) in a legitimate, signed Dell hardware driver that allows an attacker to read and write kernel memory. This attack represents the first known exploitation of this vulnerability in the wild. Lazarus uses the kernel read/write primitive to disable several internal system monitoring features in Windows, allowing its malicious components to evade a wide range of endpoint security solutions.
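As an added example, not code from ESET's report or from the article above, here is a small detector for the bring-your-own-vulnerable-driver pattern described here, run over Sysmon DriverLoad (Event ID 6) records exported as JSON per line. It assumes dbutil_2_3.sys is the driver named in Dell's CVE-2021-21551 advisory and uses a placeholder hash that a defender replaces with the advisory's real SHA256; the sample events are constructed, not real telemetry.

```python
import json
from typing import Iterable, Optional

# Watchlist of signed-but-vulnerable drivers keyed on lower-cased basename. dbutil_2_3.sys is the driver
# Dell's CVE-2021-21551 advisory names (assumption, see lead-in); the SHA256 is a placeholder to replace.
VULNERABLE_DRIVERS = {
    "dbutil_2_3.sys": {"cve": "CVE-2021-21551", "sha256": "sha256_placeholder_from_advisory"},
}

def parse_hashes(field: str) -> dict:
    """Sysmon's Hashes field looks like 'SHA1=...,MD5=...,SHA256=...'."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {algo.strip().upper(): val.strip().lower() for algo, val in pairs}

def classify_driver_load(event: dict) -> Optional[dict]:
    """Alert on a Sysmon DriverLoad (Event ID 6) that matches the watchlist by name or hash, else None."""
    if event.get("EventID") != 6:
        return None
    path = event.get("ImageLoaded", "")
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    hashes = parse_hashes(event.get("Hashes", ""))
    entry = VULNERABLE_DRIVERS.get(name)
    if entry is None:  # the dropped driver is often renamed, so fall back to the file hash
        for known_name, known in VULNERABLE_DRIVERS.items():
            if hashes.get("SHA256") == known["sha256"].lower():
                name, entry = known_name, known
                break
    if entry is None:
        return None
    # A valid vendor signature is exactly what BYOVD relies on, so it must not suppress the alert.
    return {"cve": entry["cve"], "driver": name, "path": path,
            "signed": event.get("Signed") == "true", "signer": event.get("Signature", "")}

def scan_sysmon_json(lines: Iterable[str]) -> list:
    """Run the classifier over JSON-per-line Sysmon events and keep the alerts."""
    found = (classify_driver_load(json.loads(l)) for l in lines if l.strip())
    return [a for a in found if a]

# Constructed sample events (not real telemetry): a benign Microsoft driver, the Dell driver loaded from
# a temp directory, and the same file dropped under a different name.
SAMPLE_EVENTS = [
    r'{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys", "Hashes": "SHA256=0a1b", "Signed": "true", "Signature": "Microsoft Windows"}',
    r'{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\dbutil_2_3.sys", "Hashes": "SHA256=SHA256_PLACEHOLDER_FROM_ADVISORY", "Signed": "true", "Signature": "Dell Inc."}',
    r'{"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\drv.sys", "Hashes": "MD5=ff,SHA256=SHA256_PLACEHOLDER_FROM_ADVISORY", "Signed": "true", "Signature": "Dell Inc."}',
]
```

Calling `scan_sysmon_json(SAMPLE_EVENTS)` flags the two Dell driver loads and ignores the Microsoft one; in production the watchlist should be fed from a maintained vulnerable-driver blocklist rather than a single hand-written entry.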