Lazarus Group, North Korea’s elite state-sponsored hacking group, has never been shy about adopting new techniques and tactics. In the past, the group has dabbled with ransomware, blurring the lines between what was considered the realm of financially motivated hackers and that of their state-sponsored cousins. Now, according to a new report published by ESET, the group has adopted the Bring Your Own Vulnerable Driver (BYOVD) attack technique to install Windows-based rootkits.
In such an attack, the attacker, after gaining administrative privileges on the victim’s system, installs a legitimate driver that has a known vulnerability.
The attacker then exploits that vulnerability for their desired ends, be it remote code execution or otherwise.
This method of attack is difficult to detect and counter because installing legitimate drivers, even ones that carry vulnerabilities waiting to be exploited, is standard practice within organizations of any size.
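Because the driver itself is legitimate and validly signed, a defender's most reliable signal is the driver's hash against a known-vulnerable-driver list, with the load path as a secondary indicator. The following is an added example, not code from ESET or the original article: it triages constructed Sysmon Event ID 6 (DriverLoad) lines, and the driver names and SHA256 values in it are placeholders.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) lines for BYOVD candidates.
All event lines, driver names and SHA256 values below are constructed placeholders;
a real blocklist comes from vendor advisories or Microsoft's vulnerable driver list."""
VULN_SHA256 = "a" * 64  # placeholder for the hash of a known-vulnerable signed driver
KNOWN_VULNERABLE_SHA256 = {VULN_SHA256: "vendor utility driver with kernel read/write flaw"}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

# Constructed sample lines in the "key: value | key: value" layout of the Sysmon message body.
SAMPLE_LOG = f"""\
ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys | Hashes: SHA256={'b' * 64} | Signed: true | Signature: Microsoft Windows | SignatureStatus: Valid
ImageLoaded: C:\\Users\\Public\\vendor_util.sys | Hashes: SHA256={VULN_SHA256} | Signed: true | Signature: Example Vendor Inc. | SignatureStatus: Valid
ImageLoaded: C:\\Temp\\helper.sys | Hashes: SHA256={'c' * 64} | Signed: false | Signature: - | SignatureStatus: Unavailable
"""


def parse_driver_load(line):
    """Split one message line into its fields and add a lowercased 'sha256' key."""
    fields = {}
    for part in line.strip().split(" | "):
        key, _, value = part.partition(": ")
        fields[key] = value
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    fields["sha256"] = hashes.get("SHA256", "").lower()
    return fields


def assess_driver_load(event):
    """Return the reasons a load looks like BYOVD; a clean load returns []."""
    reasons = []
    # Decisive signal: a valid signature proves nothing here, because the abused
    # driver is a genuine, signed vendor driver that happens to carry a known flaw.
    if event["sha256"] in KNOWN_VULNERABLE_SHA256:
        reasons.append("known vulnerable driver: " + KNOWN_VULNERABLE_SHA256[event["sha256"]])
    if not event.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the standard driver directories")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature not valid")
    return reasons


def find_byovd_candidates(log_text):
    """Return [(image_path, reasons)] for every suspicious DriverLoad line."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            event = parse_driver_load(line)
            reasons = assess_driver_load(event)
            if reasons:
                findings.append((event["ImageLoaded"], reasons))
    return findings
```

Running `find_byovd_candidates(SAMPLE_LOG)` flags the signed vendor driver dropped in a user-writable directory and the unsigned one, while the stock driver in System32 passes.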
ESET discovered Lazarus using this method in 2021, alongside a spear-phishing campaign whose targets included an aerospace expert in the Netherlands and a political journalist in Belgium.
ESET believes that the campaign was conducted for espionage and data theft objectives.
The attack began with fake job offers aimed at snaring EU residents. Once a target opened the message and one of the attached documents, the process of downloading and installing malware, including custom backdoors, began.
The focus of ESET’s research was one of these malware packages, which installed the FudModule rootkit through the attack method described above.
The researchers noted that the attackers used a vulnerable Dell hardware driver to install the rootkit undetected. Commenting on how Lazarus gained initial access to victims’ systems, the researchers noted,
“Both targets were presented with job offers – the employee in the Netherlands received an attachment via LinkedIn Messaging, and the person in Belgium received a document via email. Attacks started after these documents were opened. The attackers deployed several malicious tools on each system, including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders and downloaders. The commonality between the droppers was that they are trojanized open-source projects that decrypt the embedded payload using modern block ciphers with long keys passed as command line arguments. In many cases, malicious files are DLL components that were side-loaded by legitimate EXEs, but from an unusual location in the file system.”
As for how the BYOVD attack was carried out, the researchers noted,
“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”
The vulnerability, CVE-2021-21551, has been described by Dell as an insufficient access control vulnerability that, when exploited, can result in privilege escalation, denial of service, or information disclosure.
Exploiting the vulnerability requires local authenticated user access. However, as Lazarus first gains administrative privileges before installing the vulnerable driver, it is safe to assume this prerequisite is met.
While the vulnerability has been patched, the collection of five separate flaws was exploitable for 12 years before researchers from Rapid7 warned that they could be used in a BYOVD attack.
One of the major factors that led ESET to attribute these attacks was the group’s use of a mix of open-source tools and its own custom malware and backdoors.
In the instances discovered by ESET, one of the custom backdoors used is tracked as BLINDINGCAN, a fully featured remote access trojan (RAT). The malware was first discovered in 2020 by U.S. intelligence services and was attributed to Lazarus by Kaspersky the following year. The RAT has the following capabilities:
- Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
- Create, start, and terminate a new process and its primary thread
- Search, read, write, move, and execute files
- Get and modify file or directory timestamps
- Change the current directory for a process or file
- Delete malware and artifacts associated with the malware from the infected system
As for the use of open-source tools, Lazarus has developed quite a reputation for trojanizing them. In a recent report, Microsoft noted that these heavily customized tools were used in attacks throughout 2021 against targets in the US, UK, India, and Russia.
The industries targeted are some of Lazarus’s historical favorites and include media, defense and aerospace, and IT services. Both ESET and Microsoft noted in their reports that this tactic of trojanizing open-source tools is one of the factors that can lead to attributing specific attacks to Lazarus.
As for other indicators that Lazarus was involved, ESET researchers noted,
“An unusual type of encryption was leveraged in the tools of this Lazarus campaign: HC-128. Other less prevalent ciphers used by Lazarus in the past: a Spritz variant of RC4 in the watering hole attacks against Polish and Mexican banks; later Lazarus used a modified RC4 in Operation In(ter)ception; a modified A5/1 stream cipher was used in WIZVERA VeraPort supply-chain attack.”