In a new spear-phishing campaign carried out by the Lazarus gang, the group was found to have installed a Windows rootkit and several other malicious tools on targets' computers, abusing Dell drivers, with the primary goal of espionage and data theft.
According to reports on this new Lazarus campaign, two confirmed targets have already been victimised: an aerospace analyst in the Netherlands and a journalist in Belgium. Both received emails containing fake job offers purportedly from Amazon.
Attached to the malicious emails are documents that, when opened, download a remote template from a hardcoded address. A chain of infections then follows, as several malware loaders, droppers, and custom backdoors are deployed on the compromised machine.
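The remote-template trick described above leaves a trace in the document itself: a Word file is a zip archive, and an attached template is declared as a relationship in `word/_rels/settings.xml.rels` whose `TargetMode` is `External` and whose target is a URL. The following Python script, added here as an illustration and not taken from the original article or from any vendor report, builds a constructed minimal document in memory and scans every `.rels` part for external relationships, flagging an attached template that points outside the file. The sample URL and part contents are constructed and not real indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the relationship type used for an attached (remote) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every relationship
    in any .rels part whose TargetMode is External, i.e. that points outside
    the document package (typically a URL)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    findings.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return findings


def has_remote_template(docx_bytes):
    """True when the document declares an attached template fetched from outside the file."""
    return any(
        rel_type == ATTACHED_TEMPLATE
        for _, rel_type, _ in find_external_relationships(docx_bytes)
    )


def build_sample_docx(template_url=None):
    """Constructed minimal document containing only the parts this check inspects.
    With template_url set, the settings part references a remote template."""
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_url:
        rels += (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
        )
    rels += "</Relationships>"
    settings = (
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample URL, not an indicator from the campaign.
    suspicious = build_sample_docx("http://template.example/offer.dotm")
    for part, rel_type, target in find_external_relationships(suspicious):
        print(f"{part}: {rel_type.rsplit('/', 1)[-1]} -> {target}")
    print("remote template:", has_remote_template(suspicious))
```

A mail gateway or sandbox can run this check before a user ever opens the attachment; a remote `attachedTemplate` target in a document that arrives by email is a strong enough signal to quarantine on its own, since legitimate templates normally live inside the package or on an internal share.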
A security flaw in Dell drivers has been exploited for the first time.
Security researchers noted that a vulnerability in Dell drivers, tracked as CVE-2021-21551, has been abused in the wild for the first time, through a new rootkit called FudModule. The rootkit relies on the 'Bring Your Own Vulnerable Driver' (BYOVD) technique, in which the attackers deliver the vulnerable driver themselves and then exploit the flaw in it.
Exploiting the vulnerability allowed the attackers to disable seven monitoring mechanisms inside the Windows OS, including those covering the registry, event tracing, and process creation. Ultimately, this helped the Lazarus gang evade detection by security solutions.
CVE-2021-21551 covers five exploitable security flaws in Dell's hardware driver that remained unfixed for about 12 years before proper security patches were released. The Lazarus gang took advantage of the flaw through a BYOVD attack, as Dell seemed passive in releasing patches for it.
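Because a BYOVD attack loads a driver that carries a valid vendor signature, "is it signed?" is not enough of a check; defenders need the loaded driver's hash compared against a list of known-exploitable drivers (for example Microsoft's vulnerable driver blocklist). The Python triage below is an added example, not code from the article or from any vendor, that parses Sysmon driver-load events (Event ID 6, whose `ImageLoaded`, `Hashes`, `Signed` and `SignatureStatus` fields are standard) and raises an alert when the SHA256 matches a blocklist, when the driver is unsigned, or when its signature is not valid. The two event records, the file path and the blocklist hash are constructed placeholders; a real deployment would populate the blocklist from the published hashes of CVE-2021-21551's driver and others like it.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SYSMON_DRIVER_LOAD = "6"

# Constructed placeholder. In practice this set holds the SHA256 values of drivers
# known to be exploitable, taken from the vendor advisory or a maintained blocklist.
KNOWN_VULNERABLE_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}


def parse_sysmon_event(xml_text):
    """Return (event_id, {field_name: value}) from one Sysmon event record."""
    root = ET.fromstring(xml_text)
    ns = {"e": EVT_NS}
    event_id = root.findtext("e:System/e:EventID", namespaces=ns)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", ns)}
    return event_id, data


def sha256_from_hashes(field):
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; pick out the SHA256."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def triage_driver_loads(records, blocklist=KNOWN_VULNERABLE_SHA256):
    """Return [(image_path, [reasons])] for driver loads worth an analyst's attention.
    A valid signature on its own clears nothing: the blocklist is what catches BYOVD."""
    alerts = []
    for xml_text in records:
        event_id, d = parse_sysmon_event(xml_text)
        if event_id != SYSMON_DRIVER_LOAD:
            continue
        reasons = []
        if sha256_from_hashes(d.get("Hashes", "")) in blocklist:
            reasons.append("known-vulnerable-driver")
        if d.get("Signed", "").lower() != "true":
            reasons.append("unsigned")
        elif d.get("SignatureStatus", "").lower() != "valid":
            reasons.append("signature-not-valid")
        if reasons:
            alerts.append((d.get("ImageLoaded", ""), reasons))
    return alerts


def _event(image, sha256, signed="true", status="Valid"):
    # Constructed Sysmon Event ID 6 record with the fields the triage uses.
    return f"""<Event xmlns="{EVT_NS}">
  <System><EventID>{SYSMON_DRIVER_LOAD}</EventID></System>
  <EventData>
    <Data Name="UtcTime">2022-09-30 10:15:00.000</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">Constructed Publisher</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


# Constructed sample: one ordinary driver load and one validly signed but blocklisted
# driver dropped into a user-writable directory, the BYOVD pattern.
SAMPLE_RECORDS = [
    _event(r"C:\Windows\System32\drivers\tcpip.sys", "2" * 64),
    _event(r"C:\Users\analyst\AppData\Local\Temp\dbutil_2_3.sys", "1" * 64),
]

if __name__ == "__main__":
    for image, reasons in triage_driver_loads(SAMPLE_RECORDS):
        print(f"ALERT {image}: {', '.join(reasons)}")
```

The second sample record is signed and reports a valid signature, which is exactly why BYOVD works against signature-only policies; it is flagged solely by the hash match. Pairing this with a vulnerable-driver blocklist enforced by the OS (rather than only alerting after the fact) is the mitigation that actually prevents the driver from loading.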
In related news, security experts also found that the Lazarus gang used its trademark custom HTTPS backdoor, BLINDINGCAN, in these attacks. BLINDINGCAN is a remote access trojan that supports approximately 25 attacker commands, including taking screenshots, file operations, C2 communication configuration, process creation and termination, and data exfiltration.
According to reports on the Lazarus gang, the group is expected to keep trojanising open-source tools for its campaigns. All users should therefore remain vigilant about suspicious emails and avoid downloading unknown file attachments, as they can lead to cyberattacks.