North Korean group Lazarus uses vulnerable Dell driver to blind security solutions


Notorious state-sponsored North Korean hacker group Lazarus has begun exploiting a known vulnerability in a Dell-developed OEM driver to evade detection by security solutions. This is a good example of why it is important to keep software from third-party PC manufacturers, which is often overlooked, up to date, and to add known-vulnerable versions to blocklists.

“The most notable tool provided by the attackers was a user-mode module that gained the ability to read and write to kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver,” security researchers from antivirus firm ESET said in a recent report. “This is the first ever recorded abuse of this vulnerability in the wild. Attackers then used their write access to kernel memory to disable seven mechanisms offered by the Windows operating system to monitor its actions, such as the registry, filesystem, process creation, event tracking, etc., essentially blinding security solutions in a very generic and robust way.”

Attackers used fake job postings as an entry point

In new attacks that ESET detected and attributed to Lazarus, also known as Hidden Cobra, hackers targeted an aerospace company employee in the Netherlands and a media employee in Belgium. The aerospace employee was targeted via LinkedIn with a post involving a document called Amzon_Netherlands.docx. Although researchers were unable to recover the contents of the document, they believe it was likely a fake job posting related to Amazon’s space program, Project Kuiper. The media worker in Belgium was targeted via email with a document called AWS_EMEA_Legal_.docx which they claim was disguised as a job posting related to a legal position at Amazon Web Services.

These decoys are said to be consistent with previous attack campaigns attributed to Lazarus in 2019 and 2020 such as Operation In(ter)ception and Operation DreamJob which targeted employees in the aerospace and defense industries.

The malicious documents used the remote template technique to fetch and load the malicious code from an external server, then deployed a malware launcher that runs the payload in multiple stages.

Trojan applications and DLL hijacking

Consistent with Lazarus techniques and procedures seen in the past, the attackers abused legitimate applications that have a DLL search path weakness, meaning they look for a specifically named DLL and check user-writable directories before the system library folders. The attackers bundled these legitimate apps with a malicious DLL of the expected name and then ran them, so that the trusted application itself loaded the DLL into memory, which helps evade detection by security programs.

In one attack, the hackers used a malicious coloui.dll with colorcpl.exe (Color Control Panel), a legitimate system application, but placed it in a folder called C:\ProgramData\PTC. This application is normally located in %WINDOWS%\System32. In another case, they used credui.dll with WFS.exe, which is a plug-in for the Notepad++ text editing application. Another example is cryptsp.dll with SMSvcHost.exe, which is part of the lecui user interface library for developing C++ applications.

These malware droppers were run with a command-line parameter that specified a decryption key for their payload, which served as the second stage of the attack. The attackers also used trojanized applications, usually open source, including libpcre, SQLite and SSLsniffer.

One of the payloads was an HTTPS backdoor previously associated with Lazarus attacks and dubbed BLINDINGCAN in earlier reports from the US Cybersecurity and Infrastructure Security Agency (CISA). One of the droppers was digitally signed with a legitimate certificate issued to an American company called “A” MEDICAL OFFICE, PLLC, which has been seen in Lazarus campaigns in the past. The attackers also deployed an HTTPS downloader and an HTTP downloader used for data exfiltration, and these too were delivered through trojanized applications.

Rootkit uses BYOVD technique (bring your own vulnerable driver)

The attackers also deployed a rootkit module called FudModule whose main purpose is to disable various system monitoring features that security products rely on. To do this, the module deployed a legitimate, digitally signed driver called DBUtil_2_3.sys. This driver was developed by Dell and is used by many of its software applications. Last year, Dell fixed an insufficient access control vulnerability (CVE-2021-21551) in the driver that could allow elevation of privilege.

Even if the system does not have this vulnerable driver, the malware tries to install it itself by dropping it in the C:\WINDOWS\System32\drivers folder under a name chosen at random from circlassmgr.sys, dmvscmgr.sys, hidirmgr.sys, isapnpmgr.sys, mspqmmgr.sys, and umpassmgr.sys. This operation already requires the attackers to have administrative privileges on the system, so the driver is not used for privilege escalation, but rather to abuse its functionality and interact with the kernel in a way that is hard for security solutions to detect.
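As an added illustration (not code from the article, from ESET, or from any security product), the following Python sketch turns the indicators described in this section and in the DLL hijacking section above into two triage rules run over constructed events: the host-EXE/DLL side-loading pairs loaded from outside System32, and the Dell driver under its original or decoy names. The event shape and field names are assumptions made for this example.

```python
"""Triage constructed image-load and driver-load events for the two evasion
techniques the article describes. The event schema below is an assumption for
this example, not any real EDR's format."""
from pathlib import PureWindowsPath

# Host application -> side-loaded DLL name, as named in the article.
SIDELOAD_PAIRS = {
    "colorcpl.exe": "coloui.dll",
    "wfs.exe": "credui.dll",
    "smsvchost.exe": "cryptsp.dll",
}
# Directory where these DLLs are expected to live; PureWindowsPath compares
# case-insensitively, so C:\WINDOWS\system32 also matches.
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
# The vulnerable Dell driver plus the decoy names the rootkit drops it under.
# Note: legitimate Dell software also ships DBUtil_2_3.sys, so a hit on that
# name is a lead to check the driver version against, not a verdict.
BYOVD_DRIVER_NAMES = {
    "dbutil_2_3.sys", "circlassmgr.sys", "dmvscmgr.sys", "hidirmgr.sys",
    "isapnpmgr.sys", "mspqmmgr.sys", "umpassmgr.sys",
}


def triage(events):
    """Return (rule, detail) findings for a list of assumed-schema events:
    {"kind": "image_load", "process": <exe path>, "image": <dll path>} or
    {"kind": "driver_load", "image": <driver path>}."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        if ev["kind"] == "image_load":
            proc = PureWindowsPath(ev["process"])
            expected = SIDELOAD_PAIRS.get(proc.name.lower())
            # A known pairing where the DLL came from somewhere other than
            # System32 is the search-order hijack pattern from the article.
            if expected == image.name.lower() and image.parent != SYSTEM32:
                findings.append(("dll_sideload", f"{proc.name} loaded {image}"))
        elif ev["kind"] == "driver_load":
            if image.name.lower() in BYOVD_DRIVER_NAMES:
                findings.append(("byovd_driver", str(image)))
    return findings


# Constructed sample events: one hijack, one benign load, one decoy driver,
# one unrelated driver.
SAMPLE_EVENTS = [
    {"kind": "image_load", "process": r"C:\ProgramData\PTC\colorcpl.exe",
     "image": r"C:\ProgramData\PTC\coloui.dll"},
    {"kind": "image_load", "process": r"C:\WINDOWS\System32\colorcpl.exe",
     "image": r"C:\WINDOWS\System32\coloui.dll"},
    {"kind": "driver_load", "image": r"C:\WINDOWS\System32\drivers\hidirmgr.sys"},
    {"kind": "driver_load", "image": r"C:\WINDOWS\System32\drivers\hidclass.sys"},
]
```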

“To accomplish this mission, one must go through an undoubtedly sophisticated and time-consuming process: choosing an appropriate vulnerable driver; research Windows internals, as kernel operation is not well documented; work with a codebase that is unfamiliar to most developers; and finally test, because any unhandled error is the last step before a BSOD [blue screen of death], which could trigger further investigation and loss of access,” ESET researchers said in a document analyzing this component.

This module uses the driver to disable seven system monitoring functions. Although some of these techniques have already been documented by security researchers and game cheaters, they had never been used in malware in the wild before. This could set a precedent for other malware developers, especially as these techniques cripple security and monitoring solutions that rely on these kernel functions.

“From the perspective of defenders, it seems easier to limit opportunities for initial access than to block the set of robust tools that would be installed after determined attackers gain a foothold in the system,” the researchers said. “As in many cases in the past, an employee who fell prey to attackers was the first point of failure here. In sensitive networks, companies should insist that employees do not pursue personal agendas, such as job hunting, on devices belonging to their company’s infrastructure.”

Copyright © 2022 IDG Communications, Inc.
