New Lazarus activity: bring-your-own-vulnerable-driver.
the cyberwire logoOct 3, 2022

A Pyongyang spearphishing expedition.

New Lazarus activity: bring-your-own-vulnerable-driver.

Researchers at ESET say that North Korea’s Lazarus Group used Amazon-themed spearphishing documents to target “an employee of an aerospace company in the Netherlands, and a political journalist in Belgium.” The goal of the campaign, which occurred last autumn, was data theft. The researchers note that the attackers exploited a vulnerability in Dell DBUtil drivers, which was patched in May 2021:

“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”

BleepingComputer notes that the threat actor utilized a “Bring Your Own Vulnerable Driver” technique:

“A Bring Your Own Vulnerable Driver (BYOVD) attack is when threat actors load legitimate, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows will allow the driver to be installed in the operating system. However, the threat actors can now exploit the driver's vulnerabilities to launch commands with kernel-level privileges.”