North Korean state-sponsored hacking group Lazarus has been running a Bring Your Own Vulnerable Driver (BYOVD) spear-phishing campaign that exploits a Dell hardware driver since last autumn, BleepingComputer reports.
Fraudulent Amazon job offers were sent to the campaign's EU-based targets; when opened, the document fetches a remote template from a hardcoded address, which in turn delivers a malware loader, a dropper and a custom backdoor, according to a report from ESET. Researchers noted that the delivered FudModule rootkit exploits a flaw in the legitimate Dell driver, tracked as CVE-2021-21551, the first in-the-wild exploitation of that flaw ever reported.
"The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way," said researchers. Lazarus also distributed its proprietary custom HTTP(S) backdoor BLINDINGCAN in the attack, according to ESET.
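BYOVD works because the abused driver is legitimately signed, so signature checks alone do not catch it; the practical defensive check is to compare the hashes of loaded kernel drivers against a maintained blocklist of known-vulnerable drivers. The script below is an added example for defenders, not code from the article or from ESET. The hash table entries are placeholders (the page gives no driver hashes), to be replaced with entries from a real blocklist such as Microsoft's recommended driver block rules; the function name Get-LoadedDriverReport is this example's own.

```powershell
# Added example (not from the article or ESET): report currently loaded kernel
# drivers whose SHA-256 matches a defender-maintained list of known-vulnerable
# drivers. Hash keys below are PLACEHOLDERS; populate from a real blocklist.
$VulnerableDriverHashes = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'PLACEHOLDER: known-vulnerable driver A'
    '1111111111111111111111111111111111111111111111111111111111111111' = 'PLACEHOLDER: known-vulnerable driver B'
}

function Get-LoadedDriverReport {
    # Win32_SystemDriver enumerates kernel-mode drivers; keep only running ones with a path.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName is reported as \SystemRoot\... or \??\C:\...; normalise to a filesystem path.
        $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        $sig  = Get-AuthenticodeSignature -LiteralPath $path

        [PSCustomObject]@{
            Name            = $d.Name
            Path            = $path
            Sha256          = $hash
            Signer          = $sig.SignerCertificate.Subject
            SigStatus       = $sig.Status          # 'Valid' is expected even for BYOVD drivers
            KnownVulnerable = $VulnerableDriverHashes.ContainsKey($hash)
            BlocklistNote   = $VulnerableDriverHashes[$hash]
        }
    }
}

# Usage: list only blocklist hits. An empty result means no listed driver is loaded,
# not that the host is clean; keep the blocklist current and pair this with
# driver-load telemetry (for example Sysmon event ID 6) for historical coverage.
Get-LoadedDriverReport | Where-Object { $_.KnownVulnerable } | Format-Table -AutoSize
```

Because the driver in a BYOVD attack carries a valid vendor signature, the `SigStatus` column is deliberately informational only; the decision is driven by the hash match, and the report keeps signer details so that an analyst can see which legitimate vendor's driver was loaded.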