North Korea’s Lazarus group uses vulnerable Dell driver to blind security solutions

The notorious North Korean state-sponsored hacker group Lazarus has begun exploiting a known vulnerability in an OEM driver developed by Dell to evade detection by security solutions. This is a prime example of why it’s important to always keep third-party PC manufacturer software, which is often neglected, up to date, as well as to add vulnerable versions to blocklists.

“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver,” security researchers from antivirus firm ESET said in a recent report. “This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”

Attackers used fake job offers as entry point

In the new attacks that ESET detected and attributed to Lazarus, also known as Hidden Cobra, the hackers targeted the employee of an aerospace company in the Netherlands and the employee of a media organization in Belgium. The aerospace employee was targeted via LinkedIn with a message that involved a document called Amzon_Netherlands.docx. While the researchers weren’t able to recover the contents of the document, they believe it was likely a fake job offer related to Amazon’s space program, Project Kuiper. The media employee in Belgium was targeted via email with a document called AWS_EMEA_Legal_.docx that they speculate masqueraded as a job offer related to a legal position at Amazon Web Services.

These lures would be consistent with previous attack campaigns attributed to Lazarus in 2019 and 2020 such as Operation In(ter)ception and Operation DreamJob that targeted employees from the aerospace and defense industries.

The malicious documents used the remote template technique to fetch and load malicious code from an external server and then deploy a malware dropper that initiates the multi-stage payload.

Trojanized applications and DLL hijacking

Keeping with Lazarus techniques and procedures seen in the past, the attackers abused legitimate applications that have a DLL search path weakness, meaning they look for a specifically named DLL and prioritize user-writable directories before system library folders. This means attackers delivered these legitimate applications together with a malicious DLL and then executed them to load the DLL into memory to evade detection by security programs.

In one attack, the hackers used a malicious coloui.dll together with colorcpl.exe (Color Control Panel), a legitimate system application, but placed it in a folder called C:ProgramDataPTC. This application is normally found in %WINDOWS%System32. In another instance they used credui.dll together with WFS.exe which is a plug-in for the Notepad++ text editing application. Another example is cryptsp.dll together with SMSvcHost.exe, which is part of the lecui user interface library for developing C++ applications.

These malware droppers were executed with a command line parameter that specified a decryption key to decrypt their payload, which served as the second stage of the attack. The attackers also used Trojanized applications, usually open-source ones, including libpcre, SQLite and SSLsniffer.

One of the payloads was a HTTPS backdoor previously associated with Lazarus attacks and dubbed BLINDINGCAN in previous reports by the US Cybersecurity and Infrastructure Security Agency (CISA). One of the droppers was digitally signed with a legitimate certificate issued to a US company called “A” MEDICAL OFFICE, PLLC, and was seen used in Lazarus campaigns in the past. The attackers also deployed an HTTPS downloader and an HTTP uploader used for data exfiltration and these, too, were delivered via Trojanized applications.

Rootkit uses bring-your-own-vulnerable-driver (BYOVD) technique

The attackers also deployed a rootkit module dubbed FudModule whose primary process is to disable various system monitoring features that security products rely on. To do this, the module deployed a legitimate and digitally signed driver called DBUtil_2_3.sys. This driver was developed by Dell and is used by several of its software applications. Last year Dell patched an insufficient access control vulnerability (CVE-2021-21551) in the driver that could allow for privilege escalation.

Even if the system doesn’t have this vulnerable driver present, the malware attempts to install it itself by dropping it in the C:WINDOWSSystem32drivers folder under a name randomly chosen from circlassmgr.sys, dmvscmgr.sys, hidirmgr.sys, isapnpmgr.sys, mspqmmgr.sys, and umpassmgr.sys. This operation already requires the attackers to have administrative privileges on the system, so the driver is not use for privilege escalation but rather to abuse its functionality and interact with the kernel in a way that’s hard for security solutions to detect.

“​​To complete this mission successfully, one must undergo an undoubtedly sophisticated and time-consuming process: choosing an appropriate vulnerable driver; researching Windows’ internals, as the functioning of the kernel is not well documented; working with a code base that is unfamiliar to most developers; and finally testing, as any unhandled error is the last step before a BSOD [blue screen of death], which might trigger a subsequent investigation and the loss of access,” the ESET researchers said in a paper analyzing this component.

This module uses the driver to disable seven system monitoring functions. While some of these techniques have been documented before by security researchers and game cheaters, they have never been seen used in malware in the wild before. This could set a precedent for other malware developers, especially since they cripple security and monitoring solutions that rely on these kernel functions.

“From the defenders’ point of view, it seems easier to limit the possibilities of initial access than to block the robust toolset that would be installed after determined attackers gain a foothold in the system,” the researchers said. “As in many cases in the past, an employee falling prey to the attackers’ lure was the initial point of failure here. In sensitive networks, companies should insist that employees not pursue their personal agendas, like job hunting, on devices belonging to their company’s infrastructure.”