Rewterz Threat Alert – Lazarus APT Group Exploit Dell Driver Vulnerability Using New FudModule Rootkit – Active IOCs

Severity

High

Analysis Summary

The North Korean-backed Lazarus Group has been seen distributing a Windows rootkit that exploits a Dell hardware driver in a Bring Your Own Vulnerable Driver attack.
ESET researchers found the revelation while looking into APT group attacks on an aerospace company’s employee in the Netherlands and a political journalist in Belgium in the autumn of 2021. Threat actors used fraudulent Amazon-themed files as bait in spear-phishing emails.

source

A typical social engineering approach was used by the threat actors in the latest EU based campaign in 2022, by sending fraudulent job offers for Amazon. These documents download a remote template, which is then followed by infections that use malware loaders, HTTP(S) backdoors, HTTP(S) uploaders, and other tools.

“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver,”

They also claimed that the Lazarus group was distributing weaponized versions of FingerText and sslSniffer, a component of the wolfSSL project, as well as HTTPS-based downloaders and uploaders.

The specialists highlighted their findings by emphasizing the malicious component utilized in this attack, which employs the Bring Your Own Vulnerable Driver (BYOVD) approach and exploits the aforementioned CVE-2021-215551 vulnerability.

Named FudModule, the previously undocumented malware achieves its goals via multiple methods “either not known before or familiar only to specialized security researchers and (anti-)cheat developers,” according to ESET.

A dynamically linked library with the codename FudModule.dll attempts to turn off numerous Windows monitoring features. To disable the functionality, the library modifies kernel variables and deletes kernel callbacks.

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,

The threat actors employed the BLINDINGCAN backdoor (aka AIRDRY and ZetaNile), a custom HTTP(S) backdoor that was used to create a backdoor into the compromised infrastructure attributed to Lazarus in October 2021.

The research shows the Lazarus Group’s tenacity and capacity to adapt and change its strategies over time, despite extensive scrutiny of the collective’s operations from law enforcement and the broader research community.

“We attribute these attacks to Lazarus with high confidence, based on the specific modules, the code-signing certificate, and the intrusion approach in common with previous Lazarus campaigns like Operation In(ter)ception and Operation DreamJob. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal activities: cyber espionage, cybersabotage, and pursuit of financial gain.” they conclude

Impact

• Cyber Espionage
• Cyber Sabotage

Indicators of Compromise

IP

• 67[.]225[.]140[.]4
• 50[.]192[.]28[.]29
• 31[.]11[.]32[.]79

MD5

• c996d7971c49252c582171d9380360f2

SHA-256

• 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5

SHA-1

• c948ae14761095e4d76b55d9de86412258be7afd

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs)  in your environment utilizing your respective security controls
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Maintain daily backups of all computer networks and servers.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets
• Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.