September 22, 2023

Researchers have spotted Lazarus Group – North Korean state-sponsored threat approaching individuals with fake job offers from Amazon. 

Those accepted the offer, and downloaded fake job description PDF files, have had an old, vulnerable Dell driver installed. That opened the doors for the threat actors to compromise the endpoints, and exfiltrate the data.

Advertisements

The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild.

This enabled the threat actors ability to disable some of Windows’ monitoring mechanisms, allowing it to tweak the registry, file system, process creation, event tracing. This basically blinded security solutions in a very generic and robust way.

CVE-2021-21551 is a vulnerability encompasses five different flaws that were flying under the radar for 12 years, before Dell fixed it.

The threat actor also used the vulnerabilities to deploy FudModule Rootkit, an HTTP(S) uploader, as well as compromised open-source apps wolfSSL and FingerText.

This research was documented by researchers from ESET.

Advertisements

Indicators of Compromise

  • 296D882CB926070F6E43C99B9E1683497B6F17C4
  • 001386CBBC258C3FCC64145C74212A024EAA6657
  • 569234EDFB631B4F99656529EC21067A4C933969
  • 735B7E9DFA7AF03B751075FD6D3DE45FBF0330A
  • 4AA48160B0DB2F10C7920349E3DCCE01CCE23FE3
  • C71C19DBB5F40DBB9A721DC05D4F9860590A5762
  • 97DAAB7B422210AB256824D9759C0DBA319CA468
  • FD6D0080D27929C803A91F268B719F725396FE79N
  • 83CF7D8EF1A241001C599B9BCC8940E089B613FBN
  • C948AE14761095E4D76B55D9DE86412258BE7AFD
  • 085F3A694A1EECDE76A69335CD1EA7F345D61456
  • 55CAB89CB8DABCAA944D0BCA5CBBBEB86A11EA12
  • 806668ECC4BFB271E645ACB42F22F750BFF8EE96
  • BD5DCB90C5B5FA7F5350EA2B9ACE56E62385CA65

Leave a Reply

%d bloggers like this: