
Researchers have spotted Lazarus Group – North Korean state-sponsored threat approaching individuals with fake job offers from Amazon.
Those accepted the offer, and downloaded fake job description PDF files, have had an old, vulnerable Dell driver installed. That opened the doors for the threat actors to compromise the endpoints, and exfiltrate the data.
The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild.
This enabled the threat actors ability to disable some of Windows’ monitoring mechanisms, allowing it to tweak the registry, file system, process creation, event tracing. This basically blinded security solutions in a very generic and robust way.
CVE-2021-21551 is a vulnerability encompasses five different flaws that were flying under the radar for 12 years, before Dell fixed it.
The threat actor also used the vulnerabilities to deploy FudModule Rootkit, an HTTP(S) uploader, as well as compromised open-source apps wolfSSL and FingerText.
This research was documented by researchers from ESET.
Indicators of Compromise
- 296D882CB926070F6E43C99B9E1683497B6F17C4
- 001386CBBC258C3FCC64145C74212A024EAA6657
- 569234EDFB631B4F99656529EC21067A4C933969
- 735B7E9DFA7AF03B751075FD6D3DE45FBF0330A
- 4AA48160B0DB2F10C7920349E3DCCE01CCE23FE3
- C71C19DBB5F40DBB9A721DC05D4F9860590A5762
- 97DAAB7B422210AB256824D9759C0DBA319CA468
- FD6D0080D27929C803A91F268B719F725396FE79N
- 83CF7D8EF1A241001C599B9BCC8940E089B613FBN
- C948AE14761095E4D76B55D9DE86412258BE7AFD
- 085F3A694A1EECDE76A69335CD1EA7F345D61456
- 55CAB89CB8DABCAA944D0BCA5CBBBEB86A11EA12
- 806668ECC4BFB271E645ACB42F22F750BFF8EE96
- BD5DCB90C5B5FA7F5350EA2B9ACE56E62385CA65