Lazarus hackers target Dell drivers with new rootkit
By Mobile Malls, October 3, 2022

It appears that blockchain developers and artists are not the only ones Lazarus Group targets with fake job offers. Aerospace experts and political journalists in Europe have also recently been targeted with the same kind of social engineering attacks, with the same goal: corporate espionage and data exfiltration from business devices. What makes this campaign unique, however, is that the targets were compromised through a legitimate, signed driver.

Disabling monitoring mechanisms

Cybersecurity researchers from ESET recently observed Lazarus Group, a known North Korean state-sponsored threat actor, approaching the individuals mentioned above with fake job offers from Amazon. Those who accepted the offer and downloaded the fake job description PDF files had an old, vulnerable Dell driver installed on their machines. That opened the door for the threat actors to compromise the endpoints and exfiltrate whatever data they were looking for.

"The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver," ESET said. "This is the first ever recorded abuse of this vulnerability in the wild."

This gave Lazarus the ability to disable several of Windows' monitoring mechanisms, allowing it to tamper with the kernel's registry, file system, process creation and event tracing (ETW) hooks and similar, ESET further said. This "basically blinded security solutions in a very generic and robust way."

CVE-2021-21551 is a single CVE covering five different flaws that flew under the radar for 12 years before Dell finally fixed them, BleepingComputer notes.
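The tradecraft described above is a "bring your own vulnerable driver" (BYOVD) attack: the driver is legitimately signed, so the only thing that stops it from loading is a blocklist or a check for its presence. The following PowerShell hunt is an added example, not code from the article or from ESET, that a defender could run on a Windows endpoint. It assumes the vulnerable driver's file name is dbutil_2_3.sys (the file covered by Dell's advisory for CVE-2021-21551) and that a copy dropped by an attacker would land in a Temp directory; neither detail is stated in the article.

```powershell
# Added example, not from the article or ESET's research.
# Assumptions: the vulnerable Dell driver ships as dbutil_2_3.sys, and a dropped copy
# is most likely to sit in %SystemRoot%\Temp or the user's %TEMP% folder.

function Find-VulnerableDellDriver {
    [CmdletBinding()]
    param(
        [string[]]$DriverNames      = @('dbutil_2_3.sys'),
        [string[]]$ExtraSearchPaths = @("$env:SystemRoot\Temp", "$env:TEMP")
    )

    $findings = @()

    # 1. Kernel driver services (loaded or merely registered) whose image path ends in a
    #    known vulnerable driver name. A BYOVD dropper must register a service to load it.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        foreach ($name in $DriverNames) {
            if ($path -and $path.ToLower().EndsWith($name.ToLower())) {
                $findings += [pscustomobject]@{
                    Kind      = 'DriverService'
                    Name      = $_.Name
                    Path      = $path
                    State     = $_.State
                    Signature = $_.StartMode
                }
            }
        }
    }

    # 2. Driver files sitting on disk that are not (yet) registered as a service.
    foreach ($dir in $ExtraSearchPaths) {
        if (-not (Test-Path -Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -File -Include $DriverNames -ErrorAction SilentlyContinue |
            ForEach-Object {
                # The signature is expected to be *valid*: that is exactly what BYOVD relies on.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $findings += [pscustomobject]@{
                    Kind      = 'FileOnDisk'
                    Name      = $_.Name
                    Path      = $_.FullName
                    State     = $sig.Status
                    Signature = $sig.SignerCertificate.Subject
                }
            }
    }

    # 3. Is HVCI running? Without it (or a WDAC policy) Microsoft's vulnerable driver
    #    blocklist is not enforced and a signed-but-vulnerable driver will load.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciOn = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)  # 2 = HVCI

    [pscustomobject]@{
        Findings    = $findings
        HvciRunning = [bool]$hvciOn
    }
}

$result = Find-VulnerableDellDriver
$result.Findings | Format-Table -AutoSize
if (-not $result.HvciRunning) {
    Write-Warning 'HVCI is not running: unless a WDAC policy enforces the Microsoft vulnerable driver blocklist, this driver can still be loaded.'
}
```

A file-name match is only a weak indicator: an attacker can rename the driver and register the service under any image path, so in practice compare the SHA-256 of every third-party driver against the hashes in Dell's advisory and Microsoft's vulnerable driver blocklist rather than relying on the name. A hit in the DriverService list on a machine that never ran Dell's update utility is a strong signal on its own.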
Lazarus used it to deploy its HTTP(S) backdoor BLINDINGCAN, a remote access trojan (RAT) that is able to execute various commands, take screenshots of the compromised endpoints, create and terminate processes, exfiltrate files and system information, and more. The threat actor also used the vulnerability to deploy the FudModule rootkit and an HTTP(S) uploader, as well as trojanized versions of the open-source apps wolfSSL and FingerText.

Via: BleepingComputer