October 3, 2022

Lazarus, a North Korean ransomware gang is exploiting a Dell hardware driver flaw for Bring Your Own Vulnerable Driver attack. A Bring Your Own Vulnerable Driver (BYOVD) attack occurs when an attacker loads legitimate signed drivers into Windows that also contain known vulnerabilities.

In order to carry out their nefarious malware campaign, the targets receive fake job offers via email. Once the document is opened, a remote template is downloaded from a hardcoded address, followed by infections that involve malware loaders, droppers, custom backdoors, and other types of malicious activity.

ESET identified a new FudModule Rootkit that exploits a BYOVD (Bring Your Own Vulnerable Driver) technique to exploit a vulnerability in a Dell hardware driver. Threat actors are now exploiting the driver’s vulnerabilities to launch commands with kernel-level privileges.

“This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way,” ESET said.

The gang primarily target users in the EU some of which include an aerospace expert in the Netherlands and a political journalist in Belgium. The aim of the campaign is to conduct cyber espionage and steal data.

The sources for this piece include an article in BleepingComputer.