The recent report reveals that hackers have been exploiting a Dell driver bug to install a Windows rootkit. This campaign primarily targeted EU-based users, with hackers adopting a social engineering trick by posing as Amazon employees and sending fake job offers through email. The attack involved the use of malware loaders and malicious downloaders to infect documents, as well as custom backdoors to gain system access. The vulnerability in the Dell hardware driver, specifically the dbutil_2_3.sys driver, was exploited through the CVE-2021-21551 exploit, enabling the rootkit to gain access to kernel memory and disable seven Windows OS mechanisms. The hackers utilized various tools such as the BLINDINGCAN malware, HTTP(S) downloaders and uploaders, and the FudModule rootkit tool. Additionally, they Trojanized legitimate software such as lecui, FingerText, and sslSniffer. The report also provides updates on other cybersecurity vulnerabilities and offers a free e-book on Zero Trust Networking for enhanced protection against cyber attacks.
Key Takeaways
- Lazarus Hackers have been exploiting a Dell driver bug to install a Windows rootkit.
- The hackers targeted EU-based users by posing as Amazon employees and sending fake job offers via email.
- The campaign involved the use of malware loaders, malicious downloaders, custom backdoors, and the FudModule rootkit tool.
- The Dell driver vulnerability (CVE-2021-21551) was exploited to gain access to kernel memory and disable seven Windows OS mechanisms.
How Hackers Exploit
Hackers exploit the vulnerability in the Dell hardware driver, specifically the dbutil_2_3.sys driver, to install a rootkit on Windows systems. They employ social engineering techniques, such as posing as Amazon employees and sending fake job offers via email to EU-based users. Once the victim opens the malicious document, malware loaders and malicious downloaders are used to infect the system. The custom backdoors are then utilized to download elements from a hardcoded address. The FudModule rootkit tool is employed in the campaign, gaining access to kernel memory and disabling seven Windows OS mechanisms. To detect and mitigate rootkit installations, it is crucial to employ comprehensive security solutions that can identify and block suspicious activities. Regular software updates and patches also play a vital role in preventing vulnerabilities that can be exploited by hackers.
Infections through Documents
Malicious code is introduced into systems through the utilization of infected documents. Hackers employ various techniques to infect documents and compromise systems. One such technique involves the use of malware loaders, which are responsible for loading and executing malicious code embedded within the infected document. These loaders act as gateways for the malware, allowing it to gain entry into the system. Additionally, hackers make use of custom backdoors, which are designed to provide unauthorized access to compromised systems. These backdoors serve as hidden entry points, allowing hackers to maintain persistence and control over the infected system. By leveraging malware loaders and custom backdoors, hackers exploit vulnerabilities in documents to infiltrate systems and carry out their malicious activities. It is crucial for users to exercise caution when handling documents and to employ robust security measures to mitigate the risk of infection.
Exploiting Dell Hardware
The exploitation of vulnerabilities in Dell hardware can lead to unauthorized access and compromise of systems. To achieve this, hackers have utilized the BYOVD (Bring Your Own Vulnerable Driver) technique, specifically targeting the CVE-2021-21551 vulnerability in the dbutil_2_3.sys driver. By compromising this Dell driver, the hackers gain access to the kernel memory and disable seven Windows OS mechanisms, allowing them to carry out their malicious activities undetected. One of the significant threats posed by this exploitation is the installation of a rootkit, such as the FudModule tool, which can evade traditional security measures and remain hidden within the system. Therefore, detecting and mitigating the presence of rootkits becomes crucial in safeguarding systems from these sophisticated attacks.
Tools Used by Hackers
One of the tools employed by the threat actors in the campaign is the BLINDINGCAN malware. This malware is used as a means to infiltrate and compromise targeted systems. It is designed to act as an HTTP(S) downloader and uploader, allowing the attackers to download and upload various malicious components and payloads. Additionally, the FudModule rootkit tool is utilized by the hackers to ensure persistence and avoid detection by security solutions. This tool enables the rootkit to hide its presence within the compromised system, making it difficult to detect and remove. To protect against such attacks, it is important to employ techniques for identifying and mitigating rootkit infections. This includes regularly updating and patching software, using reliable security solutions, and employing intrusion detection and prevention systems. Furthermore, strategies for protecting against social engineering attacks should be implemented, such as educating users about the dangers of phishing emails and suspicious job offers.
Vulnerability in Dell Driver
The vulnerability in the Dell hardware driver exposes a weakness that allows unauthorized access to the core functions of the system, potentially compromising its security and integrity. This vulnerability, identified as CVE-2021-21551, enables attackers to drop a legitimate Dell driver and replace it with a malicious one, facilitating the installation of a rootkit. Such unauthorized access to kernel memory provides hackers with the ability to disable seven critical Windows OS mechanisms, leaving the system vulnerable to further exploitation. The impact of this vulnerability on cybersecurity is significant, as it allows attackers to gain persistent control over the compromised system and potentially exfiltrate sensitive data. To mitigate the risk of Dell driver exploits, organizations should ensure timely patching and updates of drivers, implement robust endpoint security solutions, and follow best practices for secure system configurations. Regular security awareness training for employees is also crucial to prevent social engineering attacks that exploit such vulnerabilities.
Frequently Asked Questions
How can hackers exploit the Dell driver bug to install a Windows rootkit?
The Dell driver bug is exploited by hackers to gain remote access and install a Windows rootkit. This vulnerability allows hackers to compromise the Dell driver, gain access to kernel memory, and disable seven Windows OS mechanisms, resulting in a significant impact on system security.
What types of documents are commonly used for malware infections in this campaign?
The campaign exploiting the Dell driver bug utilizes various document file formats for malware infections. Techniques such as the use of malicious downloaders, custom backdoors, and FudModule rootkit tool are employed to deliver malware through document files in this campaign.
What specific techniques are used to exploit the Dell hardware driver vulnerability?
The techniques used to exploit the dell hardware driver vulnerability include the exploitation of the BYOVD technique, compromising the Dell driver through CVE-2021-21551, gaining access to kernel memory, and disabling seven Windows OS mechanisms. The dell driver bug significantly impacts system security by allowing hackers to install a rootkit and disable security mechanisms.
What are some of the tools that hackers use in this campaign?
Hackers in the campaign utilize various tools, including BLINDINGCAN malware, HTTP(S) downloaders and uploaders, and the FudModule rootkit tool. These tools are used to exploit the Dell driver bug and install a Windows rootkit on targeted systems.
How does the vulnerability in the Dell hardware driver allow hackers to disable Windows OS mechanisms and potentially compromise security solutions?
The vulnerability in the Dell hardware driver allows hackers to disable Windows OS mechanisms and potentially compromise security solutions. This can impact system performance by granting the rootkit access to kernel memory and disabling critical security features. Detecting and mitigating the Dell driver bug exploitation involves identifying and patching the CVE-2021-21551 vulnerability, employing robust security solutions, and regularly updating software and drivers.
