- The Lazarus campaign targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium.
- The most notable tool used in this campaign represents the first recorded abuse of the Dell driver vulnerability.
- The complexity of the attack indicates that Lazarus consists of a large team that is systematically organized and well prepared.
Researchers at ESET announced that they have uncovered and analyzed malicious tools that were used by the notorious Lazarus APT group during the autumn of 2021. According to the report, the attack started with spear phishing emails that contains Amazon-themed documents. The first two targets of the campaign were an employee of an aerospace company in the Netherlands and a political journalist in Belgium.
DBUtil drivers
The attackers sent files via email and LinkedIn Messaging. When victims opened the documents, the attackers deployed their tools on the system, including The attackers deployed several malicious tools on systems, including droppers, loaders, and fully featured HTTP(S) backdoors, HTTP(S) uploaders, and downloaders. The droppers were trojanized open-source projects that decrypt the embedded payload using modern block ciphers with long keys passed as command line arguments.
The most notable tool was a user-mode module that gained the ability to read and write kernel memory by exploiting a vulnerability, tracked as CVE-2021-21551, in a legitimate Dell driver. It became the first-ever attack to exploit this vulnerability. The attackers disabled seven mechanisms of the operating system that monitors its actions with the access they gained.
Based on the specific modules, the code-signing certificate, and the intrusion approach, ESET states that these attacks are related to the Lazarus APT group. Detailed information about the attack and the incident is available in the white paper Lazarus & BYOVD: Evil to the Windows core.