The Lazarus Group, a North Korean hacker group, has been deploying a Windows rootkit by exploiting a vulnerability in a Dell driver. The attack is part of the threat actor's campaign Operation In(ter)ception, which targets the aerospace and defence industries.
Research by ESET researcher Peter Kálnai has found that the campaign began in 2021 with spear-phishing emails impersonating online retail giant Amazon. The emails carried malicious documents and targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium.
Analysis of the many attacks that followed showed that the attackers used a rootkit module that exploited a Dell driver flaw to gain the ability to read and write kernel memory. The issue, tracked as CVE-2021-21551, covers a set of critical privilege-escalation vulnerabilities in dbutil_2_3.sys. The rootkit uses this access to disable the monitoring that security solutions on the compromised machine rely on.
Researcher Kálnai said, “The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way.”
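Because the abused driver is a legitimately signed Dell component, signature checks alone will not catch it; one defensive starting point is to alert on any load of the vulnerable driver name the article identifies. The following is an added example, not ESET's or Dell's code: it scans constructed Sysmon Event ID 6 (DriverLoad) records for dbutil_2_3.sys, and also applies a general BYOVD heuristic (driver loaded from a user-writable directory) that is assumed here and not taken from the article.

```python
"""Flag loads of the vulnerable Dell driver named in the article (dbutil_2_3.sys,
CVE-2021-21551) in Sysmon Event ID 6 (DriverLoad) records.
All records below are constructed for this example, not real telemetry."""
import ntpath

# Driver file name known from the article to give kernel read/write when abused.
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}

# Placeholder: fill from the vendor advisory; no real hashes are listed in the article.
VULNERABLE_DRIVER_SHA256 = set()

# Directories a properly installed driver is not normally loaded from.
# General BYOVD heuristic assumed for this example, not taken from the article.
SUSPICIOUS_PATH_FRAGMENTS = ("\\users\\", "\\temp\\", "\\programdata\\")


def flag_driver_load(record):
    """Return the reasons this DriverLoad record deserves attention ([] if none)."""
    image = record.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()  # ntpath handles Windows paths on any OS
    reasons = []
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known vulnerable driver name: {name}")
    if record.get("SHA256", "").lower() in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash matches vendor-listed vulnerable build")
    if any(frag in image.lower() for frag in SUSPICIOUS_PATH_FRAGMENTS):
        reasons.append(f"driver loaded from user-writable path: {image}")
    return reasons


def scan(records):
    """Return (ImageLoaded, reasons) for every record that triggers at least one check."""
    hits = []
    for rec in records:
        reasons = flag_driver_load(rec)
        if reasons:
            hits.append((rec["ImageLoaded"], reasons))
    return hits


# Constructed sample events: one benign Windows driver, two loads of the Dell driver.
# Note that "Signed" is "true" for all of them, so signature state is not a useful filter.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true", "SHA256": ""},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\dbutil_2_3.sys", "Signed": "true", "SHA256": ""},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\DBUtil_2_3.sys", "Signed": "true", "SHA256": ""},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```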
This demonstrates how the Lazarus Group and other threat actors keep developing new techniques despite pressure from law enforcement and the research community. It is important to train staff to spot phishing attempts and to know what to do when they receive one.