"Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers"

The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by exploiting a vulnerability in a legitimately signed Dell firmware driver, underscoring a new tactic for the state-sponsored adversary. The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-focused activity known as Operation In(ter)ception, which is aimed at the aerospace and defense industries. According to ESET researcher Peter Kálnai, the campaign began with spear-phishing emails containing malicious Amazon-themed documents, and it targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. Opening the lure documents set off the attack chains, which delivered malicious droppers that were trojanized versions of open-source projects. ESET reports that Lazarus dropped weaponized versions of FingerText and of sslSniffer, a component of the wolfSSL library, as well as HTTPS-based downloaders and uploaders. The intrusions also paved the way for BLINDINGCAN, also known as AIRDRY and ZetaNile, the group's preferred backdoor, which an operator can use to control and explore compromised systems. The 2021 attacks were notable for a rootkit module that exploited a Dell driver flaw to gain the ability to read and write kernel memory. The flaw is one of a set of critical privilege escalation vulnerabilities in dbutil_2_3.sys (tracked as CVE-2021-21551), a driver Dell shipped with its firmware update utilities. Because the driver carries a valid Dell signature, Windows loads it like any other legitimate driver, so kernel code-signing enforcement does not stop the attack; the attacker's user-mode component then talks to the loaded driver's IOCTL interface, which lacks proper access checks, to obtain an arbitrary kernel read/write primitive. That primitive is what lets the rootkit tamper with kernel structures and blind operating-system monitoring without ever needing a signed kernel module of its own. This article continues to discuss the Lazarus Group's deployment of a Windows rootkit through the exploitation of a Dell driver vulnerability.
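The practical lesson of the BYOVD technique described above is that signature validation alone will not catch it: the Dell driver is validly signed and loads cleanly. Detection has to key on which driver was loaded and from where. The following is an added example, not code from ESET's or THN's reporting, that parses constructed Sysmon Event ID 6 (DriverLoad) records and flags loads of a known-vulnerable driver by file name or hash, loads from outside the normal driver directory, and notes when a flagged driver was nonetheless validly signed. The file name dbutil_2_3.sys is the one named on the page; the SHA-256 value in the blocklist and the sample events are constructed placeholders, not real hashes, and must be replaced with values from Dell's advisory or Microsoft's vulnerable driver blocklist before use.

```python
"""Flag Bring-Your-Own-Vulnerable-Driver loads in Sysmon DriverLoad (Event ID 6) records.

Added example for illustration. Blocklist hash and sample events are constructed
placeholders; only the driver file name dbutil_2_3.sys comes from the reporting.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sysmon writes events in the standard Windows event XML namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Known-vulnerable driver names. dbutil_2_3.sys is the Dell driver abused by Lazarus.
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}
# Constructed placeholder hash (assumption, not the real file hash): populate from
# the vendor advisory or Microsoft's vulnerable driver blocklist before use.
PLACEHOLDER_SHA256 = "d" * 64
VULNERABLE_DRIVER_SHA256 = {PLACEHOLDER_SHA256}
# Directory a properly installed kernel driver is normally loaded from.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)


@dataclass
class DriverLoad:
    utc_time: str
    image: str             # ImageLoaded: full path of the .sys file
    sha256: Optional[str]  # from the Hashes field, if SHA256 is present
    signed: bool
    signature: str         # signer name, e.g. "Dell Inc."
    status: str            # SignatureStatus, e.g. "Valid"


def parse_driver_load(xml_text: str) -> Optional[DriverLoad]:
    """Parse one Sysmon event; return None unless it is Event ID 6 (DriverLoad)."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    sha256 = None
    for part in data.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            sha256 = value.strip().lower()
    return DriverLoad(
        utc_time=data.get("UtcTime", ""),
        image=data.get("ImageLoaded", ""),
        sha256=sha256,
        signed=data.get("Signed", "").lower() == "true",
        signature=data.get("Signature", ""),
        status=data.get("SignatureStatus", ""),
    )


def byovd_findings(load: DriverLoad) -> List[str]:
    """Return the reasons this driver load looks like BYOVD (empty list means nothing flagged)."""
    reasons: List[str] = []
    path = load.image.lower()
    name = path.rsplit("\\", 1)[-1]
    if name in VULNERABLE_DRIVER_NAMES:
        reasons.append(f"known-vulnerable driver name: {name}")
    if load.sha256 and load.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("known-vulnerable driver hash")
    if not path.startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"loaded from non-standard path: {load.image}")
    # A valid signature is expected in BYOVD and must not clear the finding;
    # record it so the analyst sees why a signature check alone passed.
    if reasons and load.signed and load.status.lower() == "valid":
        reasons.append(f"validly signed by '{load.signature}' (signature check alone would pass)")
    return reasons


def scan(events: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run every event through the parser and return (time, image, reasons) for flagged loads."""
    hits = []
    for xml_text in events:
        load = parse_driver_load(xml_text)
        if load is None:
            continue
        reasons = byovd_findings(load)
        if reasons:
            hits.append((load.utc_time, load.image, reasons))
    return hits


def _event(event_id: str, image: str, sha256: str, signer: str) -> str:
    """Build a constructed Sysmon-style event record for the samples below."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        '<EventData>'
        '<Data Name="UtcTime">2021-10-04 09:12:33.117</Data>'
        f'<Data Name="ImageLoaded">{image}</Data>'
        f'<Data Name="Hashes">SHA256={sha256}</Data>'
        '<Data Name="Signed">true</Data>'
        f'<Data Name="Signature">{signer}</Data>'
        '<Data Name="SignatureStatus">Valid</Data>'
        '</EventData></Event>'
    )


# Constructed sample records: a BYOVD-style load of the Dell driver from Temp,
# a benign signed driver from the normal directory, and a non-DriverLoad event.
SAMPLE_EVENTS = [
    _event("6", "C:\\Windows\\Temp\\dbutil_2_3.sys", PLACEHOLDER_SHA256, "Dell Inc."),
    _event("6", "C:\\Windows\\System32\\drivers\\tcpip.sys", "a" * 64, "Microsoft Windows"),
    _event("7", "C:\\Windows\\System32\\kernel32.dll", "b" * 64, "Microsoft Windows"),
]

if __name__ == "__main__":
    for when, image, reasons in scan(SAMPLE_EVENTS):
        print(when, image)
        for r in reasons:
            print("  -", r)
```

On a real fleet the same logic runs over exported Sysmon XML, and the name/hash sets should be fed from Microsoft's vulnerable driver blocklist; enabling that blocklist (or HVCI) is the preventive control, since it refuses the load regardless of the driver's otherwise valid signature.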

THN reports "Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers"
