"Researchers Outline the Lazarus APT Offensive Toolset"

Researchers at ESET discovered and examined a set of malicious tools used by the Lazarus Advanced Persistent Threat (APT) group in attacks at the end of 2021. The campaign began with spear-phishing emails carrying malicious Amazon-themed documents, aimed at an employee of a Dutch aerospace company and a Belgian political journalist; the attachment reached the employee in the Netherlands via LinkedIn Messaging, while the document reached the journalist in Belgium via email. The attackers' primary goal was data exfiltration. The tools deployed on the victims' systems included droppers, loaders, fully featured HTTP(S) backdoors, and HTTP(S) uploaders.

The attackers' most notable tool was a user-mode module that obtained read and write access to kernel memory by exploiting CVE-2021-21551, a vulnerability in Dell DBUtil drivers. With that kernel write primitive, the attackers disabled seven mechanisms the Windows operating system offers for monitoring its own actions, covering the registry, the file system, process creation, event tracing, and more, thereby blinding security solutions in a generic and robust manner.

ESET researchers attribute these attacks to Lazarus with high confidence. The group is defined by the diversity, number, and eccentric implementation of its campaigns, and it is also known for operating effectively in cyberespionage, cybersabotage, and the pursuit of financial gain. Lazarus, also known as HIDDEN COBRA, has been active since at least 2009. This article continues to discuss the researchers' findings regarding the Lazarus APT offensive toolset.
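The kernel-memory primitive described above comes from loading a legitimately signed but vulnerable third-party driver, so a plain driver-signature check will not flag it. The following is an added detection example written for this summary; it is not ESET's code and not part of the original article. It runs a simple hunt over constructed Sysmon-style driver-load records (Event ID 6) and flags loads of the affected Dell driver by filename, plus any driver loaded from outside the standard driver directories. The filename `dbutil_2_3.sys` is taken from the CVE-2021-21551 advisory, not from the article; the log format, paths and timestamps are constructed for the example.

```python
"""Hunt Sysmon-style DriverLoad records for a known-vulnerable driver (BYOVD detection example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Known from the CVE-2021-21551 advisory (affected Dell driver is dbutil_2_3.sys);
# this filename does not appear in the article itself.
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}

# Directories from which drivers are normally loaded; anything else deserves a look.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Constructed sample records in a Sysmon Event ID 6 (DriverLoad) key=value style.
SAMPLE_LOG = """\
2021-11-15T10:03:22Z EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signature="Microsoft Windows" SignatureStatus=Valid
2021-11-15T10:05:41Z EventID=6 ImageLoaded=C:\\Users\\Public\\dbutil_2_3.sys Signature="Dell Inc." SignatureStatus=Valid
2021-11-15T10:05:50Z EventID=1 Image=C:\\Users\\Public\\updater.exe
2021-11-15T10:06:02Z EventID=6 ImageLoaded=C:\\Temp\\helper.sys Signature="Contoso Ltd" SignatureStatus=Valid
"""

# key=value pairs where the value is either a quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    timestamp: str
    path: str
    reason: str


def parse_record(line: str) -> dict:
    """Split one log line into a dict of fields; the leading token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
    fields["timestamp"] = timestamp
    return fields


def assess_driver_load(record: dict):
    """Return a reason string if this driver load is suspicious, else None."""
    path = PureWindowsPath(record.get("ImageLoaded", ""))
    name = path.name.lower()
    parent = str(path.parent).lower()
    if name in VULNERABLE_DRIVER_NAMES:
        # The driver carries a valid vendor signature, so only a name/hash blocklist catches it.
        return "known vulnerable driver (CVE-2021-21551) loaded; valid signature, so signing checks alone miss it"
    if not parent.startswith(EXPECTED_DRIVER_DIRS):
        return "driver loaded from a non-standard, possibly user-writable directory"
    return None


def hunt(log_text: str) -> list:
    """Walk the log, keep only DriverLoad (EventID=6) records, and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_record(line)
        if record.get("EventID") != "6":
            continue
        reason = assess_driver_load(record)
        if reason:
            findings.append(Finding(record["timestamp"], record["ImageLoaded"], reason))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"{finding.timestamp} {finding.path}: {finding.reason}")
```

On the constructed sample this flags the `dbutil_2_3.sys` load under `C:\Users\Public` and the unknown driver under `C:\Temp`, while the Microsoft-signed driver in `System32\drivers` passes. In production the name set would be replaced by a hash-based blocklist (for example Microsoft's vulnerable driver blocklist), and the path heuristic tuned to the environment's legitimate driver locations.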

Help Net Security reports "Researchers Outline the Lazarus APT Offensive Toolset"
