
Lazarus hackers abuse Dell driver bug using new FudModule rootkit
2022-10-01 14:05

The notorious North Korean hacking group 'Lazarus' was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack.

ESET reports that the most interesting of the tools deployed in this campaign is a new rootkit, FudModule, which uses the BYOVD technique to exploit a vulnerability in a Dell hardware driver; this is the first recorded exploitation of that vulnerability in the wild.

"The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver," explains ESET in a new report on the attack.

In a Bring Your Own Vulnerable Driver attack, threat actors who already hold administrative rights on the machine drop and load a legitimate, vendor-signed kernel driver that is known to contain an exploitable flaw, then trigger that flaw from user mode to obtain arbitrary kernel memory read and write.

Because the driver carries a valid code signature, Windows' driver signature enforcement accepts it and the kernel loads it. The signature attests to the publisher, not to the absence of bugs, so only an explicit blocklist of known-vulnerable drivers (such as the one Microsoft distributes as its recommended driver block rules) stops a driver like this from loading on a fully patched system.
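The practical consequence for defenders is that "signed and valid" is not a usable trust signal for driver loads; detection has to compare the loaded image against a denylist of known-vulnerable drivers. The following added example (not code from ESET or the article) does that over Sysmon Event ID 6 (DriverLoad) records. The log lines are constructed for illustration in a flattened key=value form, and the denylist and the SHA-256 values are placeholders, not real indicators for dbutil_2_3.sys; in production the denylist would come from a maintained source such as Microsoft's recommended driver block rules.

```python
"""Flag BYOVD-style driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example for illustration, not from the ESET report or the article.
The sample log lines, the denylist contents and the hash values below are
constructed placeholders, not real indicators.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical denylist of validly signed but known-vulnerable drivers.
# In practice this comes from a maintained source (e.g. Microsoft's
# recommended driver block rules); the entries here are assumptions.
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}
VULNERABLE_DRIVER_HASHES = {"sha256=" + "aa" * 32}  # placeholder, not a real hash

# One event per line, fields flattened as key=value (constructed format, not
# Sysmon's native XML). The Hashes value itself contains '=', so the greedy
# \S+ keeps "SHA256=..." together as one value.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class DriverLoad:
    image: str             # full path of the loaded driver image
    hashes: str            # e.g. "SHA256=..."
    signed: bool           # Sysmon's Signed field
    signature_status: str  # Sysmon's SignatureStatus field, "Valid" when the chain checks out


def parse_event(line: str) -> Optional[DriverLoad]:
    """Return a DriverLoad for an Event ID 6 line, or None for any other event."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "6":
        return None
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        hashes=fields.get("Hashes", ""),
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", ""),
    )


def classify(ev: DriverLoad) -> str:
    """Classify a driver load; the BYOVD case is a *validly signed* denylisted driver."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    known_bad = name in VULNERABLE_DRIVER_NAMES or ev.hashes.lower() in VULNERABLE_DRIVER_HASHES
    if known_bad and ev.signed and ev.signature_status == "Valid":
        return "BYOVD"        # signature check passed, yet the driver is known-vulnerable
    if known_bad:
        return "VULN_DRIVER"  # denylisted but not validly signed: would normally be refused
    if not ev.signed or ev.signature_status != "Valid":
        return "UNSIGNED"     # a different problem, not BYOVD
    return "OK"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run classification over log lines, skipping non-DriverLoad events."""
    results = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            results.append((ev.image, classify(ev)))
    return results


# Constructed sample log: a normal system driver, a validly signed copy of the
# vulnerable Dell driver dropped in a temp directory, an unsigned driver, and
# an unrelated Event ID 1 (process creation) line that must be ignored.
SAMPLE_LOG = [
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys "
    "Hashes=SHA256=" + "11" * 32 + " Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Windows\\Temp\\DBUtil_2_3.sys "
    "Hashes=SHA256=" + "aa" * 32 + " Signed=true SignatureStatus=Valid",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\rootkit.sys "
    "Hashes=SHA256=" + "22" * 32 + " Signed=false SignatureStatus=Unavailable",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",
]

if __name__ == "__main__":
    for image, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:12s} {image}")
```

Note that this is detection after the fact: by the time Event ID 6 fires, the driver is already in the kernel, and the attacker needed administrative rights to get it there. Prevention is the blocklist enforced at load time (WDAC/HVCI with the vulnerable driver block rules); the log check is what tells you the control was missing or bypassed.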

It appears that Lazarus was already well aware of this potential for abuse and exploited the Dell driver well before security analysts issued their public warnings.


News URL

https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/

Related Vulnerability

Date: 2021-05-04
CVE: CVE-2021-21551
Title: Insufficient access control in the Dell dbutil_2_3.sys driver
Description: Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure.
Risk: local attack vector, low attack complexity, vendor Dell, CVSS score 7.8 (High)

Related vendor

Vendor: Dell
Number of products: 1664
Vulnerabilities by severity: 29 low, 431 medium, 414 high, 109 critical (983 total)