Security News > 2022 > October > Lazarus hackers abuse Dell driver bug using new FudModule rootkit
The notorious North Korean hacking group 'Lazarus' was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack.
ESET reports that among the tools deployed in this campaign, the most interesting is a new FudModule rootkit that abuses a BYOVD technique to exploit a vulnerability in a Dell hardware driver for the first time.
"The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver," explains ESET in a new report on the attack.
A Bring Your Own Vulnerable Driver attack is when threat actors load legitimate, signed drivers in Windows that also contain known vulnerabilities.
As the kernel drivers are signed, Windows will allow the driver to be installed in the operating system.
It appears that Lazarus was already well aware of this potential for abuse and exploited the Dell driver well before security analysts issued their public warnings.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-05-04 | CVE-2021-21551 | Unspecified vulnerability in Dell Dbutil 2 3.Sys Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. | 7.8 |