Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers
The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary.
The Bring Your Own Vulnerable Driver attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter)ception that's directed against aerospace and defense industries.
What's notable about the 2021 attacks was a rootkit module that exploited a Dell driver flaw to gain the ability to read and write kernel memory.
Named FudModule, the previously undocumented malware achieves its goals via multiple methods "either not known before or familiar only to specialized security researchers and cheat developers," according to ESET. "The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way," Kálnai said.
This is not the first time the threat actor has resorted to using a vulnerable driver to mount its rootkit attacks.
Just last month, AhnLab's ASEC detailed the exploitation of a legitimate driver known as "Ene.sys" to disarm security software installed on the targeted machines.
News URL
https://thehackernews.com/2022/10/hackers-exploiting-dell-driver.html