5/29/2023

Eset endpoint security for windows

This research was presented at this year's Virus Bulletin conference. In this blogpost, we explain the context of the campaign and provide a detailed technical analysis of all the components.

Both targets were presented with job offers – the employee in the Netherlands received an attachment via LinkedIn Messaging, and the person in Belgium received a document via email. Attacks started after these documents were opened.

The attackers deployed several malicious tools on each system, including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders and downloaders. The commonality between the droppers was that they are trojanized open-source projects that decrypt the embedded payload using modern block ciphers with long keys passed as command line arguments. In many cases, malicious files are DLL components that were side-loaded by legitimate EXEs, but from an unusual location in the file system. Lazarus also used in this campaign their fully featured HTTP(S) backdoor known as BLINDINGCAN.

The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions (registry, file system, process creation, event tracing etc.), basically blinding security solutions in a very generic and robust way. It uses techniques against Windows kernel mechanisms that have never been observed in malware before.

The complexity of the attack indicates that Lazarus consists of a large team that is systematically organized and well prepared.
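The side-loading pattern described above (a legitimate, signed EXE loading an unsigned DLL from the same unusual directory) is something a defender can flag from image-load telemetry. The following is an added example written for this page, not code from ESET or from the research it summarizes; the record layout, the field names, the list of trusted directories and the sample events are all constructed assumptions, loosely modelled on a Sysmon image-load event.

```python
"""Heuristic detection of DLL side-loading from unusual file-system locations.

Added example (not from the original research). The ImageLoad record and the
sample events below are constructed; field names are assumptions.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

# Directories from which Windows normally loads signed system and program DLLs.
# Assumed list for this example; a real deployment would tune it per estate.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


@dataclass
class ImageLoad:
    """One image-load record (constructed shape, modelled on a Sysmon event 7)."""
    process: str        # full path of the loading process (the EXE)
    image_loaded: str   # full path of the DLL mapped into that process
    process_signed: bool
    image_signed: bool


def under_trusted_root(path: str) -> bool:
    """True if the file lives below one of the trusted directories.

    PureWindowsPath comparisons are case-insensitive, so mixed-case paths
    from telemetry still match.
    """
    parents = PureWindowsPath(path).parents
    return any(root in parents for root in TRUSTED_ROOTS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Flag the pattern from the report: a signed EXE picks up an unsigned DLL
    from its own directory, and that directory is outside the trusted roots."""
    exe = PureWindowsPath(ev.process)
    dll = PureWindowsPath(ev.image_loaded)
    same_dir = exe.parent == dll.parent
    return (
        ev.process_signed
        and not ev.image_signed
        and same_dir
        and not under_trusted_root(ev.image_loaded)
    )


def find_sideload_candidates(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    """Return every record that matches the side-loading heuristic."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: only the second record should be flagged.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\ntdll.dll", True, True),
    ImageLoad(r"C:\Users\Public\Documents\viewer.exe",       # signed EXE copied to an odd place
              r"C:\Users\Public\Documents\helper.dll", True, False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",            # unsigned plugin, but trusted root
              r"C:\Program Files\Vendor\plugin.dll", True, False),
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\tool.exe",     # loader itself unsigned: different case
              r"C:\Users\u\AppData\Local\Temp\tool.dll", False, False),
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.process} -> {hit.image_loaded}")
```

The heuristic deliberately does not fire on an unsigned loader or on unsigned DLLs under Program Files; those are different conditions that deserve their own rules. Signature state is taken from the record as given, so the quality of the result depends on the telemetry source actually verifying Authenticode rather than only reporting the presence of a signature.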