ESET researchers uncovered and analyzed a set of malicious tools that were used by the Lazarus APT group in attacks during the end of 2021. The campaign started with spear phishing emails containing malicious Amazon-themed documents, and it targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. The primary goal of the attackers was data exfiltration.
Amazon-themed document sent to the target in the Netherlands. Source: ESET
Both victims were presented with job offers: The employee in the Netherlands received an attachment via LinkedIn Messaging, and the journalist in Belgium received a document via email. The attacks started after these documents were opened. The attackers deployed several malicious tools on the system, including droppers, loaders, fully featured HTTP(S) backdoors, and HTTP(S) uploaders.
The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This vulnerability affects Dell DBUtil drivers; Dell provided a security update in May 2021. This is the first ever recorded abuse of this vulnerability in the wild.
“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” explains Peter Kálnai, Senior Malware Researcher at ESET, who discovered the campaign. “It was not just done in kernel space, but also in a robust way, using a series of little- or undocumented Windows internals. Undoubtedly this required deep research, development, and testing skills,” he adds.
Lazarus also used a fully featured HTTP(S) backdoor known as BLINDINGCAN. ESET believes this remote access trojan (RAT) has a complex server-side controller with a user-friendly interface through which the operator can control and explore compromised systems.
In the Netherlands, the attack affected a Windows 10 computer connected to the corporate network, where an employee was contacted via LinkedIn Messaging about a potential new job, resulting in an email with a document attachment being sent. The Word file Amzon_Netherlands.docx sent to the victim is merely an outline document with an Amazon logo. Researchers were unable to acquire the remote template, but they assume that it may have contained a job offer for the Amazon space program Project Kuiper. This is a method that Lazarus practiced in the Operation In(ter)ception and Operation DreamJob campaigns targeting aerospace and defense industries.
Based on the number of command codes that are available to the operator, it is likely that a server-side controller is available where the operator can control and explore compromised systems. The more than two dozen commands available include downloading, uploading, rewriting, and deleting files, and taking screenshots.
“In this attack, as well as in many others attributed to Lazarus, we saw that many tools were distributed even on a single targeted endpoint in a network of interest. Without a doubt, the team behind the attack is quite large, systematically organized, and excellently prepared,” says Kálnai.
ESET Research attributes these attacks to Lazarus with high confidence. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain. Lazarus (also known as HIDDEN COBRA) has been active since at least 2009. It is responsible for several high-profile incidents.