#LAZARUS GROUP APT DRIVER#
ene.sys Driver (WinIO Library) Vulnerability AES Encrypted IOCTL Communication and Call Time Verification SB_SMBUS_SDK.dll Module Loading Verification
… 2.2 Caller and Data Validity Verification Thus, the attacker was able to read and write to an arbitrary kernel memory area through this module and by modifying data in all areas related to the kernel including files, processes, threads, registries, and event filters, disabled all monitoring programs within the system including AV.Īnalysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Oct-05-2022 Download The problems with this module include not only the fact that it uses an old open source code but also the fact that the verification condition for calling modules is weak, which enables reading and writing to an arbitrary kernel memory area via a simple bypassing process. This module used the original form of an open source library called “WinIO,” developed by Yariv Kaplan in 1999. The vulnerable driver module used by the Lazarus Group, in this case, was a hardware-related module manufactured by “ENE Technology”.
#LAZARUS GROUP APT DRIVERS#
With the latest Windows OS, unsigned drivers can longer be loaded, however, attackers can use such legally-signed vulnerable drivers to control kernel area easily. This technique is called the “BYOVD (Bring Your Own Vulnerable Driver)” method and is known to be performed mainly on vulnerable driver modules of hardware supply companies.
The rootkit malware identified in the recent product-disabling attack abused vulnerable driver kernel modules to directly read and write to the kernel memory area and accordingly, all monitoring systems inside the system including AV (Anti-Virus) were disabled. Researchers with Kaspersky, in their APT trends report for the third quarter of 2021, said the Lazarus group leveraged an updated version of the DeathNote malware, which is known to send data about the compromised host and fetch a next-stage payload, as well as the Racket downloader. An analysis of the attack process revealed that the Lazarus Group exploits an old version of the INITECH process to perform the initial compromise before downloading and executing the rootkit malware from the attacker’s server. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries.ĪhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. Posted By AhnLab_en, SeptemAnalysis Report on Lazarus Group’s Rootkit Attack Using BYOVD
0 kommentar(er)
