Researchers outline the Lazarus APT offensive toolset
ESET researchers uncovered and analyzed a set of malicious tools that were used by the Lazarus APT group in attacks in late 2021. The campaign started with spear-phishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. The primary goal of the attackers was data exfiltration.
Amazon-themed document sent to the target in the Netherlands. Source: ESET
Both victims were presented with job offers: the employee in the Netherlands received an attachment via LinkedIn Messaging, and the journalist in Belgium received a document via email. The attacks began after these documents were opened. The attackers deployed several malicious tools on the systems, including droppers, loaders, fully featured HTTP(S) backdoors, and HTTP(S) uploaders.
The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory by exploiting CVE-2021-21551, a vulnerability in a legitimate, signed Dell driver (a classic bring-your-own-vulnerable-driver technique: the attacker drops and loads the vulnerable driver, then abuses its IOCTL interface). The vulnerability affects Dell's DBUtil drivers; Dell provided a security update in May 2021. This is the first recorded abuse of this vulnerability in the wild.
"The attackers then used their write access to kernel memory to disable seven mechanisms offered by the Windows operating system to monitor their actions, such as registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way," explains Peter Kálnai, senior malware researcher at ESET, who discovered the campaign. "It was not only done in kernel space, but also robustly, using a series of poorly documented or undocumented internal Windows components. This undoubtedly required deep research, development and testing skills," he adds.
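The defensive counterpart to the technique described above is to notice when the vulnerable Dell driver is loaded at all. The following Python triage helper is an added example written for this page; it is not ESET's code and not part of the article. It parses the key/value message text of Sysmon "Driver loaded" events (Event ID 6, which carries the ImageLoaded, Hashes, Signed and Signature fields) and flags a load of dbutil_2_3.sys, the driver named in Dell's advisory for CVE-2021-21551, as well as any kernel driver loaded from a user-writable directory. The three sample records, the path list used as the "user-writable" heuristic, and the hash values (placeholders, not the real driver's hashes) are constructed for the example.

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for CVE-2021-21551 abuse.

Added illustration, not code from the ESET research or the article.
The sample records below are constructed; the SHA256 values are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Dell's advisory for CVE-2021-21551 names dbutil_2_3.sys as the affected driver.
VULNERABLE_DRIVER_NAMES = {"dbutil_2_3.sys"}

# Assumed heuristic: directories a non-admin user can write to. A kernel driver
# loaded from one of these is suspicious whatever it is called, because BYOVD
# droppers typically write the driver to a temp location and then create a
# service for it. Extend this list to match your own environment.
USER_WRITABLE_DIR_RE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\local\\temp|windows\\temp|programdata)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DriverLoad:
    utc_time: str
    image_loaded: str
    sha256: str
    signature: str


def parse_sysmon_driver_load(record: str) -> DriverLoad:
    """Parse the 'Key: Value' lines of a Sysmon Event ID 6 message body."""
    fields: dict[str, str] = {}
    for line in record.strip().splitlines():
        key, _, value = line.partition(":")  # split on the first colon only
        fields[key.strip()] = value.strip()
    hashes: dict[str, str] = {}
    for item in fields.get("Hashes", "").split(","):
        algo, sep, digest = item.partition("=")
        if sep:
            hashes[algo.strip()] = digest.strip().lower()
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image_loaded=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", ""),
        signature=fields.get("Signature", ""),
    )


def assess(load: DriverLoad) -> list[str]:
    """Return the reasons a driver load is suspicious (empty list if none)."""
    reasons: list[str] = []
    file_name = load.image_loaded.rsplit("\\", 1)[-1].lower()
    if file_name in VULNERABLE_DRIVER_NAMES:
        reasons.append("known-vulnerable driver name (CVE-2021-21551)")
    if USER_WRITABLE_DIR_RE.match(load.image_loaded):
        reasons.append("driver loaded from user-writable directory")
    return reasons


def triage(records: list[str]) -> list[tuple[str, list[str]]]:
    """Return (ImageLoaded, reasons) for every record that raises a flag."""
    hits: list[tuple[str, list[str]]] = []
    for record in records:
        load = parse_sysmon_driver_load(record)
        reasons = assess(load)
        if reasons:
            hits.append((load.image_loaded, reasons))
    return hits


# Constructed sample records in Sysmon's message-body layout.
SAMPLE_RECORDS = [
    r"""Driver loaded:
RuleName: -
UtcTime: 2021-10-05 09:12:01.118
ImageLoaded: C:\Windows\System32\drivers\ndis.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000001
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
    r"""Driver loaded:
RuleName: -
UtcTime: 2021-10-05 09:14:22.301
ImageLoaded: C:\Users\alice\AppData\Local\Temp\dbutil_2_3.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000002
Signed: true
Signature: Dell Inc.
SignatureStatus: Valid""",
    r"""Driver loaded:
RuleName: -
UtcTime: 2021-10-05 09:14:23.877
ImageLoaded: C:\Windows\Temp\svc.sys
Hashes: SHA256=0000000000000000000000000000000000000000000000000000000000000003
Signed: true
Signature: Dell Inc.
SignatureStatus: Valid""",
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_RECORDS):
        print(f"{image}: {'; '.join(reasons)}")
```

Matching on the file name alone is a weak signal, since an attacker can rename the driver before loading it; in production, key the check on the SHA256 from the Hashes field against a maintained list of vulnerable driver hashes (such as the Microsoft vulnerable driver blocklist), and enforce that list with WDAC or HVCI rather than relying on post-hoc log review.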
Lazarus also used a fully featured HTTP(S) backdoor known as BLINDINGCAN. ESET believes that this Remote Access Trojan (RAT) has a complex server-side controller with a user-friendly interface through which the operator can control and explore compromised systems.
In the Netherlands, the attack affected a Windows 10 computer connected to the corporate network. An employee was contacted via LinkedIn Messaging about a potential new job, which resulted in an email with an attached document being sent. The Word file Amzon_Netherlands.docx sent to the victim is merely an outline document with an Amazon logo. Investigators were unable to obtain the remote template it fetched, but surmise that it may have contained a job offer for Amazon's Project Kuiper space program. This is a technique Lazarus practiced in the Operation In(ter)ception and Operation DreamJob campaigns targeting the aerospace and defense industries.
Based on the number of command codes available to the operator, there is likely a server-side controller through which the operator can control and explore compromised systems. The more than two dozen available commands include downloading, uploading, rewriting and deleting files, and taking screenshots.
"In this attack, as well as in many others attributed to Lazarus, we saw that many tools were distributed even on a single targeted endpoint in a network of interest. Without a doubt, the team behind the attack is quite large, systematically organized and thoroughly prepared," says Kálnai.
ESET Research attributes these attacks to Lazarus with high confidence. The diversity, number and eccentricity in the implementation of Lazarus campaigns define this group, which carries out all three pillars of cybercriminal activity: cyber espionage, cyber sabotage and the pursuit of financial gain. Lazarus (also known as HIDDEN COBRA) has been active since at least 2009 and is responsible for several high-profile incidents.