Lazarus & BYOVD: Evil to the Windows core.

2022-09-30 ESET

https://www.virusbulletin.com/uploads/pdf/conference/vb2022/VB2022-Kalnai-Havranek.pdf

Attachments

VB2022-Kalnai-Havranek.pdf (3 MB)


ESET documents FudModule, an 88,064-byte user-mode DLL used in a Lazarus attack on a corporate endpoint in the Netherlands in October 2021. It was delivered alongside other Lazarus-attributed tools (HTTP(S) backdoors, downloaders and uploaders), although the full delivery chain was not recovered. FudModule is a BYOVD (Bring Your Own Vulnerable Driver) rootkit: it drops and loads Dell's legitimately signed DBUtil_2_3.sys driver, whose CVE-2021-21551 flaw (fixed by Dell in May 2021; the attacker simply ships the old, still validly signed copy) exposes an arbitrary kernel memory write through an IOCTL. The module uses that write to flip the PreviousMode field of its own thread's KTHREAD to KernelMode, after which the kernel no longer validates that addresses passed to memory syscalls lie in user space, so the DLL can read and write kernel memory from user mode without loading a single byte of unsigned kernel code. With that primitive it attempts to disable the monitoring mechanisms Windows offers to security products, such as registry callbacks, so that endpoint tools lose visibility into system activity.

Two consequences for defenders follow. Code signing does not stop this class of attack, because the driver carries a valid hardware-vendor signature; the control is to refuse known-vulnerable drivers (Microsoft's vulnerable driver blocklist, enforced through HVCI or WDAC) and to alert when a kernel driver is loaded from a user-writable path. And because the PreviousMode overwrite leaves no rogue module in the kernel, detection has to come from the driver load itself, from the service creation that precedes it, or from kernel callback tables that suddenly lose entries.
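
The driver-load hunt sketched above, as an added example that is not ESET's code or anything from the paper: it runs a small rule set over constructed Sysmon Event ID 6 (DriverLoad) records and flags loads that match the BYOVD pattern. The sample records, the placeholder hashes, the expected-directory list and the name-based blocklist are all assumptions made for the illustration; a real deployment would source the blocklist from Microsoft's vulnerable driver list and tune the directory heuristic to its fleet.

```python
"""Hunt for BYOVD-style driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example, not ESET's or the FudModule authors' code. The records below are
constructed for illustration and use Sysmon's DriverLoad field names
(ImageLoaded, Hashes, Signature, SignatureStatus). The expected-directory list
and the name-based blocklist are assumptions to tune per fleet.
"""
import ntpath

# Driver file names known to be abused for BYOVD. Only the one in the ESET
# report is listed; in practice this comes from Microsoft's vulnerable driver
# blocklist (assumption: you maintain that list separately).
KNOWN_VULNERABLE_DRIVERS = {"dbutil_2_3.sys"}

# Directories a legitimately installed driver is expected to load from
# (heuristic; third-party drivers outside these paths are not necessarily bad).
EXPECTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore\filerepository",
)

# Constructed Sysmon-like Event ID 6 records; the hashes are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=0001", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\DBUtil_2_3.sys",
     "Hashes": "SHA256=0002", "Signature": "Dell Inc.", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\vendor\helper.sys",
     "Hashes": "SHA256=0003", "Signature": "Some Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\odd.sys",
     "Hashes": "SHA256=0004", "Signature": "", "SignatureStatus": "Unsigned"},
    {"EventID": 7, "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},  # image load, not a driver
]


def parse_hashes(field):
    """Split Sysmon's 'SHA1=..,MD5=..,SHA256=..' string into {ALGO: lowercase hash}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def assess_driver_load(event, hash_blocklist=frozenset()):
    """Return the reasons a DriverLoad event looks like BYOVD (empty list = clean)."""
    reasons = []
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()

    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver name: {name}")
    # Renaming the dropped file defeats the name check, so a hash match is the stronger signal.
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 and sha256 in hash_blocklist:
        reasons.append(f"SHA256 on vulnerable-driver blocklist: {sha256}")
    if not directory.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from unexpected directory: {directory}")
    # A validly signed driver is the normal BYOVD case, so a bad signature
    # status is an independent signal, not a required one.
    if event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status: {event.get('SignatureStatus')}")
    return reasons


def hunt(events, hash_blocklist=frozenset()):
    """Return [(ImageLoaded, reasons)] for every DriverLoad event with at least one reason."""
    findings = []
    for event in events:
        if event.get("EventID") != 6:
            continue
        reasons = assess_driver_load(event, hash_blocklist)
        if reasons:
            findings.append((event["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS, hash_blocklist={"0002"}):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it reports the Dell driver (known name, user-writable Temp directory, and the blocklisted placeholder hash), the vendor driver loaded from ProgramData, and the unsigned driver, while the Microsoft driver and the non-driver image load pass. The name rule is the weakest of the three, since the attacker controls the file name of the dropped driver; the hash rule and the load-path rule survive a rename, and the service creation that precedes the load (Security event 4697 or System event 7045 with a kernel-driver service type) is the other pivot worth correlating.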

Indicators of Compromise

Type     Value                                    First Seen   Last Seen
HASH     0296e2ce999e67c76352613a718e115…         2022-09-30   2024-09-02
HASH     97c78020eedfcd5611872ad7c57f812…         2022-09-30   2023-03-20
URL      https://public.cnotools.studio/          2022-09-30   2022-09-30
URL      https://www.ijiss.org/ijiss/ind…         2022-09-30   2022-09-30
DOMAIN   aviadshamriz.medium.com                  2022-09-30   2022-09-30
DOMAIN   triplefault.io                           2022-09-30   2022-09-30
DOMAIN   br-sn.github.io                          2022-09-30   2022-09-30
DOMAIN   dk.upce.cz                               2022-09-30   2022-09-30
DOMAIN   blog.xpnsec.com                          2022-09-30   2022-09-30
DOMAIN   public.cnotools.studio                   2022-09-22   2022-09-30

Two caveats before using this table. The hash values are truncated on this page; take the full SHA-256 values from the PDF before adding them to a blocklist. The URL and DOMAIN rows are security blogs and academic sites that the paper cites in its references, which the aggregator extracted as if they were indicators; they are not attacker infrastructure and should not be blocked.
