AhnLab Reveals 'BYOVD' Attacks Performed by 'Lazarus'


AhnLab, a leader in cybersecurity, recently released an in-depth report on an attack using the BYOVD (Bring Your Own Vulnerable Driver) technique performed by the Lazarus group during 2022.

The report, titled 'Analysis Report on Lazarus Group's Rootkit Malware That Uses BYOVD', offers an in-depth look into the BYOVD (Bring Your Own Vulnerable Driver) technique: carrying legitimate, signed drivers that contain known vulnerabilities onto the target and loading them into the Windows kernel(*). Once the driver is loaded, the threat actors can exploit its vulnerabilities to gain full read and write access to the kernel.

* The kernel manages the system resources, including file systems, processes, and physical devices. It provides applications with system services such as I/O management, virtual memory, and scheduling.

In this attack, after successful initial infiltration, the threat actors deployed several malicious tools, including a rootkit that contains a driver module developed by ENE Technology (ene.sys). The legitimately signed driver has a vulnerability: it lacks the checks that should restrict read and write access to kernel memory.

After gaining write access to kernel memory by exploiting the vulnerability, the threat actors executed malicious commands with kernel-level privileges to blind security solutions and monitoring tools on the infected system.

“Since directly loading a malicious, unsigned driver is no longer possible in recent versions of Windows, the attackers are abusing legitimate, signed drivers,” explained AhnLab in its report. “It is possible that even more legitimately signed drivers with vulnerabilities could be found and utilized in future attacks. It means that organizations should be on high alert for such cyberattacks,” the company added.


AhnLab researchers believe that the attackers intended to perform further malicious acts, such as data breaches, ransomware infection and espionage, on the compromised systems. AhnLab has updated its engine to detect the malware used in the attack.

To stay safe from sophisticated threats, the following security measures are recommended.

△Check and deploy security patches for the software currently used in the organization, and always apply the newest one
△Configure the organization's security policy so that drivers cannot be loaded from user mode
△Keep security solutions, including anti-malware, up to date
△Provide employees with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
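The attack described above relies on a legitimately signed driver (ene.sys, named in the report) being present and loaded, so a quick way for a defender to check a host is to inventory the registered kernel drivers and flag any that appear on a local watch list, recording their signer and state. The following PowerShell script is an added example, not code from AhnLab or from the report; the watch-list contents beyond ene.sys, the $WatchList variable name and the function names are assumptions for illustration. Run it in an elevated PowerShell session.

```powershell
# Added example (not from AhnLab's report): audit registered kernel drivers and
# flag the ENE Technology driver (ene.sys) named in the article. A watch-list hit
# is the alert condition; the signature is expected to be valid, which is exactly
# why BYOVD works, so signature status alone is not a sufficient check.

# File names to look for. ene.sys comes from the article; maintaining and
# extending this list locally is an assumption about your own process.
$WatchList = @('ene.sys')

function Get-KernelDriverInventory {
    # Win32_SystemDriver lists every registered kernel-mode driver service with
    # its on-disk path, run state and start mode.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if ($path) {
            # PathName may be quoted or carry the \??\ / \SystemRoot\ / System32\
            # prefixes; normalise it to a plain Win32 path for the signature check.
            $path = $path.Trim('"')
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"
        }
        $sig = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
        }
        [PSCustomObject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            FileName  = if ($path) { (Split-Path -Leaf $path).ToLower() } else { $null }
            SigStatus = if ($sig) { $sig.Status.ToString() } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Find-WatchedDrivers {
    param([string[]]$Names = $WatchList)
    # Compare on the lower-cased file name so the list entries are case-insensitive.
    Get-KernelDriverInventory | Where-Object { $_.FileName -and ($Names -contains $_.FileName) }
}

$hits = Find-WatchedDrivers
if ($hits) {
    Write-Warning "Watched driver(s) registered on this host:"
    $hits | Format-Table Name, State, StartMode, SigStatus, Signer, Path -AutoSize
} else {
    Write-Host "No watched drivers registered on this host."
}
```

A driver that is registered but not running (State other than Running, or StartMode Disabled) is still worth investigating, because the loader in this attack only needs the file on disk and permission to start the service. Presence of the file is a stronger indicator than a failed signature, since the whole point of BYOVD is that the driver's signature is genuine.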

For more details, you can read and download the full report 'Analysis Report on Lazarus Group's Rootkit Malware That Uses BYOVD' on the AhnLab ASEC blog (https://asec.ahnlab.com/en/38993/).

※ BYOVD technique: Threat actors carry vulnerable signed drivers onto a target and load them into the Windows kernel to blind security solutions and monitoring tools on the infected system.

etnews
