![]() ![]() ![]() ene.sys Driver (WinIO Library) Vulnerability AES Encrypted IOCTL Communication and Call Time Verification ![]() SB_SMBUS_SDK.dll Module Loading Verification … 2.2 Caller and Data Validity Verification Thus, the attacker was able to read and write to an arbitrary kernel memory area through this module and by modifying data in all areas related to the kernel including files, processes, threads, registries, and event filters, disabled all monitoring programs within the system including AV.Īnalysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Oct-05-2022 Download The problems with this module include not only the fact that it uses an old open source code but also the fact that the verification condition for calling modules is weak, which enables reading and writing to an arbitrary kernel memory area via a simple bypassing process. This module used the original form of an open source library called “WinIO,” developed by Yariv Kaplan in 1999. The vulnerable driver module used by the Lazarus Group, in this case, was a hardware-related module manufactured by “ENE Technology”. With the latest Windows OS, unsigned drivers can longer be loaded, however, attackers can use such legally-signed vulnerable drivers to control kernel area easily. The notorious Lazarus advanced persistent threat (APT) group has been identified as the cybergang behind a campaign spreading malicious documents to job-seeking engineers. This technique is called the “BYOVD (Bring Your Own Vulnerable Driver)” method and is known to be performed mainly on vulnerable driver modules of hardware supply companies. The rootkit malware identified in the recent product-disabling attack abused vulnerable driver kernel modules to directly read and write to the kernel memory area and accordingly, all monitoring systems inside the system including AV (Anti-Virus) were disabled. An analysis of the attack process revealed that the Lazarus Group exploits an old version of the INITECH process to perform the initial compromise before downloading and executing the rootkit malware from the attacker’s server. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries.ĪhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. Posted By AhnLab_en, SeptemAnalysis Report on Lazarus Group’s Rootkit Attack Using BYOVD ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |