Lazarus Hackers Installing Windows Rootkit Using Dell Driver Bug

An attack utilizing the BYOVD (Bring Your Own Vulnerable Driver) method was observed recently by the experts at ESET. In this attack, the North Korean hacking group, Lazarus installed a Windows rootkit that exploited a Dell hardware driver.

An aerospace expert in the Netherlands and a political journalist in Belgium have been confirmed as the targets of a spear-phishing campaign that unfolded in the autumn of 2021.


In the current campaign, the primary objective of the hackers was to steal data and carry out espionage.

Hackers Exploiting Dell Driver Bug

A large number of EU-based users are being targeted by hackers as part of this campaign. Hackers sent fake job offers via email to their targets, this time posing as Amazon employees. 

As a form of social engineering trick in 2022, hackers are likely to use fake job offers as part of their social engineering campaign.

Infections of these documents usually involve the execution of the following elements into the system of their targets:-

  • Malware loaders
  • Malicious downloaders
  • Custom backdoors

According to the report, These elements are downloaded from a hardcoded address and used to infect the target’s computer. This campaign used a wide variety of tools, but one of the most interesting is a brand-new rootkit tool called FudModule.

First of all, this rootkit exploits the vulnerability in a Dell hardware driver with a BYOVD technique, which is the first time a BYOVD technique has been exploited.

In terms of tools, the attackers delivered a user-mode module that stood out from the rest. A legitimate Dell driver was compromised by the CVE-2021-21551 vulnerability, which enabled this module to read and write kernel memory.

After gaining access to kernel memory, the attackers disabled seven Windows OS mechanisms. All these Windows mechanisms offer a variety of means for monitoring its actions, such as:-

  • Registry
  • File system
  • Process creation
  • Event tracing

Malicious Toolset Used

Here below we have mentioned all the malware, tools, droppers, and loaders used by the hackers:-

  • HTTP(S) downloader
  • HTTP(S) uploader
  • FudModule Rootkit
  • Trojanized lecui
  • Trojanized FingerText
  • Trojanized sslSniffer

This attack took advantage of a vulnerability in the Dell hardware driver called “dbutil_2_3.sys”, which was discovered to be vulnerable to CVE-2021-21551. This is a legitimate driver from Dell which has been dropped by FudModule.dll, and it’s a potentially vulnerable one.

The attackers were able to turn off all of the security solutions at once for the first time in the wild by leveraging the CVE-2021-21551 vulnerability.

Cyber Attack with Zero Trust Networking – Download Free E-Book

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.