The North Korea-linked hacking group Lazarus (also known as HIDDEN COBRA) has been launching systematic, organized spear-phishing campaigns against individuals in Netherlands and Belgium.

Who are the targets?

The targeted entities include a political journalist in Belgium and an employee at a firm dealing in the aerospace domain in the Netherlands. Both were sent fake job offers via email and LinkedIn Messaging respectively.

The attack campaign

  • The campaign delivers several malicious tools including droppers, loaders, fully featured HTTP(S) backdoors, HTTP(S) uploaders, and HTTP(S) downloaders.
  • The Lazarus group leverages Bring Your Own Vulnerable Driver (BYOVD) technique to abuse a vulnerability (CVE-2021-21551) in a Dell dbutil hardware driver.
  • A new HTTP(S) uploader named FudModule rootkit is used to disable various Windows monitoring features.

Tools in use

  • ESET researchers found that the Lazarus group further deployed its trademark custom HTTP(S) backdoor BLINDINGCAN (aka ZetaNile) which supports an extensive set of 25 commands covering file actions, command execution, C2 communication configuration,  taking screenshots, process creation and termination, and system information exfiltration.
  • In addition, the group used several other malicious tools, including mi.dll and cryptsp.dll, which are tainted versions of the genuine open-source project lecui, trojanized versions of FingerText, and sslSniffer.

Summing up

In recent months, the Lazarus group has been in the news with new malware or the same fake job offer campaigns. Now, the recent exploitation of CVE-2021-21551 vulnerability with the Windows rootkit FudModule indicates that this group is continuously working to achieve its target. Undoubtedly, the Lazarus group is growing as a threat with a set of advanced malicious tools.
Cyware Publisher