As defined by the Microsoft Security Serving Criteria for Windows, the administrator-to-kernel transition is not a security boundary. Nevertheless, it is an advantage to have the ability to modify kernel memory, especially if an attacker can achieve that from user space. The Bring Your Own Vulnerable Driver (BYOVD) technique is a viable option for doing so: the attackers carry and load a specific kernel driver with a valid signature, thus overcoming the driver signature enforcement policy (DSE). Moreover, this driver contains a vulnerability that gives the attacker an arbitrary kernel write primitive. In such cases, the Windows API ceases to be a restriction, and an adversary can tamper with the most privileged areas of the operating system at will.
To complete this mission successfully, one must undergo an undoubtedly sophisticated and time-consuming process: choosing an appropriate vulnerable driver; researching Windows’ internals, as the functioning of the kernel is not well documented; working with a code base that is unfamiliar to most developers; and finally testing, as any unhandled error is the last step before a BSOD, which might trigger a subsequent investigation and the loss of access.
In this paper we dive into a deep technical analysis of a malicious component that was used in an APT attack by Lazarus in late 2021. The malware is a sophisticated, previously undocumented user-mode module that uses the BYOVD technique and leverages the CVE-2021-21551 vulnerability in a legitimate, signed Dell driver. After gaining write access to kernel memory, the module’s global goal is to blind security solutions and monitoring tools. This is tactically realized via seven distinct mechanisms that target important kernel functions, structures, and variables of Windows systems from versions 7.1 up to Windows Server 2022. We will shed more light on these mechanisms by demonstrating how they operate and what changes they make to system monitoring once the user-mode module is executed.
When compared to other APTs using BYOVD, this Lazarus case is unique, because it possesses a complex bundle of ways to disable monitoring interfaces that have never before been seen in the wild. While some of the individual techniques may have been spotted before by vulnerability researchers and game cheats, we will provide a comprehensive analysis of all of them and put them in context.
In October 2021, we recorded an attack on an endpoint of a corporate network in the Netherlands [1]. Various types of malicious tools were deployed onto the victim’s computer, many of which can confidently be attributed to the infamous Lazarus threat actor [2]. Besides usual malware like HTTP(S) backdoors, downloaders and uploaders, one sample attracted our curiosity – an 88,064-byte user-mode dynamically linked library with internal name FudModule. Its functionality is the main subject of this paper.