Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD

Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries.

AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process revealed that the Lazarus Group exploits an old version of the INITECH process to perform the initial compromise before downloading and executing the rootkit malware from the attacker’s server.

The rootkit malware identified in the recent product-disabling attack abused vulnerable driver kernel modules to directly read and write to the kernel memory area and accordingly, all monitoring systems inside the system including AV (Anti-Virus) were disabled.

This technique is called the “BYOVD (Bring Your Own Vulnerable Driver)” method and is known to be performed mainly on vulnerable driver modules of hardware supply companies. With the latest Windows OS, unsigned drivers can longer be loaded, however, attackers can use such legally-signed vulnerable drivers to control kernel area easily.

The vulnerable driver module used by the Lazarus Group, in this case, was a hardware-related module manufactured by “ENE Technology”. This module used the original form of an open source library called “WinIO,” developed by Yariv Kaplan in 1999. The problems with this module include not only the fact that it uses an old open source code but also the fact that the verification condition for calling modules is weak, which enables reading and writing to an arbitrary kernel memory area via a simple bypassing process.

Thus, the attacker was able to read and write to an arbitrary kernel memory area through this module and by modifying data in all areas related to the kernel including files, processes, threads, registries, and event filters, disabled all monitoring programs within the system including AV.

Contents

1. Overview
2. ene.sys Analysis
… 2.1. Physical Memory Mapping
… 2.2 Caller and Data Validity Verification
……. 2.2.1. SB_SMBUS_SDK.dll Module Loading Verification
……. 2.2.2. AES Encrypted IOCTL Communication and Call Time Verification
… 2.3. ene.sys Driver (WinIO Library) Vulnerability
3. Rootkit Malware Analysis
… 3.1 Rootkit Loader (~BIT353.tmp)
… 3.2 Rootkit (Advance Preparation Stage)
……. 3.2.1. Rootkit Export Function
……. 3.2.2. Infection Target Verification Routine
……. 3.2.3. Checking OS Version
……. 3.2.4. Loading Vulnerable Driver Modules
……. 3.2.5. Obtaining the Kernel DTB (Directory Table Base) Address
……. 3.2.6. Address Conversion (Virtual Address > Physical Address)
……. 3.2.7. Modification of the Thread Object’s PreviousMode Field
… 3.3. Rootkit (Security Product Disabling Stage)
……. 3.3.1. Disabling Mini File Filter (fltmgr.sys)
……. 3.3.2. Disabling Process/Thread/Module Detection
……. 3.3.3. Disabling Registry Callback
……. 3.3.4. Disabling Object Callback
……. 3.3.5. Disabling WFP Network Filter
……. 3.3.6. Disabling Event Tracing
……. 3.3.7. Disabling Windows Prefetch File Creation
AhnLab Response Overview
Conclusion
IoC (Indicators of Compromise)
File path and name
File hashes (MD5)
References