Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD

Since 2009, Lazarus Group, known to be a group of hackers in North Korea, has been attacking not only Korea but various countries of America, Asia, and Europe. According to AhnLab’s ASD (AhnLab Smart Defense) infrastructure, in early 2022, the Lazarus Group performed APT (Advanced Persistent Threat) attacks on Korea’s defense, finance, media, and pharmaceutical industries.

AhnLab closely tracked these APT attacks and discovered that these attacks incapacitate security products in the attack process. An analysis of the attack process revealed that the Lazarus Group exploits an old version of the INITECH process to perform the initial compromise before downloading and executing the rootkit malware from the attacker’s server.

The rootkit malware identified in the recent product-disabling attack abused vulnerable driver kernel modules to directly read and write to the kernel memory area and accordingly, all monitoring systems inside the system including AV (Anti-Virus) were disabled.

This technique is called the “BYOVD (Bring Your Own Vulnerable Driver)” method and is known to be performed mainly with vulnerable driver modules from hardware supply companies. On the latest Windows OS, unsigned drivers can no longer be loaded; however, attackers can use such legitimately signed vulnerable drivers to control the kernel area easily.

The vulnerable driver module used by the Lazarus Group in this case was a hardware-related module manufactured by “ENE Technology”. This module used the original form of an open source library called “WinIO,” developed by Yariv Kaplan in 1999. The problems with this module include not only the fact that it uses old open source code but also the fact that the verification condition for calling modules is weak, which enables reading and writing to an arbitrary kernel memory area via a simple bypassing process.

Thus, the attacker was able to read and write to an arbitrary kernel memory area through this module and by modifying data in all areas related to the kernel including files, processes, threads, registries, and event filters, disabled all monitoring programs within the system including AV.
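The BYOVD pattern above (a validly signed vendor driver that the attacker brings along and loads) is something a signature check alone will not catch. The following is an added detection example, not code from AhnLab’s report: it triages Sysmon Event ID 6 (Driver Loaded) records against the driver file name the report identifies, the load path, and the event’s signature fields. The sample records are constructed, not real telemetry.

```python
import ntpath
import re

# Driver file name identified in this report; extend with your own block list.
WATCHLIST = {"ene.sys"}

# Legitimate drivers live under %SystemRoot%; a driver loaded from a
# user-writable location is suspicious regardless of who signed the file.
WRITABLE_PATH = re.compile(r"\\(temp|tmp|users\\[^\\]+\\(appdata|downloads))\\", re.I)


def triage(event):
    """Return the reasons a Sysmon EID 6 record deserves attention (empty if none)."""
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    reasons = []
    if name in WATCHLIST:
        reasons.append("known BYOVD driver: " + name)
    if WRITABLE_PATH.search(path):
        reasons.append("driver loaded from user-writable path")
    # Signed / SignatureStatus are the Sysmon EID 6 field names.
    if (event.get("Signed", "").lower() != "true"
            or event.get("SignatureStatus", "") != "Valid"):
        reasons.append("unsigned or invalid signature")
    return reasons


def triage_all(events):
    """Map each flagged ImageLoaded path to its reasons; clean loads are omitted."""
    flagged = {}
    for event in events:
        reasons = triage(event)
        if reasons:
            flagged[event["ImageLoaded"]] = reasons
    return flagged


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    # validly signed vendor driver dropped and loaded from Temp: the BYOVD case
    {"ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\ene.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    # same driver in the normal location: only the watchlist catches it
    {"ImageLoaded": r"C:\Windows\System32\drivers\ene.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\custom.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for path, reasons in triage_all(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Note that the signed, valid copy of ene.sys is flagged only by the watchlist and path rules; that blind spot in signature checking is exactly what BYOVD exploits.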

Contents

1. Overview
2. ene.sys Analysis
   2.1. Physical Memory Mapping
   2.2. Caller and Data Validity Verification
      2.2.1. SB_SMBUS_SDK.dll Module Loading Verification
      2.2.2. AES Encrypted IOCTL Communication and Call Time Verification
   2.3. ene.sys Driver (WinIO Library) Vulnerability
3. Rootkit Malware Analysis
   3.1. Rootkit Loader (~BIT353.tmp)
   3.2. Rootkit (Advance Preparation Stage)
      3.2.1. Rootkit Export Function
      3.2.2. Infection Target Verification Routine
      3.2.3. Checking OS Version
      3.2.4. Loading Vulnerable Driver Modules
      3.2.5. Obtaining the Kernel DTB (Directory Table Base) Address
      3.2.6. Address Conversion (Virtual Address > Physical Address)
      3.2.7. Modification of the Thread Object’s PreviousMode Field
   3.3. Rootkit (Security Product Disabling Stage)
      3.3.1. Disabling Mini File Filter (fltmgr.sys)
      3.3.2. Disabling Process/Thread/Module Detection
      3.3.3. Disabling Registry Callback
      3.3.4. Disabling Object Callback
      3.3.5. Disabling WFP Network Filter
      3.3.6. Disabling Event Tracing
      3.3.7. Disabling Windows Prefetch File Creation
AhnLab Response Overview
Conclusion
IoC (Indicators of Compromise)
File path and name
File hashes (MD5)
References

Categories: Malware Information

trackback

[…] to using a vulnerable driver to mount its rootkit attacks. Just last month, AhnLab’s ASEC detailed the exploitation of a legitimate driver known as “ene.sys” to disarm security software […]

trackback

[…] The disabling of security software using rootkit is covered in detail in the AhnLab ASEC blog post of September 22nd, “Analysis Report on Lazarus Group’s Rootkit Attack Using BYOVD” (https://asec.ahnlab.com/en/38993/). […]