Lazarus attacks the Netherlands and Belgium

ESET researchers uncovered a Lazarus campaign in fall 2021 that targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium via spearphishing attachments, leading to a multi-stage intrusion with a large custom toolset. Notably, it marked the first publicized real-world abuse of CVE-2021-21551, a vulnerability in Dell's DBUtil driver, to disable security monitoring, and it leveraged the BLINDINGCAN HTTP(S) backdoor alongside a wide, heavily engineered set of droppers, loaders and downloaders. #Lazarus #BLINDINGCAN #BYOVD #CVE-2021-21551 #DellDBUtil #WannaCry

Keypoints

  • The Lazarus campaign targeted an employee of a Netherlands aerospace company and a Belgian political journalist using spearphishing (the aerospace target was contacted via LinkedIn Messaging) with job-themed Word attachments that pulled a remote template.
  • The most notable tool is a user-mode module that exploits CVE-2021-21551 in Dell's DBUtil driver (DBUtil_2_3.sys) to read and write kernel memory and switch off the OS's security monitoring; this is the first confirmed in-the-wild abuse of that vulnerability.
  • In this campaign Lazarus deployed a full HTTP(S) backdoor named BLINDINGCAN, along with a multi-stage toolset including droppers, loaders, and uploaders/downloader components.
  • Dropper/loader chains used trojanized open-source projects, encrypted payloads, and loading from unusual locations in the file system; many payloads were DLLs embedded in executables.
  • The operation demonstrates Lazarus’s organization, with a large team and sophisticated kernel-level techniques to subvert Windows security features.
  • Infrastructure relied on compromised third-party servers for C2, with multiple IPs and domains hosting commands (e.g., turnscor and aquaprographix sites).
  • The vulnerable Dell driver was brought along and installed as a boot-start service (BYOVD); the user-mode FudModule.dll then abused it to reach kernel memory and turn off monitoring features of the OS, evading detection without loading any unsigned kernel code.

MITRE Techniques

  • [T1106] Native API – The Lazarus HTTP(S) backdoor uses the Windows API to create new processes. [“The Lazarus HTTP(S) backdoor uses the Windows API to create new processes.”]
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – HTTP(S) backdoor malware uses cmd.exe to execute command-line tools. [“HTTP(S) backdoor malware uses cmd.exe to execute command-line tools.”]
  • [T1140] Deobfuscate/Decode Files or Information – Many of the Lazarus tools are stored in an encrypted state on the file system. [“Many of the Lazarus tools are stored in an encrypted state on the file system.”]
  • [T1070.006] Indicator Removal on Host: Timestomp – The Lazarus HTTP(S) backdoor can modify the file time attributes of a selected file. [“The Lazarus HTTP(S) backdoor can modify the file time attributes of a selected file.”]
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Many of the Lazarus droppers and loaders use a legitimate program for their loading. [“Many of the Lazarus droppers and loaders use a legitimate program for their loading.”]
  • [T1014] Rootkit – The user-to-kernel module of Lazarus can turn off monitoring features of the OS. [“The user-to-kernel module of Lazarus can turn off monitoring features of the OS.”]
  • [T1027.002] Obfuscated Files or Information: Software Packing – Lazarus uses Themida and VMProtect to obfuscate their binaries. [“Lazarus uses Themida and VMProtect to obfuscate their binaries.”]
  • [T1218.011] System Binary Proxy Execution: Rundll32 – Lazarus uses rundll32.exe to execute its malicious DLLs. [“Lazarus uses rundll32.exe to execute its malicious DLLs.”]
  • [T1071.001] Application Layer Protocol: Web Protocols – The Lazarus HTTP(S) backdoor uses HTTP and HTTPS to communicate with its C&C servers. [“The Lazarus HTTP(S) backdoor uses HTTP and HTTPS to communicate with its C&C servers.”]
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – The Lazarus HTTP(S) backdoor encrypts C&C traffic using the AES-128 algorithm. [“The Lazarus HTTP(S) backdoor encrypts C&C traffic using the AES-128 algorithm.”]
  • [T1132.001] Data Encoding: Standard Encoding – The Lazarus HTTP(S) payloads encode C&C traffic using the base64 algorithm. [“The Lazarus HTTP(S) payloads encode C&C traffic using the base64 algorithm.”]
  • [T1560.002] Archive Collected Data: Archive via Library – The Lazarus HTTP(S) uploader can zip files of interest and upload them to its C&C. [“The Lazarus HTTP(S) uploader can zip files of interest and upload them to its C&C.”]
  • [T1584.004] Compromise Infrastructure: Server – Compromised servers were used by all the Lazarus HTTP(S) backdoor, uploader, and downloader as a C&C. [“Compromised servers were used by all the Lazarus HTTP(S) backdoor, uploader, and downloader as a C&C.”]
  • [T1587.001] Develop Capabilities: Malware – Custom tools from the attack are likely developed by the attackers. Some exhibit highly specific kernel development capacities seen earlier in Lazarus tools. [“Custom tools from the attack are likely developed by the attackers. Some exhibit highly specific kernel development capacities seen earlier in Lazarus tools.”]
  • [T1204.002] User Execution: Malicious File – The target was lured to open a malicious Word document. [“The target was lured to open a malicious Word document.”]
  • [T1566.003] Phishing: Spearphishing via Service – The target was contacted via LinkedIn Messaging. [“The target was contacted via LinkedIn Messaging.”]
  • [T1566.001] Phishing: Spearphishing Attachment – The target received a malicious attachment. [“The target received a malicious attachment.”]
  • [T1547.006] Boot or Logon Autostart Execution: Kernel Modules and Extensions – The BYOVD driver DBUtils_2_3.sys was installed as a service set to load at boot (Start value 0x00, i.e. SERVICE_BOOT_START, under HKLM\SYSTEM\CurrentControlSet\Services). [“The BYOVD DBUtils_2_3.sys was installed to start via the Boot loader (value 0x00 in the Start key under HKLM\SYSTEM\CurrentControlSet\Services).”]
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – The dropper of the HTTP(S) downloader creates a OneNoteTray.LNK file in the Startup folder. [“The dropper of the HTTP(S) downloader creates a OneNoteTray.LNK in the Startup folder.”]

Indicators of Compromise

  • [SHA-1] context – 296D882CB926070F6E43C99B9E1683497B6F17C4, FudModule.dll (rootkit). Example: Win64/Rootkit.NukeSped.A
  • [SHA-1] context – 001386CBBC258C3FCC64145C74212A024EAA6657, C:\Public\Cache\msdxm.ocx (HTTP(S) downloader). Example: Win32/NukeSped.KQ
  • [File name] context – colorui.dll (Dropper for BLINDINGCAN); Adobe.tmp (HTTP(S) downloader); credui.dll (intermediate loader). Example: Win64/NukeSped.JK
  • [File path] context – C:\ProgramData\PTC\colorui.dll; C:\Windows\Vss\credui.dll; C:\ProgramData\Adobe\Adobe.tmp. Example: Dropper/Loader components
  • [URL] context – https://aquaprographix[.]com/patterns/Map/maps.php; https://turnscor[.]com/wp-includes/feedback.php; http://www.stracarrara[.]org/images/img.asp. Example: C2 servers
  • [IP] context – 67.225.140[.]4 (turnscor site); 50.192.28[.]29 (aquaprographix site); 31.11.32[.]79 (stracarrara site). Example: Compromised hosting sites
  • [Certificate] context – “A” MEDICAL OFFICE, PLLC (validly signed but expired certificate used for sslSniffer dropper). Example: Signed 32-bit dropper
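
As an added hunting example (not ESET's code and not part of the original report), the script below refangs the indicators listed above and matches them against constructed endpoint telemetry: a file inventory with SHA-1 hashes, a few proxy log lines in an assumed "time client method url status" format, and the text output of reg query for the Services key. The sample records, the timestamps and the driver drop path C:\Windows\Temp\DBUtil_2_3.sys are assumptions made for the example. Paths and hashes are checked independently, so a payload that was moved out of its published location is still caught by its hash, while the legitimate credui.dll in System32 is not flagged; the registry check looks for the boot-start (Start = 0) service that the BYOVD step leaves behind.

```python
"""Hunt helper for the Lazarus IoCs on this page (added example, not ESET's code).

Refangs the published indicators and matches them against constructed telemetry:
a file inventory with SHA-1 hashes, proxy log lines and 'reg query' output, and
flags a boot-start DBUtil_2_3.sys service, the persistence the BYOVD step leaves.
"""
import json
import re
from urllib.parse import urlparse


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('turnscor[.]com', 'hxxp://') back into a live one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Indicators as published on the page (URLs and IPs kept defanged until use).
IOC_SHA1 = {
    "296D882CB926070F6E43C99B9E1683497B6F17C4": "FudModule.dll (Win64/Rootkit.NukeSped.A)",
    "001386CBBC258C3FCC64145C74212A024EAA6657": "msdxm.ocx HTTP(S) downloader (Win32/NukeSped.KQ)",
}
IOC_PATHS = {
    r"C:\ProgramData\PTC\colorui.dll": "BLINDINGCAN dropper",
    r"C:\Windows\Vss\credui.dll": "intermediate loader",
    r"C:\ProgramData\Adobe\Adobe.tmp": "HTTP(S) downloader",
    r"C:\Public\Cache\msdxm.ocx": "HTTP(S) downloader",
}
IOC_URLS = [
    "https://aquaprographix[.]com/patterns/Map/maps.php",
    "https://turnscor[.]com/wp-includes/feedback.php",
    "http://www.stracarrara[.]org/images/img.asp",
]
IOC_IPS = {refang(ip) for ip in ("67.225.140[.]4", "50.192.28[.]29", "31.11.32[.]79")}
IOC_HOSTS = {urlparse(refang(u)).hostname for u in IOC_URLS}
IOC_LIVE_URLS = {refang(u).lower() for u in IOC_URLS}


def match_file(path: str, sha1: str) -> list:
    """Reasons a file record matches; path and hash are checked independently."""
    hits = []
    norm = path.replace("/", "\\").lower()
    for ioc_path, label in IOC_PATHS.items():
        if norm == ioc_path.lower():
            hits.append(f"path {ioc_path} ({label})")
    label = IOC_SHA1.get(sha1.upper())
    if label:
        hits.append(f"sha1 {sha1.upper()} ({label})")
    return hits


def match_network(url_or_host: str) -> list:
    """Reasons a proxy/DNS value touches the C&C infrastructure on the page."""
    value = refang(url_or_host)
    parsed = urlparse(value if "://" in value else "//" + value)
    host = (parsed.hostname or "").lower()
    hits = []
    if host in IOC_HOSTS:
        hits.append(f"C&C host {host}")
    if host in IOC_IPS:
        hits.append(f"C&C IP {host}")
    if value.lower() in IOC_LIVE_URLS:
        hits.append("exact C&C URL")
    return hits


# One value line of 'reg query' output: name, REG_* type, data (columns separated by spaces).
_REG_VALUE = re.compile(r"^\s+(\S+)\s{2,}(REG_\w+)\s{2,}(.*)$")


def boot_start_dbutil_services(reg_query_output: str) -> list:
    """Parse 'reg query HKLM\\SYSTEM\\CurrentControlSet\\Services /s' text and return
    services whose ImagePath is the vulnerable Dell driver and whose Start is 0
    (SERVICE_BOOT_START), as the page describes for DBUtil_2_3.sys."""
    findings = []
    for block in re.split(r"\n\s*\n", reg_query_output.strip()):
        lines = block.splitlines()
        key, values = lines[0].strip(), {}
        for line in lines[1:]:
            m = _REG_VALUE.match(line)
            if m:
                values[m.group(1).lower()] = m.group(3).strip()
        image = values.get("imagepath", "").lower()
        start = values.get("start")
        if "dbutil_2_3.sys" in image and start is not None and int(start, 0) == 0:
            findings.append({"key": key, "image_path": image, "start": 0})
    return findings


# Constructed sample telemetry (not from the report); drop path and timestamps are assumptions.
SAMPLE_FILES = [
    (r"C:\ProgramData\PTC\colorui.dll", "1" * 40),
    (r"C:\Users\Public\Cache\msdxm.ocx", "001386cbbc258c3fcc64145c74212a024eaa6657"),
    (r"C:\Windows\System32\credui.dll", "2" * 40),  # the legitimate DLL, not the loader
]
SAMPLE_PROXY_LOG = [
    "2021-10-04T09:12:01Z 10.0.0.15 GET https://turnscor.com/wp-includes/feedback.php 200",
    "2021-10-04T09:12:05Z 10.0.0.15 GET https://www.microsoft.com/ 200",
    "2021-10-04T09:13:44Z 10.0.0.22 POST http://31.11.32.79/images/img.asp 200",
]
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DBUtil_2_3
    Start    REG_DWORD    0x0
    ImagePath    REG_EXPAND_SZ    \??\C:\Windows\Temp\DBUtil_2_3.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
"""


def hunt(files, proxy_lines, reg_query_output) -> dict:
    """Run all three checks; returns findings keyed by data source."""
    findings = {"files": {}, "network": {}, "registry": []}
    for path, sha1 in files:
        if hits := match_file(path, sha1):
            findings["files"][path] = hits
    for line in proxy_lines:
        if hits := match_network(line.split()[3]):  # url column of the constructed format
            findings["network"][line] = hits
    findings["registry"] = boot_start_dbutil_services(reg_query_output)
    return findings


if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_FILES, SAMPLE_PROXY_LOG, SAMPLE_REG_QUERY), indent=2))
```

On a real host, feed the functions your EDR's file inventory, the proxy or DNS logs, and the output of reg query HKLM\SYSTEM\CurrentControlSet\Services /s; a Start of 0 with any DBUtil_2_3.sys ImagePath is worth an alert on its own, because Dell ships that driver only as part of BIOS update utilities and it has no business being registered as a boot-start service.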

Read more: https://www.welivesecurity.com/deutsch/2022/10/18/lazarus-greift-die-niederlande-und-belgien-an/