Lazarus’ FudModule rootkit loads a vulnerable Dell driver (BYOVD) to reach ring 0 and then disables ETW telemetry streams to hide its activity. The article also outlines practical, detection-focused strategies such as monitoring ETW data stream health and using Windows event and SetupAPI logs to spot malicious driver installation. #Lazarus #FudModule
Keypoints
- FudModule uses a BYOVD (bring your own vulnerable driver) approach to gain kernel-mode privileges via a vulnerable Dell DBUtil driver (CVE-2021-21551).
- Once in kernel mode, it targets ETW registration handles to disable event tracing and degrade telemetry for security tooling.
- Defenders can detect tampering by monitoring ETW data stream health and registering new ETW sessions to compare telemetry with Sysmon data.
- PowerShell-based PoC scripts illustrate how telemetry health tests can be built to alert when data streams fail or diverge.
- Static detection opportunities include monitoring for the specific filenames FudModule uses for the Dell DBUtil driver when it is written to the system drivers path (e.g., circlassmgr.sys, dmvscmgr.sys, etc.).
- IOCs include FudModule.dll and dbutil_2_3.sys file hashes, plus the SetupAPI ROOT\DBUtilDrv2 device-instance indicator and Windows System Event 7045 entries for kernel-mode driver installations.
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – The malware escalates to kernel mode through the vulnerable Dell DBUtil driver in a ‘bring your own vulnerable driver (BYOVD) attack.’
- [T1562.001] Impair Defenses – FudModule tampers with ETW registration handles to disable telemetry across security tools: ‘disable all system ETW providers for all consuming applications, including those providers used by some antivirus and endpoint detection and response (EDR) solutions.’
- [T1021.002] Remote Services: SMB/Windows Admin Shares – PsExec is used to obtain SYSTEM during X-Force’s BYOVD simulation: ‘leveraged PsExec to assume privileges of NT Authority\SYSTEM’
- [T1059.001] PowerShell – A proof-of-concept detection script uses PowerShell to simulate telemetry health tests for threat detection: ‘The following PowerShell is a proof-of-concept replicating the core capabilities of X-Force’s telemetry stream health tests for threat detection.’
Indicators of Compromise
- [File Hash] FudModule.dll – 97C78020EEDFCD5611872AD7C57F812B069529E96107B9A33B4DA7BC967BF38F
- [File Hash] dbutil_2_3.sys – 0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5
- [File Name] Known malicious driver filenames – circlassmgr.sys, dmvscmgr.sys, hidirmgr.sys, isapnpmgr.sys, mspqmmgr.sys, umpassmgr.sys
- [Event] Windows System Event Log ID 7045 indicating kernel-mode driver installation (driver name and path shown in the log)
- [SetupAPI] ROOT\DBUtilDrv2 device-instance ID in setupapi.dev.log entries written during Dell DBUtil driver installation
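The following PowerShell is an added example, not the X-Force proof-of-concept script or any code from the article. It combines the two detection ideas above: a static sweep of System Event 7045 and setupapi.dev.log for the driver names and device-instance ID listed as IOCs, and a telemetry stream health test that starts a fresh ETW session on the process provider, launches a benign marker process, and compares what ETW reported against what Sysmon reported for the same process. Assumptions: it is run elevated on Windows 10/Server 2016 or later, Sysmon is installed with ProcessCreate logging enabled, and the provider name, the 0x10 process keyword, and the `Test-EtwProcessTelemetry`/`Find-SuspiciousDriverInstall` function names and the session name are choices made here, not values from the article.

```powershell
# Added example (not the article's PoC). Run as Administrator.
# Assumes Sysmon is installed and logs Event ID 1 (ProcessCreate).

# Indicators from the article: filenames FudModule uses for the Dell driver
# plus the original driver name, and the SetupAPI device-instance ID.
$KnownDriverNames  = @('circlassmgr.sys','dmvscmgr.sys','hidirmgr.sys',
                       'isapnpmgr.sys','mspqmmgr.sys','umpassmgr.sys','dbutil_2_3.sys')
$SetupApiIndicator = 'ROOT\DBUtilDrv2'

function Find-SuspiciousDriverInstall {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)
    # System Event 7045 properties: ServiceName, ImagePath, ServiceType, StartType, AccountName
    $events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $imagePath = [string]$ev.Properties[1].Value           # e.g. \??\C:\Windows\System32\drivers\x.sys
        $leaf      = (($imagePath -split '[\\/]')[-1]).ToLower()
        if ($ev.Properties[2].Value -eq 'kernel mode driver' -and $KnownDriverNames -contains $leaf) {
            [pscustomobject]@{ Source='EventID7045'; Time=$ev.TimeCreated
                               Detail="$($ev.Properties[0].Value) -> $imagePath" }
        }
    }
    # SetupAPI records the Dell device-instance ID whenever the DBUtil driver is installed.
    $log = Join-Path $env:SystemRoot 'INF\setupapi.dev.log'
    if (Test-Path $log) {
        Select-String -Path $log -SimpleMatch $SetupApiIndicator | ForEach-Object {
            [pscustomobject]@{ Source='SetupAPI'; Time=$null; Detail=$_.Line.Trim() }
        }
    }
}

function Test-EtwProcessTelemetry {
    param([string]$MarkerExe = "$env:SystemRoot\System32\whoami.exe")
    $session = 'EtwHealthCheck'                                  # session name chosen here
    $etl     = Join-Path $env:TEMP "$session.etl"
    $marker  = [IO.Path]::GetFileName($MarkerExe)

    # Fresh real-time-to-file session on Microsoft-Windows-Kernel-Process.
    # 0x10 = WINEVENT_KEYWORD_PROCESS (assumed constant). If FudModule has
    # disabled the provider, this new consumer receives nothing either.
    & logman.exe create trace $session -p 'Microsoft-Windows-Kernel-Process' 0x10 -o $etl -ets | Out-Null
    $start = Get-Date
    try {
        Start-Process -FilePath $MarkerExe -WindowStyle Hidden -Wait
        Start-Sleep -Seconds 3                                   # let Sysmon flush its event
    } finally {
        & logman.exe stop $session -ets | Out-Null
    }

    # ETW side: Kernel-Process event 1 = ProcessStart; ImageName is one of its properties.
    $etwCount = @(Get-WinEvent -Path $etl -Oldest -ErrorAction SilentlyContinue | Where-Object {
        $_.Id -eq 1 -and (($_.Properties | ForEach-Object { "$($_.Value)" }) -join ' ') -match [regex]::Escape($marker)
    }).Count
    # Sysmon side: ProcessCreate comes from kernel callbacks, so it keeps flowing when ETW is cut.
    $sysmonCount = @(Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=$start} `
        -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($marker) }).Count
    Remove-Item $etl -ErrorAction SilentlyContinue

    $verdict = if ($etwCount -eq 0 -and $sysmonCount -gt 0) { 'ALERT: ETW silent while Sysmon saw the process (possible ETW tampering)' }
               elseif ($etwCount -eq 0)                      { 'INCONCLUSIVE: neither stream observed the marker process' }
               else                                          { 'OK: ETW process telemetry is flowing' }
    [pscustomobject]@{ EtwProcessStarts=$etwCount; SysmonProcessCreates=$sysmonCount; Verdict=$verdict }
}

Find-SuspiciousDriverInstall | Format-Table -AutoSize
Test-EtwProcessTelemetry
```

The health test deliberately opens a new ETW session rather than inspecting an existing one: FudModule's registration-handle tampering silences the provider for every consumer, so a freshly registered consumer that receives no ProcessStart for a process Sysmon did record is the divergence the article describes. An INCONCLUSIVE result usually means Sysmon is not installed or its ProcessCreate rule is filtered, so check that before treating it as a miss.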
Read more: https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/