<— Back

Lazarus declares war on Windows system monitoring

The Lazarus Group is one of the most active advanced threat actors and therefore also heavily tracked by cyber threat hunters. There are usually many malicious tools deployed to compromise endpoints in networks targeted by the group and their high activity triggers various Windows system events. This vast volume of samples and artifacts provides an advantage for the defenders, namely a higher chance of identifying the on-going compromise and plentiful evidence for digital forensics in a post-mortem investigation.

Since late 2021, developers from the Lazarus Group have started to implement a new malware that would be able to turn off as many Windows monitoring features as possible, effectively blinding most monitoring tools, security solutions and event logging. To achieve the desired functionality, they have created a user-mode module that gains write access to kernel memory using the CVE-2021-21551 vulnerability in a legitimate, signed Dell driver (the so called Bring Your Own Vulnerable Driver technique). Its current version contains eight distinct mechanisms targeting important kernel variables, functions, and structures. The module supports a wide range of operating system versions ranging from Windows 7.1 up to Windows 11 build 22500 and is actively being used in recent in-the-wild attacks.

In our presentation, we will focus on the most recent version of this malicious module discovered in summer 2022 containing newly added blinding features. We demonstrate how these mechanisms operate and what changes they make to the system once the module is executed. This involves monitoring of processes, images and threads; Windows registry; file system; Windows Filtering Platform services; Windows event tracing; and Prefetch files. The affected software includes EDRs/XDRs, firewalls, antivirus/antimalware products, digital forensics software etc. When compared to other APTs using BYOVD, this Lazarus case is unique, as it possesses a complex bundle of ways to disable monitoring interfaces that have never before been seen in the wild. For developers of security products, this can be an impulse for reevaluation of their implementations and increasing their solution’s self-protection.