From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
2024-04-18,
Avast
https://www.blackhat.com/asia-24/briefings/schedule/index.html#from-byovd-to-a--day-unveiling-advanced-exploits-in-cyber-recruiting-scams-37786
Asia-24-Camastra-FromBYOVDtoa0dayUnveilingAdvancedExploitsinCyberR_DiNoSEj.pdf, 2.0 MB
#BYOVD #FudModule #CVE-2024-21338 #KaolinRAT #Slides
https://www.blackhat.com/asia-24/briefings/schedule/index.html#from-byovd-to-a--day-unveiling-advanced-exploits-in-cyber-recruiting-scams-37786
Asia-24-Camastra-FromBYOVDtoa0dayUnveilingAdvancedExploitsinCyberR_DiNoSEj.pdf, 2.0 MB
#BYOVD #FudModule #CVE-2024-21338 #KaolinRAT #Slides
Contents
In a groundbreaking case, we have uncovered a sophisticated cyber-attack disguised as a job recruitment drive, primarily targeting the Asia region. The attacker demonstrated a high level of sophistication, utilizing 0-day exploits and an improved rootkit for stealthy operations.
Our investigation began when a client received a seemingly innocuous job offer. The attackers, masquerading as recruiters, used various delivery methods - including email attachments, malicious links, and WhatsApp messages via the web version - to send an ISO file disguised as a skills assessment.
This attack chain featured unprecedented sophistication:
-Use of Undocumented Loaders: The attackers deployed a series of intricate loaders to inject a fully functional, undocumented RAT, achieving kernel mode read/write access.
-Exploitation of 0-day Vulnerabilities: A novel Admin->Kernel 0-day exploit in a default Windows driver was discovered, bypassing previous BYOVD (Bring Your Own Vulnerable Driver) methods.
-Advanced Rootkit Capabilities: A rootkit, an upgrade from previously known versions, includes features to remove kernel …
Our investigation began when a client received a seemingly innocuous job offer. The attackers, masquerading as recruiters, used various delivery methods - including email attachments, malicious links, and WhatsApp messages via the web version - to send an ISO file disguised as a skills assessment.
This attack chain featured unprecedented sophistication:
-Use of Undocumented Loaders: The attackers deployed a series of intricate loaders to inject a fully functional, undocumented RAT, achieving kernel mode read/write access.
-Exploitation of 0-day Vulnerabilities: A novel Admin->Kernel 0-day exploit in a default Windows driver was discovered, bypassing previous BYOVD (Bring Your Own Vulnerable Driver) methods.
-Advanced Rootkit Capabilities: A rootkit, an upgrade from previously known versions, includes features to remove kernel …