
When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

2023-03-20, IBM
https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/
#DKOM #CVE-2021-21551 #BYOVD #FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the Lazarus sample analyzed by X-Force, as well as highlight a strategy of using telemetry stream health as a mode of detecting malware designed to impair defenses through ETW tampering.
One Ring 0 To Rule Them All
The Lazarus FudModule begins with the installation of a Dell driver that is vulnerable to CVE-2021-21551 which allows the malware to elevate privileges to a level where DKOM attacks are possible. This type of attack is …

IoC

0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5
97C78020EEDFCD5611872AD7C57F812B069529E96107B9A33B4DA7BC967BF38F