From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams

Uncover how Lazarus Group evolved from BYOVD to zero-day exploits in sophisticated job scams, exploring their advanced kernel manipulation techniques and evasion methods.

Key takeaways
  • Lazarus Group targeted individuals through fake job offers on platforms like LinkedIn and WhatsApp, focusing on gaining access to corporate networks

  • The group used a sophisticated zero-day exploit in Windows components along with a data-only rootkit (the FudModule rootkit) implementing 9 different kernel object manipulation techniques

  • The attack chain involved multiple stages: initial phishing > RollFling loader > RollMid > Kaolin RAT, communicating with three different C&C servers

  • FudModule could effectively blind security vendors and disable protection features through:

    • Registry callback disruption
    • Object callback manipulation
    • Process/thread/image callback interference
    • Windows Filtering Platform disruption
    • ETW logging disruption
    • Minifilter disruption
  • The malware showed advanced capabilities including:

    • File compression
    • Custom encryption
    • Steganography in PNG files
    • DLL injection
    • Service persistence
  • The group evolved from using Bring Your Own Vulnerable Driver (BYOVD) techniques to more sophisticated zero-day exploits

  • Despite existing mitigations like driver signature enforcement and HVCI, kernel-based security solutions remain vulnerable to data-only attacks

  • The malware could disable kernel mode telemetry, manipulate handle tables, and modify object pointer bits to evade detection

  • The attack demonstrated significant code overlap with previous Lazarus campaigns but showed increased sophistication in kernel manipulation techniques

  • Primary motivation appeared to be financial, targeting corporate networks through individual employees