From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams

Lazarus Group targeted individuals through fake job offers on platforms like LinkedIn and WhatsApp, focusing on gaining access to corporate networks

The group used a sophisticated zero-day exploit in Windows components along with a data-only rootkit (FAD module) implementing 9 different kernel object manipulation techniques

Attack chain involved multiple stages: initial phishing > rolfling loader > roll meet > calendar RAT, communicating with three different C&C servers

FAD module could effectively blind security vendors and disable protection features through:

• Registry callback disruption
• Object callback manipulation
• Process/thread/image callback interference
• Windows Filtering Platform disruption
• ETW logging disruption
• Minifilter disruption

The malware showed advanced capabilities including:

• File compression
• Custom encryption
• Steganography in PNG files
• DLL injection
• Service persistence

The group evolved from using Bring Your Own Vulnerable Driver (BYOVD) techniques to more sophisticated zero-day exploits

Despite existing mitigations like driver signature enforcement and HVCI, kernel-based security solutions remain vulnerable to data-only attacks

The malware could disable kernel mode telemetry, manipulate handle tables, and modify object pointer bits to evade detection

The attack demonstrated significant code overlap with previous Lazarus campaigns but showed increased sophistication in kernel manipulation techniques

Primary motivation appeared to be financial, targeting corporate networks through individual employees