From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
Uncover how Lazarus Group evolved from BYOVD to zero-day exploits in sophisticated job scams, exploring their advanced kernel manipulation techniques and evasion methods.
- Lazarus Group targeted individuals through fake job offers on platforms like LinkedIn and WhatsApp, focusing on gaining access to corporate networks
- The group used a sophisticated zero-day exploit in Windows components along with a data-only rootkit (FudModule) implementing 9 different kernel object manipulation techniques
- Attack chain involved multiple stages: initial phishing > RollFling loader > RollMid > Kaolin RAT, communicating with three different C&C servers
- FudModule could effectively blind security vendors and disable protection features through:
  - Registry callback disruption
  - Object callback manipulation
  - Process/thread/image callback interference
  - Windows Filtering Platform disruption
  - ETW logging disruption
  - Minifilter disruption
- The malware showed advanced capabilities including:
  - File compression
  - Custom encryption
  - Steganography in PNG files
  - DLL injection
  - Service persistence
- The group evolved from using Bring Your Own Vulnerable Driver (BYOVD) techniques to more sophisticated zero-day exploits
- Despite existing mitigations like driver signature enforcement (DSE) and HVCI, kernel-based security solutions remain vulnerable to data-only attacks: those mitigations protect the integrity of kernel code, not the writable kernel data structures (callback lists, handle tables, ETW state) that security products depend on
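The following C program is an added illustration, not code from the talk or from the malware, of why the callback-disruption techniques listed above survive DSE and HVCI. It models a kernel process-notify callback list as a plain array in writable memory (an assumption for illustration; the real PspCreateProcessNotifyRoutine and ObRegisterCallbacks layouts differ), lets a stand-in security driver register in it, then has the "rootkit", armed only with a data write primitive, null that driver's entry. No code is modified, so code-integrity checks never trigger, yet the driver stops receiving events. It also shows the minimal defender-side self-check a driver can run: confirm its own routine is still in the list. The names edr.sys and loader.exe are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * User-mode model of a data-only rootkit blinding a kernel callback list.
 * The array layout is an assumption for illustration; it is not the real
 * Windows PspCreateProcessNotifyRoutine / ObRegisterCallbacks layout.
 */
#define MAX_CALLBACKS 8

typedef void (*process_notify_fn)(uint32_t pid, const char *image);

struct callback_block {
    process_notify_fn routine;  /* NULL = free slot */
    const char *owner;          /* driver that registered it */
};

/* Writable kernel data: DSE and HVCI protect code pages, not this array. */
static struct callback_block g_process_callbacks[MAX_CALLBACKS];

/* Stand-in security product: counts the process events it receives. */
static int g_edr_events_seen;
static void edr_process_notify(uint32_t pid, const char *image)
{
    (void)pid; (void)image;
    g_edr_events_seen++;
}

/* PsSetCreateProcessNotifyRoutine-style registration (modelled). */
static int register_process_callback(process_notify_fn fn, const char *owner)
{
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        if (g_process_callbacks[i].routine == NULL) {
            g_process_callbacks[i].routine = fn;
            g_process_callbacks[i].owner = owner;
            return i;
        }
    }
    return -1;
}

/* What the kernel does on process creation: walk the list, call each entry. */
static void notify_process_create(uint32_t pid, const char *image)
{
    for (int i = 0; i < MAX_CALLBACKS; i++)
        if (g_process_callbacks[i].routine)
            g_process_callbacks[i].routine(pid, image);
}

/*
 * Rootkit step. With an arbitrary kernel read/write primitive (BYOVD or a
 * kernel exploit), clear the entries owned by the target vendor. Only data
 * changes, so code-integrity mitigations never fire.
 */
static int rootkit_blind_callbacks(const char *target_owner)
{
    int cleared = 0;
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        if (g_process_callbacks[i].routine &&
            strcmp(g_process_callbacks[i].owner, target_owner) == 0) {
            g_process_callbacks[i].routine = NULL;
            cleared++;
        }
    }
    return cleared;
}

/* Defender-side self-check: is my routine still present in the list? */
static int callback_still_registered(process_notify_fn fn)
{
    for (int i = 0; i < MAX_CALLBACKS; i++)
        if (g_process_callbacks[i].routine == fn)
            return 1;
    return 0;
}

/*
 * Scenario: the EDR registers, one process spawns (seen), the rootkit blinds
 * the list if requested, a second process spawns. Returns how many events
 * the EDR observed: 2 without the rootkit, 1 with it.
 */
static int run_scenario(int blind)
{
    memset(g_process_callbacks, 0, sizeof g_process_callbacks);
    g_edr_events_seen = 0;
    register_process_callback(edr_process_notify, "edr.sys");   /* constructed */
    notify_process_create(4242, "explorer.exe");                /* constructed */
    if (blind)
        rootkit_blind_callbacks("edr.sys");
    notify_process_create(4243, "loader.exe");                  /* constructed */
    return g_edr_events_seen;
}

int main(void)
{
    printf("EDR events without rootkit: %d\n", run_scenario(0));
    printf("EDR events after blinding : %d\n", run_scenario(1));
    printf("EDR self-check after blinding: %s\n",
           callback_still_registered(edr_process_notify) ? "present" : "missing");
    return 0;
}
```

The self-check is deliberately weak: it runs from the same writable kernel data the attacker controls, so an attacker who can clear the entry can also tamper with whatever the check reads. That asymmetry is the point of the "data-only" observation: once an arbitrary kernel write exists, defences that live in kernel memory cannot fully trust their own state, which is why the talk frames this as a gap HVCI and DSE do not close.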
- The malware could disable kernel mode telemetry, manipulate handle tables, and modify object pointer bits to evade detection
- The attack demonstrated significant code overlap with previous Lazarus campaigns but showed increased sophistication in kernel manipulation techniques
- Primary motivation appeared to be financial, targeting corporate networks through individual employees