Friday 30 September 2022, 15:30-16:00
Peter Kálnai (ESET)
Matěj Havránek (ESET)
The administrator-to-kernel transition is not a security boundary, as defined in the Microsoft Security Servicing Criteria for Windows. Nevertheless, the ability to modify kernel memory is an advantage for an attacker, especially when it can be achieved from user space. The Bring Your Own Vulnerable Driver (BYOVD) technique is a viable option for doing so: the attackers carry and load a specific kernel driver with a valid signature, thus satisfying the driver signature enforcement (DSE) policy. Moreover, this driver contains a vulnerability that gives the attacker an arbitrary kernel write primitive. In such a case, the Windows API interface ceases to be a restriction and an adversary can tamper with the most privileged areas of the operating system.
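The defining property of a BYOVD load is that the driver passes DSE (it carries a valid signature) yet is known to be vulnerable, and it is typically brought along by the attacker rather than installed from the usual driver directories. The following detection logic, added here as an illustrative example and not code from the talk or from ESET, scores Sysmon Event ID 6 (DriverLoad) records on exactly those two signals: a SHA-256 match against a vulnerable-driver blocklist and a load path outside the expected driver directories. The blocklist entry, the driver bytes it is derived from, and the sample events are all constructed for the example; a real deployment would populate the blocklist from a published vulnerable-driver list.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for a driver image. Its hash seeds the blocklist so the
# example is self-consistent; it does not correspond to any real driver.
STAND_IN_VULNERABLE_DRIVER = b"constructed stand-in bytes, not a real driver"
VULNERABLE_DRIVER_SHA256: Dict[str, str] = {
    hashlib.sha256(STAND_IN_VULNERABLE_DRIVER).hexdigest().upper():
        "constructed entry standing in for a known-vulnerable signed driver",
}

# Directories from which driver loads are expected on a typical Windows host
# (assumption for this example; tune to the environment).
EXPECTED_DRIVER_DIRS = (
    "C:\\WINDOWS\\SYSTEM32\\DRIVERS\\",
    "C:\\WINDOWS\\SYSTEM32\\DRIVERSTORE\\",
)


def parse_hashes(field: str) -> Dict[str, str]:
    """Split a Sysmon 'Hashes' field ('SHA256=...,IMPHASH=...') into a dict."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def assess_driver_load(event: Dict[str, str]) -> List[str]:
    """Return findings for one Sysmon Event ID 6 (DriverLoad) record.

    An empty list means nothing suspicious was observed for this load.
    """
    findings: List[str] = []
    path = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    signed = event.get("Signed", "").lower() == "true"
    sig_ok = event.get("SignatureStatus", "").lower() == "valid"

    if sha256 in VULNERABLE_DRIVER_SHA256:
        findings.append(
            f"known vulnerable driver loaded: {VULNERABLE_DRIVER_SHA256[sha256]}"
        )
        if signed and sig_ok:
            # A valid signature on a blocklisted driver is the BYOVD pattern:
            # DSE was satisfied, not bypassed.
            findings.append("valid signature on a blocklisted driver: BYOVD pattern")
    if not path.upper().startswith(EXPECTED_DRIVER_DIRS):
        findings.append(f"driver loaded from unexpected location: {path}")
    if not (signed and sig_ok):
        findings.append("driver without a valid signature: check DSE / test-signing state")
    return findings


# Constructed sample events in the shape of Sysmon DriverLoad records.
SAMPLE_EVENTS = [
    {  # benign driver loaded from the expected directory
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": "SHA256=" + hashlib.sha256(b"constructed benign driver").hexdigest().upper(),
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {  # validly signed but blocklisted driver dropped into a user-writable path
        "ImageLoaded": "C:\\Users\\Public\\hw.sys",
        "Hashes": "SHA256="
        + hashlib.sha256(STAND_IN_VULNERABLE_DRIVER).hexdigest().upper()
        + ",IMPHASH=00000000000000000000000000000000",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
]


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious driver path to its findings; clean loads are omitted."""
    report = {}
    for event in events:
        findings = assess_driver_load(event)
        if findings:
            report[event["ImageLoaded"]] = findings
    return report


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

Note that the blocklist match is the high-confidence signal; the path heuristic alone will fire on legitimate third-party installers and is better used to raise the severity of a blocklist hit than as an alert on its own.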
To complete this mission successfully, one must undergo an undoubtedly sophisticated and time-consuming process: choosing an appropriate vulnerable driver; researching the Windows internals, as the functioning of the kernel is not well documented; working with a code base that is unfamiliar to most developers; and finally testing, as any unhandled error is the last step before BSOD, possibly triggering a subsequent investigation and the loss of access.
In our session we dive into a deep technical analysis of a malicious component that was used in an APT attack by Lazarus in late 2021. The malware is a sophisticated, previously unpublished user-mode module that uses the BYOVD technique and leverages the CVE-2021-21551 vulnerability in a legitimate Dell driver. After gaining write access to kernel memory, the module's overall goal is to blind security solutions and monitoring tools. This is realized via seven distinct mechanisms that target important kernel functions, structures, and variables of Windows systems from versions 7.1 up to Windows Server 2022. We will shed more light on these mechanisms by demonstrating how they operate and what changes they make to system monitoring once the user-mode module is executed.
When compared to other APTs using BYOVD, this Lazarus case is unique in that it possesses a complex bundle of ways to disable monitoring interfaces that had not been seen in the wild before. While some of the individual techniques may have been spotted by vulnerability researchers and game cheaters before, we will provide a comprehensive analysis of all of them and put them in context.
Peter Kálnai is a senior malware researcher at ESET. As a speaker, he has represented ESET at various international conferences including Virus Bulletin, AVAR and CARO Workshop. He earned his Ph.D. in mathematics at Charles University in Prague in 2020. In his free time he enjoys foosball and travelling.
Matěj Havránek is a malware analyst at ESET. In addition to malware research, he focuses on botnet activity tracking and developing analytic tools. He is a fan of ciphers, cryptography and enjoys challenges. In his free time he plays music, enjoys toying around with old hardware, online games and travelling.