Security researchers have observed the North Korean threat actor Lazarus Group deploying a Windows rootkit. According to the researchers, the rootkit was deployed by exploiting a Dell firmware driver. ESET was the first to detect this addition to the group’s constantly evolving techniques; according to ESET, the campaign was first discovered last fall. The campaign originally consisted of spearphishing emails containing malicious Amazon-themed documents. It targeted an employee of an aerospace company in the Netherlands, according to ESET. Another early victim of the campaign was a political journalist in Belgium.
The primary goal of the campaign was data exfiltration, ESET says. Dell has since patched the flaw that the notorious threat actor was exploiting; however, ESET believes the vulnerability was exploited twice before the patch was released. In both of the observed cases, the targets were approached with job offers, either via LinkedIn or by email. This opened the door to communication, and the attackers then deployed several malicious tools on each of the victims’ systems.
Read More: Lazarus Group Exploits Dell Driver Vulnerability to Bypass Windows Security