This malware was first spotted by researchers from Sophos Cybersecurity, who found that a group of North Korean hackers called the Lazarus Group was using this malware to infect key computer systems in Dell Technologies. Other cybersecurity researchers from ESET also found it being used to hack aerospace experts and political journalists in Europe using fake Amazon job offers.
The virus is spread through fake pdf files, which contain old vulnerable versions of various drivers that are downloaded onto the system. Since the driver isn't malicious per se, it is ignored by the antivirus software, which is then itself attacked by the malicious code within it.
The latest example of such an exploit was used by a ransomware hacking group called BlackByte, which embedded the code within Micro-Star’s MSI AfterBurner 4.6.2.15658 software. It is an overclocking utility for GPUs that gives users more control over the hardware. The file was hidden within the RTCore64.sys and RTCore32.sys files of the same and allowed hackers to read and write to arbitrary memory.
This gave them privileged access to code execution, which they then used for data theft and other activities. Through this exploit, BlackByte was able to disable more than 1000 drivers needed for various antivirus software to function properly. The security firms are asking IT admins to blacklist these particular drivers, so they can't be used for illegal purposes. They are also suggesting that enterprise users thoroughly check all drivers before they are installed on any system to prevent such vulnerabilities in the future.
