Lazarus Group Exploits Windows Zero-Day for Kernel-Level Access

February 28, 2024

The North Korean hacking group Lazarus has exploited a zero-day vulnerability in the Windows AppLocker driver, appid.sys, to gain kernel-level privileges and disable security tools. This bypasses the noisy BYOVD (Bring Your Own Vulnerable Driver) techniques. Avast analysts detected this activity and reported it to Microsoft, leading to a patch for the vulnerability, now known as CVE-2024-21338, as part of the February 2024 Patch Tuesday. However, Microsoft has not labeled the flaw as a zero-day exploit.

The Lazarus Group utilized the CVE-2024-21338 exploit to improve its FudModule rootkit, first documented by ESET in late 2022. The rootkit previously misused a Dell driver for BYOVD attacks. The updated version of FudModule boasts significant enhancements in stealth and functionality, including new and updated techniques for evading detection and disabling security protections like Microsoft Defender and CrowdStrike Falcon.

During their investigation, Avast uncovered a previously unknown remote access trojan (RAT) used by Lazarus. Further details about this RAT will be shared by Avast at the BlackHat Asia conference in April. The malware exploited a vulnerability in Microsoft's 'appid.sys' driver, a component of Windows AppLocker that offers application whitelisting capabilities. Lazarus manipulated the Input and Output Control (IOCTL) dispatcher in the appid.sys driver to trick the kernel into executing unsafe code, thereby bypassing security checks.

The FudModule rootkit, constructed within the same module as the exploit, carries out direct kernel object manipulation (DKOM) operations to disable security products, conceal malicious activities, and maintain persistence on the compromised system. The targeted security products include AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.

Avast noted new stealth features and expanded capabilities in the updated version of the rootkit, such as the ability to suspend processes protected by Protected Process Light (PPL) by manipulating handle table entries, selective and targeted disruption via DKOM, enhancements in tampering with Driver Signature Enforcement and Secure Boot, and more. This evolution in the threat actor's kernel access capabilities marks a significant shift, enabling them to conduct stealthier attacks and persist on compromised systems for longer periods.

The most effective countermeasure is to apply the February 2024 Patch Tuesday updates as soon as possible. Lazarus' exploitation of a Windows built-in driver makes the attack particularly difficult to detect and stop. YARA rules to assist defenders in detecting activity related to the latest version of the FudModule rootkit are available.

Latest News

• BlackCat Ransomware Gang Alleges Theft of 6TB Data from Change Healthcare
• APT28 Uses Compromised Ubiquiti EdgeRouters in Global Cyber Operations
• FBI and CISA Alert Healthcare Sector of Targeted BlackCat Ransomware Attacks
• Black Basta and Bl00dy Ransomware Gangs Target Unpatched ScreenConnect Servers
• LiteSpeed Cache Plugin XSS Vulnerability Threatens Millions of WordPress Sites