Lazarus Group Exploits Windows Zero-Day for Kernel-Level Access

February 28, 2024

The North Korean state-sponsored group Lazarus has exploited a zero-day elevation-of-privilege vulnerability in appid.sys, the Windows AppLocker driver, to gain kernel-level access and disable security tools. Because appid.sys ships with Windows, the attack no longer needs the noisier BYOVD (Bring Your Own Vulnerable Driver) technique of loading a third-party vulnerable driver onto the host. Avast analysts detected the activity and reported it to Microsoft, which patched the flaw, now tracked as CVE-2024-21338, in the February 2024 Patch Tuesday release. As of this writing, however, Microsoft's advisory does not mark the vulnerability as exploited in the wild.

Lazarus used the CVE-2024-21338 exploit to give its FudModule rootkit, first documented by ESET in late 2022, a new route into the kernel. Earlier versions relied on BYOVD, abusing a legitimately signed but vulnerable Dell driver to obtain kernel read/write access. The updated FudModule adds substantial stealth and functionality, including new and revised techniques for evading detection and disabling security products such as Microsoft Defender and CrowdStrike Falcon.

During the investigation, Avast also uncovered a previously unknown remote access trojan (RAT) used by Lazarus; further details will be presented at Black Hat Asia in April. The exploit targets appid.sys, the driver behind AppLocker's application allowlisting. Its IOCTL dispatcher could be fed a crafted request that made the kernel call an attacker-controlled pointer, bypassing the driver's security checks and giving the exploit a foothold for kernel read/write. One caveat matters for defenders: this is an admin-to-kernel flaw. The attacker must already hold administrator privileges on the host; what the exploit buys is the jump from admin to kernel without a third-party driver.
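As an added illustration (not code from the article, from Avast's analysis, or from Microsoft), the following user-mode C model shows the bug class described above: an IOCTL handler that copies a request structure from the caller and then calls a function pointer contained in it. The structure layout, the IOCTL code and all names are invented for the example and do not reflect appid.sys's real interface; the hardened variant's requestor-mode check is one standard remediation for this pattern, not a description of Microsoft's patch.

```c
/* Added example, not the article's, Avast's or Microsoft's code: a user-mode
 * model of "IOCTL handler calls a function pointer taken from the request".
 * Structure layout, IOCTL code and names are invented for illustration.
 * Build: cc -std=c11 -Wall ioctl_model.c -o ioctl_model */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real NTSTATUS values, so the return codes read like driver code. */
#define STATUS_SUCCESS           ((int32_t)0x00000000)
#define STATUS_INVALID_PARAMETER ((int32_t)0xC000000D)
#define STATUS_ACCESS_DENIED     ((int32_t)0xC0000022)

#define IOCTL_HYPOTHETICAL_HASH_IMAGE 0x00220000u   /* invented IOCTL code */

typedef enum { KernelMode = 0, UserMode = 1 } ProcessorMode;

/* Hypothetical request: the driver is meant to hash an image and fetches the
 * bytes through a caller-supplied reader. The pointer field is the flaw:
 * nothing in the buffer says whether it came from a trusted component. */
typedef struct {
    uint64_t image_size;
    int32_t (*read_image)(void *ctx, uint8_t *out, size_t len);
    void *ctx;
} HashRequest;

/* Minimal stand-in for the IRP fields the handler should consult. */
typedef struct {
    uint32_t ioctl;
    ProcessorMode requestor_mode;   /* Irp->RequestorMode in a real driver */
    const void *input;
    size_t input_len;
} Irp;

/* What the attacker wants: the kernel transferring control to an address of
 * their choosing. A real exploit points this at existing kernel code (SMEP
 * stops user-mode pages from executing at ring 0); the flag records the hit. */
static int attacker_code_ran = 0;
static int32_t attacker_gadget(void *ctx, uint8_t *out, size_t len) {
    (void)ctx; (void)out; (void)len;
    attacker_code_ran = 1;
    return STATUS_SUCCESS;
}

/* Vulnerable dispatcher: checks the buffer size, then trusts the pointer. */
int32_t vulnerable_dispatch(const Irp *irp, uint8_t *out, size_t len) {
    if (irp->ioctl != IOCTL_HYPOTHETICAL_HASH_IMAGE) return STATUS_INVALID_PARAMETER;
    if (!irp->input || irp->input_len < sizeof(HashRequest)) return STATUS_INVALID_PARAMETER;
    HashRequest req;
    memcpy(&req, irp->input, sizeof req);       /* copy-in, then call */
    if (!req.read_image) return STATUS_INVALID_PARAMETER;
    return req.read_image(req.ctx, out, len);   /* arbitrary call at ring 0 */
}

/* Hardened dispatcher: a request that carries code pointers is a kernel-only
 * interface, so refuse it unless the request originated in kernel mode.
 * Range-checking the pointer would not help: the attacker can aim it at any
 * existing kernel function, so there is no "safe" user-supplied pointer. */
int32_t hardened_dispatch(const Irp *irp, uint8_t *out, size_t len) {
    if (irp->ioctl != IOCTL_HYPOTHETICAL_HASH_IMAGE) return STATUS_INVALID_PARAMETER;
    if (irp->requestor_mode != KernelMode) return STATUS_ACCESS_DENIED;
    if (!irp->input || irp->input_len < sizeof(HashRequest)) return STATUS_INVALID_PARAMETER;
    HashRequest req;
    memcpy(&req, irp->input, sizeof req);
    if (!req.read_image) return STATUS_INVALID_PARAMETER;
    return req.read_image(req.ctx, out, len);
}

typedef struct { int hit; int32_t status; } AttackResult;

/* Simulates an admin-level user-mode process sending the crafted request
 * and reports whether the dispatcher ended up calling the attacker's pointer. */
AttackResult run_attack(int32_t (*dispatch)(const Irp *, uint8_t *, size_t)) {
    attacker_code_ran = 0;
    HashRequest crafted = { .image_size = 0, .read_image = attacker_gadget, .ctx = NULL };
    Irp irp = { IOCTL_HYPOTHETICAL_HASH_IMAGE, UserMode, &crafted, sizeof crafted };
    uint8_t scratch[16];
    AttackResult r;
    r.status = dispatch(&irp, scratch, sizeof scratch);
    r.hit = attacker_code_ran;
    return r;
}

int main(void) {
    AttackResult v = run_attack(vulnerable_dispatch);
    AttackResult h = run_attack(hardened_dispatch);
    printf("vulnerable: attacker code ran=%d status=0x%08x\n", v.hit, (unsigned)v.status);
    printf("hardened:   attacker code ran=%d status=0x%08x\n", h.hit, (unsigned)h.status);
    return 0;
}
```

The model deliberately keeps the buffer-length check in both versions to make the point that input validation alone does not close this class of bug: once the driver is willing to call a pointer that a user-mode requestor put in the buffer, the only fix is to stop honouring that pointer for user-mode callers.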

The FudModule rootkit, built into the same module as the exploit, performs direct kernel object manipulation (DKOM) to disable security products, hide its activity, and persist on the compromised system. The targeted products include AhnLab V3 Endpoint Security, Microsoft Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.

Avast documented new stealth features and expanded capabilities in the updated rootkit, including the ability to suspend processes protected by Protected Process Light (PPL) by manipulating their handle table entries, more selective and targeted disruption of security products via DKOM, improved tampering with Driver Signature Enforcement and Secure Boot, and more. This step up in the group's kernel access capabilities is a significant shift: it lets Lazarus operate more stealthily and remain on compromised systems for longer.

The most effective countermeasure is to install the February 2024 Patch Tuesday updates as soon as possible. Because the exploit abuses a signed driver that ships with Windows, there is no third-party driver load to alert on, which makes the activity harder to detect and stop than a BYOVD attack. The exploit does still require administrator privileges, so controls that limit and monitor local admin access remain relevant. Avast has published YARA rules to help defenders detect activity related to the latest version of the FudModule rootkit.
