Lazarus Group Exploits Windows Zero-Day Flaw in Rootkit Attacks

Last Update: Nov 19, 2024 | Published: Mar 05, 2024

Security – 4

SHARE ARTICLE

Key Takeaways:

  • Avast has discovered a new security vulnerability that could allow hackers to launch rootkit attacks on vulnerable systems.
  • The Lazarus Group exploited the flaw with their advanced rootkit, FudModule, demonstrating evolving threat tactics and the need for ongoing cybersecurity vigilance.
  • Windows users who haven’t patched their computers yet should install the February 2024 Patch Tuesday updates.

Microsoft has recently addressed a zero-day vulnerability within the Windows AppLocker driver. The security flaw has been exploited by the North Korean threat group Lazarus for privilege escalation to carry out rootkit attacks.

The security flaw (tracked as CVE-2024-21338) was first discovered by the cybersecurity firm Avast last year. The Avast researchers created a proof-of-concept (PoC) exploit and shared a description of the zero-day with Microsoft in August 2023. Subsequently, Microsoft released the February 2024 Patch Tuesday updates to mitigate the vulnerability on Windows PCs.

The North Korean threat group Lazarus exploited the security vulnerability to interact with the Windows kernel. The hackers then used an updated version of its proprietary rootkit malware called “FudModule” to gain administrative-level privileges on vulnerable systems. A rootkit is a type of malware that is developed to obtain unauthorized access to a computer, manipulate system functions, and hide its presence from the operating system.

The latest version of the FudModule rootkit comes with several enhancements to infiltrate vulnerable computer systems while remaining undetected. It’s designed to bypass various security measures, including the AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro security software.

Previously, Lazarus and other threat actors used to exploit security vulnerabilities in third-party system drivers to gain unauthorized access to the Windows kernel. However, this BYOVD (bring your own vulnerable driver) technique made it easier for security professionals to detect an ongoing attack. As a result, the hacking groups switched to exploiting the CVE-2024-21338 flaw, which affects the ‘appid.sys’ driver associated with the Windows AppLocker service.

“Though their [Lazarus Group’s] signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected technical sophistication,” Avast explained. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”

Lazarus Group Exploits Windows Flaw in Rootkit Attacks
Access control entries of \Device\AppId

New Remote Access Trojan (RAT) Detected in Lazarus Campaign

Avast observed that as part of the attack campaign, Lazarus hackers also used a new remote access trojan (RAT). However, the company plans to provide more details about the trojan at BlackHat Asia next month.

Cybersecurity researchers have warned that proof-of-concept exploit is now publically available, which heightens the risk of exploitation in the wild. It’s highly recommended that customers apply the February 2024 Patch Tuesday updates as soon as possible to protect Windows systems. To further safeguard against the updated version of the FudModule rootkit, we recommend that you check out YARA rules on GitHub.

SHARE ARTICLE