Recent cybersecurity intelligence has revealed that the infamous Lazarus Group has exploited a newly patched privilege escalation vulnerability in the Windows Kernel as a zero-day attack. This exploit allows the adversaries to gain kernel-level access, enabling them to disable crucial security software on affected systems.

The vulnerability, identified as CVE-2024-21338 with a CVSS score of 7.8, empowers attackers to obtain SYSTEM privileges. Microsoft addressed this flaw earlier this month as part of its Patch Tuesday updates.

To successfully exploit this vulnerability, attackers need to first gain access to the system, as outlined in a statement from Microsoft. Upon logging in, they could deploy a specially crafted application to exploit this flaw and take control of the targeted system.

While there were initially no reported incidents of exploitation for CVE-2024-21338 following the updates, Microsoft has since revised its “Exploitability assessment” to indicate that exploitation has been detected. The precise timeline of these attacks remains uncertain; however, this vulnerability appears to have been introduced in Windows 10 version 1703 when a specific IOCTL (input/output control) handler was implemented.

Cybersecurity firm Avast has uncovered that the Lazarus Group weaponized this flaw, using the resulting kernel read/write primitive to perform direct kernel object manipulation through an updated version of its data-only FudModule rootkit. ESET and AhnLab first documented this rootkit in October 2022 as a tool that disables various security measures by means of a Bring Your Own Vulnerable Driver (BYOVD) attack, in which the attacker loads a legitimately signed but vulnerable driver and abuses it to obtain kernel-level access.

This latest attack is alarming because it goes beyond the BYOVD technique: instead of bringing a vulnerable driver onto the machine, it exploits a zero-day vulnerability in a driver already present on the target system. The vulnerable driver in question is appid.sys, part of the Windows application control feature known as AppLocker.

Using CVE-2024-21338, the Lazarus Group can execute arbitrary code via the appid.sys driver, circumventing the established security checks and enabling the FudModule rootkit to operate. According to cybersecurity researcher Jan Vojtěšek, FudModule is only loosely integrated with the rest of Lazarus’ malware toolset, suggesting that the group deploys it deliberately and only under specific circumstances.

FudModule is designed not only to evade security logging mechanisms but also to disable specific security software, including AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus. This incident represents a significant step up in the technical sophistication of North Korean hacking groups, demonstrating continued improvement in both stealth and operational capability.

The Lazarus Group’s extensive tactics are further underscored by its recent use of deceptive calendar meeting links to surreptitiously distribute malware on Apple macOS platforms, which was previously noted in campaigns documented by SlowMist in December 2023. This persistent evolution indicates that the Lazarus Group remains one of the most formidable and longstanding advanced persistent threat actors in the cybersecurity landscape.

In summary, the FudModule rootkit exemplifies a complex addition to the tools in the Lazarus arsenal. Its ability to orchestrate sophisticated and stealthy attacks reflects an ongoing commitment to evolving and refining their methodologies, posing significant challenges for businesses and security professionals alike.
