Lazarus Group hackers broke into systems via a zero-day vulnerability in the Windows AppLocker driver and gained access at the kernel level. An enhanced version of their rootkit allowed them to disable security tools on affected systems.
According to Avast research, a zero-day vulnerability in the Windows AppLocker driver (appid.sys) allowed the Lazarus Group to gain kernel-level access to affected systems. More specifically, the attackers exploited the vulnerability, tracked as CVE-2024-21338, to deploy an updated version of Lazarus’ own FudModule rootkit. Earlier versions of this rootkit relied on a vulnerable Dell driver to perform so-called Bring Your Own Vulnerable Driver (BYOVD) attacks.
The improved version of the FudModule rootkit is stealthier than its predecessor and also offers more functionality, for example for evading detection techniques and disabling security tools on affected systems. The targeted tools mainly include Microsoft Defender, CrowdStrike Falcon, AhnLab V3 Endpoint Security and HitmanPro’s antimalware solutions.
Attack path for kernel access
In more detail, the enhanced malware targets the “appid.sys” driver in Windows. The Lazarus Group hackers’ attack path runs through manipulating the Input/Output Control (IOCTL) dispatcher in that driver. The dispatcher is tricked into calling an arbitrary pointer, which causes the kernel to execute attacker-controlled code. With that kernel-level foothold, the rootkit can bypass security tools.
Next, the FudModule rootkit performs direct kernel object manipulation (DKOM) activities. These disable the security tools, hide malicious activity and provide persistence on the affected systems.
Important development
According to Avast, the now-discovered vulnerability is an important new step in the North Korean hacker gang’s kernel access capabilities.
Microsoft fixed the vulnerability in the February 2024 Patch Tuesday update.
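For a defender, the first practical question raised by this article is whether a given host still runs an unpatched appid.sys. The following PowerShell script is an added example and not part of the article or of Avast’s research: it reports the version and signature of the installed AppLocker driver, whether the driver is currently loaded, the OS build, and whether a given cumulative update is present. The KB identifier is a placeholder because the article does not name it; substitute the update that Microsoft’s advisory for CVE-2024-21338 lists for your Windows build.

```powershell
# Added example (not from the article): report the state of the AppLocker
# driver (appid.sys) and whether the fixing cumulative update is installed.
# $FixKb is a PLACEHOLDER; take the real KB for your build from the
# Microsoft advisory for CVE-2024-21338.
$FixKb = 'KB<PLACEHOLDER>'

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
$info       = (Get-Item -LiteralPath $driverPath).VersionInfo
$sig        = Get-AuthenticodeSignature -FilePath $driverPath

# Driver file details: version, signer and signature validity.
[PSCustomObject]@{
    Path           = $driverPath
    FileVersion    = $info.FileVersion
    ProductVersion = $info.ProductVersion
    Signer         = $sig.SignerCertificate.Subject
    SigStatus      = $sig.Status
} | Format-List

# Is the driver currently loaded? The AppLocker driver's service name is 'AppID'.
Get-CimInstance Win32_SystemDriver -Filter "Name='AppID'" |
    Select-Object Name, State, StartMode, PathName | Format-List

# OS build, to compare against the build numbers in the advisory.
Get-CimInstance Win32_OperatingSystem |
    Select-Object Caption, Version, BuildNumber | Format-List

# Is the fixing update installed?
$hotfix = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue
if ($hotfix) {
    "Fix $FixKb installed on $($hotfix.InstalledOn)"
} else {
    "Fix $FixKb NOT found; compare the build number above with the advisory"
}
```

Run it in an elevated PowerShell session on the host under review; the hotfix check alone is not conclusive on systems that receive updates through a mechanism Get-HotFix does not record, which is why the script also prints the driver file version and OS build for manual comparison.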