The infamous Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows kernel as zero-day to gain kernel-level access and disable security software on compromised hosts.
The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which may allow an attacker to gain SYSTEM privileges. The issue was fixed by Microsoft earlier this month as part of its Patch Tuesday updates.
“To exploit this vulnerability, an attacker would first need to gain access to the system,” Microsoft said. “An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.”
While there was no indication of active exploitation of CVE-2024-21338 at the time the updates were released, Redmond on Wednesday revised its “exploitability assessment” for the flaw to “Exploitation Detected.”
It is currently unclear when the attacks occurred, but the vulnerability is said to have been introduced in Windows 10, version 1703 (RS2/15063) when the 0x22A018 IOCTL (short for input/output control) handler was first implemented time.
Cybersecurity vendor Avast, which discovered an admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to “perform a manipulation kernel object direct in an updated version of the bug.” their data-only FudModule rootkit.”
The FudModule rootkit was first reported by ESET and AhnLab in October 2022 as capable of disabling the monitoring of all security solutions on infected hosts via a so-called Bring Your Own Vulnerable Driver (BYOVD) attack, in which a attacker implants a driver susceptible to a known flaw or zero-day to escalate privileges.
What makes the latest attack significant is that it goes “beyond BYOVD by exploiting a zero-day in a driver known to be already installed on the target machine.” The sensitive driver is appid.sys, which is critical to the operation of a Windows component called AppLocker responsible for controlling applications.
The real-world exploit designed by the Lazarus Group uses CVE-2024-21338 in the appid.sys driver to execute arbitrary code in a way that bypasses all security checks and executes the FudModule rootkit.
“FudModule is only loosely integrated into the rest of the Lazarus malware ecosystem, and Lazarus is very careful about using the rootkit, only deploying it upon request under the right circumstances,” said security researcher Jan Vojtěšek, describing the malware as being active development.
In addition to taking measures to evade detection by disabling system loggers, FudModule is designed to disable specific security software such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender).
The development marks a new level of technical sophistication associated with North Korean hacking groups, who continually upgrade their arsenal to improve stealth and functionality. It also illustrates the elaborate techniques used to thwart detection and make it much more difficult to track them.
The adversary collective’s cross-platform focus is also exemplified by the fact that it has been observed using fake calendar meeting invitation links to covertly install malware on Apple macOS systems, a campaign previously documented by SlowMist in December 2023.
“Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors,” Vojtěšek said. “The FudModule rootkit is the latest example, representing one of the most complex tools Lazarus has in its arsenal.”