Microsoft Zero Day used by Lazarus in rootkit attack

Microsoft patched a zero-day vulnerability in its AppLocker application whitelisting software, but not before the North Korean state-backed Lazarus group was able to exploit the flaw to launch a rootkit cyberattack.

Avast researchers discovered the Microsoft zero-day flaw, tracked as CVE-2024-21338, and explained that it allowed Lazarus to use an updated version of its proprietary rootkit malware, called “FudModule”, to cross the boundary between administrator and kernel, according to a new report.

The zero-day was patched on February 13 as part of Microsoft’s February Patch Tuesday update, and Avast released details of the exploit on February 29.

Specifically, Avast analysts reported that FudModule has been enhanced with new features, including one that suspends Protected Process Light (PPL) processes belonging to the Microsoft Defender, CrowdStrike Falcon, and HitmanPro security products.

Further, Lazarus Group abandoned its previous bring-your-own-vulnerable-driver (BYOVD) tactic, moving from administrator to kernel by the more direct route of the zero-day exploit, the team explained.

Avast also discovered a new Lazarus Remote Access Trojan (RAT), on which the vendor plans to release more details later.

“Although their [Lazarus Group’s] distinctive tactics and techniques are now well recognized, they still occasionally manage to surprise us with unexpected technical sophistication,” the Avast report states. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus has in their arsenal.”
