29 February 2024

North Korean Lazarus hackers abused recent Windows zero-day to obtain kernel-level access


The infamous Lazarus Group hacking outfit tied to the North Korean government leveraged a recently patched flaw in the Windows kernel, exploiting it as a zero-day to gain kernel-level access and bypass security measures on affected systems.

The issue came to light after Avast researchers discovered an active exploit targeting the appid.sys AppLocker driver, exploiting a previously undisclosed zero-day vulnerability — CVE-2024-21338. The flaw is a buffer overflow issue that can be leveraged by a local user to execute arbitrary code on the system. Microsoft addressed this issue in the February 2024 Patch Tuesday updates.

The campaign was orchestrated by the notorious Lazarus Group, aiming to establish a kernel read/write primitive, Avast said in a technical report detailing the vulnerability.

This primitive allowed Lazarus to directly manipulate kernel objects in an updated version of their FudModule rootkit. The tool has been improved in both functionality and stealth, adding four new rootkit techniques and enhancing three existing ones.

In terms of advancement, the rootkit now employs a new handle table entry manipulation method to suspend Protected Process Light (PPL) protected processes associated with security solutions such as Microsoft Defender, CrowdStrike Falcon, and HitmanPro.

Furthermore, the Lazarus Group's shift to exploiting zero-day vulnerabilities represents a significant escalation from their previous, more conspicuous methods involving BYOVD (Bring Your Own Vulnerable Driver) techniques to breach the admin-to-kernel boundary, Avast noted.

The researchers said they uncovered large parts of the group’s infection chain, leading to the discovery of a new Remote Access Trojan (RAT) attributed to Lazarus in the process.

