29 February 2024

North Korean Lazarus hackers abused recent Windows zero-day to obtain kernel-level access

The infamous Lazarus Group hacking outfit tied to the North Korean government leveraged a recently patched flaw in the Windows kernel, exploiting it as a zero-day to gain kernel-level access and bypass security measures on affected systems.

The issue came to light after Avast researchers discovered an active exploit targeting the appid.sys AppLocker driver, exploiting a previously undisclosed zero-day vulnerability — CVE-2024-21338. The flaw is a buffer overflow issue that can be leveraged by a local user to execute arbitrary code on the system. Microsoft addressed this issue in the February 2024 Patch Tuesday updates.

The campaign was orchestrated by the notorious Lazarus Group, aiming to establish a kernel read/write primitive, Avast said in a technical report detailing the vulnerability.

This primitive allowed Lazarus to manipulate kernel objects directly in an updated version of their FudModule rootkit. The tool gained both functionality and stealth, adding four new rootkit techniques and enhancing three existing ones.

Among the new techniques, the rootkit now uses a handle table entry manipulation method to suspend Protected Process Light (PPL) protected processes belonging to security solutions such as Microsoft Defender, CrowdStrike Falcon, and HitmanPro.

Furthermore, the Lazarus Group's shift to exploiting zero-day vulnerabilities represents a significant escalation from their previous, more conspicuous methods involving BYOVD (Bring Your Own Vulnerable Driver) techniques to breach the admin-to-kernel boundary, Avast noted.

The researchers said they uncovered large parts of the group’s infection chain, leading to the discovery of a new Remote Access Trojan (RAT) attributed to Lazarus in the process.
