The Lazarus Group, the hacking outfit tied to the North Korean government, exploited a now-patched flaw in a Windows kernel driver as a zero-day to gain kernel-level access and tamper with security software on affected systems.
The issue came to light after Avast researchers discovered an in-the-wild exploit targeting appid.sys, the Windows AppLocker driver, through a previously undisclosed vulnerability, CVE-2024-21338. Microsoft classifies it as a Windows kernel elevation-of-privilege flaw; it is not a buffer overflow but a logic bug in the driver's IOCTL handler, which invokes a function pointer taken from attacker-controlled input. A local attacker who already holds administrator-level access can therefore execute arbitrary code in the kernel. Microsoft addressed the issue in the February 2024 Patch Tuesday updates.
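The check a defender wants at this point is whether a given host carries the February 2024 cumulative update that fixed CVE-2024-21338. The PowerShell below is an added example, not code from Avast's report or from the article; it compares the OS build revision against a per-version minimum and reports the installed appid.sys version and Authenticode signature for review. The build thresholds in the table are assumptions for illustration and must be confirmed against Microsoft's update history before being relied on.

```powershell
# Added example, not code from Avast's report or the article it describes.
# Reports whether this host carries the February 2024 cumulative update (the one
# that fixed CVE-2024-21338) by comparing the OS build against a per-version
# minimum, and shows the installed appid.sys version and signature for review.
# The build thresholds are ASSUMPTIONS used for illustration: verify each one
# against Microsoft's update history for that Windows version before relying on it.

function Test-Cve202421338Patched {
    [CmdletBinding()]
    param(
        # Major build -> minimum UBR (revision) that includes the February 2024 LCU (assumed values)
        [hashtable]$MinimumRevision = @{
            '22631' = 3155   # Windows 11 23H2 (assumed)
            '22621' = 3155   # Windows 11 22H2 (assumed)
            '19045' = 4046   # Windows 10 22H2 (assumed)
        }
    )

    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR          # Update Build Revision, bumped by each cumulative update

    # The vulnerable driver ships with Windows itself, so inspect the copy on disk.
    $driver = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
    $info   = (Get-Item -Path $driver).VersionInfo
    $sig    = Get-AuthenticodeSignature -FilePath $driver

    $status = if (-not $MinimumRevision.ContainsKey($build)) {
        'Unknown'          # Windows version not in the table: check manually
    } elseif ($ubr -ge $MinimumRevision[$build]) {
        'Patched'
    } else {
        'Vulnerable'
    }

    [pscustomobject]@{
        OSBuild         = "$build.$ubr"
        PatchStatus     = $status
        AppIdSysVersion = $info.FileVersion
        AppIdSysSigner  = $sig.SignerCertificate.Subject
        SignatureStatus = $sig.Status
    }
}

Test-Cve202421338Patched | Format-List
```

Run it from an elevated 64-bit PowerShell session. A result of Unknown means the host's Windows version is not in the threshold table, not that it is patched; extend the table from Microsoft's release notes for that version rather than guessing.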
The campaign's goal was to establish a kernel read/write primitive, Avast said in a technical report detailing the vulnerability.
That primitive let an updated version of the group's FudModule rootkit manipulate kernel objects directly. The tool gained both functionality and stealth, with four new rootkit techniques introduced and three existing ones enhanced.
Among the new techniques, the rootkit manipulates handle table entries to suspend processes protected by Protected Process Light (PPL), including those of security products such as Microsoft Defender, CrowdStrike Falcon, and HitmanPro. PPL is designed to stop even an administrator from opening such processes with suspend or terminate rights, which is why the rootkit needs a kernel primitive to get past it.
Furthermore, the Lazarus Group's shift to exploiting a zero-day represents a significant escalation from its earlier, more conspicuous BYOVD (Bring Your Own Vulnerable Driver) approach to crossing the admin-to-kernel boundary, Avast noted. A BYOVD attack must load a known-vulnerable third-party driver, which gives defenders an artifact to block or alert on; exploiting a driver that ships with Windows leaves no such artifact behind.
The researchers said they uncovered large parts of the group's infection chain and, in the process, discovered a new Remote Access Trojan (RAT) attributed to Lazarus.