The notorious North Korean threat group known as Lazarus exploited a Windows zero-day vulnerability for privilege escalation in attacks involving a rootkit named FudModule, according to cybersecurity firm Avast.
The vulnerability is tracked as CVE-2024-21338 and it was observed by Avast in Lazarus attacks last year. The security company developed a proof-of-concept (PoC) exploit and sent it to Microsoft in August 2023.
The flaw was patched by Microsoft with the company’s February 2024 Patch Tuesday updates, but the initial advisory for CVE-2024-21338 did not list it as a zero-day.
The tech giant updated its advisory on Wednesday to inform customers that exploitation of the vulnerability has been detected.
A blog post published by Avast on Wednesday provides a detailed technical description of the vulnerability and how it has been exploited by Lazarus.
The vulnerability impacts the ‘appid.sys’ driver associated with Microsoft’s AppLocker security feature. By targeting a vulnerability in a driver that is present on many systems — rather than using a bring your own vulnerable driver (BYOVD) approach — the attacker benefits from a higher degree of stealth.
“By exploiting such a vulnerability, the attacker is in a sense living off the land with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place,” Avast explained.
By exploiting CVE-2024-21338, Lazarus hackers were able to elevate their privileges on the compromised system and establish a kernel read/write primitive. This enabled them to perform direct kernel object manipulation in an updated version of the FudModule rootkit, which came to light in 2022.
The new variant of the rootkit includes several improvements, including to make the malware more stealthy and to attempt to disable the AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro security software.
The Lazarus attack observed by Avast also involved the use of a new remote access trojan (RAT), which the company will detail at a later time.
It’s not uncommon for North Korean hackers to exploit zero-day vulnerabilities in their attacks.
Related: Microsoft Warns of Exploited Exchange Server Zero-Day
Related: Windows Zero-Day Exploited in Attacks on Financial Market Traders
Related: Windows Zero-Day Exploited in Nokoyawa Ransomware Attacks
