The infamous Lazarus Group actors exploited a just lately patched privilege escalation flaw within the Home windows Kernel as a zero-day to acquire kernel-level entry and disable security software program on compromised hosts.
The vulnerability in query is CVE-2024-21338 (CVSS rating: 7.8), which may allow an attacker to achieve SYSTEM privileges. It was resolved by Microsoft earlier this month as a part of Patch Tuesday updates.
“To use this vulnerability, an attacker would first have to go browsing to the system,” Microsoft stated. “An attacker might then run a specifically crafted utility that might exploit the vulnerability and take management of an affected system.”
Whereas there have been no indications of lively exploitation of CVE-2024-21338 on the time of the discharge of the updates, Redmond on Wednesday revised its “Exploitability evaluation” for the flaw to “Exploitation Detected.”
Cybersecurity vendor Avast, which found an in-the-wild admin-to-kernel exploit for the bug, stated the kernel learn/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to “carry out direct kernel object manipulation in an up to date model of their data-only FudModule rootkit.”
The FudModule rootkit was first reported by ESET and AhnLab in October 2022 as able to disabling the monitoring of all security options on contaminated hosts via what’s known as a Deliver Your Personal Weak Driver (BYOVD) assault, whereby an attacker a driver prone to a identified or zero-day flaw to escalate privileges.
What makes the newest assault vital is that it goes “past BYOVD by exploiting a zero-day in a driver that is identified to be already put in on the goal machine.” That prone driver is appid.sys, which is essential to the functioning of a Home windows part known as AppLocker that is accountable for utility management.
The actual-world exploit devised by the Lazarus Group entails utilizing CVE-2024-21338 within the appid.sys driver to execute arbitrary code in a fashion that bypasses all security checks and runs the FudModule rootkit.
“FudModule is barely loosely built-in into the remainder of Lazarus’ malware ecosystem and that Lazarus may be very cautious about utilizing the rootkit, solely deploying it on demand underneath the appropriate circumstances,” security researcher Jan Vojtěšek stated, describing the malware as underneath lively improvement.
In addition to taking steps to sidestep detection by disabling system loggers, FudModule is engineered to show off particular security software program reminiscent of AhnLab V3 Endpoint Safety, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (previously Home windows Defender).
The event marks a brand new stage of technical sophistication related to North Korean hacking teams, repeatedly iterating its arsenal for improved stealth and performance. It additionally illustrates the frilly methods employed to hinder detection and make their monitoring a lot tougher.
The adversarial collective’s cross-platform focus can also be exemplified by the truth that it has been noticed utilizing bogus calendar assembly invite hyperlinks to stealthily set up malware on Apple macOS methods, a marketing campaign that was beforehand documented by SlowMist in December 2023.
“Lazarus Group stays among the many most prolific and long-standing superior persistent menace actors,” Vojtěšek stated. “The FudModule rootkit serves as the newest instance, representing probably the most complicated instruments Lazarus holds of their arsenal.”
