Development Hacking Security

Lazarus Group Exploits Windows Zero-Day for Privilege Escalation with FudModule Rootkit

1. Lazarus

The Lazarus group, a North Korean collective known for cyber-system sabotage, has recently been exploiting a Windows kernel privilege escalation vulnerability (CVE-2024-21338) in the form of a zero-day. This vulnerability is found within appid.sys, the core driver of AppLocker, Microsoft’s application whitelisting app; this newly discovered vulnerability earned a score of 7.8 out of 10 on the CVSS scale.

Lazarus has taken advantage of the vulnerability with the use of the FudModule rootkit, a data-only rootkit that accesses kernel read/write privileges through your machine’s drivers; the ultimate goal – bypass Windows security mechanisms.

Prior to the most recent iteration of this exploit, attackers would expose read/write privileges by attacking known vulnerabilities in third-party drivers. However, with the FudModule rootkit, hackers can deliver a special handle table entry manipulation technique to suspend PPL (Protected Process Light) protected processes.

Those AV Programs effected include, but are not limited to, Microsoft Defender, CrowdStrike Falcon, and HitmanPro.

2. FudModule

The FudModule rootkit itself is a frighteningly versatile piece of malware; it leverages kernel level read/write access to disable important features that security products rely on to detect suspicious behavior. This includes register callbacks, object callbacks, and process, thread, and image kernel callbacks.

It also is capable of removing file system minifilters used by AV Programs to monitor file operations.

This behavior is used by AV Products to find and block effected drivers; keep in mind that not all updates applied to an effected driver necessarily remove the instances of the old versions, thus leaving those weak spots open to attack.

Another additional rootkit behavior targets specific AV’s altogether, as mentioned earlier, rendering their security bypassed and non-functional.

3. Summary

The Lazarus Group is one of the most well-known and persistent threats to cybersecurity. The FudModule rootkit is only the most recent display of there technical prowess.

It is important for organizations to stay vigilant in their security; this includes taking proper precautions, addressing potential leaks/weaknesses in infrastructure, and regularly applying updates. Additionally, having monitors in place will help spot suspicious behavior before anything malicious occurs.

Staying educated, up to date, and aware will serve your system’s security in the long-term.