The North Korean hacking group Lazarus exploited a zero-day vulnerability in the Windows operating system to escalate privileges in attacks on users. The exploit was part of an attack campaign that deploys a rootkit called FudModule.
The vulnerability, tracked as CVE-2024-21338, was discovered by Avast while investigating Lazarus attacks last year. The company wrote a proof-of-concept (PoC) exploit and reported the flaw to Microsoft in August 2023.
Microsoft patched the vulnerability in its February 2024 "Patch Tuesday" security update. However, the initial advisory for CVE-2024-21338 did not mention that it had been exploited in the wild. On Wednesday, the company updated the advisory to warn customers that the vulnerability was being actively exploited.
Avast's blog post on Wednesday gave a detailed technical description of the vulnerability and of how Lazarus exploited it to deploy the rootkit. The flaw lies in the appid.sys driver, the kernel component behind Microsoft's AppLocker security feature. Rather than loading a vulnerable driver of their own (the bring-your-own-vulnerable-driver, or BYOVD, technique), the attackers targeted a driver already present on many systems, which makes the activity harder to detect.
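A practical first question for a defender reading this is whether a given host already carries the February 2024 update. The PowerShell below is an added check written for this page; it is not from the original article or from Avast. It reads the OS build and update build revision (UBR) from the registry, compares the UBR against a per-build minimum, and reports the file version of appid.sys for reference. The minimum UBR values in the table are the editor's assumed figures for the February 13, 2024 cumulative updates; confirm them against Microsoft's release notes for your OS version before relying on the result.

```powershell
# Added example (not from the article or from Avast): is this host at or past the
# February 2024 cumulative update that fixes CVE-2024-21338?

function Get-AppIdDriverVersion {
    # appid.sys is the AppLocker kernel driver the article says was targeted.
    $path = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
    if (-not (Test-Path $path)) { return $null }
    return (Get-Item $path).VersionInfo.FileVersion
}

function Test-Feb2024Baseline {
    param(
        # ASSUMED minimum UBR (the number after the dot in the full build) that the
        # February 13, 2024 update sets for each base build. Verify against Microsoft's
        # release notes; the check returns $null if the build is not in this table.
        [hashtable]$MinimumUbr = @{
            '22631' = 3155   # Windows 11 23H2 (assumed)
            '22621' = 3155   # Windows 11 22H2 (assumed)
            '19045' = 4046   # Windows 10 22H2 (assumed)
        }
    )

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    $patched = $null
    $note    = 'Build not in table; compare the UBR with the release notes yourself'
    if ($MinimumUbr.ContainsKey($build)) {
        $patched = ($ubr -ge $MinimumUbr[$build])
        $note    = "Minimum UBR for this build (assumed): $($MinimumUbr[$build])"
    }

    [pscustomobject]@{
        Build           = "$build.$ubr"
        PatchedFeb2024  = $patched
        AppIdSysVersion = Get-AppIdDriverVersion
        Note            = $note
    }
}

Test-Feb2024Baseline | Format-List
```

Run it in an elevated PowerShell session on the host being assessed. A `PatchedFeb2024` value of `$true` only shows the host is at or beyond the assumed baseline build; it says nothing about whether the driver has already been abused, which is a job for endpoint telemetry rather than a version check.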
A rootkit is a type of malware designed to hide its own presence, or that of other malware, on a computer system. Rootkits embed themselves deep in the system with high-level (root or administrator) access, which lets an attacker control the whole machine without being noticed. They enable many follow-on problems, including theft of personal information, monitoring of user activity, and installation of additional malware. Because they are so well concealed, rootkits are difficult to detect and remove.
Avast explains: “By exploiting such vulnerabilities, hackers minimize the need to save or download other malicious drivers.” This lets the attackers reach the system kernel, bypass most detection mechanisms, and operate even on systems that enforce driver-control policies.
Through CVE-2024-21338, Lazarus elevated its privileges on compromised systems and obtained a direct read/write primitive at the operating-system kernel level. That primitive lets the group manipulate kernel objects directly in the updated version of the FudModule rootkit, which first appeared in 2022.
The new version of the rootkit improves its stealth and adds routines to disable security software, including AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon and HitmanPro.
The Lazarus campaign tracked by Avast also used a new remote access trojan (RAT); the company said it will publish details later.