North Korean Hackers Bypass Security with Zero-Day

North Korean hackers from the Lazarus group exploited a vulnerability in the Windows AppLocker driver to gain kernel-level access and disable security measures, avoiding detection.

Avast analysts identified and reported the hackers’ activities to Microsoft, leading to the mitigation of a Windows kernel vulnerability, designated CVE-2024-21338 (with a CVSS score of 7.8) related to privilege escalation. However, Microsoft did not classify this flaw as a zero-day. The issue was resolved in the latest Patch Tuesday update in February.

The Lazarus group employed CVE-2024-21338 to create a read/write primitive in the kernel in the updated version of their rootkit, FudModule, first documented by ESET at the end of 2022. It’s noteworthy that FudModule utilizes the Bring Your Own Vulnerable Driver (BYOVD) method, allowing hackers to exploit a device driver vulnerability. This flaw grants cybercriminals unfettered access to kernel memory.

The new version of FudModule incorporates significant enhancements in stealth and functionality, including new methods for evading detection and disabling protective mechanisms such as Microsoft Defender and CrowdStrike Falcon.

Furthermore, Avast discovered a previously undocumented Remote Access Trojan (RAT) used by the group, with details promised at the BlackHat Asia conference in April.

The exploitation method involved manipulating the I/O manager in the appid.sys driver to invoke an arbitrary pointer, bypassing security checks. The FudModule rootkit performed Direct Kernel Object Manipulation (DKOM) operations to disable security products, conceal malicious activities, and ensure persistence on the infected system.

Targets include security products like AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro antivirus solution. The new version of the rootkit features stealth capabilities and enhanced functionalities, including the ability to suspend protected processes and selectively and strategically disrupt protective systems.

Avast emphasizes that this new exploitation tactic signifies a significant evolution in hackers’ abilities to launch covert attacks and maintain control over compromised systems for extended periods. The only effective security measure is the timely application of updates, as the use of an embedded Windows driver makes the attack particularly challenging to detect and counter.