
Lazarus hackers used Windows zero-day to gain Kernel privileges

North Korean threat actors, known as the Lazarus Group, recently made headlines for exploiting a zero-day vulnerability in the Windows AppLocker driver (appid.sys). The flaw gave them kernel-level access, letting them disable security tools without needing Bring Your Own Vulnerable Driver (BYOVD) techniques, which rely on loading a separately signed but vulnerable third-party driver.

The discovery of this activity was credited to Avast analysts, who promptly reported the exploit to Microsoft. Microsoft addressed the flaw in its February 2024 Patch Tuesday release, tracking it as CVE-2024-21338. Although the flaw was exploited before it was fixed, Microsoft did not flag it as a zero-day.

Avast detailed how Lazarus leveraged the vulnerability to enhance its FudModule rootkit, a malicious tool that had previously targeted a Dell driver for BYOVD attacks. The updated version of FudModule exhibited improved stealth and functionality, empowering Lazarus to evade detection and neutralize security measures like Microsoft Defender and CrowdStrike Falcon.

Furthermore, Avast’s investigation unveiled a previously undisclosed remote access trojan (RAT) utilized by Lazarus. The security firm announced their intention to provide more insights on this RAT at the upcoming BlackHat Asia event in April.

The exploit itself abused Microsoft's 'appid.sys' driver, a core component of application whitelisting in Windows AppLocker. By targeting the driver's Input/Output Control (IOCTL) dispatcher, Lazarus caused the kernel to execute attacker-controlled code, circumventing the system's security controls.

Within the FudModule rootkit, Lazarus employed direct kernel object manipulation (DKOM) techniques to disable security products, conceal malicious activities, and persist on compromised systems. Notably, the rootkit targeted well-known security solutions such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro.

Avast’s analysis highlighted new stealth features and expanded capabilities in the updated rootkit version, including handling processes protected by Protected Process Light (PPL), selective disruption via DKOM, and tampering with Driver Signature Enforcement and Secure Boot. This evolution in Lazarus’ tactics marks a significant advance in their kernel access capabilities, enabling longer and stealthier attacks.

To mitigate the threat posed by this exploit, users should apply the February 2024 Patch Tuesday updates promptly. Because Lazarus abuses a driver built into Windows rather than one it brings along, detecting and stopping these attacks is a significant challenge for cybersecurity professionals. YARA rules provided by Avast can aid defenders in identifying activity associated with the latest iteration of the FudModule rootkit.
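As an added defender-side check that is not part of the article or of Avast's published rules, the PowerShell script below verifies that the CVE-2024-21338 update is installed, that appid.sys is the Microsoft-signed driver at or above the fixed version, and that Microsoft Defender still reports itself enabled (a product silently turned off is one symptom of the DKOM tampering described above). The KB number and minimum driver version are placeholders to be filled in from Microsoft's advisory; the cmdlets and paths are standard Windows ones.

```powershell
# Added example (not the article's or Avast's code). Placeholders: $PatchKb and
# $MinAppidVersion must be replaced with the values from the CVE-2024-21338 advisory.
param(
    [string]$PatchKb = 'KB_PLACEHOLDER',      # KB article that ships the appid.sys fix
    [version]$MinAppidVersion = '0.0.0.0'     # placeholder: first fixed appid.sys file version
)

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
$findings = @()

# 1. Is the February 2024 update present? Get-HotFix reads the installed-update inventory.
$hotfix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    $findings += "Update $PatchKb not found; host may still be exposed to CVE-2024-21338."
}

# 2. Is appid.sys present, validly signed by Microsoft, and at least the fixed version?
if (Test-Path $driverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "appid.sys signature is $($sig.Status) (signer: $($sig.SignerCertificate.Subject))."
    }
    # FileVersion looks like "10.0.19041.3636 (WinBuild.160101.0800)"; keep the numeric part.
    $ver = [version](Get-Item $driverPath).VersionInfo.FileVersion.Split(' ')[0]
    if ($ver -lt $MinAppidVersion) {
        $findings += "appid.sys version $ver is below the expected fixed version $MinAppidVersion."
    }
} else {
    $findings += "appid.sys missing at $driverPath."
}

# 3. Is Defender still active? FudModule disables security products via DKOM, so a
#    Defender that reports itself off on a host that should have it on deserves a look.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    $findings += "Microsoft Defender reports AntivirusEnabled=$($mp.AntivirusEnabled), RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)."
}

if ($findings.Count -eq 0) {
    'No findings: update present, appid.sys intact, Defender active.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it in an elevated PowerShell session; a finding is a prompt to investigate with Avast's YARA rules and EDR telemetry, not proof of compromise.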

In conclusion, the Lazarus Group’s exploitation of the Windows AppLocker driver vulnerability underscores the persistent threat posed by sophisticated threat actors. This incident serves as a reminder of the importance of timely software updates and proactive security measures to safeguard against evolving cyber threats.
