Microsoft recently patched a zero-day vulnerability in AppLocker, its application whitelisting software, but the fix did not come in time to stop the North Korean state-backed Lazarus Group from using the flaw in a rootkit attack.
The flaw, tracked as CVE-2024-21338, was discovered by researchers at Avast. In a new report, they describe how Lazarus exploited it with an upgraded version of its proprietary rootkit, known as “FudModule,” to cross the admin-to-kernel boundary.
Microsoft patched the vulnerability on Feb. 13 as part of its February Patch Tuesday update. Avast published details of the exploit on Feb. 29 for further analysis.
Avast analysts note that FudModule has also gained new functionality. One key addition is the ability to suspend protected process light (PPL) processes, such as those used by Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
The research team also describes a shift in tactics: Lazarus has moved away from its earlier “bring your own vulnerable driver” (BYOVD) approach in favor of the more direct route of a zero-day exploit to escalate from admin to kernel.
Avast also uncovered a new Lazarus remote access Trojan (RAT) and has promised to provide more details about it in the near future.
The Avast report states that, despite the Lazarus Group’s well-documented tactics and techniques, the group still manages to surprise with its technical sophistication from time to time. The FudModule rootkit is cited as a prime example, and is described as one of the most intricate tools in Lazarus’s arsenal.
The continuing evolution of such threats underscores the need for organizations to remain vigilant and keep current with security patches and other defensive measures. Collaboration between security researchers and software vendors, as between Avast and Microsoft here, is central to finding and fixing vulnerabilities before attackers can exploit them.
As the threat landscape keeps changing, individuals and organizations alike need to prioritize sound security practices and invest in robust defenses against potential attacks. The Lazarus Group incident is a reminder of the importance of constant vigilance and proactive security measures.