February 29, 2024 at 06:45AM
Cybersecurity firm Avast reported that the North Korean group Lazarus exploited a Windows zero-day vulnerability, CVE-2024-21338, using a rootkit called FudModule for privilege escalation. Microsoft patched the flaw but initially did not list it as a zero-day. The attack aimed at evading detection and included a new variant of the rootkit and a remote access trojan.
The notorious North Korean threat group Lazarus exploited a Windows zero-day vulnerability, CVE-2024-21338, for privilege escalation in attacks using the FudModule rootkit. Avast observed this vulnerability being exploited by Lazarus in attacks last year. Avast developed a proof-of-concept exploit and reported it to Microsoft in August 2023.
Microsoft patched the vulnerability in its February 2024 Patch Tuesday updates, but initially did not list it as a zero-day. It later updated its advisory to inform customers that exploitation had been detected. Avast published a detailed technical description of the vulnerability and how it was exploited by Lazarus in a blog post.
The vulnerability impacts Microsoft’s AppLocker security feature and the ‘appid.sys’ driver. By exploiting this vulnerability, the attackers were able to elevate their privileges and establish a kernel read/write primitive, enabling direct kernel object manipulation in an updated version of the FudModule rootkit.
The new variant of the rootkit includes improvements to make the malware more stealthy and to attempt to disable various security software. Additionally, a new remote access trojan (RAT) was used in the observed Lazarus attack, which Avast will detail at a later time.
It was noted that North Korean hackers frequently exploit zero-day vulnerabilities in their attacks.