Lazarus hackers exploited Windows zero-day to gain Kernel privileges

February 28, 2024 at 12:26PM

The Lazarus Group exploited a zero-day flaw in the Windows AppLocker driver (appid.sys) to gain kernel-level access and disable security tools. Avast analysts spotted the activity and reported the flaw to Microsoft, which fixed it as CVE-2024-21338. The new FudModule rootkit version built on the exploit includes advanced evasion techniques, and Avast also discovered a previously undocumented RAT used by Lazarus. Apply the February 2024 Patch Tuesday updates promptly to close the kernel path this attack relies on.

Key takeaways:

1. The Lazarus Group exploited a zero-day flaw in the Windows AppLocker driver (appid.sys) to gain kernel-level access and turn off security tools, rather than relying on the noisier bring-your-own-vulnerable-driver (BYOVD) technique used by earlier FudModule versions.
2. Avast analysts detected the activity and reported the flaw to Microsoft, which fixed it as CVE-2024-21338 in the February 2024 Patch Tuesday updates.
3. Lazarus used the exploit to establish a kernel read/write primitive for an updated version of its FudModule rootkit, which gains substantial improvements in stealth and functionality aimed at evading detection and disabling security protections.
4. Avast also discovered a previously undocumented remote access trojan (RAT) used by Lazarus and plans to present further details at Black Hat Asia in April 2024.
5. The exploit abuses a flaw in appid.sys that lets the driver be made to call an arbitrary pointer, so the kernel executes attacker-chosen code and the usual checks on what runs in kernel mode are sidestepped.
6. Once in the kernel, FudModule performs direct kernel object manipulation (DKOM) to disable security products, hide its activity and keep a foothold on the breached system; the targeted products include AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon and HitmanPro.
7. The new version's stealth features and expanded capabilities mark a significant evolution in the group's kernel access tooling, permitting quieter attacks and longer persistence on compromised systems.
8. The primary recommendation is to apply the February 2024 Patch Tuesday updates as soon as possible, because once the exploit has run the rootkit is hard to detect and stop. Note that CVE-2024-21338 is an admin-to-kernel escalation: the attacker must already hold administrative rights on the host, so the patch closes the kernel path but does not replace the controls that prevent the initial compromise. After patching, confirm on each host that the February 2024 cumulative update is actually installed rather than assuming the rollout succeeded.
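As an added example (not code from the article, from Avast, or from the appid.sys driver), the following C program models the bug class behind point 5 in user mode: an IOCTL-style handler that takes a function pointer out of its caller's request and calls it, beside a hardened handler that only dispatches through a fixed table of callbacks it owns. The request layout, the callback names and the table are assumptions made for the illustration; the real driver's structures and the specific IOCTL Lazarus used are not described on this page. In a real driver the vulnerable call would run the caller's code in kernel mode; here both sides are ordinary functions in one process, which is enough to show why validating an index is safe and trusting a pointer is not.

```c
/*
 * Added illustration of the "driver calls an arbitrary pointer" bug class.
 * Not appid.sys source and not Lazarus code: the request layout, the
 * callback table and the callback names are assumptions for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the request a caller hands to the driver. The vulnerable
   handler reads 'callback' as a raw code pointer; the hardened one
   reads it as an index into a table the driver controls. */
struct request {
    uint64_t callback;
    uint32_t arg;
};

typedef int (*callback_fn)(uint32_t);

/* Two legitimate "kernel" callbacks the driver is meant to reach. */
static int query_hash(uint32_t arg)   { return (int)(arg ^ 0x5a5a5a5a); }
static int check_policy(uint32_t arg) { return arg % 2 == 0; }

/* Stand-in for attacker-controlled code. In the real attack this is the
   first step toward a kernel read/write primitive; here it just counts. */
static int attacker_payload_hits;
static int attacker_payload(uint32_t arg) { (void)arg; attacker_payload_hits++; return -1; }

/* VULNERABLE: the handler trusts a pointer that arrived in the input
   buffer and calls it. Any caller that can reach this handler runs code
   of their choosing in the handler's context. */
int vulnerable_ioctl(const void *buf, size_t len) {
    struct request req;
    if (len < sizeof req) return -1;
    memcpy(&req, buf, sizeof req);
    callback_fn fn = (callback_fn)(uintptr_t)req.callback;  /* untrusted */
    return fn(req.arg);
}

/* HARDENED: the caller may only select from a fixed table of callbacks
   that live in the driver; the input can no longer name an address. */
static const callback_fn callback_table[] = { query_hash, check_policy };
#define CALLBACK_COUNT (sizeof callback_table / sizeof callback_table[0])

int hardened_ioctl(const void *buf, size_t len, int *out) {
    struct request req;
    if (len < sizeof req) return -1;                /* reject short buffers */
    memcpy(&req, buf, sizeof req);
    if (req.callback >= CALLBACK_COUNT) return -1;  /* not an index we own */
    *out = callback_table[req.callback](req.arg);
    return 0;
}

/* Builds a request the way an attacker would, pointing 'callback' at
   attacker_payload, and sends it to the vulnerable handler.
   Returns how many times attacker code ran (1 = the bug is live). */
int run_attack_against_vulnerable(void) {
    struct request req = { .callback = (uint64_t)(uintptr_t)attacker_payload, .arg = 1 };
    attacker_payload_hits = 0;
    vulnerable_ioctl(&req, sizeof req);
    return attacker_payload_hits;
}

/* Same malicious request against the hardened handler.
   Returns 1 if it was rejected and attacker code never ran. */
int run_attack_against_hardened(void) {
    struct request req = { .callback = (uint64_t)(uintptr_t)attacker_payload, .arg = 1 };
    int out = 0;
    attacker_payload_hits = 0;
    int rc = hardened_ioctl(&req, sizeof req, &out);
    return rc == -1 && attacker_payload_hits == 0;
}

/* Legitimate use of the hardened handler: select callback by index. */
int run_legit_against_hardened(uint32_t idx, uint32_t arg, int *out) {
    struct request req = { .callback = idx, .arg = arg };
    return hardened_ioctl(&req, sizeof req, out);
}

int main(void) {
    int out = 0;
    printf("vulnerable handler ran attacker code: %d time(s)\n", run_attack_against_vulnerable());
    printf("hardened handler rejected raw pointer: %s\n", run_attack_against_hardened() ? "yes" : "no");
    run_legit_against_hardened(1, 4, &out);
    printf("hardened handler dispatched check_policy(4) -> %d\n", out);
    return 0;
}
```

The hardened version is the standard fix for this pattern: the request may say which of the driver's own routines to run, never where that routine lives. The length check matters too; an input buffer shorter than the structure is the other classic way an IOCTL handler ends up reading memory it should not.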

Additionally, YARA rules to help defenders detect activity linked to the latest version of the FudModule rootkit can be found at this link: [YARA rules link].
