The Lazarus Group, a North Korean threat actor, has been identified exploiting a critical flaw in the Windows AppLocker driver (appid.sys) as a zero-day vulnerability. This exploit grants the group kernel-level access, enabling them to bypass security measures and deactivate tools designed to detect malicious activities, such as BYOVD techniques. Avast analysts detected this activity and promptly alerted Microsoft, leading to the issuance of a fix tracked as CVE-2024-21338 during the February 2024 Patch Tuesday.
Utilizing the exploit, Lazarus was able to enhance its FudModule rootkit, initially documented by ESET in late 2022. The updated rootkit boasts improved stealth capabilities and functionalities, including techniques for evading detection and disabling security software like Microsoft Defender and CrowdStrike Falcon. Avast also uncovered a previously undocumented remote access trojan (RAT) used by Lazarus, promising further details at BlackHat Asia in April.
The exploit tactic involves manipulating the Input and Output Control (IOCTL) dispatcher in the appid.sys driver to execute arbitrary code, circumventing security checks and enabling the execution of unsafe operations within the kernel. With the updated FudModule rootkit, Lazarus executes direct kernel object manipulation (DKOM) operations to disable security products, conceal malicious activities, and maintain persistence on compromised systems.
