Zero-Day Alert (CVE-2024-21338): Lazarus Group Exploits Windows Kernel Vulnerability

CVE-2024-21338

Avast has uncovered details surrounding a zero-day exploit actively used by the Lazarus Group, targeting a vulnerability in the Windows appid.sys driver (CVE-2024-21338). This kernel-level vulnerability allowed attackers to deploy an advanced, stealthy rootkit, named “FudModule.”

This vulnerability, hidden within the depths of the `appid.sys` AppLocker driver and cataloged as CVE-2024-21338, emerged as a formidable Windows Kernel Elevation of Privilege Vulnerability, scoring a 7.8 on the CVSS scale. The exploit required an attacker to have initial access to the system, from where they could launch a specially designed application to leverage this vulnerability, aiming to gain SYSTEM privileges—a significant threat that could potentially give an attacker unfettered control over an affected system.

CVE-2024-21338

Avast’s proactive detection and development of a custom Proof of Concept (PoC) exploit in August 2023, followed by a timely report to Microsoft, exemplifies the critical role of collaboration in cybersecurity. This partnership culminated in a comprehensive advisory during the February Patch Tuesday update, introducing an ExGetPreviousMode check to the IOCTL handler to mitigate the vulnerability.

Microsoft issued a fix as part of the February 2024 Patch Tuesday. While not initially marked as a zero-day, in a later update on February 28th, Microsoft confirmed its active exploitation in the wild.

The exploitation of CVE-2024-21338 was not just an isolated incident but a calculated move by the Lazarus Group, with the sinister objective of establishing a kernel read/write primitive. This capability was instrumental in the evolution of their FudModule rootkit, showcasing significant advancements in functionality and stealth. Avast’s deep dive into this updated rootkit variant revealed a sophisticated blend of new and enhanced techniques, pushing the boundaries of cyber espionage and sabotage.

A notable innovation in the rootkit’s arsenal is a technique aimed at suspending processes protected under the Protected Process Light (PPL) framework, including those integral to security solutions like Microsoft Defender, CrowdStrike Falcon, and HitmanPro. This advancement, alongside the shift from more detectable BYOVD techniques to exploiting a zero-day vulnerability, marks a strategic pivot in Lazarus’s approach to maintaining persistence and evading detection.

The discovery of a new Remote Access Trojan (RAT) attributed to Lazarus further underscores the group’s relentless innovation and adaptation in their cyber operations. This RAT, part of the infection chain leading to the rootkit’s deployment, signifies a broader strategy to infiltrate, surveil, and potentially disrupt targeted systems.

In response to these developments, Avast has provided YARA rules to aid defenders in detecting activities linked to the FudModule rootkit.