The notorious Lazarus Group, originating from North Korea, has been found exploiting a zero-day vulnerability in the Windows AppLocker driver. This exploit allowed them to gain kernel-level access and disable security tools that could potentially detect their exploitation techniques. Microsoft has addressed this issue in its February patch update.
Details of the Exploit
Avast, a leading cybersecurity firm, unveiled on Wednesday the intricate details of an admin-to-kernel exploit carried out by the Lazarus Group. The exploit targeted a hitherto unknown zero-day vulnerability in the “appid.sys” AppLocker driver. This driver is a vital part of Windows security, enforcing policies that dictate which applications can run on a computer. The enforcement modes of these policies determine the level of strictness.
The “appid.sys” driver functions as a security sentinel within the computer’s core, assessing and enforcing these policies. As Microsoft puts it, “If the service isn’t running, policies aren’t enforced.”
Microsoft’s Response
Following Avast’s report, Microsoft promptly addressed this vulnerability, labeled as CVE-2024-21338, in their February Patch Tuesday update. While Microsoft has been sparse with details, they did mention that “An attacker who successfully exploited this vulnerability could gain system privileges.”
The Zero-Day Bug
According to Avast, the zero-day bug was located in the IOCTL dispatcher of the Windows AppLocker driver. Lazarus took advantage of the dispatcher’s flexibility, manipulating the kernel into executing their commands and controlling critical functions.
Despite Microsoft categorizing the CVE as “Privileges Required: Low,” the exploit had a higher impact due to the use of the local service account. The vulnerability affected Windows 10 [1703 onwards] and Win11 [up to 23H2]. Microsoft’s patch was designed to prevent user-mode-initiated IOCTLs, thereby protecting against arbitrary callbacks.
Lazarus Group’s Intentions
The Lazarus Group, infamous for its advanced persistent threat activities, sought to establish a kernel read/write primitive through this exploit. This primitive enabled the hackers to augment their malicious FudModule rootkit, which had previously been analyzed by ESET and AhnLab. The rootkit exploited a legitimate signed Dell driver at the time.
The admin-to-kernel exploit acted as a conduit for the FudModule rootkit, a data-only rootkit executed entirely from user space. FudModule utilized direct kernel object manipulation techniques, disrupting various kernel security mechanisms. Avast’s analysis identified nine rootkit techniques, with four new, three updated, and two deprecated from previous variants.
Stealthier Exploitation Techniques
Departing from their previous, more conspicuous bring-your-own-vulnerable-driver (BYOVD) exploitation techniques, Lazarus utilized the zero-day vulnerability for a subtler approach. The exploit involved the manipulation of a handle table entry to suspend processes protected by Protected Process Light. This included processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro. This advancement bolsters the rootkit’s stealth capabilities by targeting processes vital for system security, enabling the attacker to operate undetected and potentially tamper with or disable security measures.
New Remote Access Trojan Discovered
Avast also unearthed a new remote access Trojan (RAT) attributed to Lazarus, indicating a complex infection chain and suggesting the introduction of a new tool in their arsenal. The discovery of a new RAT implies that Lazarus has expanded its capabilities, potentially enabling more extensive control over compromised systems and facilitating prolonged and covert surveillance. Avast has announced that technical details of the RAT will be released in the coming days.
Linguistic Anomalies Point to Korean Origin
Researchers also discovered plaintext debug prints in the compiled code, revealing linguistic anomalies that hinted at a possible Korean origin, despite the code being written in English. The use of terms such as “vaccine” for security software and the abbreviation “pvmode” for PreviousMode further pointed to the identity of the threat group.
Continued Technical Sophistication
“Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication,” Avast commented. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”
Future Developments
Avast anticipates that Lazarus will continue to actively develop this rootkit, focusing on improvements in both stealth and functionality. “With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques,” Avast concluded.