Lazarus APT Exploited Zero-Day in Windows Driver to Gain Kernel Privileges

The Lazarus APT group strategically exploited a zero-day vulnerability in the Windows AppLocker driver to infiltrate target systems at the kernel level. This sophisticated technique allowed them to perform direct kernel object manipulation, granting the actors unprecedented access and the ability to disable security software. The vulnerability is tracked as CVE-2024-21338; it was identified and addressed by Microsoft in the February Patch Tuesday update.

Typically, adversaries aiming for such high-level access resort to Bring Your Own Vulnerable Driver (BYOVD) methods, which tend to be more conspicuous because they require loading a third-party driver. However, Lazarus demonstrated a more advanced approach by exploiting a zero-day in a built-in Windows driver that is already present on the target machine, making the attack more universal and harder to detect. Their exploitation of the appid[.]sys driver involved manipulating its Input/Output Control (IOCTL) dispatcher, effectively bypassing security measures and enabling the execution of arbitrary code. This manipulation ultimately granted them a powerful kernel read/write primitive, which in turn allowed disruptive kernel object manipulation.

Security Officer Comments:
The impact of this exploit was significant, as it allowed the tampering with processes protected by Protected Process Light (PPL), such as those belonging to Microsoft Defender, CrowdStrike Falcon, and HitmanPro. However, with the exposure of this valuable zero-day, Lazarus now faces a dilemma: either seek out new critical exploits or revert to less potent BYOVD tactics.

Suggested Corrections:
Apply the February Patch Tuesday update that addresses CVE-2024-21338. To aid in detection and mitigation efforts, researchers have also shared Indicators of Compromise (IoCs) and YARA rules targeting the latest iteration of the FudModule rootkit, which Lazarus employed to carry out its malicious activities.