Lazarus Hackers Exploited Windows 0-Day to Gain Kernel read/write Access

The Lazarus Group, a well-known cybercriminal organization, has recently exploited a zero-day vulnerability in Windows to gain kernel privileges, a critical level of system access.

This vulnerability, identified as CVE-2024-21338, was found in the appid.sys AppLocker driver and was patched by Microsoft in their February Patch Tuesday update following a report from Avast Threat Labs.

The exploit allowed the Lazarus Group to establish a kernel read/write primitive, a fundamental capability for manipulating the operating system’s kernel memory.

This capability was used to update their FudModule rootkit, enhancing its functionality and stealth.

The rootkit now includes new techniques for manipulating handle table entries, which can interfere with processes protected by Microsoft’s Protected Process Light (PPL), such as those belonging to Microsoft Defender, CrowdStrike Falcon, and HitmanPro.


Beyond BYOVD

For attackers seeking deep control of a system, the ultimate goal is to move from administrative access to kernel access, the core of the operating system.

One advanced way to do this is to find and use a zero-day vulnerability (a security flaw the software maker does not yet know about) in a driver that is already installed on the computer.

This is more difficult than other methods because fewer drivers ship with the system, and those that do are usually better protected against attacks.

The Lazarus Group, a well-known hacking group, chose this method because it’s harder to notice.

They are famous for their attacks, so they must often change their methods to avoid being caught. Using a zero-day in a built-in driver, they hoped to stay hidden for a longer time without switching to a new method.

CVE-2024-21338 is the identifier of the vulnerability found in this Windows driver. It was a good target for the attackers because it was easy to use in an attack, and because the driver was part of the system, they did not need to bring anything new onto the machine that could be detected.

Microsoft has since fixed this problem, making it harder for the Lazarus Group to use this method again. They might have to return to older attacks or find a new zero-day vulnerability to exploit.

FudModule rootkit

Avast’s reverse engineering of the updated FudModule rootkit revealed both new and updated rootkit techniques, indicating a significant advancement in the group’s capabilities.

The FudModule rootkit, a complex tool in Lazarus’s arsenal, has been actively developed to enhance its stealth and functionality.

Previously, the group relied on the Bring Your Own Vulnerable Driver (BYOVD) technique, using a Dell hardware driver vulnerability (CVE-2021-21551) to gain kernel-level access.

However, Avast’s recent findings indicate that Lazarus has now exploited a new zero-day vulnerability in the Windows AppLocker driver (appid.sys), tracked as CVE-2024-21338, to create a kernel read/write primitive.

The Lazarus Group’s approach to exploiting the zero-day vulnerability marks a departure from their previous method of using BYOVD (Bring Your Own Vulnerable Driver) techniques, which involved exploiting known vulnerabilities in third-party drivers.

Instead, they targeted a built-in Windows driver, a more challenging but stealthier method.

CVE-2024-21338

The CVE-2024-21338 vulnerability itself is relatively straightforward to exploit. It involves an IOCTL (Input/Output Control) dispatcher in the appid.sys driver that computes a “smart hash” of an executable file.

Because the dispatcher accepted caller-supplied function pointers, attackers could pass pointers to existing kernel functions, sidestepping mitigations such as SMEP (Supervisor Mode Execution Prevention) and kCFG (Kernel Control Flow Guard).

Figure: Direct syscalls are heavily used throughout the exploit. (Credit: Avast)

The exploit crafted by Lazarus manipulated the PreviousMode of the current thread, allowing them to bypass kernel-mode checks and read or write arbitrary kernel memory.

Lazarus Hackers Exploitation Technique

The Lazarus Group’s attack starts with setting up their tools, an exploit and a rootkit combined into one. First, they make sure they can call the specific Windows functions the attack needs.

They also check whether the computer has any security mitigations active and which version of Windows it is running, so they can adjust the attack accordingly. They even account for minor version differences to ensure the attack works reliably across different machines.

To obtain the information the attack needs, they coax the system into revealing the locations of certain important parts of the Windows kernel.

They do this by requesting information through an interface that is not supposed to reveal anything sensitive, but which they abuse to get what they need.

Before they can use their main attack, they may need to make the computer load a specific Windows component if it is not already running.

They do this indirectly by logging a particular kind of event. Once that component is running, they impersonate one of the computer’s basic services to obtain the necessary access.

The attack itself involves sending a specially crafted request that tricks the system into doing something it should not, such as writing data to locations that are normally off-limits.

This is done by corrupting a tiny part of the system’s memory to bypass security checks, allowing the attackers to take control at the deepest level of the system.

They are careful to verify that the attack worked by attempting something that would only be possible if it succeeded. If it does not work the first time, they try again with a slight adjustment, because newer versions of Windows expect a slightly different request.

This detailed planning and these adjustments show how sophisticated and determined attackers like the Lazarus Group are in finding ways to exploit computer systems despite the obstacles.

Microsoft Patch

The discovery of this zero-day and its subsequent patching by Microsoft disrupts the Lazarus Group’s operations, forcing them to find new methods for admin-to-kernel exploitation or revert to older techniques.

The patch added by Microsoft prevents user-mode initiated IOCTLs from triggering arbitrary callbacks, thus closing off the vulnerability.
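The following is an added illustration of the bug class and of the shape of the fix described above; it is not appid.sys code and does not reproduce Microsoft’s or Avast’s implementation. It models an IOCTL dispatcher whose input buffer carries a function pointer (the constructed `hash_request_t` layout, `dispatch_vulnerable`, `dispatch_hardened` and `record_call` are all hypothetical names). The vulnerable version invokes the pointer regardless of where the request came from; the hardened version refuses callbacks for requests that originated in user mode, which is the property the patch restores.

```c
/* Added example: a minimal model of an IOCTL dispatcher that receives a
 * request containing function pointers, and of a fix that refuses to invoke
 * such callbacks for user-mode initiated requests. Names and layout are
 * constructed for illustration; this is not the real driver's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Origin of the request, standing in for the IRP's requestor mode. */
typedef enum { REQ_KERNEL_MODE = 0, REQ_USER_MODE = 1 } requestor_mode_t;

/* Constructed request layout: the caller passes a callback pointer in the
 * IOCTL input buffer. Whenever the IOCTL is reachable from user mode, this
 * buffer is entirely under the caller's control. */
typedef struct {
    void (*callback)(void *ctx);
    void *ctx;
} hash_request_t;

/* Hypothetical callback the caller wants the kernel to run. It only records
 * that it executed; in the model this stands in for running caller-chosen
 * kernel code, which is exactly what a dispatcher must never permit. */
static void record_call(void *ctx) { *(int *)ctx += 1; }

/* Vulnerable pattern: trusts the pointer no matter who sent the request. */
int dispatch_vulnerable(const hash_request_t *req, requestor_mode_t mode) {
    (void)mode; /* origin of the request is never consulted */
    if (req->callback != NULL)
        req->callback(req->ctx);
    return 0; /* stands in for STATUS_SUCCESS */
}

/* Hardened pattern, modelling the patch: a callback is only honoured when
 * the request originated inside the kernel. A user-mode request carrying a
 * callback is rejected before anything is invoked. */
int dispatch_hardened(const hash_request_t *req, requestor_mode_t mode) {
    if (mode == REQ_USER_MODE && req->callback != NULL)
        return -1; /* stands in for STATUS_ACCESS_DENIED */
    if (req->callback != NULL)
        req->callback(req->ctx);
    return 0;
}

/* Sends one constructed request through a dispatcher from the given mode
 * and returns how many times the supplied callback executed. */
int callbacks_run_from(int (*dispatch)(const hash_request_t *, requestor_mode_t),
                       requestor_mode_t mode) {
    int count = 0;
    hash_request_t req = { record_call, &count };
    dispatch(&req, mode);
    return count;
}

int main(void) {
    printf("user-mode request, vulnerable dispatcher: callback ran %d time(s)\n",
           callbacks_run_from(dispatch_vulnerable, REQ_USER_MODE));
    printf("user-mode request, hardened dispatcher:   callback ran %d time(s)\n",
           callbacks_run_from(dispatch_hardened, REQ_USER_MODE));
    printf("kernel request,    hardened dispatcher:   callback ran %d time(s)\n",
           callbacks_run_from(dispatch_hardened, REQ_KERNEL_MODE));
    return 0;
}
```

The design point is that the check keys on the request’s origin, not on the pointer’s value: validating that a pointer “looks like” a kernel address is not enough, because, as the article notes, pointers to legitimate kernel functions are precisely what an attacker supplies to get around SMEP and kCFG. Only refusing to act on caller-supplied code pointers from user mode closes the hole.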

In conclusion, the Lazarus Group’s exploitation of the Windows zero-day CVE-2024-21338 demonstrates their advanced capabilities and the continuous threat they pose to cybersecurity.

The incident underscores the importance of robust security measures and the need for timely patching of vulnerabilities to protect against such sophisticated attacks.
