Microsoft Fixed Bug in February That Gave Kernel-Level Access to North Korean APT

North Korea's Lazarus hackers exploited a Windows AppLocker driver zero-day to gain kernel-level access and turn off security tools that could detect the group's bring-your-own-vulnerable-driver exploitation techniques. Microsoft fixed the bug in its February patch dump.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

Researchers of cybersecurity firm Avast revealed Wednesday details of a sophisticated admin-to-kernel exploit orchestrated by the North Korean Lazarus Group. This exploit targeted a previously unknown zero-day vulnerability in the AppLocker driver, a crucial component of Windows security with policies that control which applications can run on a computer, with different enforcement modes determining how strictly these rules should be followed.

The acts as a security guard within the computer's core, evaluating and enforcing these rules. "If the service isn't running, policies aren't enforced," Microsoft explained.

Avast's report led to Microsoft swiftly addressing this vulnerability, identified as CVE-2024-21338, in the February Patch Tuesday update. Microsoft shared few details but said, "An attacker who successfully exploited this vulnerability could gain system privileges."

The zero-day bug resided in the IOCTL dispatcher of the Windows AppLocker driver, Avast said. Lazarus exploited the flexibility of this dispatcher, allowing hackers to trick the kernel into following their instructions and control important functions.

Although Microsoft categorized the CVE as "Privileges Required: Low," the exploit's impact was higher due to the use of the local service account. The vulnerability affected Windows 10 [1703 onwards] and Win11 [up to 23H2]. Microsoft's patch aimed to prevent user-mode-initiated IOCTLs, safeguarding against arbitrary callbacks.

Lazarus Group, known for its advanced persistent threat activities, aimed to establish a kernel read/write primitive through this exploit. This primitive allowed the hackers to enhance their malicious FudModule rootkit, previously analyzed by ESET and AhnLab. The rootkit abused a legitimate signed Dell driver at the time.

The admin-to-kernel exploit served as a gateway for the FudModule rootkit, a data-only rootkit executed entirely from user space. FudModule employed direct kernel object manipulation techniques, disrupting various kernel security mechanisms. Avast's analysis highlighted nine rootkit techniques, with four new, three updated and two depr ecated from previous variants.

Unlike previous noisier bring-your-own-vulnerable-driver exploitation techniques, Lazarus leveraged the zero-day vulnerability for a more covert approach. The exploit involved manipulating a handle table entry to suspend processes protected by Protected Process Light, including those associated with Microsoft Defender, CrowdStrike Falcon and HitmanPro. This advancement enhances the rootkit's stealth capabilities by targeting processes crucial for system security, allowing the attacker to operate undetected and potentially tamper with or disable security measures.

Avast also discovered a new remote access Trojan attributed to Lazarus, indicating a complex infection chain and suggesting the introduction of a fresh tool in their arsenal. The discovery of a new RAT implies that Lazarus has expanded its capabilities, potentially enabling more extensive control over compromised systems and facilitating prolonged and covert surveillance. Technical details of the RAT will be released in coming days, Avast said.

Researchers also found plaintext debug prints in the compiled code, revealing linguistic anomalies that hinted at a possible Korean origin, although the code is written in English. The use of terms such as "vaccine" for security software and the abbreviation "pvmode" for PreviousMode also pointed to the identity of the threat group.

"Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication," Avast said. "The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal."

Avast expects Lazarus to actively keep developing this rootkit, focusing on improvements in both stealth and functionality. "With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques," Avast said.