North Korea’s Lazarus deploys rootkit via AppLocker zero-day flaw

Researchers warn that a Windows kernel privilege escalation vulnerability fixed by Microsoft during the February Patch Tuesday was exploited in the wild as a zero-day by the North Korean threat actor known as the Lazarus group. The attackers leveraged the flaw in an updated version of their FudModule rootkit, which was also enhanced with new functionality.

“This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit,” researchers from security firm Avast said in a new report. “In a key advancement, the rootkit now employs a new handle table entry manipulation technique in an attempt to suspend PPL (Protected Process Light) protected processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro.”

AppLocker vulnerability replaces bring your own vulnerable driver technique

Lazarus group, also known as APT38, is one of the North Korean government’s state-run hacking teams. It is tasked with cyberespionage and sabotage, and sometimes with cybercrime to raise money for the regime. Its operations span back many years, but some researchers believe Lazarus is most likely an umbrella for different sub-groups that run their own campaigns and develop bespoke malware for their targets.

The FudModule rootkit is not new to Lazarus’ toolset; other cybersecurity firms analyzed it in 2022. It is a data-only rootkit: it runs in user mode and uses a kernel read/write primitive obtained through a driver to tamper with Windows security mechanisms and impair the ability of security products to detect other malicious components. Because it never executes code of its own in the kernel, it only needs to read and write kernel memory, which is exactly the kind of attack that code-integrity protections such as DSE and HVCI do not stop.

In previous versions, the attackers obtained the kernel read/write primitive by exploiting known vulnerabilities in legitimately signed third-party drivers that they deployed on the system alongside the malware. This technique is known as bring your own vulnerable driver (BYOVD). Loading a driver on Windows requires administrator privileges, so the attackers already had elevated privileges on the targeted systems before the rootkit came into play.

However, there is a difference between holding administrator rights and being able to execute code in the kernel. An administrator (or even the SYSTEM account) still runs in user mode, at a higher integrity level but subject to user-mode restrictions, whereas kernel code is unrestricted. Microsoft nonetheless does not officially consider administrator-to-kernel a security boundary, because there are well-known ways to get from one to the other, BYOVD being the obvious example given the steady supply of poorly written signed third-party drivers. Any administrator can load a signed driver, and every driver runs in kernel mode.

“Microsoft hasn’t given up on securing the admin-to-kernel boundary, though,” researchers from Avast explain. “Quite the opposite. It has made a great deal of progress in making this boundary harder to cross. Defense-in-depth protections, such as DSE (Driver Signature Enforcement) or HVCI (Hypervisor-Protected Code Integrity), have made it increasingly difficult for attackers to execute custom code in the kernel, forcing most to resort to data-only attacks (where they achieve their malicious objectives solely by reading and writing kernel memory). Other defenses, such as driver blocklisting, are pushing attackers to move to exploiting less-known vulnerable drivers, resulting in an increase in attack complexity. Although these defenses haven’t yet reached the point where we can officially call admin-to-kernel a security boundary (BYOVD attacks are still feasible, so calling it one would just mislead users into a false sense of security), they clearly represent steps in the right direction.”

The new CVE-2024-21338 vulnerability exploited by Lazarus is located in appid.sys, the core driver behind AppLocker, the application allowlisting technology built into Windows, which is ironic given that the driver exists to enforce which programs are allowed to run. Microsoft assigned the vulnerability a CVSS score of 7.8 out of 10 and, according to Avast, that may be because it can also be exploited from the Local Service account, which has fewer privileges than an administrator.

“Though the vulnerability may only barely meet Microsoft’s security servicing criteria, we believe patching was the right choice and would like to thank Microsoft for eventually addressing this issue,” the Avast researchers said. “Patching will undoubtedly disrupt Lazarus’ offensive operations, forcing them to either find a new admin-to-kernel zero-day or revert to using BYOVD techniques.”
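The following is an added example, not code from the article or from Avast’s report: a read-only PowerShell posture check for the admin-to-kernel defenses named above (HVCI, code-integrity policy enforcement, Microsoft’s vulnerable driver blocklist) plus the version of the patched appid.sys driver and Defender’s tamper protection. All property, class, and registry names are documented Windows interfaces; the decision of what counts as “good” is this script’s own assumption, and no fixed appid.sys version is asserted, so compare the reported version against the February 2024 update yourself.

```powershell
# Added example (not from the original article or Avast's report).
# Read-only posture check for the admin-to-kernel defenses discussed above.
# Run from an elevated PowerShell prompt on the host being assessed.

function Get-KernelHardeningPosture {
    $result = [ordered]@{}

    # HVCI: Win32_DeviceGuard.SecurityServicesRunning lists running VBS services;
    # 1 = Credential Guard, 2 = HVCI (Hypervisor-Protected Code Integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $result.HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # Kernel-mode code integrity policy: 0 = off, 1 = audit, 2 = enforced.
    $result.CiPolicyEnforced = [bool]($dg -and $dg.CodeIntegrityPolicyEnforcementStatus -eq 2)

    # Microsoft vulnerable driver blocklist ("driver blocklisting" in the text).
    # Note: on recent Windows 11 builds the blocklist is on by default and HVCI
    # applies it as well, so $false here means "not explicitly enabled", not "off".
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue
    $result.VulnerableDriverBlocklistEnabled = [bool]($ci -and $ci.VulnerableDriverBlocklistEnable -eq 1)

    # appid.sys is the AppLocker driver patched for CVE-2024-21338. The version is
    # reported for comparison with the February 2024 update; no fixed version is
    # hard-coded here (assumption: the driver lives in the default location).
    $appid = Get-Item "$env:SystemRoot\System32\drivers\appid.sys" -ErrorAction SilentlyContinue
    $result.AppIdSysVersion = if ($appid) { $appid.VersionInfo.FileVersion } else { 'not found' }

    # Defender tamper protection raises the bar for the "disable Defender" step.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.DefenderTamperProtected = [bool]($mp -and $mp.IsTamperProtected)

    [pscustomobject]$result
}

Get-KernelHardeningPosture | Format-List
```

A host that reports HvciRunning and VulnerableDriverBlocklistEnabled as true still permits BYOVD with a driver that is not yet on the blocklist, which is the point Avast makes above; the check tells you how much friction an attacker faces, not that the boundary is closed.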

Lazarus’s improved rootkit techniques

The FudModule rootkit leverages its kernel read/write access to disable several features that security products rely on to detect suspicious behavior: registry callbacks (registered through CmRegisterCallbackEx), which are used to detect changes to the system registry; object callbacks (ObRegisterCallbacks), which let a driver run custom code in response to process, thread, and desktop handle operations; and process, thread, and image-load kernel notification callbacks (PsSetCreateProcessNotifyRoutineEx and its siblings), which allow endpoint security products to perform checks every time a process is created or a DLL is loaded.

The FudModule rootkit deletes all of these types of callbacks registered by security products in the kernel in order to impair their malware detection capabilities. The new variant makes only minor changes to which callbacks it removes. The rootkit also unregisters the file system minifilters that antivirus programs use to monitor file operations.

A new feature of the rootkit is to disable image verification callbacks which are invoked when a new driver image is loaded into kernel memory. This functionality is leveraged by some anti-malware programs to detect and block malicious or vulnerable drivers.

While this might seem to support the BYOVD technique, disabling these callbacks after the rootkit is already running makes little sense: by that point the driver that supplied the kernel primitive has already been loaded (or, in this version, appid.sys has already been exploited), so it is too late for the callbacks to matter. The most plausible explanation is that the attackers intend to load additional malicious drivers for some purpose after the rootkit has been deployed. Lazarus has been known in the past to use custom drivers to perform disk-wiping attacks.

Another new technique in this version aims to directly disable specific security products, namely AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro.
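The following is an added example, not code from the article or from Avast’s report: a read-only, user-mode PowerShell sanity check for two of the effects described above, a security product’s file-system minifilter no longer being registered and a PPL-protected process having all of its threads suspended. It is a heuristic rather than a rootkit detector, since code with kernel read/write can also falsify what these user-mode views show. The filter name WdFilter and the process name MsMpEng (Microsoft Defender) are this script’s assumptions for a Defender-only host; extend the lists with the names your EDR uses.

```powershell
# Added example (not from the original article or Avast's report).
# User-mode checks for two FudModule effects: an unregistered AV minifilter
# and a suspended PPL process. Heuristic only; kernel-level tampering can
# also hide from these views.

function Get-LoadedMinifilters {
    # fltmc.exe prints one row per registered filter, e.g.
    # "WdFilter   6   328010   0" (name, instance count, altitude, frame).
    # Header and separator rows do not match the pattern and are skipped.
    $lines = & fltmc.exe filters 2>$null
    foreach ($line in $lines) {
        if ($line -match '^(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>[\d.]+)\s+(?<frame>\S+)') {
            [pscustomobject]@{
                Name      = $Matches.name
                Instances = [int]$Matches.inst
                Altitude  = $Matches.alt
            }
        }
    }
}

function Test-ProcessSuspended {
    param([Parameter(Mandatory)][string]$Name)
    # Process.Threads is built from a system-wide snapshot, so it is readable
    # even for PPL processes that user mode cannot open with full access.
    # Returns $null if not running, $true if every thread is suspended, else $false.
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { return $null }
    foreach ($p in $procs) {
        $threads = @($p.Threads)
        # WaitReason is only valid while ThreadState is Wait; -and short-circuits.
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended' })
        if ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count) { return $true }
    }
    return $false
}

$expectedFilters = @('WdFilter')   # Defender's minifilter (assumed baseline)
$protectedProcs  = @('MsMpEng')    # Defender's PPL service process (assumed)

$loaded = @(Get-LoadedMinifilters)
foreach ($name in $expectedFilters) {
    $hit = $loaded | Where-Object { $_.Name -eq $name }
    if (-not $hit)                { Write-Warning "minifilter $name is not registered" }
    elseif ($hit.Instances -eq 0) { Write-Warning "minifilter $name has no volume instances" }
    else                          { "minifilter $name attached to $($hit.Instances) volume(s)" }
}

foreach ($name in $protectedProcs) {
    $state = Test-ProcessSuspended -Name $name
    if ($null -eq $state) { Write-Warning "$name is not running" }
    elseif ($state)       { Write-Warning "$name has every thread suspended" }
    else                  { "$name is running and not suspended" }
}
```

Run it from the same account that would normally observe the product working (an unelevated prompt is enough for both checks). A missing WdFilter row or a fully suspended MsMpEng on a host where Defender should be active is worth escalating, but the absence of a warning proves nothing, which is the usual caveat with user-mode checks against a kernel-level adversary.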

“The Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors. Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication,” the Avast researchers said. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”
