Microsoft has patched a zero-day vulnerability in its AppLocker application whitelisting software, but not before the North Korean state-backed Lazarus Group was able to leverage the flaw to pull off a rootkit cyberattack.
Researchers from Avast discovered the Microsoft zero-day flaw, tracked as CVE-2024-21338, and explained that it allowed Lazarus to use an updated version of its proprietary rootkit malware, known as “FudModule”, to cross the admin-to-kernel boundary, according to a new report.
The zero-day was fixed on Feb. 13 as part of Microsoft’s February Patch Tuesday update, and Avast released details of the exploit on Feb. 29.
Notably, the Avast analysts reported that FudModule has been turbocharged with new functionality, including a feature that suspends protected process light (PPL) processes found in the Microsoft Defender, CrowdStrike Falcon, and HitmanPro platforms.
Further, Lazarus Group ditched its earlier bring-your-own-vulnerable-driver (BYOVD) tactic for jumping from admin to kernel in favor of the more straightforward zero-day exploit technique, the team explained.
Avast also discovered a new Lazarus remote access Trojan (RAT), about which the vendor pledges to release more details later.
“Although their [Lazarus Group’s] signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected technical sophistication,” the Avast report said. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”