Microsoft has patched a zero-day vulnerability in its AppLocker application whitelisting software, but not before the North Korean state-backed Lazarus Group was able to leverage the flaw to pull off a rootkit cyberattack.
Researchers from Avast discovered the Microsoft zero-day flaw, tracked as CVE-2024-21338, and explained that it allowed Lazarus to use an updated version of its proprietary rootkit malware, called "FudModule", to cross the admin-to-kernel boundary, according to a new report.
The zero-day was fixed on Feb. 13 as part of Microsoft's February Patch Tuesday update, and Avast released details of the exploit on Feb. 29.
Notably, the Avast analysts reported that FudModule has been turbocharged with new functionality, including a feature that suspends protected process light (PPL) processes belonging to the Microsoft Defender, CrowdStrike Falcon, and HitmanPro platforms.
Further, Lazarus Group ditched its earlier bring-your-own-vulnerable-driver (BYOVD) tactic for jumping from admin to kernel, using the more straightforward zero-day exploit method instead, the team explained.
Avast also discovered a new Lazarus remote access Trojan (RAT), about which the vendor pledges to release more details later.
"Though their [Lazarus Group's] signature tactics and techniques are well-known by now, they still occasionally manage to surprise us with an unexpected technical sophistication," the Avast report said. "The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal."