About the Group
Lazarus Group (also known as Guardians of Peace or WhoisTeam) is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea.
· The North Korean threat actor Lazarus has operated for more than 10 years and is behind infamous cyber incidents such as the attack on Sony Pictures in 2014 and the spread of the WannaCry ransomware in 2017.
· Unlike most other state actors, Lazarus is highly financially motivated and attempts to prop up the feeble North Korean economy.
· Because the regime supports and directs them, North Korean threat actors face no risk of prosecution in their home country, quite the contrary. It is therefore very likely that the Lazarus group will continue to operate for years to come.
Introduction
The Lazarus threat group has recently exploited a Windows kernel privilege-escalation vulnerability that let it establish a kernel-level read/write primitive.
This previously undisclosed vulnerability resides in appid.sys, the AppLocker driver, and has been assigned CVE-2024-21338. Microsoft addressed it in the February 2024 Patch Tuesday release. Once the primitive is established, the threat actors manipulate kernel objects directly through their updated FudModule rootkit, employing advanced handle table entry manipulation techniques.
Lazarus Hackers Exploited Windows 0-day
According to a report by Avast, the threat actors had previously relied on Bring Your Own Vulnerable Driver (BYOVD) techniques for admin-to-kernel privilege escalation, a conspicuous method because a driver file has to be dropped and loaded. The new zero-day exploit provides a stealthier avenue for establishing kernel-level read/write primitives.
Investigation reveals that this vulnerability had existed in Windows for some time, while Microsoft maintained the stance that "administrator-to-kernel is not a security boundary." Because such bugs are not treated as crossing a security boundary, an attacker who already holds admin-level privileges can use a Windows kernel vulnerability of this kind to reach the kernel.
Once kernel-level access is attained, malicious activities such as disrupting security software, hiding infection indicators, and disabling kernel-mode telemetry become possible.
Lazarus And Three Types Of Admin-To-Kernel Exploits
Avast describes three categories of admin-to-kernel exploits, each with a trade-off between attack difficulty and stealth:
● N-day BYOVD exploits (the attacker drops a known-vulnerable signed driver on the file system and loads it into the kernel)
● Zero-day BYOVD exploits (the attacker must first discover a zero-day vulnerability in a signed third-party driver), and
● Beyond BYOVD (a zero-day in a driver already present on the target, so nothing has to be dropped or loaded; this is the approach used by the Lazarus threat group).
The Lazarus group chose the third method to cross the admin-to-kernel boundary on Windows systems as stealthily as possible.
In addition, exploiting a built-in driver leaves no dropped driver file behind and spares the attackers from having to swap in another vulnerable driver whenever one is blocklisted, which helps them stay undetected for longer periods.
The malware took advantage of a weakness in Microsoft's appid.sys driver, the part of Windows AppLocker responsible for controlling which applications may run. Lazarus exploited this weakness through the driver's Input/Output Control (IOCTL) dispatcher: a handler in appid.sys could be made to call a pointer supplied from user mode, so an administrator could direct the kernel to invoke code of the attacker's choosing, effectively bypassing the security controls that normally separate administrator and kernel.
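As an added illustration of the bug class described above (this is not appid.sys code and not the actual exploit), the following user-mode C model shows an IOCTL-style handler that calls a function pointer taken straight from the caller's input buffer, next to a hardened version that only dispatches through a table the "kernel" owns. The request layouts, function names and return codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical callback type; stands in for whatever routine the driver
 * would invoke while processing the request. */
typedef void (*hash_callback_t)(void *context);

/* Vulnerable request layout (assumption): the caller supplies the pointer
 * that the handler will call. In a real driver this field would be filled
 * from an admin-controlled user-mode buffer. */
struct hash_request {
    hash_callback_t callback;
    void *context;
};

/* Constructed "kernel" side: counters tell us which code actually ran. */
static int g_legit_calls = 0;
static int g_attacker_calls = 0;

static void legit_hash_callback(void *context) { (void)context; g_legit_calls++; }

/* Stands in for an attacker-chosen target, e.g. a kernel routine that
 * would hand back a read/write primitive. */
static void attacker_payload(void *context) { (void)context; g_attacker_calls++; }

/* Vulnerable dispatch: trusts a code pointer that came from user mode. */
int vulnerable_ioctl_handler(const void *in_buf, size_t in_len)
{
    struct hash_request req;
    if (in_len < sizeof req) return -1;          /* buffer too small */
    memcpy(&req, in_buf, sizeof req);
    req.callback(req.context);                   /* arbitrary call, attacker picks the target */
    return 0;
}

/* Hardened dispatch: the request carries an index, never a pointer, and the
 * handler resolves it against its own fixed table. */
enum { HASH_CB_DEFAULT = 0, HASH_CB_COUNT };
static const hash_callback_t k_callback_table[HASH_CB_COUNT] = { legit_hash_callback };

struct hash_request_v2 {
    uint32_t callback_id;
    uint32_t reserved;
    void *context;
};

int hardened_ioctl_handler(const void *in_buf, size_t in_len)
{
    struct hash_request_v2 req;
    if (in_len < sizeof req) return -1;          /* buffer too small */
    memcpy(&req, in_buf, sizeof req);
    if (req.callback_id >= HASH_CB_COUNT) return -2;  /* reject out-of-range id */
    k_callback_table[req.callback_id](req.context);
    return 0;
}

int attacker_call_count(void) { return g_attacker_calls; }
int legit_call_count(void) { return g_legit_calls; }
void reset_counters(void) { g_attacker_calls = 0; g_legit_calls = 0; }

/* Attacker path against the vulnerable handler: returns how many times the
 * attacker's function was invoked (expected 1), or -100 if the call failed. */
int run_attack_against_vulnerable(void)
{
    struct hash_request req = { attacker_payload, NULL };
    reset_counters();
    if (vulnerable_ioctl_handler(&req, sizeof req) != 0) return -100;
    return attacker_call_count();
}

/* Same intent against the hardened handler: a bogus id is refused (-2). */
int run_attack_against_hardened(void)
{
    struct hash_request_v2 req = { 0xdeadbeefu, 0, NULL };
    reset_counters();
    return hardened_ioctl_handler(&req, sizeof req);
}

/* Legitimate use of the hardened handler: returns the legit call count (1). */
int run_legit_against_hardened(void)
{
    struct hash_request_v2 req = { HASH_CB_DEFAULT, 0, NULL };
    reset_counters();
    if (hardened_ioctl_handler(&req, sizeof req) != 0) return -100;
    return legit_call_count();
}

int main(void)
{
    printf("vulnerable handler, attacker callbacks run: %d\n", run_attack_against_vulnerable());
    printf("hardened handler, attacker request status: %d\n", run_attack_against_hardened());
    printf("hardened handler, legit callbacks run:    %d\n", run_legit_against_hardened());
    return 0;
}
```

The point of the model is the design rule, not the specific field names: a kernel component must never treat bytes received from user mode as a code address, even when the caller is an administrator, because that turns a "not a security boundary" bug into a reliable admin-to-kernel primitive.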
Figure 1: Direct syscalls used in the exploit (Avast)
The FudModule rootkit, which ships together with the exploit, performs direct kernel object manipulation (DKOM). This allowed it to disable security software, conceal malicious activity, and maintain its foothold on compromised systems. Among the targeted security products were AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro anti-malware.
Avast found new stealth capabilities in the updated rootkit version, including the ability to target processes protected by Protected Process Light (PPL), to disrupt operations selectively through DKOM, and to manipulate Driver Signature Enforcement and Secure Boot state more precisely than before.
This advancement in exploit tactics, as Avast notes, represents a significant enhancement in the threat actor's ability to reach the kernel. It enables them to conduct more covert attacks and to keep control over compromised systems for extended periods.
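To make concrete what "direct kernel object manipulation" buys an attacker and how defenders catch it, here is an added user-mode C model that is not FudModule code and does not reproduce any of its specific techniques. It mimics the classic Windows pattern of process objects chained through ActiveProcessLinks: unlinking one entry hides it from any enumerator that walks the list, while the object itself keeps running. A second, independent view (a PID table standing in for the kernel's object table) gives the cross-view check that exposes the discrepancy. Structure names and layouts are simplified assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Doubly linked circular list in the style of the NT kernel. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Simplified stand-in for a process object (assumption, not EPROCESS). */
struct process {
    uint32_t pid;
    char name[16];
    LIST_ENTRY ActiveProcessLinks;
};

#define MAX_PROC 8
static struct process g_procs[MAX_PROC];
static struct process *g_pid_table[MAX_PROC];   /* view 2: indexed by pid, NULL if unused */
static LIST_ENTRY g_active_head;                 /* view 1: stands in for the active-process list head */

static void list_init(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void list_insert_tail(LIST_ENTRY *head, LIST_ENTRY *e)
{
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Constructed sample system: four processes with pids 1..4. */
void init_process_list(void)
{
    static const char *names[] = { "System", "lsass", "edr_agent", "implant" };
    list_init(&g_active_head);
    memset(g_pid_table, 0, sizeof g_pid_table);
    for (uint32_t i = 0; i < 4; i++) {
        struct process *p = &g_procs[i];
        p->pid = i + 1;
        strncpy(p->name, names[i], sizeof p->name - 1);
        p->name[sizeof p->name - 1] = '\0';
        list_insert_tail(&g_active_head, &p->ActiveProcessLinks);
        g_pid_table[p->pid] = p;
    }
}

/* The DKOM step: rewrite the neighbours' pointers so a list walk skips this
 * entry, then point the entry at itself so a later unlink of it cannot
 * corrupt the list. The object and its table slot are left untouched. */
bool dkom_hide_process(uint32_t pid)
{
    for (LIST_ENTRY *e = g_active_head.Flink; e != &g_active_head; e = e->Flink) {
        struct process *p = CONTAINING_RECORD(e, struct process, ActiveProcessLinks);
        if (p->pid != pid) continue;
        e->Blink->Flink = e->Flink;
        e->Flink->Blink = e->Blink;
        e->Flink = e->Blink = e;
        return true;
    }
    return false;   /* not on the list (never existed, or already hidden) */
}

/* View 1: what a list-walking enumerator or telemetry hook sees. */
int count_via_list_walk(void)
{
    int n = 0;
    for (LIST_ENTRY *e = g_active_head.Flink; e != &g_active_head; e = e->Flink) n++;
    return n;
}

/* View 2: the object table, which the rootkit did not modify. */
int count_via_pid_table(void)
{
    int n = 0;
    for (int i = 0; i < MAX_PROC; i++) if (g_pid_table[i]) n++;
    return n;
}

/* Cross-view detection: an object reachable from the table but absent from
 * the list is being hidden. Returns the first such pid, or 0 if none. */
uint32_t first_hidden_pid(void)
{
    for (int i = 0; i < MAX_PROC; i++) {
        struct process *p = g_pid_table[i];
        if (!p) continue;
        bool seen = false;
        for (LIST_ENTRY *e = g_active_head.Flink; e != &g_active_head; e = e->Flink)
            if (CONTAINING_RECORD(e, struct process, ActiveProcessLinks) == p) seen = true;
        if (!seen) return p->pid;
    }
    return 0;
}

int main(void)
{
    init_process_list();
    printf("before: list=%d table=%d hidden_pid=%u\n",
           count_via_list_walk(), count_via_pid_table(), first_hidden_pid());
    dkom_hide_process(4);   /* hide "implant" from list-based enumeration */
    printf("after:  list=%d table=%d hidden_pid=%u\n",
           count_via_list_walk(), count_via_pid_table(), first_hidden_pid());
    return 0;
}
```

The model also shows why kernel-level telemetry is such an attractive target for a rootkit with a read/write primitive: every detection view lives in the same memory the attacker can write, so cross-view checks only help as long as at least one view has not been tampered with.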
Figure 2: Rootkit's main function executing individual techniques (Avast)
The most effective defense against this threat is to promptly apply the February 2024 Patch Tuesday updates. Since Lazarus leverages a vulnerability in a core Windows driver, detecting and halting these attacks can be particularly challenging without the latest security patches.
"Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors," Vojtěšek said. "The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal."