
Avast has uncovered details surrounding a zero-day exploit actively used by the Lazarus Group, targeting a vulnerability in the Windows appid.sys driver. This kernel-level vulnerability allowed attackers to deploy an advanced, stealthy rootkit, named “FudModule.”
The vulnerability, located in the `appid.sys` AppLocker driver and tracked as CVE-2024-21338 with a CVSS score of 7.8, is a Windows Kernel Elevation of Privilege vulnerability. Exploiting it requires prior access to the system: from there, an attacker runs a specially crafted application that leverages the flaw to gain SYSTEM privileges.
Avast released the PoC exploit in August 2023 and promptly reported it to Microsoft, which, as part of the February 2024 Patch Tuesday, added an ExGetPreviousMode check to the IOCTL handler to mitigate the vulnerability. Although the flaw was not initially marked as a zero-day, Microsoft confirmed in a later update on February 28th that it was being actively exploited in the wild.
The Lazarus Group exploited the vulnerability with the sinister objective of establishing a kernel read/write primitive. This primitive was instrumental in the evolution of their FudModule rootkit, which shows significant advances in both functionality and stealth. Avast’s deep dive into the updated rootkit variant revealed a sophisticated blend of new and enhanced techniques, pushing the boundaries of cyber espionage and sabotage.
A notable innovation in the rootkit’s arsenal is a technique aimed at suspending processes protected under the Protected Process Light (PPL) framework, including those integral to security solutions like Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
This advancement, alongside the shift from more detectable bring-your-own-vulnerable-driver (BYOVD) techniques to exploiting a zero-day vulnerability, marks a strategic pivot in Lazarus’s approach to maintaining persistence and evading detection.
Avast has provided YARA rules to aid defenders in detecting activities linked to the FudModule rootkit.
rule fudmodule_v2_sequences
{
    meta:
        reference = "https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/"
    strings:
        $s00 = "overwrite pvmode failed. %X"
        $s01 = "%s\\temp\\tem1245.tmp"
        $s02 = "get NTKernelBase and some DriverBase failed."
        $s03 = "ClearVaccineNotifyRoutine failed."
        $s04 = "DisableUserEtwSource (%d/%d) passed."
        $s05 = "ClearVaccineNetworkFilterRoutine skipped."
        $h00 = {65 48 8B 04 25 30 00 00 00 48 8B CB 48 8B 50 60 48 89 13 80 7A 02 01 75 16 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 F0 E9}
        $h01 = {48 C7 81 F0 00 00 00 20 01 00 00 48 C7 81 F8 00 00 00 A0 00 00 00 48 C7 81 08 01 00 00 A0 00 00 00 48 C7 81 18 01 00 00 68 00 00 00 48 C7 81 20 01 00 00 40 00 00 00}
        $h02 = {05 9F B5 FF FF 83 F8 04 0F 87 ?? ?? ?? ?? 48 C7 81 28 01 00 00 80 10 00 00}
        $h03 = {48 A3 08 00 00 80 00 00 00 00 48 8B 43 38 48 8B 4B 60}
        $h04 = {C7 45 ?? 65 72 53 69 C7 45 ?? 6C 6F 4E 61 66 C7 45 ?? 6D 65 C6 45 ?? 00 66 C7 45 ?? 48 8D}
        $h05 = {66 C7 45 ?? 4C 8B C6 45 ?? 3D 66 C7 45 ?? 48 8D C6 45 ?? 05 C7 45 ?? 46 6C 74 45 C7 45 ?? 6E 75 6D 65}
    condition:
        2 of them
}
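To make the rule's semantics concrete, the following added example (not Avast's code and not part of the original article) re-implements its matching logic in plain Python: the `??` wildcards in the hex strings become single-byte regex wildcards, the text strings are matched as literal bytes, and the `2 of them` condition is applied on top. The sample buffers are constructed here purely to exercise the rule; they are not real FudModule binaries, and the bytes filling the wildcard positions are arbitrary.

```python
import re

# Text strings from the fudmodule_v2_sequences rule. YARA's "\\" escape is a
# single backslash, which the Python byte literals below reproduce.
TEXT_STRINGS = {
    "$s00": b"overwrite pvmode failed. %X",
    "$s01": b"%s\\temp\\tem1245.tmp",
    "$s02": b"get NTKernelBase and some DriverBase failed.",
    "$s03": b"ClearVaccineNotifyRoutine failed.",
    "$s04": b"DisableUserEtwSource (%d/%d) passed.",
    "$s05": b"ClearVaccineNetworkFilterRoutine skipped.",
}

# Hex strings from the same rule; "??" is a one-byte wildcard.
HEX_STRINGS = {
    "$h00": "65 48 8B 04 25 30 00 00 00 48 8B CB 48 8B 50 60 48 89 13 80 7A 02 01 75 16 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 F0 E9",
    "$h01": "48 C7 81 F0 00 00 00 20 01 00 00 48 C7 81 F8 00 00 00 A0 00 00 00 48 C7 81 08 01 00 00 A0 00 00 00 48 C7 81 18 01 00 00 68 00 00 00 48 C7 81 20 01 00 00 40 00 00 00",
    "$h02": "05 9F B5 FF FF 83 F8 04 0F 87 ?? ?? ?? ?? 48 C7 81 28 01 00 00 80 10 00 00",
    "$h03": "48 A3 08 00 00 80 00 00 00 00 48 8B 43 38 48 8B 4B 60",
    "$h04": "C7 45 ?? 65 72 53 69 C7 45 ?? 6C 6F 4E 61 66 C7 45 ?? 6D 65 C6 45 ?? 00 66 C7 45 ?? 48 8D",
    "$h05": "66 C7 45 ?? 4C 8B C6 45 ?? 3D 66 C7 45 ?? 48 8D C6 45 ?? 05 C7 45 ?? 46 6C 74 45 C7 45 ?? 6E 75 6D 65",
}

# Minimum number of matching strings required by the rule's condition.
REQUIRED_MATCHES = 2


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string into a compiled bytes regex.

    Fixed bytes are escaped so that values like 0x28 ('(') stay literal;
    '??' becomes '.', and DOTALL lets '.' match 0x0A as well.
    """
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


HEX_REGEXES = {name: hex_pattern_to_regex(p) for name, p in HEX_STRINGS.items()}


def matching_strings(data: bytes) -> set:
    """Return the names of all rule strings present in `data`."""
    hits = {name for name, s in TEXT_STRINGS.items() if s in data}
    hits |= {name for name, rx in HEX_REGEXES.items() if rx.search(data)}
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: at least two strings must match."""
    return len(matching_strings(data)) >= REQUIRED_MATCHES


def _hexbytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


# Constructed sample: one text string plus two hex sequences, with the four
# wildcard bytes of $h02 filled with the arbitrary values DE AD BE EF.
SAMPLE_HIT = (
    b"\x00" * 16
    + b"overwrite pvmode failed. %X\x00"
    + _hexbytes("05 9F B5 FF FF 83 F8 04 0F 87 DE AD BE EF 48 C7 81 28 01 00 00 80 10 00 00")
    + b"\x90" * 8
    + _hexbytes("48 A3 08 00 00 80 00 00 00 00 48 8B 43 38 48 8B 4B 60")
)

# Constructed sample with only one string present: below the "2 of them" bar.
SAMPLE_MISS = b"\x90" * 32 + b"overwrite pvmode failed. %X\x00" + b"\x90" * 32

# Constructed sample containing none of the strings.
SAMPLE_CLEAN = b"This is an ordinary buffer with no FudModule artefacts.\x00" * 4


if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("clean", SAMPLE_CLEAN)):
        print(label, sorted(matching_strings(buf)), "->", rule_matches(buf))
```

The wildcard handling is the part worth studying: `$h02` still matches even though the four bytes after `0F 87` (a relative jump target) differ between builds, which is exactly why Avast wrote those positions as `??`. The `2 of them` condition is what keeps a single coincidental string from producing a hit, as the `SAMPLE_MISS` buffer shows. In production, run the original rule through the real yara engine (or `yara-python`) rather than this re-implementation, which exists only to illustrate the matching logic.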

