
Security researchers have published technical details and proof-of-concept (PoC) exploit code for CVE-2024-21338, a zero-day vulnerability recently exploited by the state-backed North Korean hacking group Lazarus. The flaw resides in the Windows kernel and allows attackers to gain deep system-level control and disable security tools.
The Lazarus Group exploited this vulnerability to obtain a kernel read/write primitive through an updated version of their FudModule rootkit, malware previously noted for abusing a Dell driver in bring-your-own-vulnerable-driver (BYOVD) attacks. The new exploitation method let them achieve kernel-level access while avoiding the more easily detected BYOVD techniques.
The rootkit now includes the ability to suspend processes protected by Protected Process Light (PPL) by manipulating handle table entries. It also features selective disruption strategies based on direct kernel object manipulation (DKOM), and it has improved methods for tampering with Driver Signature Enforcement and Secure Boot mechanisms.
This access was used to disable security tools, including prominent ones like Microsoft Defender and CrowdStrike Falcon, thus facilitating further malicious activities without detection.
Following Avast's initial analysis, researcher Nero22k released PoC exploit code for the Windows kernel vulnerability (CVE-2024-21338) last month. Rafael Felix of Hakai Security has since published technical details and a proof-of-concept for the flaw.
The exploit involves manipulating the input/output control (IOCTL) dispatcher of the appid.sys driver so that it calls an arbitrary pointer. This deceives the kernel into executing unsafe code, effectively bypassing its built-in security checks. Using the primitive this vulnerability provides, the FudModule rootkit performs DKOM to disable security products, hide its activities, and maintain persistence on infected systems.
The immediate and most effective defense against this exploit is to apply the updates Microsoft released in the February 2024 Patch Tuesday.
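As an added example that is not part of the article, the following PowerShell script gives an administrator a quick way to confirm the mitigation above on a Windows host: it reports the on-disk version of the appid.sys driver the exploit targets and lists which updates were installed on or after the February 2024 Patch Tuesday. The KB identifier is a placeholder to be filled in from Microsoft's advisory for CVE-2024-21338 (the article does not name it), and the 2024-02-13 cut-off date is an assumption based on the February 2024 Patch Tuesday.

```powershell
# Added example (not from the article): defender-side check that the February 2024
# update is present and report the on-disk version of appid.sys.
# Assumptions: the KB number below is a placeholder to be taken from the Microsoft
# advisory for CVE-2024-21338; 2024-02-13 is the February 2024 Patch Tuesday.
param(
    [string]$ExpectedKb = 'KB<FILL-IN-FROM-MSRC-ADVISORY>',   # placeholder, not a real KB
    [datetime]$PatchTuesday = [datetime]'2024-02-13'
)

# 1. Report the version of the driver whose IOCTL dispatcher the exploit abuses.
$driver = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
if (Test-Path $driver) {
    $info = (Get-Item $driver).VersionInfo
    Write-Host ("appid.sys file version: {0} (product version {1})" -f $info.FileVersion, $info.ProductVersion)
} else {
    Write-Warning "appid.sys not found at $driver"
}

# 2. List updates installed on or after the February 2024 Patch Tuesday.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn
if ($recent) {
    Write-Host "Updates installed on or after $($PatchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($PatchTuesday.ToShortDateString()); host may still be exposed to CVE-2024-21338."
}

# 3. If the operator supplied the real KB from the advisory, check for it explicitly.
if ($ExpectedKb -notlike 'KB<*') {
    $present = Get-HotFix -Id $ExpectedKb -ErrorAction SilentlyContinue
    if ($present) {
        Write-Host "$ExpectedKb is installed (installed on $($present.InstalledOn))."
    } else {
        Write-Warning "$ExpectedKb is NOT installed; apply the February 2024 update."
    }
}
```

Run it from an elevated PowerShell prompt; Get-HotFix only reflects updates recorded by Windows Update, so on hosts patched through other channels the driver version reported in step 1 should be compared against the file version listed in Microsoft's advisory.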