April 15, 2024

Microsoft has patched a zero-day vulnerability in its AppLocker application whitelisting software, but not before the North Korean state-backed Lazarus Group was able to leverage the flaw to pull off a rootkit cyberattack.

Researchers from Avast discovered the Microsoft zero-day flaw, tracked as CVE-2024-21338, and explained that it allowed Lazarus to use an updated version of its proprietary rootkit malware, known as "FudModule," to cross the admin-to-kernel boundary, according to a new report.

The zero-day was fixed on Feb. 13 as part of Microsoft's February Patch Tuesday update, and Avast released details of the exploit on Feb. 29.

Notably, the Avast analysts reported that FudModule has been turbocharged with new functionality, including a feature that suspends protected process light (PPL) processes belonging to the Microsoft Defender, CrowdStrike Falcon, and HitmanPro platforms.

Further, Lazarus Group ditched its earlier bring-your-own-vulnerable-driver (BYOVD) tactic for jumping from admin to kernel in favor of the more straightforward zero-day exploit, the researchers explained.

Avast also discovered a new Lazarus remote access Trojan (RAT), about which the vendor pledges to release more details later.

"Although their [Lazarus Group's] signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected technical sophistication," the Avast report said. "The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal."