
Lazarus Group Exploits Zero-Day Vulnerability to Undermine Windows Antivirus Defenses

New research shows that the Lazarus Group has been exploiting a Windows zero-day vulnerability to disable antivirus and endpoint protection software on targeted Windows machines.

According to researchers at Avast, the North Korean state-sponsored group exploited a flaw in the Windows AppLocker driver, tracked as CVE-2024-21338, to gain kernel-level privileges on the targeted device and then disable the installed security software, clearing the way for further malware. The bug is an admin-to-kernel elevation of privilege: the attacker must already hold administrative rights on the machine, and the exploit is used to cross from there into the kernel, where code can tamper with security products in ways that user-mode administrator access cannot.

The vulnerability resides in appid.sys, the AppLocker kernel driver that Windows uses to identify applications and enforce application allow-list policy.

Unveiling Lazarus Group: Exploiting Zero-Day Vulnerability

Lazarus Group exploited the zero-day using a new version of its custom rootkit, FudModule.

Earlier versions of FudModule obtained kernel access by loading a vulnerable Dell driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. The new version instead exploits a driver that ships with Windows, so it no longer has to drop a third-party driver onto the system, removing an artifact that defenders could detect or block and making the rootkit harder to spot.

According to the report, the group used FudModule to disable several endpoint protection products, including AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro.

Avast reported the flaw to Microsoft, which released a fix in the February 2024 Patch Tuesday update.

Given the severity, the patch should be applied promptly. Because the exploit requires existing administrative access, restricting and monitoring local administrator rights also reduces exposure on systems that have not yet been updated.

Renowned for cyber-espionage and financial heists, Lazarus Group is believed to operate under the direct supervision of the North Korean government.

Their tactics include luring victims with fake job offers, an approach that has led to large cryptocurrency thefts, including roughly half a billion dollars in a single incident.

Via BleepingComputer