Lazarus And The FudModule Rootkit : Beyond BYOVD With An Admin-To-Kernel Zero-Day

The Lazarus threat group has been exploiting a Microsoft vulnerability associated with Windows Kernel Privilege Escalation to establish a kernel-level read/write primitive.

This vulnerability was previously unknown which exists in the appid.sys AppLocker driver.

This vulnerability has been assigned with CVE-2024-21338 and has been addressed by Microsoft on their February patch.

Once established, threat actors could perform direct kernel object manipulation in their new version of the FudModule rootkit. There has been a major advancement in the rootkit, which handles table entry manipulation techniques.

Lazarus Hackers Exploited Windows 0-day

According to the Avast report, the threat actors were previously using BYOVD (Bring Your Own Vulnerable Driver) techniques for establishing the admin-to-kernel primitive, which is a noisy method.

But it seems like this new zero-day exploitation has paved a new way for establishing kernel-level read/write primitives.

Investigating further, it was discovered that this issue is technically due to a thin line on Windows Security that Microsoft has left for a long time.

Microsoft still holds the right to patch admin-to-kernel vulnerabilities, stating that “administrator-to-kernel is not a security boundary”.

Triggered Vulnerability (Source: Avast)

This also means that threat actors who have admin-level privileges still have access to exploit the kernel of Windows. As this is an open space for attackers to play with, they try to exploit vulnerabilities in every possible way to access the Kernel. 

Once kernel-level access is achieved, the threat actors can do any kind of malicious activities, including disruption of software, concealing infection indicators, kernel-mode telemetry disabling, and much more.

Lazarus And Three Types Of Admin-To-kernel Exploits

There were three categories of Admin-to-kernel exploits discovered, each with a trade-off between attack difficulty and stealth. 

  • N-Day BYOVD Exploits (requires the attacker to drop a vulnerable drive on the file system and load it to the kernel)
  • Zero-day exploits (requires the attacker to discover a zero-day vulnerability) and 
  • Beyond BYOVD (used by the Lazarus threat group for exploiting the kernel).

Moreover, the Lazarus group selected the third method of kernel exploit as a means of stealth and to cross the admin-to-kernel boundary on Windows systems.

In addition, this approach also offers the minimizing of swapping with another vulnerability that enables the threat actors to stay undetected for longer periods.

Access control entries (Source: Avast)

Exploitation

The threat group’s exploitation begins with performing a one-time setup for both the exploit and the rootkit by dynamically resolving all necessary Windows API functions. After this, the exploit inspects the build number to see if the version supports this rootkit. 

If it is supported, the hard-coded constants are tailored for the build version, which can sometimes lead to updating the build revision.

This is done so that the exploit does not have any interruption during the execution and that it supports a wide range of target machines. 

The FudModule Rootkit is a data-only rootkit that is capable of read/write primitives that affect the user-mode thread and can read and write arbitrary kernel memory using system calls.

It is executed entirely from user space, and kernel tampering is performed with the rootkit’s privileges.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter

Eswar is a Cyber security reporter with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is reporting data breach, Privacy and APT Threats.