
Microsoft Zero-Day Used by Lazarus in Rootkit Attack

North Korean state actors Lazarus Group used a Windows AppLocker zero-day, along with a new and improved rootkit, in a recent cyberattack, researchers report.

Dark Reading Staff, Dark Reading

March 1, 2024


Microsoft has patched a zero-day vulnerability in its AppLocker application whitelisting software, but not before the North Korean state-backed Lazarus Group was able to leverage the flaw to pull off a rootkit cyberattack.

Researchers from Avast discovered the Microsoft zero-day flaw, tracked as CVE-2024-21338, and explained in a new report that it allowed Lazarus to use an updated version of its proprietary rootkit malware, called "FudModule," to cross the admin-to-kernel boundary.

The zero-day was fixed on Feb. 13 as a part of Microsoft's February Patch Tuesday update, and Avast released details of the exploit on Feb. 29.

Notably, the Avast analysts reported that FudModule has been turbocharged with new functionality, including a feature that suspends Protected Process Light (PPL) processes belonging to the Microsoft Defender, CrowdStrike Falcon, and HitmanPro platforms.

Further, the team explained, Lazarus Group ditched its previous bring-your-own-vulnerable-driver (BYOVD) tactic for jumping from admin to kernel in favor of the more straightforward zero-day exploit approach.

Avast also discovered a new Lazarus remote access Trojan (RAT), about which the vendor pledges to release more details later.

"Though their [Lazarus Group's] signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected technical sophistication," the Avast report said. "The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal."
