Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day

Category	Details
Threat Actors	Lazarus Group
Campaign Overview	Exploitation of a zero-day vulnerability in the appid.sys AppLocker driver to gain kernel access, manipulate objects, and deploy an updated version of FudModule rootkit.
Target Regions (Or Victims)	General Windows systems, likely targeting organizations with high-value or sensitive data. Specific regions not mentioned.
Methodology	Exploitation of the CVE-2024-21338 zero-day vulnerability through an admin-to-kernel boundary exploit, using a custom kernel function pointer manipulation.
Product Targeted	Windows operating systems with AppLocker technology.
Malware Reference	FudModule rootkit (updated version)
Tools Used	Exploits the appid.sys AppLocker driver and kernel function pointer manipulation.
Vulnerabilities Exploited	CVE-2024-21338: Zero-day vulnerability in the appid.sys AppLocker driver, which allows kernel function pointer manipulation.
TTPs	Exploits vulnerable drivers for admin-to-kernel privilege escalation (BYOVD). Utilizes kernel object manipulation, suspended PPL processes, and stealth techniques.
Attribution	Lazarus Group
Recommendations	Regular patching of Windows drivers, enhanced monitoring for suspicious kernel activities, and use of defense-in-depth techniques like DSE and HVCI to protect against BYOVD attacks.
Source	Avast

Read full article: https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/?utm_source=rss&utm_medium=rss&utm_campaign=lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day

Disclaimer: The above summary has been generated by an AI language model