The infamous Lazarus Group is exploiting a zero-day vulnerability to disable antivirus programs on targeted Windows endpoints, new research shows.
Cybersecurity experts at Avast said they have spotted a new campaign by the North Korean state-sponsored hackers, which is now exploiting a flaw in the Windows AppLocker driver. This flaw, tracked as CVE-2024-21338, allowed them to gain kernel-level access to the device. They used it to disable any antivirus programs installed on the device, opening the door for more disruptive malware.
The flaw was found in the appid.sys driver, a component of Windows AppLocker that handles the whitelisting.
Who are the Lazarus Group?
To exploit the zero-day, Lazarus used a new version of FudModule, its proprietary rootkit first spotted in late 2022. In previous attacks, the rootkit exploited a Dell driver in a so-called Bring Your Own Vulnerable Driver (BYOVD) attack. . Now FudModule is more discreet and functional, offering more ways to avoid detection and disable endpoint protection solutions.
Apparently the group used it to disable products such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.
Avast notified Microsoft of its findings, who released a fix for the flaw as part of the February 2024 Patch Tuesday cumulative update. This is also the only way to stay safe, so it is advised to apply the patch without hesitation to bring.
Lazarus Group is one of the world’s most prominent and notorious cybercriminal organizations. Researchers believe it is under the direct control of the North Korean government and that the country often uses its skills for cyber espionage, as well as cash heists.
The group is known for its “fake job” attacks, in which they promote fake jobs on social media sites and engage in multiple rounds of negotiations with potential candidates, usually software developers. One such attack on a cryptocurrency company resulted in the theft of over half a billion dollars worth of various crypto tokens.
Through BleepingComputer
