CVE-2024-21338: How Lazarus uses Windows Drivers to create an immortal rootkit

Even existing security mechanisms do not protect against the new attack technique.

The North Korean Lazarus group exploited a vulnerability in the Windows AppLocker driver to gain kernel-level access and disable security tools while avoiding detection.

Avast identified the hackers' activity and reported it to Microsoft, which led to the fixing of a Windows kernel vulnerability, designated CVE-2024-21338 (CVSS score: 7.8) and classed as a privilege escalation flaw. However, Microsoft did not classify the flaw as a zero-day. The bug was fixed in the February Patch Tuesday update.

The Lazarus group used CVE-2024-21338 to obtain a kernel read/write primitive in an updated version of its FudModule rootkit, first documented by ESET in late 2022. It is worth noting that FudModule uses the BYOVD (Bring Your Own Vulnerable Driver) method, in which the attackers exploit a vulnerability in a device driver. The flaw gives the attackers a free hand, granting them full access to kernel memory.

The new version of FudModule introduces significant improvements in stealth and functionality, including new methods to bypass detection and disable security mechanisms such as Microsoft Defender and CrowdStrike Falcon.

In addition, Avast discovered a previously undocumented Remote Access Trojan (RAT) used by the group, about which the company promises to reveal more at the Black Hat Asia conference in April.

The exploitation method involved manipulating the I/O manager of the appid.sys driver to call an arbitrary pointer, which allowed security checks to be bypassed. The FudModule rootkit then performed Direct Kernel Object Manipulation (DKOM) operations to disable security products, hide malicious activity, and maintain persistence on the infected system.

The targeted products include AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro antivirus solution. The new version of the rootkit adds stealth and advanced capabilities, including the ability to suspend protected processes and to selectively and deliberately disrupt security software.

Avast emphasizes that the new exploitation tactics indicate a significant evolution in the attackers' ability to carry out stealthy attacks and maintain control over compromised systems for a long time. The only effective security measure is the timely application of updates, since the abuse of a built-in Windows driver makes the attack particularly difficult to detect and stop.