The infamous Lazarus Group is exploiting a zero-day vulnerability to disable antivirus programs on specific Windows endpoints, new research claims.
Cybersecurity experts at Avast said they have observed a new campaign from North Korean state-sponsored hackers, now exploiting a flaw in Windows' AppLocker driver. This flaw, tracked as CVE-2024-21338, allowed them to gain kernel-level access to the device. They used it to disable any antivirus programs installed on the device, opening the door to more harmful malware.
The flaw was found in the appid.sys driver, a Windows AppLocker component that handles whitelisting.
Who are the Lazarus Group?
To exploit the zero-day, Lazarus used a new version of FudModule, its proprietary rootkit that was first detected in late 2022. In previous attacks, the rootkit abused a Dell driver in what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack. Now, FudModule is stealthier and more functional, offering more ways to avoid detection and disable endpoint protection solutions.
The group apparently used it to disable products such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.
Avast reported its findings to Microsoft, which released a fix for the flaw as part of its February 2024 Patch Tuesday cumulative update. Patching is also the only way to stay safe, so it's recommended to apply the update without delay.
Lazarus Group is one of the most prominent and infamous cybercriminal organizations in the world. Investigators believe it is under the direct control of the North Korean government and often uses its skills for cyber espionage, but also for monetary theft.
The group is known for its “fake jobs” attacks, in which they promote fake jobs on social media sites and engage in multiple rounds of negotiations with potential candidates, typically software developers. One such attack against a cryptocurrency business resulted in the theft of over $500 million in various crypto tokens.
Via BleepingComputer