Microsoft has patched a zero-day vulnerability in its AppLocker application whitelisting software, but not before the North Korean state-backed Lazarus Group was able to exploit the flaw to carry out rootkit attacks.
Avast researchers discovered the Microsoft zero-day, tracked as CVE-2024-21338, which allowed Lazarus to use an updated version of its own rootkit, “FudModule”, to cross the admin-to-kernel boundary, according to a new report.
The zero-day was fixed on February 13th as part of Microsoft’s February Patch Tuesday update; Avast published details of the exploit on February 29th.
Notably, Avast analysts report that significant new functionality has been added to FudModule, including the ability to suspend Protected Process Light (PPL) processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
Further, the Lazarus Group has abandoned its earlier Bring Your Own Vulnerable Driver (BYOVD) tactics in favor of the simpler zero-day exploit approach to jump from administrator to kernel, the team explained.
Avast also discovered a new Lazarus Remote Access Trojan (RAT); the vendor says it will publish more details about it later.
“While their [Lazarus Group’s] signature tactics and techniques are now well known, they still occasionally surprise us with unexpected sophistication,” Avast’s report states. “The FudModule rootkit is the latest example and represents one of the most complex tools Lazarus maintains in their arsenal.”