
North Korean Lazarus Group Exploits Windows Zero-Day Flaw for Kernel Access

North Korean hackers (Lazarus Group) exploited a Windows vulnerability (CVE-2024-21338) to gain high-level access and disable security software.


In a concerning development, security analysts at Avast have identified an attack conducted by the North Korea-based hacker collective Lazarus Group. The hackers exploited a previously unknown vulnerability in the Windows operating system, specifically targeting the 'appid.sys' driver, which is integral to Windows AppLocker's application whitelisting capabilities. By exploiting this flaw, now identified as CVE-2024-21338, the attackers were able to achieve kernel-level access, drastically enhancing their ability to conduct stealth operations and circumvent traditional security measures.

Elaboration on the Exploit and Its Impact

Using this zero-day exploit, the Lazarus Group has updated its notorious FudModule rootkit to maintain a stealthier presence on compromised systems. Initially discovered in late 2022, the rootkit previously leveraged a Dell driver for its operations. The latest iteration, however, exhibits enhancements in both evasiveness and functionality. Notable among these is the ability to turn off pivotal security products such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, and HitmanPro's solution. These advancements permit the rootkit to execute direct kernel object manipulation (DKOM) tasks, enabling it to hide its activities and maintain persistence undetected.

Security Measures and Recommendations

Following Avast's detection and subsequent reporting of the exploit, Microsoft issued a patch as part of its February 2024 Patch Tuesday updates, aimed at mitigating the risks associated with CVE-2024-21338. However, it is crucial for organizations and individuals alike to apply these patches promptly to safeguard against potential infiltrations. Additionally, Avast has shared YARA rules designed to assist in detecting activity linked to the updated version of the Lazarus Group's FudModule rootkit, fortifying defenses against this and potentially similar threats.

The Lazarus Group's use of this sophisticated exploit technique underscores a significant elevation in their capacity to conduct highly discreet and enduring campaigns. These incidents serve as a stark reminder of the escalating challenges and intricacies associated with threats, emphasizing the ever-present need for vigilance and proactive security measures in the digital realm.

Luke Jones