Lazarus group operations — A deep dive into FudModule Rootkit
North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools, letting them sidestep the noisier Bring Your Own Vulnerable Driver (BYOVD) technique.
The best-known North Korean hacking group, Lazarus Group, keeps refining its capabilities for impact and persistence in compromised environments. Recently, Avast researchers discovered a new technique used by the group: exploiting a zero-day, CVE-2024-21338, to gain kernel-level access and turn off security tools.
Overview
Few cybercriminal groups in history have had as much disruptive power and lasting impact as the Lazarus Group. Ever since their first attacks, which involved DDoS operations against organizations across different industries, the group has managed to escalate their attacks even further. Two of the group’s most notable campaigns are the 2014 Sony hack, which exposed sensitive company and personal information, and the 2016 Bangladeshi bank attack, which stole millions of dollars from the financial institution.
The Lazarus group has had multiple operations over the years, most of which involve either disruption, sabotage, financial theft or espionage. The organization also has “spin-off” groups.
Bluenoroff:
A subgroup focused on attacking foreign financial institutions. They are responsible for a wide array of financial theft incidents, including the aforementioned attack on a Bangladeshi bank.
Andariel:
A subgroup focused on South Korean organizations and businesses, using specifically tailored methods created for maximum effectiveness.
FudModule Analysis
The FudModule rootkit was first reported by ESET and AhnLab in October 2022 as capable of disabling the monitoring of all security solutions on infected hosts by means of what’s called a Bring Your Own Vulnerable Driver (BYOVD) attack, wherein an attacker loads a driver susceptible to a known or zero-day flaw in order to escalate privileges.
According to Avast researchers, Lazarus Group crafted an exploit that manipulates the Input and Output Control (IOCTL) dispatcher in the appid.sys driver so that it calls an arbitrary pointer, tricking the kernel into executing unsafe code and thus bypassing security checks.
The FudModule rootkit, built within the same module as the exploit, executes direct kernel object manipulation (DKOM) operations to turn off security products, hide malicious activities, and maintain persistence on the breached system.
New stealth features and expanded capabilities were observed in the new rootkit version, such as the ability to suspend processes protected by Protected Process Light (PPL) by manipulating handle table entries, selective and targeted disruption via DKOM, enhancements in tampering with Driver Signature Enforcement and Secure Boot, and more.
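As an added defensive posture check (not part of this write-up or of Avast’s research), the following PowerShell script reports the Windows mitigations that blunt BYOVD-style driver abuse and the state of the appid.sys driver the exploit targets. It assumes an elevated session on Windows 10/11; the HVCI and blocklist readings come from the Win32_DeviceGuard CIM class and the CI\Config registry key, and the appid.sys version is only reported, since the patched build number is not stated in this article.

```powershell
# Added example: posture check for BYOVD mitigations and the appid.sys driver.
# Assumes an elevated PowerShell session on Windows 10/11.

function Get-DeviceGuardState {
    # Win32_DeviceGuard lists which VBS services are running; value 2 in
    # SecurityServicesRunning means HVCI (memory integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsStatus   = $dg.VirtualizationBasedSecurityStatus   # 2 = running
        HvciRunning = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-VulnerableDriverBlocklistState {
    # Microsoft's vulnerable driver blocklist toggle; absent means the OS default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    if ($null -eq $val) { return 'not set (OS default applies)' }
    if ($val.VulnerableDriverBlocklistEnable -eq 1) { 'enabled' } else { 'disabled' }
}

function Get-AppIdDriverInfo {
    # appid.sys is the AppLocker driver abused via CVE-2024-21338. Report its file
    # version and service state; compare the version against Microsoft's advisory
    # for your build (the patched build number is not part of this article).
    $path = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
    $ver  = (Get-Item $path).VersionInfo.FileVersion
    $svc  = Get-CimInstance Win32_SystemDriver -Filter "Name='AppID'"
    [pscustomobject]@{ Path = $path; FileVersion = $ver; State = $svc.State }
}

function Get-NonMicrosoftRunningDrivers {
    # Loaded third-party drivers are the raw material of BYOVD; list the ones not
    # signed by Microsoft so they can be checked against the vulnerable driver blocklist.
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $sig = Get-AuthenticodeSignature -FilePath $p -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                [pscustomobject]@{ Name = $_.Name; Path = $p; Signer = $sig.SignerCertificate.Subject }
            }
        }
}

$dg = Get-DeviceGuardState
Write-Host "VBS status        : $($dg.VbsStatus)"
Write-Host "HVCI running      : $($dg.HvciRunning)"
Write-Host "Driver blocklist  : $(Get-VulnerableDriverBlocklistState)"
$drv = Get-AppIdDriverInfo
Write-Host "appid.sys         : $($drv.FileVersion) ($($drv.State))"
Get-NonMicrosoftRunningDrivers | Format-Table -AutoSize
```

A machine with HVCI running and the blocklist enabled refuses to load most known-vulnerable drivers, which is exactly the pressure that pushed this actor toward a zero-day in an already-present Microsoft driver instead.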
Moreover, the adversarial collective’s cross-platform focus is also exemplified by the fact that it has been observed using bogus calendar meeting invite links to stealthily install malware on Apple macOS systems, a campaign that was previously documented by SlowMist in December 2023.
“Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors,” Vojtěšek said. “The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”
Conclusion
The constant development of the FudModule rootkit marks a new level of technical sophistication associated with North Korean hacking groups, which continuously iterate their arsenal for improved stealth and functionality. It also illustrates the elaborate techniques employed to hinder detection and make tracking the group much harder.