
North Korea’s Lazarus deploys rootkit via AppLocker zero-day flaw

“Microsoft hasn’t given up on securing the admin-to-kernel boundary, though,” researchers from Avast explain. “Quite the opposite. It has made a great deal of progress in making this boundary harder to cross. Defense-in-depth protections, such as DSE (Driver Signature Enforcement) or HVCI (Hypervisor-Protected Code Integrity), have made it increasingly difficult for attackers to execute custom code in the kernel, forcing most to resort to data-only attacks (where they achieve their malicious objectives solely by reading and writing kernel memory). Other defenses, such as driver blocklisting, are pushing attackers to move to exploiting less-known vulnerable drivers, resulting in an increase in attack complexity. Although these defenses haven’t yet reached the point where we can officially call admin-to-kernel a security boundary (BYOVD attacks are still feasible, so calling it one would just mislead users into a false sense of security), they clearly represent steps in the right direction.”

The new CVE-2024-21338 vulnerability exploited by Lazarus is located in appid.sys, the central driver behind AppLocker, the application whitelisting technology built into Windows, which makes the choice of target somewhat ironic. Microsoft gave this vulnerability a score of 7.8 out of 10 on the CVSS scale and, according to Avast, that might be because it can also be exploited from the local service account, which has fewer privileges than an administrator account.

“Though the vulnerability may only barely meet Microsoft’s security servicing criteria, we believe patching was the right choice and would like to thank Microsoft for eventually addressing this issue,” the Avast researchers said. “Patching will undoubtedly disrupt Lazarus’ offensive operations, forcing them to either find a new admin-to-kernel zero-day or revert to using BYOVD techniques.”

Lazarus’s improved rootkit techniques

The FudModule rootkit leverages its kernel read/write access to disable several important features that security products rely on to detect suspicious behavior: registry callbacks, which are used to detect system registry modifications; object callbacks, which are used to execute custom code in response to thread, process and desktop handle operations; and process, thread, and image kernel callbacks, which allow endpoint security products to perform checks every time a new process is created or a DLL is loaded.

The FudModule rootkit will delete all of these types of callbacks registered by security products in the kernel in order to impair their malware detection capabilities. The new variant only makes minor modifications to the callbacks that it deletes. The rootkit also removes file system minifilters that are registered by antivirus programs to monitor file operations.

A new feature of the rootkit is the ability to disable image verification callbacks, which are invoked when a new driver image is loaded into kernel memory. This functionality is leveraged by some anti-malware programs to detect and block malicious or vulnerable drivers.
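The minifilter removal described above is one part of this behaviour that a defender can tripwire from user mode: the Windows filter manager's `fltmc.exe` lists the file-system minifilters that are currently loaded, so a saved baseline can be compared against the live list and any security-product filter that has silently disappeared can be flagged. The PowerShell below is an added example, not code from the article or from Avast. It assumes it runs in an elevated session (`fltmc` requires it), that `$BaselinePath` is a location of your choosing, and it also reports the file version of `appid.sys`, the driver named in the CVE-2024-21338 section, so it can be compared against the patched version in Microsoft's advisory, which this page does not quote.

```powershell
# Added example (not from the article or from Avast).
# Assumptions: elevated session; $BaselinePath is a hypothetical path you choose.

function Get-LoadedMinifilter {
    # fltmc prints a blank line, a column header, a dashed rule, then one
    # filter per line: "<Name>  <NumInstances>  <Altitude>  <Frame>".
    $lines = & fltmc.exe filters 2>$null
    if ($LASTEXITCODE -ne 0) {
        throw "fltmc.exe failed (exit $LASTEXITCODE); run from an elevated session"
    }
    foreach ($line in $lines) {
        if ($line -match '^\s*(?<name>\S+)\s+(?<inst>\d+)\s+(?<alt>\S+)(\s+(?<frame>\S+))?\s*$' -and
            $line -notmatch '^\s*Filter Name') {
            [pscustomobject]@{
                Name      = $Matches.name
                Instances = [int]$Matches.inst
                Altitude  = $Matches.alt
            }
        }
    }
}

function Compare-MinifilterBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)

    $current = @((Get-LoadedMinifilter).Name)

    # First run: record what is loaded on a known-good system and stop.
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        $current | Set-Content -LiteralPath $BaselinePath
        Write-Output "Baseline written to $BaselinePath ($($current.Count) filters)"
        return @()
    }

    $baseline = @(Get-Content -LiteralPath $BaselinePath | Where-Object { $_ })
    # Filters present at baseline time but absent now. A security product's
    # filter (for example the one that backed real-time scanning) vanishing
    # without a product change is worth an alert.
    $missing = @($baseline | Where-Object { $_ -notin $current })
    foreach ($name in $missing) {
        Write-Warning "Minifilter '$name' from baseline is no longer loaded"
    }
    return $missing
}

function Get-AppIdDriverVersion {
    # Reports the on-disk version of the AppLocker driver so it can be compared
    # with the fixed build listed in Microsoft's advisory for CVE-2024-21338.
    $path = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    return (Get-Item -LiteralPath $path).VersionInfo.FileVersion
}

# Usage (hypothetical baseline path):
$BaselinePath = 'C:\ProgramData\minifilter-baseline.txt'
$missing = Compare-MinifilterBaseline -BaselinePath $BaselinePath
Write-Output "appid.sys version: $(Get-AppIdDriverVersion)"
if ($missing.Count -gt 0) { exit 1 }
```

Treat this as a cheap tripwire rather than a guarantee: it only sees what the filter manager reports, and an adversary with arbitrary kernel read/write can in principle tamper with that view as well. Run it from a scheduled task shortly after boot and again periodically, and rebuild the baseline only after a deliberate change to the installed security products.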
