Lazarus Hackers exploit Windows zero-day Kernel vulnerability

Photo of author

By Muhammad Hussain

Lazarus Hackers, a notorious group known for its sophisticated cyber activities, has recently exploited a critical zero-day Windows Kernel flaw, marked as CVE-2024-21338, to achieve kernel-level access and disable security software on compromised systems. This flaw, with a CVSS score of 7.8, was identified as a privilege escalation vulnerability and was successfully resolved by Microsoft in the latest Patch Tuesday updates.

The vulnerability allowed attackers to gain SYSTEM privileges, posing a serious threat to the affected systems. Microsoft explained that to exploit this flaw, an attacker would first need to log into the system, followed by running a specially crafted application capable of exploiting the vulnerability and taking control of the targeted system.

Although there were no indications of active exploitation when the updates were released, Microsoft later revised its assessment, classifying the flaw under “Exploitation Detected.” This change raised concerns about the potential exploitation of the vulnerability in the wild.

The timeline of the attacks remains unclear, but it’s reported that the vulnerability was introduced in Windows 10, version 1703 (RS2/15063) during the implementation of the 0x22A018 IOCTL (input/output control) handler. This specific handler became the entry point for the attackers to leverage the vulnerability.

Cybersecurity vendor Avast played a crucial role in discovering an in-the-wild admin-to-kernel exploit for the CVE-2024-21338 bug. Avast noted that the kernel read/write primitive achieved through this flaw allowed the Lazarus Group to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit.


The FudModule rootkit initially gained attention when it was reported by ESET and AhnLab in October 2022. Capable of disabling the monitoring capabilities of security solutions on infected hosts, the rootkit employs a technique known as Bring Your Own Vulnerable Driver (BYOVD) attack. In this attack, an attacker implants a driver susceptible to a known or zero-day flaw to escalate privileges.

What sets the recent attack apart is its sophistication, going beyond the BYOVD technique by exploiting a zero-day in a driver already installed on the target machine. The vulnerable driver, appid.sys, is crucial for the functioning of a Windows component called AppLocker, responsible for application control. The Lazarus Group utilized CVE-2024-21338 in the appid.sys driver to execute arbitrary code, bypassing all security checks and running the FudModule rootkit.

Security researcher Jan Vojtěšek shed light on the complexity of the FudModule rootkit, describing it as loosely integrated into the rest of Lazarus’ malware ecosystem. He emphasized that Lazarus deploys the rootkit selectively, ensuring it is used only under specific circumstances.

FudModule not only evades detection by disabling system loggers but is also designed to disable specific security software, including AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender). This multi-faceted approach demonstrates the level of technical sophistication employed by the Lazarus Group.

The recent development underscores the continuous evolution of North Korean hacking groups, with Lazarus Group showcasing improved stealth and functionality in its arsenal. The attackers’ ability to exploit a zero-day vulnerability in a widely used driver demonstrates an advanced level of technical prowess.

Lazarus Group’s activities extend beyond Windows systems, as evidenced by their use of bogus calendar meeting invite links to stealthily install malware on Apple macOS systems. This cross-platform focus was previously documented by SlowMist in December 2023, indicating the group’s adaptability and versatility in executing cyber campaigns.

In conclusion, the FudModule rootkit represents a significant advancement in Lazarus Group’s capabilities, showcasing one of the most complex tools in their arsenal. As a long-standing and prolific advanced persistent threat actor, Lazarus Group continues to pose a serious challenge to cybersecurity efforts. The continuous development of sophisticated techniques highlights the need for heightened vigilance and advanced security measures to counter evolving cyber threats.