BleepingComputer reports that the North Korean threat actor Lazarus Group exploited a zero-day vulnerability in the Windows AppLocker driver (appid.sys) to gain kernel-level access and disable security products.
The vulnerability, tracked as CVE-2024-21338, was fixed in Microsoft's February 2024 Patch Tuesday after Avast researchers observed the activity in the wild and promptly reported it. According to Avast, Lazarus updated its FudModule rootkit, first documented by ESET in late 2022, and used CVE-2024-21338 to build a kernel read/write primitive. Earlier versions of the rootkit relied on a vulnerable Dell driver in bring-your-own-vulnerable-driver (BYOVD) attacks. The security tools targeted are the HitmanPro anti-malware program, AhnLab V3 Endpoint Security, Windows Defender, and CrowdStrike Falcon. Avast also reported additional capabilities and new stealth features in the latest rootkit version, including expanded tampering with Driver Signature Enforcement and Secure Boot. Microsoft, however, has not classified the vulnerability as exploited as a zero-day.