Avast - February 28, 2024 Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day https://decoded.avast.io/janvojtese...eyond-byovd-with-an-admin-to-kernel-zero-day/ Long article, read more there.
Yes, very interesting, I'm surprised no one has responded to this thread. But it seems to be a very nasty and super advanced rootkit for Win 10/11. But it's not clear to me if the malicious .exe (process) has to first load the vulnerable AppLocker driver (appid.sys) or if it can simply interact with it directly. In the first scenario, a behavior blocker could block the driver. But I'm afraid in the second scenario, the only solution would be to redesign Windows, because a malicious process shouldn't be able to interact with any loaded driver on the system. Or perhaps I misunderstand? https://www.bleepingcomputer.com/ne...d-windows-zero-day-to-gain-kernel-privileges/
Also, check out Erik Loman bragging about the FudModule rootkit trying to disable HMPA. https://twitter.com/erikloman/status/1762847300542497181
There is a little known Windows utility which I will not name that can load any Windows kernel mode driver on the fly.
Why didn't you give some quote(s)? Not everyone uses twitter! And, BTW, Erik is a member here. He could also post his comment(s).
I think MS dodged the outcry and rage by forgetting to mention that they knew about it for six months and then sweeping it under the rug in the patch notes. Quote from Bleeping: Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability in February, six months after being informed that the flaw was being exploited as a zero-day. https://www.bleepingcomputer.com/ne...ast-month-exploited-as-zero-day-since-august/
His post on Twitter should be visible to everyone, you don't have to be logged in. Can't you see it? And to clarify, I thought it was funny, and he has every right to brag about it; it seems like HMPA is really pretty good at blocking advanced attacks. Of course, when the OS itself is vulnerable like Windows, then there is not much you can do.
Yes, correct, but the technical aspects are quite interesting. But wasn't PatchGuard designed to block this stuff? Now that I think of it, I'm guessing that PatchGuard was designed to protect certain parts of the Windows OS kernel, but apparently it can't do anything against legitimate drivers being abused to disable or evade security software. But any .exe can do this? Or you probably mean that this utility is most likely trusted by security software? Then it might indeed be a problem. Yes, good point, M$ should be ashamed of themselves for waiting so long to patch this.
Very weird that you can't see it. I can see it without being logged in on Edge, Firefox and Vivaldi. Must be your adblocker or something, perhaps you should allow cookies. But anyway, this is what he said:
BTW, what I forgot to mention is that M$ claims that it can only be exploited locally, but I don't understand this. I mean I assume you can also either trick someone into running this malicious app which then will trigger the exploit, or you can perhaps even use an automatic exploit via browser? So I assume this can also be triggered from remote? Actually, I assumed right, it is cleared up in the security bulletin:
DAN GOODIN - 8/19/2024, 7:37 PM https://arstechnica.com/security/20...d-by-north-korea-to-install-advanced-rootkit/
And once again, it's still not clear to me, if they actually have to load such a vulnerable driver, or can malware exploit an already installed (system) driver? Is it just me, or isn't this clearly explained in all of these articles? The reason why it matters, is because behavior blockers should be able to block driver loading.
BTW, to answer my own question. I just read this article again, and it's worse than I thought. You don't even need to load a vulnerable driver, you can simply exploit a driver that's already installed. In other words, Windows could really use a complete redesign.
And here is some more technical information. https://www.elastic.co/security-labs/forget-vulnerable-drivers-admin-is-all-you-need
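An added check for the question running through the posts above (whether appid.sys has to be brought along or is already on the box). This is not code from any post, nor from Avast, Elastic or Microsoft; it is an example written for this page. It assumes an elevated PowerShell prompt on Windows 10/11 and only reads state: it never starts, loads or modifies the driver. The update date used in step 4 is a heuristic cut-off taken from the thread's own statement that the fix shipped in February 2024; no KB number is assumed.

```powershell
# Added example for this thread (not code from any post, Avast, Elastic or Microsoft).
# Assumes an elevated PowerShell prompt on Windows 10/11. Read-only: it does not load,
# start or touch the driver.

function Get-AppIdDriverStatus {
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'

    # 1. The binary ships with Windows. Its presence alone means no third-party
    #    (BYOVD) driver has to be dropped; the in-box one is the target.
    $onDisk  = Test-Path -LiteralPath $driverPath
    $version = if ($onDisk) { (Get-Item -LiteralPath $driverPath).VersionInfo.FileVersion }

    # 2. Microsoft signs appid.sys as an in-box component, so it passes the same
    #    signature checks as every other Windows driver; a signer-based check will not flag it.
    $signer = if ($onDisk) {
        $sig = Get-AuthenticodeSignature -FilePath $driverPath
        [pscustomobject]@{ Status = $sig.Status; Subject = $sig.SignerCertificate.Subject }
    }

    # 3. Service registration: State says whether the driver is in the kernel right now,
    #    StartMode whether it comes up at boot or only on demand.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='appid'" |
        Select-Object -First 1

    # 4. Heuristic only (assumed cut-off, see lead-in): updates installed since the
    #    February 2024 release the thread says carried the fix. Map the exact KB for
    #    your build from Microsoft's advisory; nothing is hard-coded here.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -ge [datetime]'2024-02-01' } |
        Sort-Object InstalledOn -Descending |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        Path                = $driverPath
        OnDisk              = $onDisk
        FileVersion         = $version
        SignatureStatus     = $signer.Status
        Signer              = $signer.Subject
        ServiceFound        = [bool]$svc
        State               = $svc.State       # 'Running' = loaded in the kernel now
        StartMode           = $svc.StartMode   # e.g. 'Manual' = loaded on demand
        UpdatesSinceFeb2024 = $recent
    }
}

$status = Get-AppIdDriverStatus
$status | Format-List

if ($status.State -eq 'Running') {
    Write-Warning 'appid.sys is already loaded: an admin-to-kernel exploit against it needs no driver load step.'
}
elseif ($status.OnDisk) {
    Write-Warning 'appid.sys is on disk but not loaded; it would have to be started before it could be targeted.'
}
else {
    Write-Warning 'appid.sys not found; this build does not carry the driver at the expected path.'
}
```

The useful distinction for the behavior-blocker question is the State column: a driver that is already Running was loaded by Windows itself, so a product that only watches for new driver loads has nothing to intercept. Compare the FileVersion against the build shipped in the February 2024 update for your OS version rather than trusting the hotfix list, which is only a rough indicator.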