How the Lazarus Group Weaponized AppLocker to Bypass Kernel Protections

TLDR: The Lazarus Group is using a sophisticated multi-stage infection chain that culminates in the exploitation of a zero-day vulnerability in the Windows AppLocker driver. By leveraging CVE-2024-21338, the attackers gain arbitrary kernel memory access, allowing them to deploy the FudModule 2.0 rootkit. This rootkit uses direct kernel object manipulation to disable security software, making it a critical threat for any environment relying on standard endpoint protection.

Security researchers have long tracked the Lazarus Group, but their latest campaign demonstrates a shift toward high-stakes, kernel-level persistence that bypasses modern defensive mitigations. The attack chain begins with a classic social engineering hook—a fabricated job offer—but quickly evolves into a technical masterclass in evasion. By delivering a malicious ISO file, the attackers initiate a multi-stage loader sequence that eventually drops a custom remote access trojan (RAT) and a powerful rootkit. This is not just another commodity malware campaign; it is a targeted effort to neutralize the very security tools designed to stop it.

The Infection Chain: From ISO to Kernel

The initial access vector relies on the victim mounting a malicious ISO file, which contains a seemingly benign skill assessment tool. Once executed, the loader—dubbed "Rollfling"—begins its work. This loader is designed to be stealthy, using XOR-based decryption to hide its next stage, "Rollmid," which is then loaded directly into memory.

The technical sophistication here lies in how the malware achieves persistence and command-and-control (C2) communication. Rollmid communicates with three distinct C2 servers, using steganography to extract the address of the final C2 server from a PNG file. This multi-layered approach is designed to frustrate automated sandbox analysis and network traffic inspection. Once the C2 is established, the malware downloads and executes the final payload: a custom RAT capable of file compression, timestamp manipulation, and, most importantly, the deployment of the FudModule 2.0 rootkit.

Exploiting CVE-2024-21338 for Kernel Access

The most alarming part of this research is the use of CVE-2024-21338, a zero-day vulnerability in the Windows AppLocker driver (appid.sys). This vulnerability allows an attacker to send a specially crafted IOCTL to the driver, which triggers an arbitrary kernel function call.

For a pentester, this is a goldmine. The vulnerability allows for partial control of the first argument of the function call, which, when combined with the ability to read and write arbitrary kernel memory via NtWriteVirtualMemory, provides a direct path to privilege escalation. The researchers demonstrated that the exploit requires the attacker to be running as LOCAL SERVICE, a common privilege level for many services. Once the IOCTL is sent, the attacker can change the PreviousMode of the current thread to kernel mode, effectively tricking the system into executing code with elevated privileges.

FudModule 2.0 and Direct Kernel Object Manipulation

Once the attackers have achieved kernel-mode execution, they deploy the FudModule 2.0 rootkit. This tool is a prime example of why Direct Kernel Object Manipulation (DKOM) remains a potent threat. Instead of patching code, which is easily detected by modern integrity checks, FudModule modifies kernel data structures directly.

The rootkit targets several critical areas:

• Registry Callbacks: It unlinks its own callbacks from the registry notification list, effectively blinding the system to its registry modifications.
• Object Callbacks: It manipulates the nt!ObTypeIndexTable to neutralize process and thread monitoring.
• File System Minifilters: It removes itself from the list of active minifilters, preventing security software from intercepting its file operations.
• Windows Filtering Platform (WFP): It zeroes out the netio!WfpGlobal structure to disable network traffic filtering.

By manipulating these structures, the rootkit can effectively "ghost" itself from the view of security products like Windows Defender, CrowdStrike Falcon, and Kaspersky Endpoint Security. The demo provided in the research showed the rootkit successfully unlinking its own process from the system's tracking mechanisms, rendering it invisible to standard monitoring tools.

Defensive Implications

Defending against this level of sophistication requires moving beyond signature-based detection. Because FudModule 2.0 operates by modifying kernel objects rather than injecting malicious code, traditional EDR solutions may fail to trigger an alert. Defenders should focus on monitoring for suspicious IOCTL requests to drivers like appid.sys and implementing strict AppLocker policies that restrict the execution of unsigned or untrusted binaries.

Furthermore, the reliance on social engineering as the initial entry point remains the weakest link. Security awareness training that specifically highlights the dangers of "skill assessment" files delivered via platforms like LinkedIn or WhatsApp is essential.

The Lazarus Group’s ability to move from a simple phishing lure to a kernel-level rootkit using a zero-day vulnerability is a stark reminder that the perimeter is no longer the only battleground. As researchers, we must continue to scrutinize the drivers and kernel-mode components that our systems trust implicitly. The next time you are on an engagement, look beyond the user-mode applications and start investigating the IOCTLs being sent to your system drivers. You might find exactly what the attackers are hiding.