Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day

Avast discovered a live exploit chain where the Lazarus Group abused a zero-day in the AppLocker driver appid.sys (CVE-2024-21338) to escalate from user/local-service to kernel, yielding a kernel read/write primitive used to deploy an updated FudModule data-only rootkit that unlinks callbacks, blinds ETW/WFP/minifilters, and directly targets security products. Microsoft patched the flaw in February 2024 after Avast reported it. #Lazarus #FudModule

Keypoints

  • Avast identified an in-the-wild exploit for a zero-day in appid.sys (CVE-2024-21338) that allowed arbitrary kernel callback invocation from user space.
  • The exploit impersonated the Local Service account to obtain a write-access handle to \Device\AppId, issued the vulnerable IOCTL, and corrupted KTHREAD.PreviousMode to obtain kernel read/write through NtReadVirtualMemory/NtWriteVirtualMemory-based primitives.
  • Lazarus used the kernel primitive to deploy an updated FudModule data-only rootkit that now includes nine techniques (four new, three improved) for stealth and security-solution disruption.
  • FudModule performs extensive DKOM: it removes registry/object/process/thread/image callbacks, disables ETW system loggers and specific provider GUIDs, and unlinks or wipes minifilter callbacks and WFP callouts.
  • The rootkit adds a new handle-table entry manipulation technique to craft arbitrary handles and suspend protected processes and their threads (Windows Defender, CrowdStrike Falcon, AhnLab V3, HitmanPro).
  • Avast reported the vulnerability to Microsoft; patches added an ExGetPreviousMode check to mitigate user-mode initiated IOCTL abuse in the February Patch Tuesday update.
  • Avast recovered most of the infection chain and noted a new Lazarus RAT; further technical details (RAT and initial vector) were deferred to a follow-up release.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – Exploited a vulnerable IOCTL in appid.sys (control code 0x22A018) to “call an arbitrary kernel function” by supplying kernel callback pointers from user space (‘…the vulnerable control code 0x22A018 … allows the kernel to call an arbitrary pointer’).
  • [T1134] Access Token Manipulation – The exploit “impersonates the local service account using a direct syscall to NtSetInformationThread with the ThreadImpersonationToken” to obtain write access to \Device\AppId (‘…impersonated the local service account … to obtain a read/write handle to \Device\AppId’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – FudModule uses DKOM to remove registry/object/process/thread/image callbacks and modify kernel structures to neutralize defenses (‘…FudModule’s goal is to remove existing registry callbacks’ and ‘clears EtwpActiveSystemLoggers’).
  • [T1215] Kernel Modules and Extensions – The rootkit manipulates kernel internals (minifilter, WFP, ETW structures, ObjectTable, HANDLE_TABLE_ENTRY) to alter kernel behavior without loading kernel code (‘…direct kernel object manipulation (DKOM) techniques … data-only rootkit, meaning it executes entirely from user space’).
  • [T1499] Endpoint Denial of Service – FudModule crafts handle-table entries to suspend targeted security processes and their threads (MsSense.exe, MsMpEng.exe, CSFalconService.exe, hmpalert.exe) via NtSuspendProcess/SuspendThread (‘…modifies the dummy thread’s _HANDLE_TABLE_ENTRY so that it points to the _OBJECT_HEADER of the target _EPROCESS … call NtSuspendProcess’).

Indicators of Compromise

  • [CVE] exploited vulnerability – CVE-2024-21338 (appid.sys IOCTL 0x22A018)
  • [File name] rootkit artifact & reporting – tem1245.tmp (file written with technique bitfield results)
  • [Driver / Device] targeted/used drivers – appid.sys (AppLocker driver), applockerfltr.sys (and references to the AppId device \Device\AppId)
  • [Processes] targeted security processes – MsSense.exe, MsMpEng.exe, CSFalconService.exe, hmpalert.exe
  • [GitHub rule] detection resource – YARA rule at https://github.com/avast/ioc/tree/master/FudModule#yara

Avast’s technical rewrite (procedural focus)

Avast’s analysis shows the exploit chain begins by loading appid.sys or confirming it is already present, impersonating the Local Service account via NtSetInformationThread(ThreadImpersonationToken), and opening \Device\AppId with write access to issue IOCTL 0x22A018. The IOCTL expects two kernel function pointers in its input buffer; by crafting fake kernel objects and supplying controlled pointers and data, the attacker forces the kernel to indirectly call a chosen kernel-function gadget. The exploit uses the gadget to perform a 64-bit copy from the IOCTL buffer over the current thread’s KTHREAD.PreviousMode byte, clearing it to KernelMode. With PreviousMode corrupted, the address checks in NtReadVirtualMemory/NtWriteVirtualMemory no longer reject kernel addresses, so the exploit can read and write arbitrary kernel memory from user space and thereby establishes a stable kernel read/write primitive.

With the kernel primitive, the updated FudModule rootkit performs data-only DKOM to disable a wide range of defenses without executing kernel code. It locates kernel globals by scanning exported ntoskrnl functions (e.g., finding nt!CallbackListHead through CmUnRegisterCallback, or EtwpHostSiloState through nt!EtwSendTraceBuffer), iterates and unlinks entries in the registry and object callback lists, clears the process/thread/image callback arrays (selectively whitelisting certain drivers), and wipes or unlinks minifilter callback nodes selected by driver name or altitude. For network telemetry, it locates netio!gWfpGlobal and sets FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW on WFP callouts; it disables ETW both broadly (zeroing EtwpActiveSystemLoggers) and surgically (clearing ProviderEnableInfo.IsEnabled and the RegList masks for a hardcoded list of provider GUIDs), so that EtwEventEnabled returns false and EtwWriteEx emits nothing for the targeted providers.

FudModule’s most novel direct attack crafts arbitrary handles by manipulating a handle-table entry in the target process’s _EPROCESS.ObjectTable: it creates a dummy thread with THREAD_ALL_ACCESS, locates that handle’s _HANDLE_TABLE_ENTRY, and overwrites ObjectPointerBits so the entry references the _OBJECT_HEADER of a protected security process. Because the entry’s granted-access bits are left in place, the kernel now treats the handle as a fully privileged handle to the target, and the rootkit uses it to call NtSuspendProcess and SuspendThread (then resumes the process but leaves its threads suspended), effectively neutralizing protected processes (Windows Defender, CrowdStrike Falcon, AhnLab V3, HitmanPro). Both the exploit and the rootkit rely on extensive direct syscalls and build-specific hardcoded offsets for reliability. Microsoft closed the user-mode IOCTL vector by adding an ExGetPreviousMode check so that requests originating in user mode can no longer reach the callback path (CVE-2024-21338).
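The following is an added example, written for this summary and not code from Avast or from appid.sys, that models the pre-fix and post-fix behaviour of an IOCTL dispatcher which receives function pointers from its caller. The input layout, the handler-registration table, the status codes and the scenario helpers are all constructed for the model; the only values taken from the page are the control code 0x22A018 and the ExGetPreviousMode-style previous-mode check that Microsoft’s fix added. The hardened dispatcher goes one step beyond the described patch by also refusing any pointer the driver did not register itself, which is an assumption about defence in depth, not part of the actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of KPROCESSOR_MODE: the mode the request came from (ExGetPreviousMode). */
typedef enum { KernelMode = 0, UserMode = 1 } processor_mode_t;

/* Control code quoted on the page. */
#define IOCTL_APPID_CALLBACK 0x22A018u

typedef void (*callback_fn)(void *ctx);

/* Hypothetical input layout: the request carries two function pointers. */
typedef struct {
    callback_fn callback1;
    callback_fn callback2;
    void *context;
} ioctl_input_t;

typedef enum {
    IOCTL_OK = 0,
    IOCTL_ACCESS_DENIED = 1,  /* request originated in user mode */
    IOCTL_INVALID_PARAM = 2   /* wrong code, or pointer not owned by the driver */
} ioctl_status_t;

/* Handlers the driver registered itself: the only legitimate call targets (model). */
#define MAX_HANDLERS 4
static callback_fn g_registered[MAX_HANDLERS];
static size_t g_registered_count = 0;

int register_handler(callback_fn fn) {
    if (g_registered_count >= MAX_HANDLERS) return -1;
    g_registered[g_registered_count] = fn;
    return (int)g_registered_count++;
}

static bool is_registered(callback_fn fn) {
    for (size_t i = 0; i < g_registered_count; i++)
        if (g_registered[i] == fn) return true;
    return false;
}

/* Pre-fix behaviour (model): the supplied pointers are trusted, whoever sent them. */
ioctl_status_t dispatch_unchecked(uint32_t code, processor_mode_t prev, const ioctl_input_t *in) {
    (void)prev;
    if (code != IOCTL_APPID_CALLBACK) return IOCTL_INVALID_PARAM;
    in->callback1(in->context);
    in->callback2(in->context);
    return IOCTL_OK;
}

/* Post-fix behaviour: (1) the previous-mode check the page describes,
 * (2) defence in depth (assumption): only driver-registered handlers may be called. */
ioctl_status_t dispatch_hardened(uint32_t code, processor_mode_t prev, const ioctl_input_t *in) {
    if (code != IOCTL_APPID_CALLBACK) return IOCTL_INVALID_PARAM;
    if (prev == UserMode) return IOCTL_ACCESS_DENIED;
    if (!is_registered(in->callback1) || !is_registered(in->callback2)) return IOCTL_INVALID_PARAM;
    in->callback1(in->context);
    in->callback2(in->context);
    return IOCTL_OK;
}

/* Scenario helpers: count which kind of function actually ran. */
static int g_driver_calls = 0;   /* a handler the driver owns */
static int g_foreign_calls = 0;  /* a pointer the driver never registered */
static void driver_handler(void *ctx)   { (void)ctx; g_driver_calls++; }
static void foreign_function(void *ctx) { (void)ctx; g_foreign_calls++; }

static void reset_model(void) {
    g_driver_calls = 0; g_foreign_calls = 0; g_registered_count = 0;
    register_handler(driver_handler);
}
int foreign_calls(void) { return g_foreign_calls; }
int driver_calls(void)  { return g_driver_calls; }

/* User-mode request with foreign pointers, unchecked dispatcher: returns how
 * many times the foreign function ran (the model's bug). */
int scenario_unchecked_user_request(void) {
    reset_model();
    ioctl_input_t in = { foreign_function, foreign_function, NULL };
    dispatch_unchecked(IOCTL_APPID_CALLBACK, UserMode, &in);
    return g_foreign_calls;
}
/* Same request against the hardened dispatcher: rejected before any call. */
ioctl_status_t scenario_hardened_user_request(void) {
    reset_model();
    ioctl_input_t in = { foreign_function, foreign_function, NULL };
    return dispatch_hardened(IOCTL_APPID_CALLBACK, UserMode, &in);
}
/* Kernel-mode request that still smuggles one foreign pointer. */
ioctl_status_t scenario_hardened_kernel_foreign_pointer(void) {
    reset_model();
    ioctl_input_t in = { driver_handler, foreign_function, NULL };
    return dispatch_hardened(IOCTL_APPID_CALLBACK, KernelMode, &in);
}
/* Legitimate kernel-mode request using only driver-owned handlers. */
ioctl_status_t scenario_hardened_kernel_legit(void) {
    reset_model();
    ioctl_input_t in = { driver_handler, driver_handler, NULL };
    return dispatch_hardened(IOCTL_APPID_CALLBACK, KernelMode, &in);
}

int main(void) {
    printf("unchecked/user: foreign calls = %d\n", scenario_unchecked_user_request());
    printf("hardened/user: status = %d, foreign calls = %d\n",
           scenario_hardened_user_request(), foreign_calls());
    printf("hardened/kernel+foreign: status = %d\n", scenario_hardened_kernel_foreign_pointer());
    printf("hardened/kernel legit: status = %d, driver calls = %d\n",
           scenario_hardened_kernel_legit(), driver_calls());
    return 0;
}
```

The previous-mode check alone is what closes the admin-to-kernel path the page describes: a user-mode process can present any pointers it likes, but the dispatcher never reaches the indirect call. The registration table covers the remaining case of a kernel-mode caller handing over a pointer that the driver does not own, which the patch as described does not address.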

Read more: https://www.hendryadrian.com/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/