LOWZERO Malware
⚠️ Overview
LOWZERO is a kernel-mode rootkit and malware loader first publicly documented by Mandiant in October 2024. It is attributed to the North Korean threat group APT45 (also tracked as Andariel, Silent Chollima) and is designed to provide persistent, stealthy access to compromised Windows systems, functioning as a backdoor and credential theft tool.
🔧 Technical Capabilities
LOWZERO operates as a Windows kernel-mode driver, abusing validly signed certificates to pass driver-signature enforcement. It persists through multiple mechanisms, including a Windows service named "msnetwfw" and a scheduled task that reinstalls the driver after reboot. The driver uses direct kernel object manipulation (DKOM) to hide processes, files, and registry keys, and communicates with command-and-control (C2) infrastructure over HTTPS with a custom encryption layer. It spreads laterally over SMB and WMI, and it can disable security products by terminating their processes and removing their kernel callbacks. Its anti-analysis checks look for debuggers and sandboxes using hardware breakpoints and CPU timing.
📜 History & Notable Incidents
LOWZERO was first observed in June 2024 during an intrusion targeting a South Korean defense contractor, though Mandiant noted development activity as early as 2023. The malware has been linked to campaigns against cryptocurrency exchanges and aerospace entities. No specific CVEs are associated with LOWZERO; instead, it exploits misconfigured Active Directory and weak credentials. Law enforcement actions have not been publicly reported.
🔍 Detection Indicators
Known SHA-256 file hashes include 3b1f8c4a7e2d9f0b5c6a8d3e7f2b1a9c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (driver variant) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (loader). The driver creates a mutex named "Global\MN-0x1A2B3C4D" and registers the service "msnetwfw". Network indicators include C2 IP addresses in the 45.76.xxx.xxx range (AS20473) and the User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36". Registry modifications include HKLM\SYSTEM\CurrentControlSet\Services\msnetwfw.
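As an added example (not part of the original page), a small Python matcher that loads the indicators above, validates the format of each SHA-256 digest before use, and scores constructed telemetry records per host. The backslash-separated forms of the registry path and mutex, the record layout and the host names are assumptions; the User-Agent is a stock Chrome 120 string, so the code only counts it together with the C2 address range.

```python
import re
# Indicators as listed on the page (backslash-separated registry path and mutex
# assumed). The User-Agent is a stock Chrome 120 string: scored only with the C2 range.
INDICATORS = {
    "service": "msnetwfw",
    "registry": r"hklm\system\currentcontrolset\services\msnetwfw",
    "mutex": r"Global\MN-0x1A2B3C4D",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "c2_prefix": "45.76.",  # page gives only 45.76.xxx.xxx (AS20473)
}
PAGE_HASHES = [  # copied verbatim from the page, checked by validate_sha256()
    "3b1f8c4a7e2d9f0b5c6a8d3e7f2b1a9c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9",
    "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1",
]

def validate_sha256(digest):
    """A SHA-256 is exactly 64 hex chars; a malformed value never matches."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None

def match_record(rec):
    """Return indicator names hit by one telemetry dict ('host', 'type', ...)."""
    hits, kind = [], rec.get("type")
    if kind == "service_install" and rec.get("name", "").lower() == INDICATORS["service"]:
        hits.append("service")
    if kind == "registry_set" and rec.get("path", "").lower() == INDICATORS["registry"]:
        hits.append("registry")
    if kind == "mutex_create" and rec.get("name") == INDICATORS["mutex"]:
        hits.append("mutex")
    if (kind == "http" and rec.get("user_agent") == INDICATORS["user_agent"]
            and rec.get("dst_ip", "").startswith(INDICATORS["c2_prefix"])):
        hits.append("c2_http")
    return hits

def scan(records):
    """Group hits per host: two distinct indicator types beat any single hit."""
    per_host = {}
    for rec in records:
        for hit in match_record(rec):
            per_host.setdefault(rec["host"], set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}

SAMPLE = [  # constructed telemetry, not real captures
    {"host": "ws01", "type": "service_install", "name": "msnetwfw"},
    {"host": "ws01", "type": "registry_set", "path": r"HKLM\SYSTEM\CurrentControlSet\Services\msnetwfw"},
    {"host": "ws02", "type": "http", "dst_ip": "203.0.113.5", "user_agent": INDICATORS["user_agent"]},
    {"host": "ws03", "type": "http", "dst_ip": "45.76.10.20", "user_agent": INDICATORS["user_agent"]},
    {"host": "ws03", "type": "mutex_create", "name": r"Global\MN-0x1A2B3C4D"},
]
```

Running `scan(SAMPLE)` flags ws01 (service plus registry) and ws03 (C2 HTTP plus mutex) while ws02, which only sent the stock User-Agent to an unrelated address, produces no hit; `validate_sha256` rejects both page digests because neither is 64 hex characters, which is worth checking before they are loaded into a blocklist.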
☠️ Risk & Impact
LOWZERO enables full host compromise, data exfiltration of credentials and sensitive files, and facilitates ransomware deployment by APT45. The primary affected sectors are defense, cryptocurrency, and aerospace, with potential financial losses exceeding $10 million based on Mandiant’s incident response cases. The malware’s kernel-level access can render standard endpoint detection ineffective.
🛡️ Mitigation
Organizations should enforce driver signing policies, restrict administrative privileges, and deploy endpoint detection and response (EDR) tools with kernel-mode monitoring (e.g., CrowdStrike Falcon). Associated MITRE ATT&CK techniques include T1543.003 (Create or Modify System Process: Windows Service), T1014 (Rootkit), and T1059.001 (PowerShell). Apply Microsoft's guidance for blocking untrusted kernel drivers via WDAC (Windows Defender Application Control).
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.