The notorious North Korean Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver to escalate privileges and install the FUDModule rootkit on targeted systems.
Microsoft fixed the flaw, tracked as CVE-2024-38193, along with seven other zero-day vulnerabilities, in its August 2024 Patch Tuesday.
CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), which serves as the entry point into the Windows kernel for the Winsock protocol.
The flaw was discovered by researchers at Gen Digital, who say the Lazarus hacking group exploited the AFD.sys flaw as a zero-day to install the FUDModule rootkit, which is used to turn off Windows monitoring features and evade detection.
“In early June, Luigino Camastra and Milanec discovered that the Lazarus group was exploiting a hidden security flaw in a critical part of Windows called the AFD.sys driver,” Gen Digital warned.
“This flaw allowed them to gain unauthorized access to sensitive areas of the system. We also found that they used a specialized type of malware called Fudmodule to hide their activities from security software.”
A Bring Your Own Vulnerable Driver attack occurs when an attacker installs a driver with a known vulnerability on a targeted machine and exploits it to gain kernel-level privileges. Threat actors often abuse third-party drivers, such as antivirus or hardware drivers, because they run with the elevated privileges needed to interact with the kernel.
What makes this vulnerability even more dangerous is that it exists in AFD.sys, a driver installed by default on every Windows device, so threat actors can carry out this type of attack without first installing an outdated, vulnerable driver that Windows could block and that would be easy to detect.
The Lazarus group has previously exploited the Windows appid.sys and Dell dbutil_2_3.sys kernel drivers in BYOVD attacks to install FUDModule.
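For defenders, the practical question raised by the BYOVD discussion above is whether a host still has the protections Windows offers against vulnerable-driver attacks, whether the built-in AFD.sys has been updated, and which non-Microsoft kernel drivers are loaded. The PowerShell script below is an added example written for this article; it is not code from Gen Digital or Microsoft. It assumes an elevated session on the host being checked, uses the documented registry toggle for the Microsoft vulnerable driver blocklist and the Win32_DeviceGuard CIM class for HVCI status, and reports the installed afd.sys file version for manual comparison with the August 2024 update (the article does not give the patched version or KB number, so none is hard-coded).

```powershell
# Added example (not from the article or the vendors it cites): a defender-side
# triage script for BYOVD exposure. It reports whether the vulnerable driver
# blocklist and HVCI are active, shows the installed afd.sys version, and lists
# running kernel drivers not signed by Microsoft for review. Run elevated.

function Get-ByovdPosture {
    # 1. Microsoft vulnerable driver blocklist (applied as a WDAC policy).
    #    VulnerableDriverBlocklistEnable is the documented toggle; 1 = enabled.
    $ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $blocklistOn = ($blocklist -eq 1)

    # 2. Hypervisor-protected Code Integrity. Win32_DeviceGuard reports running
    #    security services as an array; the value 2 means HVCI is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciOn = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)

    # 3. Version of the built-in driver discussed in the article. Compare it with
    #    the afd.sys version shipped in the August 2024 cumulative update for this
    #    Windows build; the article gives no version number, so none is assumed here.
    $afdPath    = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
    $afdVersion = (Get-Item -LiteralPath $afdPath -ErrorAction SilentlyContinue).VersionInfo.FileVersion

    [pscustomobject]@{
        VulnerableDriverBlocklistEnabled = $blocklistOn
        HvciRunning                      = $hvciOn
        AfdSysVersion                    = $afdVersion
    }
}

function Get-NonMicrosoftRunningDrivers {
    # Enumerate running kernel drivers and keep those whose Authenticode signer is
    # not Microsoft. These are the candidates a classic BYOVD attack relies on and
    # should be checked against the vulnerable driver blocklist and vendor advisories.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry an NT-style '\??\' or '\SystemRoot\' prefix.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($subject -notmatch 'Microsoft') {
                [pscustomobject]@{
                    Name     = $_.Name
                    Path     = $path
                    Signer   = $subject
                    SigState = $sig.Status
                }
            }
        }
}

# Usage: print the posture summary, then the driver review list.
Get-ByovdPosture | Format-List
Get-NonMicrosoftRunningDrivers | Format-Table -AutoSize
```

Both functions are read-only. A host where the blocklist is disabled or HVCI is not running has no kernel-level defence against a third-party vulnerable driver being loaded, and the AFD.sys case in the article shows why the update status of the built-in driver matters just as much as the third-party list.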
Lazarus Hacking Group
Gen Digital has not released details about who was targeted in the attack or when it occurred, but Lazarus is known to target financial and cryptocurrency companies in multi-million dollar cyber heists to fund the North Korean government’s weapons and cyber programs.
The group gained notoriety for the extortion hack of Sony Pictures in 2014 and the global WannaCry ransomware attack in 2017 that encrypted systems at companies around the world.
In April 2022, the US government linked the Lazarus Group to a cyber attack on Axie Infinity that allowed threat actors to steal more than $617 million in cryptocurrency.
The US government is offering a reward of up to $5 million to anyone who can help identify and locate North Korean hackers engaged in malicious activity.