
Lazarus hackers exploit zero-day vulnerability in Windows drivers to install a rootkit



The notorious North Korean hacker group Lazarus exploited a zero-day vulnerability in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems.

Microsoft fixed the bug, dubbed CVE-2024-38193, during its August 2024 Patch Tuesday along with seven other zero-day vulnerabilities.

CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), which acts as an entry point into the Windows kernel for the Winsock protocol.

The flaw was discovered by researchers at Gen Digital. According to the researchers, the Lazarus hacker group used the AFD.sys flaw as a zero-day to install the FUDModule rootkit, which evades detection by disabling Windows monitoring features.

“In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden vulnerability in a crucial part of Windows called the AFD.sys driver,” Gen Digital warned.

“This flaw allowed them to gain unauthorized access to sensitive system areas. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software.”

In a Bring Your Own Vulnerable Driver attack, attackers install drivers with known vulnerabilities on targeted computers, which are then exploited to gain kernel-level privileges. Threat actors often abuse third-party drivers, such as antivirus or hardware drivers, that require high privileges to interact with the kernel.

What makes this particular vulnerability even more dangerous is the fact that it was located in AFD.sys, a driver that is installed by default on all Windows devices. This allowed the attackers to carry out this type of attack without having to install an older, vulnerable driver that might be blocked and easily detected by Windows.

The Lazarus group has previously abused the Windows kernel drivers appid.sys and Dell dbutil_2_3.sys in BYOVD attacks to install FUDModule.

The hacker group Lazarus

While Gen Digital did not reveal details about who was targeted in the attacks or when the attacks occurred, Lazarus is known for targeting financial and cryptocurrency companies in multi-million dollar cyber heists that fund the North Korean government’s weapons and cyber programs.

The group gained notoriety after the Sony Pictures extortion hack in 2014 and the global WannaCry ransomware campaign in 2017 that encrypted systems at companies around the world.

In April 2022, the U.S. government linked the Lazarus group to a cyberattack on Axie Infinity that allowed threat actors to steal over $617 million worth of cryptocurrency.

The U.S. government is offering a reward of up to five million US dollars for information on the malicious activities of North Korean hackers that helps identify or locate them.
