
Microsoft fixes zero-day vulnerability exploited by North Korea’s Lazarus group

19 August 2024 | Ravie Lakshmanan | Security vulnerability / zero-day

A recently patched vulnerability in Microsoft Windows was exploited as a zero-day vulnerability by the Lazarus Group, a prolific state-sponsored actor linked to North Korea.

The vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), is described as a privilege escalation flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys).

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an alert about the vulnerability last week. The tech giant fixed it as part of its monthly Patch Tuesday update.

Gen Digital researchers Luigino Camastra and Milánek are credited with discovering and reporting the flaw. Gen Digital owns a number of security and utility brands, including Norton, Avast, Avira, AVG, ReputationDefender and CCleaner.

“This flaw allowed them to gain unauthorized access to sensitive areas of the system,” the company said last week, adding that it discovered the vulnerability in early June 2024. “The vulnerability allowed attackers to bypass normal security restrictions and access sensitive areas of the system that most users and administrators cannot reach.”

The cybersecurity provider also noted that the attacks were characterized by the use of a rootkit called FudModule to evade detection.

While the exact technical details of the intrusions are not yet known, the vulnerability is reminiscent of another privilege escalation flaw that Microsoft fixed in February 2024 and that the Lazarus Group also weaponized to deploy the FudModule rootkit.

Specifically, that earlier campaign exploited CVE-2024-21338 (CVSS score: 7.8), a privilege escalation flaw in the Windows kernel's AppLocker driver (appid.sys) that allowed arbitrary code to run with all security checks bypassed, which the attackers used to execute the FudModule rootkit.

Both attacks are notable because they go beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack by exploiting a vulnerability in a driver already installed on a Windows host, rather than “bringing” a vulnerable driver and using it to bypass security measures.

Previous attacks detailed by cybersecurity company Avast showed that the rootkit is delivered via a remote access Trojan called Kaolin RAT.

“FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem,” the Czech company explained at the time, adding: “Lazarus is very cautious when deploying the rootkit and only uses it when necessary and under the right circumstances.”
