
Zero-day Windows driver exploited by Lazarus hackers to install rootkit


The notorious North Korean hacking group Lazarus exploited a zero-day flaw in the Windows AFD.sys driver to escalate privileges and install the FUDModule rootkit on targeted systems.

Microsoft patched the flaw, identified as CVE-2024-38193, in its August 2024 Patch Tuesday, along with seven other zero-day vulnerabilities.

CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Auxiliary Function Driver for WinSock (AFD.sys), which acts as an entry point into the Windows kernel for the Winsock protocol.

The flaw was discovered by researchers at Gen Digital, who claim that the Lazarus hacking group exploited the AFD.sys flaw as a zero-day to install the FUDModule rootkit, which is used to evade detection by disabling Windows monitoring features.

“In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden security vulnerability in a crucial part of Windows called the AFD.sys driver,” Gen Digital warns.

“This vulnerability allowed them to gain unauthorized access to sensitive areas of the system. We also discovered that they were using a special type of malware called Fudmodule to hide their activities from security software.”

A Bring Your Own Vulnerable Driver attack occurs when attackers install drivers with known vulnerabilities on targeted machines, which are then exploited to gain kernel-level privileges. Malicious actors often abuse third-party drivers, such as antivirus or hardware drivers, that require elevated privileges to interact with the kernel.

What makes this particular vulnerability even more dangerous is that it resides in AFD.sys, a driver that is installed by default on all Windows devices. This allowed malicious actors to carry out this type of attack without having to install an older, vulnerable driver that can be blocked by Windows and easily detected.

The Lazarus group has previously abused the Windows kernel drivers appid.sys and Dell dbutil_2_3.sys in BYOVD attacks to install FUDModule.
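The BYOVD mitigations the article alludes to (Windows blocking older vulnerable drivers, HVCI) can be audited from the defender's side. The following PowerShell script is an added example, not code from the article, Gen Digital or Microsoft; it assumes an elevated session on Windows 10/11 and uses Microsoft's documented registry locations for the vulnerable-driver blocklist and HVCI, and it watch-lists only `dbutil_2_3.sys` from the drivers named above, since `appid.sys` is a built-in Windows driver whose presence proves nothing.

```powershell
# Added example (not from the article, Gen Digital or Microsoft): audit a Windows
# host's posture against the BYOVD technique described above.
# Assumptions: run from an elevated PowerShell on Windows 10/11; the registry
# paths are Microsoft's documented ones for the driver blocklist and HVCI.
function Get-ByovdPosture {
    [CmdletBinding()]
    param(
        # Third-party driver the article names as previously abused by Lazarus.
        [string[]]$WatchList = @('dbutil_2_3.sys'),
        # August 2024 Patch Tuesday, when CVE-2024-38193 was fixed.
        [datetime]$PatchTuesday = [datetime]'2024-08-13'
    )

    # 1. Is Microsoft's vulnerable-driver blocklist enabled? (DWORD 1 = on)
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
                   -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable -eq 1

    # 2. Is HVCI actually running? Win32_DeviceGuard lists 2 in
    #    SecurityServicesRunning when hypervisor-enforced code integrity is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
            -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    # 3. Is any watch-listed driver registered on this host, and in what state?
    $hits = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $_.PathName -and ($WatchList -contains (Split-Path -Leaf $_.PathName))
    } | Select-Object Name, State, PathName

    # 4. Patch hint only: the article gives no KB number, so report afd.sys's
    #    file version and any updates installed since the fix shipped.
    $afd    = Get-Item "$env:SystemRoot\System32\drivers\afd.sys"
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday }

    [pscustomobject]@{
        VulnerableDriverBlocklist = $blocklist
        HvciRunning               = $hvci
        WatchListedDrivers        = @($hits)
        AfdFileVersion            = $afd.VersionInfo.FileVersion
        AfdLastWrite              = $afd.LastWriteTime
        UpdatesSincePatchTuesday  = @($recent.HotFixID)
    }
}

Get-ByovdPosture | Format-List
```

A `WatchListedDrivers` entry or `VulnerableDriverBlocklist`/`HvciRunning` reporting `False` is the finding to act on; the afd.sys version must still be compared against Microsoft's advisory by hand.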

Lazarus Hacker Group

While Gen Digital did not share details about who was targeted in the attack and when the attacks took place, Lazarus is known for targeting financial and cryptocurrency companies in multi-million dollar cyberattacks used to fund the North Korean government’s weapons and cybersecurity programs.

The group gained notoriety after the 2014 Sony Pictures hack and the 2017 WannaCry global ransomware campaign that encrypted systems at businesses around the world.

In April 2022, the US government linked the Lazarus Group to a cyberattack on Axie Infinity that allowed threat actors to steal more than $617 million in cryptocurrency.

The U.S. government is offering a reward of up to $5 million for information about malicious activities by DPRK hackers to help identify or locate them.
