A zero-day vulnerability in Windows recently patched by Microsoft was exploited by hackers working for the North Korean government, allowing them to install custom malware that is exceptionally stealthy and sophisticated, researchers reported Monday.
The vulnerability, tracked as CVE-2024-38193, was one of six zero-days (vulnerabilities that are known or actively exploited before a vendor has a patch) fixed in Microsoft’s monthly update release last Tuesday. Microsoft said the vulnerability (in a class known as “use after free”) was located in AFD.sys, the binary for what’s known as the ancillary function driver and the kernel entry point for the Winsock API. Microsoft warned that the zero-day could be exploited to give attackers system privileges, the maximum system privileges available in Windows and a state required to execute untrusted code.
Lazarus gains access to Windows kernel
Microsoft warned at the time that the vulnerability was being actively exploited, but did not provide details about who was behind the attacks or what their ultimate goal was. On Monday, researchers at Gen, the security firm that discovered the attacks and privately reported them to Microsoft, said the threat actors were part of Lazarus, the name researchers use to track a hacking group backed by the North Korean government.
“The vulnerability allowed attackers to bypass normal security restrictions and gain access to sensitive system areas that are inaccessible to most users and administrators,” Gen. researchers reported. “This type of attack is both sophisticated and resourceful, potentially costing hundreds of thousands of dollars on the black market. This is concerning because it targets individuals in sensitive industries, such as those working in cryptocurrency engineering or aerospace, to gain access to their employers’ networks and steal cryptocurrencies to fund attackers’ activities.”
Monday’s blog post said that Lazarus used the exploit to install FudModule, a sophisticated piece of malware discovered and analyzed in 2022 by researchers from two separate security firms: AhnLab and ESET. FudModule, named after the FudModule.dll file that was once listed in the export table, is a type of malware known as a rootkit. It was notable for its ability to operate robustly in the deepest recesses of Windows, an area that was and still is not widely understood. That ability allowed FudModule to evade monitoring by both internal and external security defenses.
Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself, while simultaneously controlling the deepest levels of the operating system. To operate, rootkits must first gain system privileges and then communicate directly with the kernel, the area of an operating system reserved for its most sensitive functions. The FudModule variants discovered by AhnLabs and ESET were installed using a technique called “bring your own vulnerable driver,” which involves installing a legitimate driver with known vulnerabilities in order to gain access to the kernel.
Earlier this year, researchers at security firm Avast discovered a newer FudModule variant that bypassed key Windows defenses like Endpoint Detection and Response and Protected Process Light. It took Microsoft six months after Avast privately reported the vulnerability to patch it, a delay that allowed Lazarus to continue exploiting it.
While Lazarus used “bring your own vulnerable driver” to install earlier versions of FudModule, group members installed the variant discovered by Avast by exploiting a bug in appid.sys, a driver that enables the Windows AppLocker service, which comes pre-installed with Windows. Avast researchers said at the time that the Windows vulnerability exploited in those attacks was a holy grail for hackers because it was built directly into the operating system rather than requiring installation from a third party.
A conglomerate that includes brands such as Norton, Norton Lifelock, Avast and Avira, Gen did not provide critical details, including when Lazarus began exploiting CVE-2024-38193, how many organizations were targeted in the attacks or whether the latest FudModule variant was detected by endpoint protection services. There are also no indicators of compromise. Company representatives did not respond to emails.