Lazarus Hackers Exploit Windows Driver Zero-Day to Install Rootkit

August 20, 2024

The notorious Lazarus hacking group, originating from North Korea, has leveraged a zero-day vulnerability in the Windows AFD.sys driver to escalate system privileges and deploy the FUDModule rootkit on selected targets. The flaw, known as CVE-2024-38193, was patched by Microsoft during its August 2024 Patch Tuesday, which also addressed seven other zero-day vulnerabilities.

CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), the driver that serves as the entry point into the Windows kernel for the Winsock protocol. Gen Digital researchers discovered the flaw and revealed that the Lazarus group exploited it as a zero-day to install the FUDModule rootkit, a tool that evades detection by disabling Windows monitoring features.

Gen Digital researchers, Luigino Camastra and Milanek, found that the Lazarus group was exploiting a concealed security flaw in a critical part of Windows called the AFD.sys driver. "This flaw allowed them to gain unauthorized access to sensitive system areas. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software," Gen Digital warned.

A BYOVD attack occurs when threat actors install a driver with a known vulnerability on a targeted machine and then exploit that driver to gain kernel-level privileges. These actors often misuse third-party drivers, such as antivirus or hardware drivers, that require high privileges to interact with the kernel. The AFD.sys vulnerability is particularly dangerous because AFD.sys comes pre-installed on every Windows device: the threat actors could carry out this type of attack without first installing an older, vulnerable driver that might be detected and blocked by Windows.
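As an added illustration of the defensive checks that distinction implies (this script is not from the article, from Gen Digital, or from Microsoft), the PowerShell below gathers three data points on a Windows host: the installed afd.sys file version, the state of the Microsoft vulnerable driver blocklist and hypervisor-protected code integrity (HVCI), and which running kernel drivers are not Microsoft-signed. The function names are mine, and `$MinimumPatchedVersion` is a placeholder to be replaced with the afd.sys version shipped in the August 2024 update, which the article does not give.

```powershell
# Added example, not code from the article or from any vendor named in it.
# Run from an elevated PowerShell session on the host being checked.

# PLACEHOLDER: replace with the afd.sys file version from the August 2024 update.
$MinimumPatchedVersion = [version]'0.0.0.0'

function Get-AfdDriverStatus {
    # Reports the version of the built-in AFD.sys driver and whether it is at
    # or above the placeholder patched version. For a driver that ships with
    # Windows, the patch level is the mitigation that matters.
    $path = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
    $info = (Get-Item -Path $path).VersionInfo
    $ver  = [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                           $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path    = $path
        Version = $ver
        Patched = ($ver -ge $MinimumPatchedVersion)
    }
}

function Get-DriverProtectionStatus {
    # Reads the two platform controls that blunt classic BYOVD: the registry
    # switch behind the "Microsoft Vulnerable Driver Blocklist" toggle, and
    # HVCI (a value of 2 in SecurityServicesRunning means it is running).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # $null means the value is not set; on newer Windows 11 builds the
        # blocklist is on by default without this value, so treat $null as
        # "unknown", not "off".
        BlocklistRegistryValue = $ci.VulnerableDriverBlocklistEnable
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-NonMicrosoftKernelDrivers {
    # Lists running kernel drivers whose Authenticode signer subject does not
    # contain "Microsoft". These are the usual candidates for BYOVD abuse.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style paths Win32_SystemDriver can return
            # (\??\C:\..., \SystemRoot\..., or a path relative to %SystemRoot%).
            $p = $_.PathName -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
            if (-not (Test-Path -LiteralPath $p)) { return }
            $sig    = Get-AuthenticodeSignature -FilePath $p
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($signer -notmatch 'Microsoft') {
                [pscustomobject]@{
                    Name            = $_.Name
                    Path            = $p
                    SignatureStatus = $sig.Status
                    Signer          = $signer
                }
            }
        }
}

Get-AfdDriverStatus         | Format-List
Get-DriverProtectionStatus  | Format-List
Get-NonMicrosoftKernelDrivers | Format-Table -AutoSize
```

Two caveats on reading the output. Third-party drivers signed through WHQL carry a Microsoft publisher subject and so will not appear in the third list, which is a starting point for review rather than a verdict. And afd.sys itself is Microsoft-signed and always loaded, so it will never appear there either; that is exactly the article's point about a built-in driver, and why the first function, the version check against the patched build, is the one that counts for CVE-2024-38193.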

The Lazarus group has a history of abusing the Windows appid.sys and Dell dbutil_2_3.sys kernel drivers in BYOVD attacks to install FUDModule. Gen Digital did not disclose who was targeted in this attack or when it occurred, but Lazarus is known to target financial and cryptocurrency firms in large-scale cyberheists used to finance the North Korean government's weapons and cyber programs.

The group first gained notoriety following the 2014 Sony Pictures blackmail hack and the 2017 global WannaCry ransomware campaign that encrypted systems at businesses worldwide. In April 2022, the US government linked the Lazarus group to a cyberattack on Axie Infinity that resulted in the theft of over $617 million worth of cryptocurrency. The US government is currently offering a reward of up to $5 million for information on the DPRK hackers' malicious activities to help identify or locate them.
