Windows Driver Zero-Day Exploited by Lazarus Hackers to Install Rootkit

Summary:
The North Korean Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems. Microsoft addressed this flaw, identified as CVE-2024-38193, during its August 2024 Patch Tuesday, along with seven other zero-day vulnerabilities. CVE-2024-38193 is a "Bring Your Own Vulnerable Driver" (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock, which serves as an entry point into the Windows kernel for the Winsock protocol. The vulnerability was discovered by Gen Digital researchers, who reported that Lazarus exploited it to install the FUDModule rootkit, which is designed to evade detection by disabling Windows monitoring features.


BYOVD attacks involve the installation of drivers with known vulnerabilities, allowing attackers to gain kernel-level privileges. In this case, the vulnerability in AFD.sys, a driver installed by default on all Windows devices, made the attack particularly dangerous, as it didn't require the installation of older, more easily detected vulnerable drivers. Gen Digital discovered the attack in June 2024 and believes it may be connected to a campaign in Brazil previously disclosed by Google’s Threat Analysis Group (TAG). In this campaign, North Korean hackers, identified as PUKCHONG (UNC4899), targeted Brazilian cryptocurrency professionals with fake job offers, leading to the installation of malware. The attack involved sending benign PDFs with job descriptions and skill questionnaires, ultimately tricking victims into running a trojanized Python app that retrieved a second-stage payload.

Security Officer Comments:
The Lazarus group has a history of using BYOVD attacks, previously abusing the Windows appid.sys and Dell dbutil_2_3.sys kernel drivers to install the FUDModule rootkit. The group is notorious for targeting financial and cryptocurrency firms, often conducting million-dollar cyberheists to fund North Korea’s weapons and cyber programs. They gained global attention after the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack, and in April 2022, the U.S. government linked them to a $617 million cryptocurrency theft from Axie Infinity. The U.S. government is offering a reward of up to $5 million for information leading to the identification or location of these DPRK hackers.

Suggested Corrections:
Microsoft has now issued a patch to address the critical vulnerability. For continued protection, it’s crucial for all Windows users to update their systems promptly and stay vigilant against potential threats.


Link(s):
https://www.bleepingcomputer.com/ne...loited-by-lazarus-hackers-to-install-rootkit/