The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems.
Microsoft fixed the flaw, tracked as CVE-2024-38193 during its August 2024 Patch Tuesday, along with seven other zero-day vulnerabilities.
CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), which acts as an entry point into the Windows Kernel for the Winsock protocol.
The flaw was discovered by Gen Digital researchers, who say that the Lazarus hacking group exploited the AFD.sys flaw as a zero-day to install the FUDModule rootkit, used to evade detection by turning off Windows monitoring features.
“In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver,” warned Gen Digital.
“This flaw allowed them to gain unauthorized access to sensitive system areas. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software.”
A Bring Your Own Vulnerable Driver attack is when attackers install drivers with known vulnerabilities on targeted machines, which are then exploited to gain kernel-level privileges. Threat actors often abuse third-party drivers, such as antivirus or hardware drivers, which require high privileges to interact with the kernel.
What makes this particular vulnerability more dangerous is that the vulnerability was in AFD.sys, a driver that is installed by default on all Windows devices. This allowed the threat actors to conduct this type of attack without having to install an older, vulnerable driver that may be blocked by Windows and easily detected.
Gen Digital told BleepingComputer last week that they discovered the attack in June and believe it is related to a campaign in Brazil previously disclosed by Google TAG.
Google says that North Korean hackers that they attribute as PUKCHONG (UNC4899) targeted Brazillian cryptocurrency professionals with fake job opportunities that ultimately led to the installation of malware.
“To deliver the malicious app, PUKCHONG reached out to targets via social media and sent a benign PDF containing a job description for an alleged job opportunity at a well known cryptocurrency firm,” explained a June Google TAG article.
“If the target replied with interest, PUKCHONG sent a second benign PDF with a skills questionnaire and instructions for completing a coding test. The instructions directed users to download and run a project hosted on GitHub.”
“The project was a trojanized Python app for retrieving cryptocurrency prices that was modified to reach out to an attacker-controlled domain to retrieve a second stage payload if specific conditions were met.”
The Lazarus group have also abused the Windows appid.sys and Dell dbutil_2_3.sys kernel drivers in other BYOVD attacks to install FUDModule.
The Lazarus hacking group
The Lazarus hacking group is known to target financial and cryptocurrency firms in million-dollar cyberheists used to fund the North Korean government’s weapons and cyber programs.
The group gained notoriety after the 2014 Sony Pictures blackmail hack and the 2017 global WannaCry ransomware campaign that encrypted businesses worldwide.
In April 2022, the US government linked the Lazarus group to a cyberattack on Axie Infinity that allowed the threat actors to steal over $617 million worth of cryptocurrency.
The US government offers a reward of up to $5 million for tips on the DPRK hackers’ malicious activity to help identify or locate them.
Update 8/20/24: Added further information about the attack.
Source: www.bleepingcomputer.com