Security News Windows driver zero-day exploited by Lazarus hackers to install rootkit (patched August 2024)

Gandalf_The_Grey

Level 81
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,084
The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems.

Microsoft fixed the flaw, tracked as CVE-2024-38193 during its August 2024 Patch Tuesday, along with seven other zero-day vulnerabilities.

CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), which acts as an entry point into the Windows Kernel for the Winsock protocol.

The flaw was discovered by Gen Digital researchers, who say that the Lazarus hacking group exploited the AFD.sys flaw as a zero-day to install the FUDModule rootkit, used to evade detection by turning off Windows monitoring features.

"In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver," warned Gen Digital.

"This flaw allowed them to gain unauthorized access to sensitive system areas. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software."

A Bring Your Own Vulnerable Driver attack is when attackers install drivers with known vulnerabilities on targeted machines, which are then exploited to gain kernel-level privileges. Threat actors often abuse third-party drivers, such as antivirus or hardware drivers, which require high privileges to interact with the kernel.

What makes this particular vulnerability more dangerous is that the vulnerability was in AFD.sys, a driver that is installed by default on all Windows devices. This allowed the threat actors to conduct this type of attack without having to install an older, vulnerable driver that may be blocked by Windows and easily detected.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top