0-day in Windows driver exploited by North Korean hackers to deliver rootkit (CVE-2024-38193)
CVE-2024-38193, an actively exploited zero-day that Microsoft patched earlier this month, has been leveraged by North Korean hackers to install a rootkit on targets’ computers, Gen Digital researchers have revealed.
About CVE-2024-38193
CVE-2024-38193 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys).
Gen Digital researchers Luigino Camastra and Milanek discovered in early June 2024 that the Lazarus APT group was exploiting the flaw to gain SYSTEM privileges, so they could “bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach.”
“We also discovered that they used a special type of malware called FudModule to hide their activities from security software,” the company now confirmed.
“This type of attack is both sophisticated and resourceful, potentially costing several hundred thousand dollars on the black market. This is concerning because it targets individuals in sensitive fields, such as those working in cryptocurrency engineering or aerospace to get access to their employer’s networks and steal cryptocurrencies to fund attackers’ operations.”
Exploiting vulnerable drivers
FudModule is a rootkit – a type of malware that, once installed, runs at the deepest level of the operating system (the kernel), can make changes to the system and can disable native and third-party security solutions.
The Lazarus group is well known for delivering rootkits to targets, either by:
- Taking advantage of zero-day vulnerabilities they found in Windows drivers that are installed by default, or by
- Installing vulnerable third-party drivers and taking advantage of their 0-day or n-day flaws (this is the so-called “Bring Your Own Vulnerable Driver” technique).
“If an attacker (…) manages to exploit a zero-day vulnerability in a built-in driver, they will be rewarded with a level of stealth that cannot be matched by standard BYOVD exploitation,” Avast researchers explained earlier this year.
“By exploiting such a vulnerability, the attacker is in a sense living off the land with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place.”
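The distinction Avast draws above matters for defenders: a BYOVD attack leaves a third-party driver loaded on the box, while a zero-day in a built-in driver such as AFD.sys leaves nothing to find in the driver inventory. The following PowerShell is an added example, not code from the article, Gen Digital or Avast. It reports whether Microsoft’s vulnerable driver blocklist is enabled (via the `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, the registry toggle Microsoft documents for that feature) and lists running kernel drivers that are not validly signed by Microsoft, which is the set a responder would review first for a BYOVD-style rootkit loader. It will not detect FudModule itself or the AFD.sys exploit, and the path normalisation assumes the usual `\??\` and `\SystemRoot` prefixes in `Win32_SystemDriver.PathName`.

```powershell
# Added example (not from the article): inventory running kernel drivers for BYOVD review
# and check the vulnerable driver blocklist setting. Run from an elevated PowerShell session.

# 1. Vulnerable driver blocklist state. The value is documented by Microsoft for enabling the
#    blocklist; on builds where it is on by default the value may be absent, so treat "absent"
#    as "check via Windows Security > Core isolation" rather than as "disabled".
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($blocklist -eq 1) {
    Write-Host 'Vulnerable driver blocklist: explicitly enabled'
} else {
    Write-Host "Vulnerable driver blocklist: not explicitly enabled (registry value: '$blocklist')"
}

# 2. Enumerate running kernel-mode drivers and verify their Authenticode signatures.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Normalise NT-style paths (\??\C:\... or \SystemRoot\System32\drivers\x.sys) to Win32 paths.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [PSCustomObject]@{
        Name        = $d.Name
        Path        = $path
        Status      = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        IsMicrosoft = ($signer -like '*Microsoft*')
    }
}

# 3. Drivers that are not validly signed by Microsoft are the BYOVD candidates to triage:
#    check each against Microsoft's driver block rules and your own driver allowlist.
$report |
    Where-Object { -not $_.IsMicrosoft -or $_.Status -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, Status, Signer, Path -AutoSize
```

A clean machine typically shows a short list of third-party drivers (endpoint agents, virtualisation tools, hardware vendors); anything unfamiliar, unsigned, or signed with a revoked or mismatched certificate is worth pulling the file and its load events (System log, Event ID 7045 for new service installs) for a closer look. The empty-list case is also informative in the sense the Avast quote describes: a rootkit installed through a built-in driver zero-day will not appear here at all, which is why patching CVE-2024-38193 is the control that actually closes this path.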
How can potential victims check whether they have been saddled with the rootkit and further compromised by the Lazarus hackers? Gen Digital does not say.
We’ve reached out to the company to ask for more information, and we’ll update this piece if we hear back from them.
UPDATE (August 20, 2024, 11:20 a.m. ET):
The victim organizations are largely from the cryptocurrency sphere as well as aerospace, a Gen Digital representative has told us.
“The lead researchers following Lazarus also shared that they believe this campaign is the same as the last one,” they added.