
Lazarus exploits Windows zero-day flaw to install stealth malware


Microsoft has recently addressed a severe zero-day security flaw in its Windows operating system, responding to active exploitation by Lazarus Group cyber-attackers linked to North Korea. Identified as CVE-2024-38193, this severe vulnerability allows attackers to gain the highest level of administrator access and install stealth malware such as FudModule.

The security flaw affects a key Windows system file called AFD.sys. This file is the ancillary function driver, an essential component of the operating system that serves as the primary kernel interface for Winsock API operations.

Security experts have categorised this vulnerability as a ‘use after free’ issue, which is dangerous because it could allow unauthorised users to obtain the highest system access in Windows.

When exploited, this flaw enables attackers to run malicious code with system-level permissions. This level of access is especially concerning because it allows hackers to take full control of affected systems and could lead to widespread compromise across connected networks.

Microsoft confirmed this vulnerability was being exploited in the wild but initially withheld specifics about the threat actors and their objectives. However, security researchers at Gen, a prominent cybersecurity firm that reported the attacks to Microsoft, have now attributed the campaign to the Lazarus Group, a well-known hacking collective with ties to the North Korean government.

According to Gen’s findings, Lazarus leveraged this vulnerability to install FudModule, an advanced rootkit malware that has been a focus of cybersecurity scrutiny since its discovery in 2022. Rootkits like FudModule are particularly dangerous as they operate at the kernel level of an operating system, hiding their activities and evading detection by internal and external security mechanisms.

Lazarus Group have been known to use the FudModule malware.

What sets FudModule apart is its capability to disable security defences that would typically monitor suspicious activities. This malware’s stealthy nature makes it a powerful tool for cyber espionage, particularly when used against high-value targets such as those in the cryptocurrency and aerospace sectors — industries frequently targeted by North Korean cyber operations.

The hacking group has a history of using this particular rootkit and employing various methods to deploy it. In past operations, they installed a legitimate but vulnerable driver to gain unauthorised high-level system access. Cybersecurity experts often refer to this approach as using a ‘vulnerable driver.’

More recently, as Ars Technica reports, security researchers identified a new campaign in which the group targeted a weakness in a Windows system file associated with the AppLocker service. This latest tactic allowed them to install an updated version of their rootkit, demonstrating the group’s ability to adapt and evolve their attack strategies.

The ability to exploit a flaw inherent to Windows rather than relying on third-party software makes this vulnerability especially valuable to hackers. It represents what many in the cybersecurity community consider the ‘holy grail’ of exploits — a vulnerability that is not just present in the operating system but integral to its functionality.

Despite Microsoft’s patch, critical details about the extent of the attacks remain unknown. Gen has yet to disclose when Lazarus began exploiting CVE-2024-38193, the number of organisations affected, or whether any endpoint protection solutions successfully detected the latest FudModule variant.

Moreover, no indicators of compromise (IOCs) are available, making it challenging for organisations to assess potential exposure.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me