Getty Images

A Windows zero-day vulnerability recently patched by Microsoft was exploited by hackers working on behalf of the North Korean government so they could install custom malware that’s exceptionally stealthy and advanced, researchers reported Monday.

The vulnerability, tracked as CVE-2024-38193, was one of six zero-days—meaning vulnerabilities known or actively exploited before the vendor has a patch—fixed in Microsoft’s monthly update release last Tuesday. Microsoft said the vulnerability—in a class known as a “use after free”—was located in AFD.sys, the binary file for what’s known as the ancillary function driver and the kernel entry point for the Winsock API. Microsoft warned that the zero-day could be exploited to give attackers system privileges, the maximum system rights available in Windows and a required status for executing untrusted code.

Lazarus gets access to the Windows kernel

Microsoft warned at the time that the vulnerability was being actively exploited but provided no details about who was behind the attacks or what their ultimate objective was. On Monday, researchers with Gen—the security firm that discovered the attacks and reported them privately to Microsoft—said the threat actors were part of Lazarus, the name researchers use to track a hacking outfit backed by the North Korean government.

“The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach,” Gen researchers reported. “This type of attack is both sophisticated and resourceful, potentially costing several hundred thousand dollars on the black market. This is concerning because it targets individuals in sensitive fields, such as those working in cryptocurrency engineering or aerospace to get access to their employer’s networks and steal cryptocurrencies to fund attackers’ operations.”

Monday’s blog post said that Lazarus was using the exploit to install FudModule, a sophisticated piece of malware discovered and analyzed in 2022 by researchers from two separate security firms: AhnLab and ESET. Named after the FudModule.dll file that once was present in its export table, FudModule is a type of malware known as a rootkit. It stood out for its ability to operate robustly in the deep in the innermost recess of Windows, a realm that wasn’t widely understood then or now. That capability allowed FudModule to disable monitoring by both internal and external security defenses.

Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and, at the same time, control the deepest levels of the operating system. To work, rootkits must first gain system privileges and go on to directly interact with the kernel, the area of an operating system reserved for the most sensitive functions. The FudModule variants discovered by AhnLabs and ESET were installed using a technique called “bring your own vulnerable driver,” which involves installing a legitimate driver with known vulnerabilities to gain access to the kernel.

Earlier this year, researchers from security firm Avast spotted a newer FudModule variant that bypassed key Windows defenses such as Endpoint Detection and Response, and Protected Process Light. Microsoft took six months after Avast privately reported the vulnerability to fix it, a delay that allowed Lazarus to continue exploiting it.

Whereas Lazarus used “bring your own vulnerable driver” to install earlier versions of FudModule, group members installed the variant discovered by Avast by exploiting a bug in appid.sys, a driver enabling the Windows AppLocker service, which comes preinstalled in Windows. Avast researchers said at the time the Windows vulnerability exploited in those attacks represented a holy grail for hackers because it was baked directly into the OS rather than having to be installed from third-party sources.

Gen, a conglomerate comprising brands Norton, Norton Lifelock, Avast, and Avira, among others, didn’t provide critical details, including when Lazarus started exploiting CVE-2024-38193, how many organizations were targeted in the attacks, and whether the latest FudModule variant was detected by any endpoint protection services. There are also no indicators of compromise. Representatives of the company didn’t respond to emails.

By Holden