Lazarus Group Exploits Microsoft Zero-Day CVE-2024-38193, Patch Urgently
Last week, Microsoft's security updates addressed multiple high-severity vulnerabilities, some of which were already being exploited in the wild. Among them, CVE-2024-38193 (CVSS 7.8) has been leveraged by the North Korean state-backed Lazarus Group in live attacks.
</gre_replace>
<gr_replace lines="3-4" cat="clarify" orig="CVE-2024-38193 is a">
CVE-2024-38193 is an elevation-of-privilege flaw in the Windows Ancillary Function Driver for WinSock (afd.sys), the kernel driver that serves as the kernel-mode entry point for the Winsock API. It is not a Bring Your Own Vulnerable Driver (BYOVD) case: afd.sys ships with every Windows installation, so the attacker has no third-party driver to load and instead exploits a bug in a built-in, Microsoft-signed component, which driver blocklists cannot block.
A local attacker who already runs code as a low-privileged user can use the flaw to reach SYSTEM, the highest privilege level in Windows, and from there execute arbitrary code in kernel context, outside the reach of the usual user-mode security controls. The CVSS 7.8 score reflects that the attack vector is local: the bug is a post-compromise escalation step, not a remote entry point.
CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) flaw, located in the binary file of the Windows Ancillary Function Driver (AFD.sys), which serves as a kernel entry point for the Winsock API.
Upon successfully exploiting this vulnerability, hackers can gain system-level privileges, including the highest privilege in the Windows system, known as SYSTEM access, enabling them to execute untrusted code.
While Microsoft acknowledged the active exploitation of this vulnerability in its security advisory, it did not disclose the hacker group behind the attacks. However, the security researchers who initially discovered and reported the vulnerability to Microsoft identified Lazarus Group as the perpetrator.
Gen Digital, the security company (parent of Avast and Norton) that discovered and reported the vulnerability to Microsoft, stated that the flaw allows attackers to bypass normal security restrictions and reach sensitive areas of the system that are normally inaccessible even to administrators. Gen described the attack as both complex and cunning, and estimated that an exploit of this kind could be worth hundreds of thousands of dollars on the black market.
Attacks of this sophistication are typically the work of well-resourced actors and are aimed at specific individuals, such as people working in cryptocurrency engineering or the aerospace sector.
The researchers disclosed their tracing and attribution results, revealing that the Lazarus Group has been using this vulnerability to install a kernel rootkit known as FudModule. The rootkit is highly sophisticated and was first documented by researchers from AhnLab and ESET in 2022.
FudModule is the name security researchers gave the malware, taken from the file name FudModule.dll found in the module's export table.
Earlier this year, Czech security company Avast (a Gen Digital brand) discovered a variant of FudModule that tampers with critical Windows defenses from kernel mode, including Endpoint Detection and Response (EDR) products and Protected Processes.
Notably, Avast also revealed that, after it notified Microsoft, the company took six months to patch the underlying vulnerability, extending the Lazarus Group's window of attack by half a year.
That variant gained kernel access through a vulnerability in appid.sys, the kernel driver behind the Windows AppLocker service, which is present on every Windows installation. Exploiting a built-in driver rather than loading a vulnerable third-party one removes the noisiest step of BYOVD (dropping and loading an extra driver) and makes deployment easier for the attacker.
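The practical response to both the afd.sys and appid.sys cases is the same: confirm the August 2024 update is installed, and know which of your kernel mitigations actually apply. The following PowerShell triage script is an added example, not code from the article, Microsoft, Gen Digital or Avast. It assumes an elevated PowerShell 5.1+ session on the host being checked; the `$AssumedPatchedAfdVersion` placeholder is an assumption you must replace with the afd.sys file version listed in the August 2024 cumulative update for your Windows build, and the 13 August 2024 date is the release date of that month's security updates.

```powershell
# Added example (not from the article or the vendors it cites). Triage one Windows host
# for CVE-2024-38193 patch state and for the kernel mitigations relevant to driver-based
# attacks such as FudModule. Run from an elevated PowerShell 5.1+ session.

# ASSUMPTION / placeholder: set this to the afd.sys version shipped by the August 2024
# cumulative update for *your* build (see the KB article's file-information table).
# Until it is set, Test-AfdPatched reports the version but gives no verdict.
$AssumedPatchedAfdVersion = $null   # e.g. [version]'10.0.22621.3958' once verified

function Get-AfdDriverInfo {
    $afd = Get-Item "$env:SystemRoot\System32\drivers\afd.sys"
    # FileVersion looks like "10.0.22621.3958 (WinBuild.160101.0800)"; keep the numeric part.
    $m = [regex]::Match($afd.VersionInfo.FileVersion, '\d+(\.\d+){1,3}')
    [pscustomobject]@{
        Path      = $afd.FullName
        Version   = [version]$m.Value
        Signature = (Get-AuthenticodeSignature $afd.FullName).Status   # catalog-signed: expect Valid
    }
}

function Test-AfdPatched {
    param([version]$MinimumVersion = $AssumedPatchedAfdVersion)
    $info = Get-AfdDriverInfo
    if (-not $MinimumVersion) {
        return "afd.sys $($info.Version): set a verified minimum version to get a verdict"
    }
    if ($info.Version -ge $MinimumVersion) {
        "afd.sys $($info.Version): at or above $MinimumVersion (patched)"
    } else {
        "afd.sys $($info.Version): BELOW $MinimumVersion, install the August 2024 update"
    }
}

# Updates installed on or after the August 2024 Patch Tuesday (13 Aug 2024). Get-HotFix
# only lists updates recorded in the QFE store, so an empty result means "check WSUS/Intune",
# not "unpatched".
function Get-RecentUpdates {
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2024-08-13' } |
        Select-Object HotFixID, Description, InstalledOn
}

# HVCI (memory integrity) and the Microsoft vulnerable driver blocklist raise the bar for
# BYOVD. Neither stops an exploit against a built-in signed driver such as afd.sys or
# appid.sys; for those, only the patch helps.
function Get-KernelMitigationState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = 'not set (OS default applies)'
    if ($null -ne $ci.VulnerableDriverBlocklistEnable) { $blocklist = [bool]$ci.VulnerableDriverBlocklistEnable }
    [pscustomobject]@{
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)   # 2 = HVCI
        VulnerableDriverBlocklist = $blocklist
    }
}

# Running kernel drivers loaded from outside %SystemRoot%\System32: a cheap BYOVD hunt.
# Legitimate vendor drivers can appear here too, so review the list rather than alerting on every hit.
function Get-NonSystemRunningDrivers {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -and $_.PathName -notlike '*\System32\*' } |
        Select-Object Name, PathName
}

Test-AfdPatched
Get-RecentUpdates
Get-KernelMitigationState
Get-NonSystemRunningDrivers
```

Read the output with the article's point in mind: a host with HVCI on and the driver blocklist enabled is better placed against a BYOVD loader, but it is still fully exposed to CVE-2024-38193 until the afd.sys version check passes, because the vulnerable driver is Microsoft's own and is loaded on every boot.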