Saturday, November 30, 2024

Windows driver zero-day exploited by Lazarus hackers to install rootkit



The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems.

Microsoft fixed the flaw, tracked as CVE-2024-38193, during its August 2024 Patch Tuesday, along with seven other zero-day vulnerabilities.

CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), which acts as an entry point into the Windows kernel for the Winsock protocol.

The flaw was discovered by Gen Digital researchers, who say that the Lazarus hacking group exploited the AFD.sys flaw as a zero-day to install the FUDModule rootkit, which is used to evade detection by turning off Windows monitoring features.

“In early June, Luigino Camastra and Milanek found that the Lazarus group was exploiting a hidden security flaw in an important part of Windows referred to as the AFD.sys driver,” warned Gen Digital.

“This flaw allowed them to gain unauthorized access to sensitive system areas. We additionally found that they used a particular sort of malware referred to as Fudmodule to hide their activities from security software.”

A Bring Your Own Vulnerable Driver attack is when attackers install drivers with known vulnerabilities on targeted machines, which are then exploited to gain kernel-level privileges. Threat actors often abuse third-party drivers, such as antivirus or hardware drivers, which require high privileges to interact with the kernel.

What makes this particular vulnerability more dangerous is that it was in AFD.sys, a driver that is installed by default on all Windows devices. This allowed the threat actors to conduct this type of attack without having to install an older, vulnerable driver that may be blocked by Windows and easily detected.

The Lazarus group has previously abused the Windows appid.sys and Dell dbutil_2_3.sys kernel drivers in BYOVD attacks to install FUDModule.
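The detection gap described above can be shown with driver-load triage. This is an added example, not code from Gen Digital or Microsoft: the events are constructed, their `ImageLoaded` field follows the shape of Sysmon Event ID 6 records, and the host names and paths are assumptions.

```python
import ntpath

# Driver file name the article says was brought along in earlier BYOVD attacks.
KNOWN_ABUSED = {"dbutil_2_3.sys"}
# Drivers named in the article that ship with Windows; expected only in INBOX_DIR.
INBOX = {"afd.sys", "appid.sys"}
INBOX_DIR = r"c:\windows\system32\drivers"

# Constructed sample records shaped like Sysmon Event ID 6 (driver loaded).
EVENTS = [
    {"Computer": "ws-01", "ImageLoaded": r"C:\Windows\System32\drivers\afd.sys"},
    {"Computer": "ws-02", "ImageLoaded": r"C:\Users\Public\DBUtil_2_3.sys"},
    {"Computer": "ws-03", "ImageLoaded": r"C:\ProgramData\tmp\appid.sys"},
    {"Computer": "ws-04", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

def classify(event):
    """Return a triage verdict for one driver-load record."""
    path = event["ImageLoaded"].lower()  # Windows paths are case-insensitive
    folder, name = ntpath.split(path)
    if name in KNOWN_ABUSED:
        # A dropped third-party driver: visible to name or hash blocklists.
        return "alert: known-vulnerable driver loaded"
    if name in INBOX and folder != INBOX_DIR:
        # An inbox driver name outside the system driver directory is suspicious.
        return "alert: inbox driver name loaded from unexpected path"
    if name in INBOX:
        # The AFD.sys case: the load looks normal, so only patch state helps.
        return "no alert: inbox driver, verify patch level instead"
    return "no alert"

def triage(events):
    """Map each host to the verdict for its driver-load record."""
    return {e["Computer"]: classify(e) for e in events}

if __name__ == "__main__":
    for host, verdict in triage(EVENTS).items():
        print(host, "->", verdict)
```

The `ws-01` record is the point: a vulnerable in-box AFD.sys loads from its normal location and raises nothing, so coverage for CVE-2024-38193 depends on confirming the August 2024 update is installed rather than on driver-load alerts.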

The Lazarus hacking group

While Gen Digital did not share details about who was targeted in the attack and when the attacks occurred, Lazarus is known to target financial and cryptocurrency firms in million-dollar cyberheists used to fund the North Korean government's weapons and cyber programs.

The group gained notoriety after the 2014 Sony Pictures blackmail hack and the 2017 global WannaCry ransomware campaign that encrypted businesses worldwide.

In April 2022, the US government linked the Lazarus group to a cyberattack on Axie Infinity that allowed the threat actors to steal over $617 million worth of cryptocurrency.

The US government offers a reward of up to $5 million for tips on the DPRK hackers' malicious activity to help identify or locate them.
