    North Korean hackers launch zero-day attack on Windows users
    Lazarus group linked to Windows vulnerability exploitation

    By Mudit Dube
    Aug 20, 2024
    12:57 pm

    What's the story

    A zero-day vulnerability in Windows, recently rectified by Microsoft, was exploited by hackers believed to be operating on behalf of the North Korean government.

    The security flaw, identified as CVE-2024-38193, was one of six zero-days addressed in Microsoft's latest monthly update.

This particular vulnerability is a "use after free" bug located in AFD.sys, the ancillary function driver for Winsock, which serves as the kernel entry point for the Winsock API.

    Exploitation risk

    Security flaw could grant hackers system privileges

    Microsoft warned that the zero-day vulnerability could potentially be exploited by hackers to gain system privileges.

System privileges are the highest level of rights available on Windows, and are necessary for executing untrusted code.

    The tech giant acknowledged active exploitation of this vulnerability but did not provide specifics regarding who was responsible or their ultimate goal.

    Zero-day attacks are particularly dangerous because they are often highly targeted and can be difficult to detect and defend against.

    Threat identification

    Lazarus group linked to Windows vulnerability exploitation

Security firm Gen, which first identified the attacks and privately reported them to Microsoft, has now revealed that the threat actors are part of the 'Lazarus' hacking group, believed to be backed by the North Korean government.

    "The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can't reach," Gen researchers stated.

They highlighted the sophistication of this type of attack, noting that such an exploit could command a high price on the black market.

    Malware installation

    Lazarus group used exploit to install FudModule malware

    Gen's researchers have disclosed that the Lazarus group was using the exploit to install FudModule, a sophisticated malware first identified and analyzed in 2022.

    This malware, known as a rootkit, is named after the FudModule.dll file once present in its export table.

Rootkits are distinguished by their ability to conceal their own processes and to control the deepest levels of an operating system.

    Security bypass

    FudModule variants bypassed key Windows defenses

    Earlier this year, a new variant of FudModule was discovered by security firm Avast.

    This version was able to bypass key Windows defenses such as Endpoint Detection and Response, and Protected Process Light.

    The Lazarus group had previously used a technique called "bring your own vulnerable driver" to install earlier versions of FudModule.

However, the variant identified by Avast was installed by exploiting a bug in appid.sys, a driver associated with the Windows AppLocker service.
