Windows driver zero-day exploited by Lazarus hackers to install rootkit

August 19, 2024 at 11:37PM

The North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to install the FUDModule rootkit on targeted systems. Microsoft fixed the flaw (CVE-2024-38193) in August 2024, along with seven other zero-day vulnerabilities. Gen Digital warned about the activities and targeting of the notorious group, which is known for its cyberheists.

Key takeaways from the article are as follows:

– The North Korean Lazarus hacking group exploited a zero-day vulnerability in the AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems.
– Microsoft addressed the vulnerability, tracked as CVE-2024-38193, during the August 2024 Patch Tuesday along with seven other zero-day vulnerabilities.
– CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys).
– Gen Digital researchers discovered the flaw and reported that the Lazarus group used it to install the FUDModule rootkit in an attempt to evade detection.
– Because the AFD.sys driver is installed by default on all Windows devices, this vulnerability was particularly dangerous: it let the threat actors carry out this type of attack without first installing an older, vulnerable driver that might be easily detected.
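The takeaways above describe why a flaw in a built-in driver sidesteps the usual Bring Your Own Vulnerable Driver (BYOVD) controls. The following PowerShell script is an added example for defenders, not code from the article, from Gen Digital or from Microsoft. It checks the three things a practitioner would want to confirm on a fleet: that the on-disk AFD.sys is at a patched build, that HVCI and Microsoft's vulnerable driver blocklist are enabled, and that no running kernel driver matches a local hash blocklist or carries a non-Microsoft signature. The patched version number and the blocklist hashes are constructed placeholders (the article gives neither); the `Win32_DeviceGuard` CIM class and the `VulnerableDriverBlocklistEnable` registry value are standard Windows interfaces, and everything else is built from standard cmdlets.

```powershell
# Added example, not code from the article or from Gen Digital/Microsoft.
# Defender-side triage for the BYOVD risk described above. Run in an elevated
# Windows PowerShell 5.1+ session.
# PLACEHOLDERS: $PatchedAfdVersion and the keys of $BlockedDriverHashes are constructed
# values; take the real ones from the Microsoft advisory for CVE-2024-38193 and from
# your own driver blocklist feed.

$PatchedAfdVersion   = [version]'10.0.0.0'   # PLACEHOLDER: minimum patched AFD.sys build
$BlockedDriverHashes = @{                     # PLACEHOLDER: SHA-256 -> label
    '0000000000000000000000000000000000000000000000000000000000000000' = 'example-blocked-driver'
}

function Test-AfdPatchLevel {
    # Compare the file version of the built-in AFD.sys with the minimum patched build.
    $afd = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\afd.sys')
    $ver = $afd.VersionInfo.FileVersionRaw     # parsed [version], unlike the FileVersion string
    [pscustomobject]@{
        Driver    = $afd.FullName
        Version   = $ver
        IsPatched = ($ver -ge $PatchedAfdVersion)
    }
}

function Get-DriverProtectionStatus {
    # HVCI and the vulnerable driver blocklist both raise the bar for loading a known-bad
    # driver, which is what classic BYOVD depends on. SecurityServicesRunning value 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        VulnerableDriverBlocklist = [bool]($ci.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver.PathName uses kernel-style prefixes; map them to a Win32 path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p.TrimStart('\') }
    return $p
}

function Find-SuspiciousLoadedDrivers {
    # Hash every running kernel driver; report blocklist matches and non-Microsoft signers.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path $path)) { return }   # skip entries we cannot resolve on disk
            $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Name        = $_.Name
                Path        = $path
                Sha256      = $hash
                Signer      = $signer
                Blocklisted = $BlockedDriverHashes.ContainsKey($hash)
                Microsoft   = ($signer -like '*Microsoft*')
            }
        } |
        Where-Object { $_.Blocklisted -or -not $_.Microsoft }
}

Test-AfdPatchLevel
Get-DriverProtectionStatus
Find-SuspiciousLoadedDrivers | Format-Table -AutoSize
```

Note the division of labour between the checks: the signer and hash scan is the control that catches a dropped third-party driver, but it will never flag AFD.sys itself because it is Microsoft-signed and present on every host. For this CVE the patch-level check is the one that matters, which is exactly the point the article makes about why abusing a built-in driver is attractive.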

Additionally, the article outlines the notoriety and past cyber activities of the Lazarus hacking group, their known targets, and their involvement in cyberheists and ransomware campaigns. It also notes the US government's reward for information related to the group's malicious activity.
