November 14, 2024

LAZARUS STRIKES AGAIN — Windows 0-day was exploited by North Korea to install advanced rootkit FudModule rootkit burrows deep into Windows, where it can bypass key security defenses.

Dan Goodin – Aug 19, 2024 11:37 pm UTC EnlargeGetty Images reader comments 36

A Windows zero-day vulnerability recently patched by Microsoft was exploited by hackers working on behalf of the North Korean government so they could install custom malware thats exceptionally stealthy and advanced, researchers reported Monday.

The vulnerability, tracked as CVE-2024-38193, was one of six zero-daysmeaning vulnerabilities known or actively exploited before the vendor has a patchfixed in Microsofts monthly update release last Tuesday. Microsoft said the vulnerabilityin a class known as a “use after free”was located in AFD.sys, the binary file for whats known as the ancillary function driver and the kernel entry point for the Winsock API. Microsoft warned that the zero-day could be exploited to give attackers system privileges, the maximum system rights available in Windows and a required status for executing untrusted code. Lazarus gets access to the Windows kernel

Microsoft warned at the time that the vulnerability was being actively exploited but provided no details about who was behind the attacks or what their ultimate objective was. On Monday, researchers with Genthe security firm that discovered the attacks and reported them privately to Microsoftsaid the threat actors were part of Lazarus, the name researchers use to track a hacking outfit backed by the North Korean government.

The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach, Gen researchers reported. This type of attack is both sophisticated and resourceful, potentially costing several hundred thousand dollars on the black market. This is concerning because it targets individuals in sensitive fields, such as those working in cryptocurrency engineering or aerospace to get access to their employers networks and steal cryptocurrencies to fund attackers operations.

Mondays blog post said that Lazarus was using the exploit to install FudModule, a sophisticated piece of malware discovered and analyzed in 2022 by researchers from two separate security firms: AhnLab and ESET. Named after the FudModule.dll file that once was present in its export table, FudModule is a type of malware known as a rootkit. It stood out for its ability to operate robustly in the deep in the innermost recess of Windows, a realm that wasnt widely understood then or now. That capability allowed FudModule to disable monitoring by both internal and external security defenses.

Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and, at the same time, control the deepest levels of the operating system. To work, rootkits must first gain system privileges and go on to directly interact with the kernel, the area of an operating system reserved for the most sensitive functions. The FudModule variants discovered by AhnLabs and ESET were installed using a technique called “bring your own vulnerable driver,” which involves installing a legitimate driver with known vulnerabilities to gain access to the kernel.

Further ReadingHackers exploited Windows 0-day for 6 months after Microsoft knew of itEarlier this year, researchers from security firm Avast spotted a newer FudModule variant that bypassed key Windows defenses such as Endpoint Detection and Response, and Protected Process Light. Microsoft took six months after Avast privately reported the vulnerability to fix it, a delay that allowed Lazarus to continue exploiting it.

Whereas Lazarus used “bring your own vulnerable driver” to install earlier versions of FudModule, group members installed the variant discovered by Avast by exploiting a bug in appid.sys, a driver enabling the Windows AppLocker service, which comes preinstalled in Windows. Avast researchers said at the time the Windows vulnerability exploited in those attacks represented a holy grail for hackers because it was baked directly into the OS rather than having to be installed from third-party sources.

A conglomerate comprising brands Norton, Norton Lifelock, Avast, and Avira, among others, Gen didnt provide critical details, including when Lazarus started exploiting CVE-2024-38193, how many organizations were targeted in the attacks, and whether the latest FudModule variant was detected by any endpoint protection services. There are also no indicators of compromise. Representatives of the company didnt respond to emails. reader comments 36 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Advertisement Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars