A recently patched security flaw in Microsoft Windows was exploited as a zero-day Lazar’s groupa prolific state-funded actor with ties to North Korea.
A security vulnerability tracked as CVE-2024-38193 (CVSS score: 7.8) was described as an elevation of privilege error in the Windows Auxiliary Functions Driver (AFD.sys) for WinSock.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges” – Microsoft said in a deficiency advisory last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update.
Gen Digital researchers Luigino Camastro and Milanek are credited with discovering and reporting the flaw. Gen Digital owns a number of security software and utility brands such as Norton, Avast, Avira, AVG, ReputationDefender and CCleaner.
“This flaw allowed them to gain unauthorized access to confidential areas of the system,” the company said in a statement. opened last week, adding that the exploit discovered in early June 2024 “The vulnerability allowed attackers to bypass normal security restrictions and gain access to sensitive areas of the system that most users and administrators cannot access.”
The cybersecurity vendor also noted that the attacks were characterized by the use of a rootkit called FudModule in an attempt to avoid detection.
While the exact technical details surrounding the intrusions are currently unknown, the vulnerability resembles another privilege escalation that Microsoft patched in February 2024, and which was also used by the Lazarus Group to deprecate FudModule.
In particular, it entailed the exploitation of CVE-2024-21338 (CVSS Score: 7.8), a Windows kernel privilege escalation flaw in the AppLocker driver (appid.sys) that allows arbitrary code execution that bypasses all security checks and launches the FudModule rootkit.
Both of these attacks are unique in that they go beyond the traditional Bring Your Own Vulnerable Driver (BYOVD) attack by exploiting a security flaw in a driver already installed on a Windows host, as opposed to “poaching” a vulnerable driver and using it to bypass security measures .
Previous attacks, detailed by cybersecurity firm Avast, have shown that the rootkit is delivered via a remote access Trojan known as Kaolin RAT.
“FudModule is loosely integrated into the rest of the Lazarus malware ecosystem,” the Czech company said at the time, saying that “Lazarus uses the rootkit very carefully, deploying it only on demand under the right circumstances.”
