Windows zero-day vulnerability exploited by North Korea to develop sophisticated rootkit to install malware



It has been revealed that a zero-day vulnerability in Windows was exploited by hackers operating from North Korea to install highly stealthy and sophisticated malware on users' machines.

Gen Blogs | Safeguarding Digital Freedom: How a Gen Discovery Helped to Protect Windows Users Everywhere

https://www.gendigital.com/blog/news/innovation/protecting-windows-users



Windows 0-day was exploited by North Korea to install advanced rootkit | Ars Technica

https://arstechnica.com/security/2024/08/windows-0-day-was-exploited-by-north-korea-to-install-advanced-rootkit/

The vulnerability in question is CVE-2024-38193, which Microsoft describes as a 'privilege elevation vulnerability in the Windows Ancillary Function Driver for WinSock.' According to Microsoft, an attacker who successfully exploits this vulnerability can gain SYSTEM privileges. Microsoft has already released a patch, but evidence of exploitation has been confirmed.
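The patch-status check below is an added example written for this article; it is not code from Gen, Avast, Microsoft or Ars Technica. It reports whether the installed afd.sys is at or above a minimum file version, whether its signature verifies, and whether a given update KB is installed. The minimum version (`$MinimumAfdVersion`) and KB number (`$ExpectedKb`) are placeholders, not values from the article; replace them with the fixed driver version and update identifier from Microsoft's advisory for CVE-2024-38193 before relying on the verdict.

```powershell
# Added example, not from the article: a defender's patch-status check for the
# AFD.sys privilege-escalation bug (CVE-2024-38193) described above.
# PLACEHOLDERS (assumptions, not values from the article): $MinimumAfdVersion and
# $ExpectedKb must be replaced with the fixed afd.sys file version and the KB id
# of the fixing update, both taken from Microsoft's advisory for CVE-2024-38193.

$AfdPath           = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
$MinimumAfdVersion = [version]'0.0.0.0'     # placeholder: fixed afd.sys file version
$ExpectedKb        = 'KB0000000'            # placeholder: KB id of the fixing update

function Get-AfdPatchStatus {
    [CmdletBinding()]
    param(
        [string]  $Path           = $AfdPath,
        [version] $MinimumVersion = $MinimumAfdVersion,
        [string]  $Kb             = $ExpectedKb
    )

    $result = [ordered]@{
        Path           = $Path
        Present        = Test-Path -LiteralPath $Path
        FileVersion    = $null
        VersionOk      = $false
        SignatureState = 'Unknown'
        SignatureOk    = $false
        KbInstalled    = $false
        Verdict        = 'UNKNOWN'
    }

    # Refuse to give a verdict while the placeholders are still in place; with
    # a 0.0.0.0 minimum every driver would otherwise look "patched".
    $placeholdersSet = ($MinimumVersion -ne [version]'0.0.0.0') -and ($Kb -ne 'KB0000000')

    if ($result.Present) {
        # Build a comparable version from the PE version resource parts; the
        # FileVersion string can carry a build tag, so it is not cast directly.
        $vi = (Get-Item -LiteralPath $Path).VersionInfo
        $result.FileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                             $vi.FileBuildPart, $vi.FilePrivatePart)
        $result.VersionOk = $result.FileVersion -ge $MinimumVersion

        # afd.sys is catalog-signed; Get-AuthenticodeSignature resolves catalog
        # signatures on supported Windows versions and reports Valid, NotSigned, etc.
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $result.SignatureState = [string]$sig.Status
        $result.SignatureOk    = ($sig.Status -eq 'Valid')
    }

    # Get-HotFix reads the installed-updates (QFE) list; a cumulative update that
    # ships the fixed driver appears there under its KB id.
    $result.KbInstalled = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    $verdict = if (-not $placeholdersSet)        { 'SET PLACEHOLDERS FROM THE ADVISORY FIRST' }
               elseif (-not $result.Present)     { 'AFD.SYS MISSING' }
               elseif (-not $result.SignatureOk) { 'DRIVER SIGNATURE INVALID - INVESTIGATE' }
               elseif ($result.VersionOk -or $result.KbInstalled) { 'PATCHED' }
               else                              { 'UNPATCHED - APPLY UPDATE' }
    $result.Verdict = $verdict

    return [pscustomobject]$result
}

# Usage: run in an elevated PowerShell session on the host being checked.
Get-AfdPatchStatus | Format-List
```

The version comparison and the KB lookup are deliberately both reported: an out-of-band driver replacement or a superseding cumulative update can make one signal stale while the other still tells the truth, and an invalid signature on a core networking driver is worth investigating regardless of the patch level.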

While Microsoft warned that the vulnerability was being actively exploited, it did not provide any details about who was behind the attacks or their ultimate goal. However, researchers at security firm Gen have revealed that the attacks are the work of a North Korea-based criminal group called Lazarus.



According to Gen, Lazarus exploited a 'hidden security flaw in a critical part of Windows' called the AFD.sys driver, which allowed attackers to bypass normal security restrictions and access sensitive system areas that are inaccessible to most users and administrators.

Gen noted that the purpose of the attack was to target individuals in sensitive fields, such as those working in crypto engineering and aerospace, in order to gain access to their employers' networks and steal cryptocurrencies to fund the attackers' operations. 'These types of attacks are sophisticated and resourceful, and could result in hundreds of thousands of dollars in losses on the black market,' Gen researchers said.

According to the investigation, Lazarus exploited the vulnerability to install 'FudModule,' a type of malware known as a 'rootkit.' FudModule operates in sensitive areas of Windows and can disable monitoring by both built-in and third-party security defenses.

Lazarus installed a FudModule variant by exploiting a bug in the driver appid.sys, which underpins the built-in Windows AppLocker feature. According to security firm Avast, the Windows vulnerabilities exploited in these attacks are 'like the Holy Grail' for hackers because the vulnerable components are built directly into the OS, with no need to install anything from a third-party source.



The vulnerability was privately reported to Microsoft by Avast in early 2024, and it took six months for it to be fixed.

in Security, Posted by log1p_kr