North Korean hackers launch zero-day attack on Windows users
A zero-day vulnerability in Windows, recently patched by Microsoft, was exploited by hackers believed to be operating on behalf of the North Korean government. The flaw, tracked as CVE-2024-38193, was one of six zero-days addressed in Microsoft's latest monthly update. It is a use-after-free bug in AFD.sys, the Ancillary Function Driver for WinSock: the kernel-mode driver that implements the kernel side of the Winsock API, which means the vulnerable code is reachable from ordinary user-mode programs that open sockets.
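The article names the bug class but does not show it. The following is an added illustration, not code from the article or from any of the vendors or researchers it mentions, and it says nothing about the actual AFD.sys bug. It uses a toy slot allocator (all names such as sock_obj, raw_alloc and safe_get are hypothetical) so that the consequence of a use-after-free is deterministic rather than undefined behaviour: a stale pointer silently reads an object that a second, attacker-controlled allocation has placed in the same memory, which is exactly what a kernel UAF exploit sets up. The hardened variant replaces raw pointers with generation-checked handles, so a stale reference is rejected instead of aliasing the new object.

```c
/* Added example (not from the article): use-after-free on a toy slot allocator.
 * Hypothetical names throughout; a real kernel UAF is undefined behaviour and
 * would not behave this predictably. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 4

typedef struct {
    uint32_t owner;       /* which "socket" owns this object */
    char     data[16];
} sock_obj;

typedef struct {
    sock_obj obj;         /* must stay the first member (see raw_free) */
    int      in_use;
    uint32_t generation;  /* bumped on every free; checked by the hardened API */
} slot;

static slot pool[NSLOTS];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Naive allocator: hands out raw pointers and reuses the first free slot. */
static sock_obj *raw_alloc(uint32_t owner) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].obj.owner = owner;
            memset(pool[i].obj.data, 0, sizeof pool[i].obj.data);
            return &pool[i].obj;
        }
    }
    return NULL;
}

static void raw_free(sock_obj *o) {
    slot *s = (slot *)o;  /* valid because obj is the first member of slot */
    s->in_use = 0;
    s->generation++;
}

/* Vulnerable flow: one code path frees the object while another still holds
 * a pointer to it. The attacker then allocates an object of the same size so
 * it lands in the freed slot; the stale pointer now reads attacker data. */
uint32_t vulnerable_flow(void) {
    pool_reset();
    sock_obj *a = raw_alloc(1);
    strcpy(a->data, "legit");
    sock_obj *stale = a;          /* second reference, never invalidated */
    raw_free(a);
    sock_obj *b = raw_alloc(2);   /* attacker's allocation reuses the slot */
    strcpy(b->data, "attacker");
    return stale->owner;          /* returns 2: the attacker's object */
}

/* Hardened API: callers hold (index, generation) handles, not pointers.
 * A handle whose generation no longer matches the slot is rejected. */
typedef struct { int idx; uint32_t gen; } handle;

static handle safe_alloc(uint32_t owner) {
    sock_obj *o = raw_alloc(owner);
    if (!o) return (handle){ -1, 0 };
    slot *s = (slot *)o;
    return (handle){ (int)(s - pool), s->generation };
}

static sock_obj *safe_get(handle h) {
    if (h.idx < 0 || h.idx >= NSLOTS) return NULL;
    slot *s = &pool[h.idx];
    if (!s->in_use || s->generation != h.gen) return NULL;  /* stale handle */
    return &s->obj;
}

static void safe_free(handle h) {
    sock_obj *o = safe_get(h);
    if (o) raw_free(o);
}

/* Same sequence of operations; the stale handle now resolves to NULL. */
int hardened_flow(void) {
    pool_reset();
    handle a = safe_alloc(1);
    handle stale = a;
    safe_free(a);
    handle b = safe_alloc(2);
    strcpy(safe_get(b)->data, "attacker");
    return safe_get(stale) == NULL;  /* 1: stale reference rejected */
}

int main(void) {
    printf("vulnerable: stale pointer sees owner %u\n", vulnerable_flow());
    printf("hardened:   stale handle rejected = %d\n", hardened_flow());
    return 0;
}
```

Generation-tagged handles are one mitigation for this class; reference counting on the object, or clearing every alias at the point of free, are others, and a kernel driver typically needs the locking around the free to be correct as well, since the stale reference in a real UAF usually comes from a concurrent path rather than a sequential one.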
Security flaw could grant hackers system privileges
Microsoft warned that the vulnerability could be exploited to gain SYSTEM privileges, the highest level of rights available on Windows, which let attacker-controlled code run with full control of the operating system. The company acknowledged active exploitation but gave no details about who was responsible or what they were after. Zero-day attacks are particularly dangerous because they are often highly targeted and, by definition, occur before a patch or detection signature exists, which makes them difficult to detect and defend against.
Lazarus group linked to Windows vulnerability exploitation
Security firm Gen, which first identified the attacks and privately reported them to Microsoft, has now revealed that the threat actors are part of 'Lazarus', a hacking group believed to be backed by the North Korean government. "The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can't reach," Gen researchers stated. They characterised the attack as sophisticated and noted that an exploit of this kind commands a high price on the black market.
Lazarus group used exploit to install FudModule malware
Gen's researchers disclosed that Lazarus used the exploit to install FudModule, a sophisticated rootkit first identified and analyzed in 2022. The malware takes its name from the FudModule.dll file once present in its export table. A rootkit is malware built to hide its own presence, including its processes and activity, while operating at the deepest levels of the operating system, which is why a kernel-level privilege escalation is the natural way to install one.
FudModule variants bypassed key Windows defenses
Earlier this year, security firm Avast identified a new FudModule variant that could bypass key Windows defenses, including endpoint detection and response (EDR) products and Protected Process Light (PPL). Lazarus had previously installed earlier FudModule versions using a "bring your own vulnerable driver" (BYOVD) technique, in which a legitimately signed but exploitable third-party driver is loaded onto the victim machine to obtain kernel access. The variant Avast analyzed instead exploited a bug in appid.sys, the kernel driver that backs the Windows AppLocker feature. Exploiting a driver that ships with Windows removes the most visible tell-tale of BYOVD, the loading of an unexpected third-party driver, and the AFD.sys zero-day described above continues that shift toward built-in kernel components.