North Korean Hacker Group Lazarus Actively Exploiting Windows Vulnerability for Attacks
This month, Microsoft fixed several high-risk security vulnerabilities in its security update, some of which have already been exploited by hackers. For example, the CVE-2024-38193 vulnerability has been exploited by the North Korean hacker group Lazarus to launch attacks.
This vulnerability is a typical Use-After-Free (UAF) bug located in the Windows Auxiliary Function Driver binary (AFD.sys), which is also the kernel entry point for the Winsock API.
Once the vulnerability is successfully exploited, hackers can gain system-level privileges, up to the highest privilege level in Windows (SYSTEM), and can execute untrusted code with those privileges.
Security researchers state the attacks are initiated by the Lazarus group:
Microsoft's security bulletin indeed mentions that the vulnerability has been actively exploited but did not disclose the codename of the exploiting hacker group. However, the security researchers who initially discovered the vulnerability claim that it was the Lazarus group that launched the attacks.
Gen (the security research company that discovered and reported the vulnerability to Microsoft) stated that the vulnerability allows attackers to bypass normal security restrictions and access sensitive system areas that are inaccessible to most users and administrators. Such attacks are complex and cunning, potentially worth hundreds of thousands of dollars on the black market.
Typically, hackers who exploit such vulnerabilities and launch attacks have strong backgrounds and target specific individuals, such as engineers working on cryptocurrency engineering or those in the aviation field.
Researchers revealed their tracing and tracking results, showing that the Lazarus group is using the vulnerability to install a complex piece of malware named FudModule, which had been discovered by researchers from AhnLab and ESET in 2022.
Lazarus deployed rootkit malware:
FudModule is the name given by security researchers to this piece of malware; the name comes from the file name FudModule.dll found in its export table.
The Czech security company Avast discovered a variant of FudModule earlier this year that can bypass critical defense measures of the Windows system, such as bypassing endpoint detection and response and protected processes.
It's noteworthy that Avast also revealed it took Microsoft 6 months to fix the vulnerability after being notified, extending the duration of the Lazarus group's attacks by half a year.
This variant also uses a vulnerability in appid.sys, the driver file for the Windows AppLocker service. Because that driver is pre-installed in Windows, it is easier for hackers to install the variant.