Lazarus uses a 0-day to install a rootkit.
The Lazarus group exploited a zero-day vulnerability in the Windows driver AFD.sys to escalate privileges and install the FUDModule rootkit, which disables Windows monitoring functions and hides malicious activity. AFD.sys is the Ancillary Function Driver for WinSock, the kernel-mode component behind the Winsock networking API, which makes a flaw in it a direct path from user mode into the operating system kernel.
The flaw, CVE-2024-38193 (CVSS score 7.8), was fixed as part of the August 2024 Patch Tuesday release. It stands out because it gives the same result as a Bring Your Own Vulnerable Driver (BYOVD) attack, in which attackers load a signed but vulnerable driver onto the target system and then abuse it to gain kernel-level privileges, except that here the attacker does not have to bring a driver at all.
The particular risk with AFD.sys is that the driver is present by default on every Windows installation. Attackers therefore do not need to install an old vulnerable driver, which Windows security mechanisms can block and defenders can easily detect. This makes the exploitation quieter and more reliable.
The vulnerability was discovered by Gen Digital. Its researchers observed the Lazarus group using the bug to install the FUDModule rootkit, which hides its actions from security tools. They stress that attacks of this kind are a serious threat because they give attackers unauthorized access to the most privileged parts of the system.
Gen Digital has not disclosed who was targeted or when the attack occurred. Lazarus has used similar methods before, exploiting the vulnerable drivers appid.sys and dbutil_2_3.sys to install FUDModule.
Source
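The post above describes why an in-box driver bug is worse than a classic BYOVD case: there is no third-party driver to block. The practical check is therefore whether the host has taken the August update and whether the driver-blocklist and HVCI protections that do cover the appid.sys/dbutil_2_3.sys route are active. The PowerShell below is an added example and not code from the original post or from Gen Digital. It reports the installed afd.sys file version, the most recent Windows updates, the Microsoft Vulnerable Driver Blocklist setting and HVCI state. The patched afd.sys version differs per Windows build, so the `-MinimumAfdVersion` parameter is an assumption the operator fills in from the Microsoft advisory; the script itself makes no claim about which version is fixed.

```powershell
# Added example, not part of the original post: local exposure check for the
# AFD.sys elevation-of-privilege issue discussed above. Run from an elevated shell.
# $MinimumAfdVersion is an assumption supplied by the operator from the Microsoft
# advisory for their Windows build; nothing here hard-codes a fixed version.

function Get-AfdDriverVersion {
    # Build a [version] from the numeric parts rather than parsing the display
    # string, which carries a "(WinBuild....)" suffix that will not cast cleanly.
    $vi = (Get-Item -Path "$env:SystemRoot\System32\drivers\afd.sys").VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Get-VulnerableDriverBlocklistState {
    # Documented policy value. Absent means the platform default applies:
    # on by default from Windows 11 22H2; older builds enforce the list only with HVCI on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $value = Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    if ($null -eq $value) { return 'NotConfigured' }
    if ($value.VulnerableDriverBlocklistEnable -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Test-HvciRunning {
    # SecurityServicesRunning contains 2 when Hypervisor-Enforced Code Integrity is active.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
}

function Test-AfdExposure {
    param(
        # Assumption: the fixed afd.sys version for this build, taken from the advisory.
        [version]$MinimumAfdVersion
    )

    $afdVersion = Get-AfdDriverVersion

    # Most recent updates with a recorded install date, newest first, so the
    # operator can see at a glance whether anything landed after Patch Tuesday.
    $recentUpdates = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn

    # $null when no baseline was supplied, so a missing input is never reported as "patched".
    $meetsBaseline = if ($MinimumAfdVersion) { $afdVersion -ge $MinimumAfdVersion } else { $null }

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        AfdDriverVersion          = $afdVersion
        MeetsMinimumAfdVersion    = $meetsBaseline
        RecentUpdates             = $recentUpdates
        VulnerableDriverBlocklist = Get-VulnerableDriverBlocklistState
        HvciRunning               = Test-HvciRunning
    }
}

# Usage: add -MinimumAfdVersion ([version]'<fixed version from the advisory>') to get
# a true/false verdict; without it the object only reports what is installed.
Test-AfdExposure | Format-List
```

Two caveats when reading the output. The Vulnerable Driver Blocklist and HVCI address the third-party-driver variant of this technique (the dbutil_2_3.sys case); they do nothing for a bug in an in-box driver such as afd.sys, where the only fix is the update itself. And because FUDModule's purpose is to blind monitoring, any check run on an already compromised host reports what the rootkit lets it see; treat these results as a pre-compromise baseline, or corroborate them from telemetry collected off the box.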