Lazarus Espionage Group’s Sophisticated Malware Evades Antivirus Monitoring
North Korea’s Lazarus hacking team has been exploiting a zero-day vulnerability in Microsoft Windows to install malware on targeted devices – again.
As part of its monthly Patch Tuesday series of updates, Microsoft on Aug. 13 patched the Windows Ancillary Function Driver – Afd.sys – for WinSock to fix a zero-day flaw designated CVE-2024-38193. Security experts advise users to install the fix as quickly as possible, after Microsoft warned it’s being exploited in the wild.
Exploiting the vulnerability allows attackers to escalate privileges. “Successful exploitation is via a use-after-free memory management bug, and could lead to system privileges,” security firm Rapid7 said on Aug. 13. “The advisory doesn’t provide further clues, but with existing in-the-wild exploitation, low attack complexity, no user interaction involved and low privileges required, this is one to patch immediately to keep malware at bay.”
That warning turned out to be prescient, as two Avast security researchers – who identified the flaw and reported it to Microsoft in early June – reported Friday that before Microsoft patched the flaw, it was being exploited by Lazarus, a nation-state hacking group tied to the government of North Korea.
The researchers, Luigino Camastra and Martin Milanek, said the goal behind attackers’ “admin-to-kernel driver exploit” was to get a rootkit called Fudmodule onto the targeted systems. “We believe that stealth was their primary motivation,” the researchers said of the attackers’ decision to target a zero-day vulnerability as part of the attack chain.
Using Fudmodule allowed the attackers “to hide their activities from security software,” they said.
The researchers didn’t detail how many organizations may have been targeted or what industries they are in, but Lazarus and its affiliated nation-state hacking groups have a penchant for stealing massive quantities of cryptocurrency to service the perpetually cash-starved regime of North Korea (see: North Korea’s Supercharged State-Backed Cryptocurrency Theft).
North Korea is the rare state that backs for-profit hacking, using stolen money to fund development of weapons of mass destruction and to infuse Pyongyang with hard currency. The government also deploys its hacking teams to steal intelligence pertaining to Western governments’ nuclear facilities, research institutes and defense systems.
Repeat Targeting of Windows Drivers
If this exploit sounds familiar, that’s because North Korean hackers continue to pursue admin-to-kernel driver hacking.
In February, Microsoft patched a previously unknown vulnerability, designated CVE-2024-21338, which Lazarus was using to gain system-level privileges in targeted systems.
That vulnerability differed from CVE-2024-38193 in that it existed in the appid.sys AppLocker driver, a crucial component of Windows security with policies that control which applications can run on a computer and different enforcement modes determining how strictly these rules should be followed (see: Lazarus Group Exploits Windows AppLocker Driver Zero-Day).
Credit for finding the flaw patched in February and reporting it to Microsoft again went to Avast, which said it submitted a proof-of-concept exploit and vulnerability report in August 2023.
When Microsoft patched the flaw, the zero-day vulnerability was being actively exploited in the wild in attacks by the Lazarus group to sneak Fudmodule onto targeted systems. Avast researchers said Lazarus had overhauled Fudmodule since it first appeared, giving it additional capabilities, such as the ability to disable protected processes used by such antivirus tools as Microsoft Defender, CrowdStrike Falcon and HitmanPro to protect a system.
The security firm described Fudmodule as “one of the most complex tools Lazarus holds in their arsenal,” noting that “the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel.” That’s precisely what CVE-2024-21338 let Lazarus do: bridge the “thin line between admin and kernel.”
Avast reported in February that “with their admin-to-kernel zero-day now burned,” Lazarus “can either discover a new zero-day exploit” or fall back on the tactics it previously used, which involved sneaking signed but vulnerable drivers onto systems via what’s known as a “bring your own vulnerable driver” or BYOVD attack.
The Rise of BYOVD
Lazarus’ use of BYOVD to sneak Fudmodule onto a victim’s system dates from at least October 2021, when the hacking team used it against a Dutch organization, as security firm Eset reported the following year. The researchers said the attack involved the use of “an 88,064-byte user-mode dynamically linked library with internal name Fudmodule,” which was run as in-memory shellcode.
That attack was designed to load a legitimate driver signed by Dell, for which vulnerabilities were discovered in May 2021 and assigned CVE-2021-21551 (see: Millions of Dell Devices Vulnerable to Update Driver Flaw).
After loading the driver, the attackers used it to disable security monitoring. Developing this approach “undoubtedly required deep research, development and intense testing,” Eset said. After disabling monitoring, the attackers would have been more free to continue their intrusion, which could have aimed to target and steal information.
Admin-to-Kernel Attacks Proliferate
As the Lazarus attacks spotted in June and earlier this year demonstrate, Avast said, admin-to-kernel attacks fall into one of three buckets, each with increasing stealth but also difficulty:
- N-day BYOVD exploits: An n-day is a known vulnerability, for which exploit details might be freely available, such as with the Dell driver Lazarus exploited in 2021. On the downside for attackers, drivers known as being vulnerable can be blocked by Windows.
- Zero-day BYOVD: Attackers load a legitimate, signed driver with a zero-day vulnerability that only they know about onto a targeted system.
- Zero-day in already-installed driver: “The holy grail of admin-to-kernel is going beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine,” Avast said. “To make the attack as universal as possible, the most obvious target here would be a built-in Windows driver that’s already a part of the operating system.”
The problem with BYOVD attacks is that they’re noisy, and Microsoft continues to block signed drivers that are known to be malicious. Hence the ideal for attackers is to find a zero-day flaw in a driver already running on a targeted system that they can exploit instead, via what’s known as a “living off the land” attack.
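The article notes that Windows can block drivers known to be vulnerable, which is what pushes attackers toward the zero-day end of the taxonomy. The following PowerShell audit is an added example, not code from the article or from any of the firms it quotes; it checks whether Microsoft’s vulnerable driver blocklist opt-in value (the documented `VulnerableDriverBlocklistEnable` registry value) and memory integrity (HVCI) are active, then lists running non-Microsoft kernel drivers with their signer so an analyst can spot a legitimately signed third-party driver that does not belong on the host. It assumes Windows 10/11, PowerShell 5.1 or later, and an elevated session.

```powershell
# Added example: audit a host's built-in defenses against BYOVD-style admin-to-kernel attacks.
# Assumes Windows 10/11, PowerShell 5.1+, run as administrator.

# 1. Microsoft Vulnerable Driver Blocklist opt-in (Code Integrity config key).
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$bl = Get-ItemProperty -Path $ciKey -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
if ($bl -and $bl.VulnerableDriverBlocklistEnable -eq 1) {
    'Vulnerable driver blocklist: explicitly enabled'
} else {
    'Vulnerable driver blocklist: not explicitly enabled (value absent or 0)'
}

# 2. Memory integrity (HVCI). Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI runs;
#    the blocklist is enforced by default on HVCI-enabled systems.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvci = [bool]($dg.SecurityServicesRunning -contains 2)
"Hypervisor-protected code integrity running: $hvci"

# 3. Inventory running kernel drivers that are not signed by Microsoft, with their Authenticode
#    status and signer subject. A signed third-party driver with no business on this host is the
#    pattern to investigate (the Dell driver case in the article is an instance of it).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Normalize the NT-style path forms Win32_SystemDriver may return.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = if ($sig) { $sig.Status } else { 'Unknown' }
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Surface only drivers whose signer is not Microsoft, or whose signature could not be verified.
$report |
    Where-Object { $_.Signer -notmatch 'Microsoft' -or $_.Status -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, Status, Signer, Path -AutoSize
```

A driver that appears in the final table with a valid non-Microsoft signature is not necessarily malicious; the output is a starting point for comparing against the host’s expected hardware and software inventory.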
Bring Your Own Vulnerable Driver
Lazarus is far from the only attack group that’s been practicing BYOVD tactics. Last week, security firm Sophos reported that the RansomHub group – and maybe others – have been using a tool, codenamed EDRKillShifter, to load and exploit on a system “one of a variety of different vulnerable, legitimate drivers to gain privileges sufficient to unhook an EDR tool’s protection.”
In December 2022, multiple security firms reported seeing a surge in attacks that involved custom-built or outdated drivers with known, exploitable vulnerabilities being used to disable antivirus – aka endpoint detection and response – tools.
In early 2023, Sophos reported seeing attackers use a commercially available tool that it gave the codename AuKill to install on infected systems “an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.”
Sophos said the tool had been used in attacks that led to the deployment of Medusa Locker ransomware and LockBit ransomware. Whether or not the same ransomware group affiliates were behind all of those attacks wasn’t clear.