
Windows Ancillary Function Driver Zero-Day Exploited by ‘Lazarus Group’ to Install Rootkit

Written by Lore Apostol
Published on August 20, 2024

The North Korean Lazarus group was seen exploiting a hidden security flaw in a crucial part of Windows, the Ancillary Function Driver (AFD.sys), in June, a report from Gen Digital says. Microsoft fixed the privilege escalation bug in the Windows AFD.sys for WinSock through its 'August 2024' patch.

The advanced persistent threat (APT) group, also known as Guardians of Peace or Whois Team, exploited the CVE-2024-38193 zero-day to elevate privileges and gain unauthorized access to sensitive system areas.

The Lazarus APT group created a special type of malware, the FUDModule rootkit, which disables Windows security software to evade detection. 

CVE-2024-38193 is a Bring Your Own Vulnerable Driver (BYOVD) vulnerability serving as an entry point into the Windows kernel for the Winsock protocol. BYOVD attacks install drivers with known vulnerabilities and exploit them to gain kernel-level privileges.

Since the AFD.sys driver is installed by default on all Windows devices, the attack is simplified for cybercriminals.

The report says this kind of attack targets workers in sensitive fields, like cryptocurrency engineering or aerospace, to gain unauthorized access to their employers' networks and steal crypto for their malicious operations.

In February 2021, the U.S. Department of Justice indicted three members of the Reconnaissance General Bureau, a North Korean military intelligence agency, for having participated in several Lazarus hacking campaigns: Park Jin Hyok, Jon Chang Hyok, and Kim Il Park. 

A Canadian and two Chinese individuals have also been charged with having acted as money mules and money launderers for the Lazarus group.


