Background
The Windows Ancillary Function Driver (afd.sys) provides kernel support for WinSock — it’s the interface between user-mode socket applications and the Windows kernel networking stack. It’s been a source of privilege escalation vulnerabilities in the past, and CVE-2024-38193 continues that pattern.
What makes this notable is the attribution: Gen Digital researchers identified active zero-day exploitation by Lazarus Group, the North Korean state-sponsored APT. Lazarus is one of the most prolific and well-resourced threat actors operating today, responsible for everything from cryptocurrency theft to attacks on defence contractors. Their use of a Windows kernel zero-day indicates they had significant operational capability when deploying this.
Technical Mechanism
CVE-2024-38193 is a use-after-free (UAF) vulnerability in afd.sys. Use-after-free bugs occur when code continues to reference memory after it’s been freed — if the attacker can control the content of that freed memory (through heap manipulation), they can control what the code reads from it, potentially hijacking execution flow.
In the Windows kernel context:
- An attacker triggers a specific sequence of WinSock API calls that cause afd.sys to free a kernel object
- Immediately after freeing, the attacker allocates a crafted object in the same memory location (heap spray/grooming)
- When afd.sys subsequently accesses the freed memory, it reads the attacker’s crafted data
- This allows overwriting of critical kernel data structures, typically leading to privilege token manipulation
- The attacker’s process token is replaced with a SYSTEM token, achieving privilege escalation
This requires local code execution to start with — typically achieved via a phishing-delivered initial implant, then the LPE elevates to SYSTEM for full system control.
Real-World Exploitation Evidence
Gen Digital researchers discovered Lazarus Group exploiting CVE-2024-38193 in the wild:
- Lazarus Group (North Korea) — confirmed exploitation; Gen Digital attributed the activity with high confidence based on TTPs, infrastructure, and code characteristics
- FudModule rootkit — Lazarus deployed their custom FudModule rootkit using this exploit; FudModule is a kernel-level rootkit that can disable security monitoring tools from kernel space
- Bring Your Own Vulnerable Driver (BYOVD) connection — in some variants, Lazarus combined the LPE with a BYOVD technique; this UAF provided a cleaner exploitation path
- Cryptocurrency and defence targeting — consistent with Lazarus’s dual mandate of financial theft and espionage
FudModule is particularly concerning — it’s designed specifically to blind security tools at the kernel level, making detection extremely difficult.
Impact Assessment
- Kernel-level code execution — not just SYSTEM user mode, but ring-0 kernel execution with FudModule
- Security tool blinding — FudModule disables ETW (Event Tracing for Windows), AV/EDR kernel callbacks, and other security telemetry
- Persistent rootkit — kernel-mode rootkits are extremely difficult to detect and remove
- Complete system compromise — with kernel access, any data on the system is accessible
- Cryptocurrency theft — consistent with Lazarus operational goals; harvest crypto wallets and credentials
- Long-term persistence — rootkit persists across security tool reinstallation
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Windows 10 (21H2, 22H2) | Before August 2024 patches | KB5041580 |
| Windows 11 (21H2, 22H2, 23H2) | Before August 2024 patches | KB5041571, KB5041592 |
| Windows Server 2019 | Before August 2024 patches | KB5041578 |
| Windows Server 2022 | Before August 2024 patches | KB5041160 |
Remediation Steps
- Apply August 2024 Patch Tuesday updates
- Given Lazarus involvement and FudModule deployment, treat any identified compromised system as fully compromised at kernel level
- If FudModule is suspected:
  - Standard AV scans may be insufficient — rootkits can hide from them
  - Consider memory forensics tools (Volatility, etc.) that operate outside the potentially compromised OS
  - Incident response and a system rebuild are recommended for confirmed compromise
- Review network connections from the host for unusual outbound connections to Lazarus-linked infrastructure
- Monitor for abnormal afd.sys behaviour (difficult without specific tooling, but kernel debuggers can help)
Detection Guidance
Kernel telemetry — this is difficult to detect post-exploitation if FudModule is deployed (it specifically disables telemetry). Best detection windows are:
- During exploitation — kernel crash events or unexpected exceptions in afd.sys context
- Before FudModule deployment — anomalous process privilege changes (token impersonation events)
- Network-based — Lazarus C2 infrastructure indicators
Windows Event Logs (pre-FudModule):
- Event ID 4688: Unexpected process creation from initial implant
- Security log anomalies (FudModule may clear these)
SIEM rule:
```
process_parent_integrity_level = "Medium" AND
process_integrity_level = "System" AND
event_id = 4688 AND
NOT process_name IN (known_elevation_tools)
```
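The rule above is written in a vendor-neutral pseudo-syntax. The following Python is an added example, not code from the advisory, that runs the same logic over constructed Event ID 4688 records. A real 4688 record carries the new process's integrity level as a "Mandatory Label" SID but not the parent's, so the parent's level is recovered by correlating the parent's own creation record by process ID; the key=value log format, the process names and the `approved-elevator.exe` allowlist entry are constructed sample data.

```python
"""Evaluate the advisory's SIEM rule over constructed Windows Security log events.

Added example, not part of the original advisory. Real Event ID 4688 records
carry the new process's integrity level as a "Mandatory Label" SID but not the
parent's, so the parent's level is recovered here by correlating the parent's
own 4688 record by process ID. The key=value log lines below and the
allowlist entry are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Windows mandatory-label SIDs mapped to the level names used by the rule.
INTEGRITY_SID = {
    "S-1-16-4096": "Low",
    "S-1-16-8192": "Medium",
    "S-1-16-12288": "High",
    "S-1-16-16384": "System",
}

# Stand-in for the rule's known_elevation_tools list; populate from your own estate.
KNOWN_ELEVATION_TOOLS = {"approved-elevator.exe"}  # constructed placeholder

# Constructed sample log: one record per line, flattened to key=value pairs.
# pid 2000 plays the phishing-delivered implant; pid 3000 is its System-level child.
SAMPLE_LOG = """\
event_id=4688 pid=1000 ppid=800 name=explorer.exe label=S-1-16-8192
event_id=4688 pid=2000 ppid=1000 name=invoice_viewer.exe label=S-1-16-8192
event_id=4688 pid=3000 ppid=2000 name=cmd.exe label=S-1-16-16384
event_id=4688 pid=700 ppid=600 name=svchost.exe label=S-1-16-16384
event_id=4688 pid=600 ppid=500 name=services.exe label=S-1-16-16384
event_id=4688 pid=4000 ppid=1000 name=approved-elevator.exe label=S-1-16-16384
event_id=4624 pid=0 ppid=0 name=- label=-
"""


@dataclass(frozen=True)
class ProcessEvent:
    event_id: int
    pid: int
    ppid: int
    name: str   # basename of "New Process Name"
    label: str  # "Mandatory Label" SID


def parse_log(text: str) -> list[ProcessEvent]:
    """Parse key=value lines into events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            events.append(ProcessEvent(int(fields["event_id"]), int(fields["pid"]),
                                       int(fields["ppid"]), fields["name"], fields["label"]))
        except (KeyError, ValueError):
            continue
    return events


def integrity_level(ev: ProcessEvent) -> Optional[str]:
    return INTEGRITY_SID.get(ev.label)


def evaluate_rule(events, allowlist=KNOWN_ELEVATION_TOOLS) -> list[ProcessEvent]:
    """Return 4688 events where a Medium-integrity parent spawned a System-integrity child.

    Caveat for production use: PIDs are reused, so correlate on PID plus
    creation time rather than PID alone.
    """
    creations = {e.pid: e for e in events if e.event_id == 4688}
    hits = []
    for child in events:
        if child.event_id != 4688:
            continue
        parent = creations.get(child.ppid)
        if parent is None:
            continue  # parent creation not logged (predates logging); cannot evaluate
        if (integrity_level(parent) == "Medium"
                and integrity_level(child) == "System"
                and child.name.lower() not in allowlist):
            hits.append(child)
    return hits


if __name__ == "__main__":
    for hit in evaluate_rule(parse_log(SAMPLE_LOG)):
        print(f"ALERT pid={hit.pid} {hit.name} created at System integrity "
              f"by Medium-integrity parent pid={hit.ppid}")
```

Only `cmd.exe` (pid 3000) fires: `svchost.exe` has a System-level parent, `services.exe` has no logged parent, and `approved-elevator.exe` is allowlisted. Passing an empty allowlist shows the allowlist doing its work.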
Suricata signature:
```
alert tcp $HOME_NET any -> any any (msg:"Possible Lazarus Group FudModule C2 - CVE-2024-38193"; flow:established,to_server; content:"|17 03 03|"; offset:0; depth:3; classtype:trojan-activity; sid:2034021; rev:1;)
```
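Before deploying that signature, it is worth checking what its content match actually selects. The Python below is an added example, not from the advisory: it emulates `content:"|17 03 03|"; offset:0; depth:3` on constructed TCP payloads and parses the TLS record header those bytes form. Content type 0x17 is `application_data` and record version 0x0303 is what both TLS 1.2 and TLS 1.3 put on the wire, so the match by itself fires on the first application-data record of every ordinary TLS session to any destination; it needs tighter conditions (destination addresses or ports from threat intelligence, SNI or JA3 constraints, or flowbits) to be actionable. All payloads are constructed.

```python
"""Check what the advisory's Suricata content match selects on TLS traffic.

Added example, not from the advisory. Emulates content:"|17 03 03|";
offset:0; depth:3 (an exact match on the first three payload bytes) and
parses the TLS record header those bytes form. Sample payloads are constructed.
"""
import struct

TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}


def parse_tls_record_header(payload: bytes):
    """Return (content_type_name, version, length) from a 5-byte TLS record header, or None."""
    if len(payload) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", payload[:5])
    return TLS_CONTENT_TYPES.get(ctype, "unknown"), version, length


def signature_matches(payload: bytes) -> bool:
    """content:"|17 03 03|"; offset:0; depth:3 -> the payload must start with exactly these bytes."""
    return payload[:3] == b"\x17\x03\x03"


def tls_record(ctype: int, version: int, body: bytes) -> bytes:
    """Build one TLS record: type, version, length, body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed to-server payloads.
SAMPLES = {
    "client_hello": tls_record(0x16, 0x0301, b"\x01" + b"\x00" * 40),  # handshake, legacy version 0x0301
    "tls12_app_data": tls_record(0x17, 0x0303, b"\xaa" * 64),
    "tls13_app_data": tls_record(0x17, 0x0303, b"\xbb" * 64),          # TLS 1.3 records also carry 0x0303
    "tls10_app_data": tls_record(0x17, 0x0301, b"\xcc" * 64),
    "http_plaintext": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

# A benign session as seen to_server: ClientHello, ChangeCipherSpec, then application data.
BENIGN_FLOW = [
    SAMPLES["client_hello"],
    tls_record(0x14, 0x0303, b"\x01"),
    SAMPLES["tls12_app_data"],
    SAMPLES["tls12_app_data"],
]


def matching_samples(samples=SAMPLES) -> list[str]:
    """Names of sample payloads the content match would select."""
    return [name for name, payload in samples.items() if signature_matches(payload)]


def alerts_in_flow(payloads) -> list[int]:
    """Indices of to-server payloads in one flow that would raise the alert."""
    return [i for i, p in enumerate(payloads) if signature_matches(p)]


if __name__ == "__main__":
    for name in matching_samples():
        print(name, "->", parse_tls_record_header(SAMPLES[name]))
    print("alerting payloads in a benign TLS 1.2 session:", alerts_in_flow(BENIGN_FLOW))
```

The benign flow alerts on every application-data record after the handshake, which is the false-positive profile to expect from the signature as written.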
Timeline
| Date | Event |
|---|---|
| 2024 (pre-patch) | Lazarus Group exploits CVE-2024-38193 as zero-day with FudModule rootkit |
| July 2024 | Gen Digital discovers exploitation and reports to Microsoft |
| 13 August 2024 | Microsoft patches CVE-2024-38193 in August Patch Tuesday |
| August 2024 | CISA adds to Known Exploited Vulnerabilities catalogue |
| August 2024 | Gen Digital publishes analysis of Lazarus zero-day exploitation |