Hackers backed by the North Korean government were exploiting a zero-day that Microsoft left unpatched for six months, even though it knew the flaw was being actively exploited.
Even after Microsoft patched the vulnerability last month, the company did not disclose that the North Korean hacking group Lazarus had been using it since at least August to install a stealthy rootkit on vulnerable computers.
The vulnerability gave malware that was already running with administrative privileges an easy way to reach the Windows kernel, and that is exactly what Lazarus used it for.
Microsoft has long held that crossing from administrator to kernel is not a security boundary it commits to defending, which is one possible explanation for how long the company took to patch the flaw.
But Microsoft's policy turned out to be a gift to the Lazarus hackers, who used the flaw to install FudModule, a custom rootkit that Avast describes as extremely advanced.
Rootkits are malicious programs that can hide their files, processes and other activity from the operating system itself, while at the same time controlling its deepest layers.
But to work, a rootkit must first gain administrative privileges, itself a significant achievement for any malware on a modern operating system.
Then it has to clear one more hurdle: interacting directly with the kernel, the innermost part of the operating system, reserved for its most sensitive functions. On 64-bit Windows, code normally enters the kernel only as a signed driver, which is why a bug that lets an administrator bypass that requirement is so valuable to a rootkit author.
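The kernel-entry step described above is the one defenders can usually see: a rootkit that reaches the kernel through its own driver leaves a driver-load record, and Sysmon writes one for every driver load as Event ID 6 ("Driver loaded") with the image path and its signature status. The following is an added example, not code from the article or from Avast's analysis of FudModule. It parses a few constructed Sysmon-style records (invented driver names, placeholder hashes) and flags drivers that are unsigned, have a non-valid signature, or were loaded from outside the standard driver directories; the list of trusted directories is an assumption for this example and should match your own build.

```python
"""Triage kernel driver loads recorded by Sysmon (Event ID 6, "Driver loaded").

Added example; not code from the article or from Avast's FudModule analysis.
Assumptions: the records below are constructed in the "Key: Value" message
layout Sysmon uses, with placeholder hashes and invented driver names, and
TRUSTED_DIRS is an illustrative list, not an authoritative one.
"""
from typing import Dict, List, Tuple

# Constructed sample records. Hashes are placeholders, not real indicators.
SAMPLE_EVENTS: List[str] = [
    # A Microsoft-signed driver loaded from the standard driver directory.
    "Driver loaded:\n"
    "RuleName: -\n"
    "UtcTime: 2023-08-14 09:12:41.118\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys\n"
    "Hashes: SHA256=PLACEHOLDER_HASH_1\n"
    "Signed: true\n"
    "Signature: Microsoft Windows\n"
    "SignatureStatus: Valid",
    # An unsigned driver loaded from a user-writable directory.
    "Driver loaded:\n"
    "RuleName: -\n"
    "UtcTime: 2023-08-14 09:13:02.501\n"
    "ImageLoaded: C:\\Users\\Public\\update\\svchelper.sys\n"
    "Hashes: SHA256=PLACEHOLDER_HASH_2\n"
    "Signed: false\n"
    "Signature: -\n"
    "SignatureStatus: Unavailable",
    # A validly signed third-party driver, but loaded from a temp directory.
    "Driver loaded:\n"
    "RuleName: -\n"
    "UtcTime: 2023-08-14 09:13:07.220\n"
    "ImageLoaded: C:\\Windows\\Temp\\vendorhelper.sys\n"
    "Hashes: SHA256=PLACEHOLDER_HASH_3\n"
    "Signed: true\n"
    "Signature: Example Hardware Vendor Ltd\n"
    "SignatureStatus: Valid",
]

# Directories legitimate drivers are normally loaded from (assumed list).
# Anything else (user profiles, Temp, ProgramData) deserves a look even when
# the file carries a valid signature.
TRUSTED_DIRS: Tuple[str, ...] = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_event(message: str) -> Dict[str, str]:
    """Parse a Sysmon message body into a field dictionary.

    Splits each line on its first colon only, so the drive letter in
    ImageLoaded and the time in UtcTime survive. The "Driver loaded:" title
    line yields an empty value and is dropped.
    """
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if value:
            fields[key] = value
    return fields


def triage(event: Dict[str, str]) -> List[str]:
    """Return the reasons a driver-load record looks suspicious (empty if none)."""
    reasons: List[str] = []
    image = event.get("ImageLoaded", "?")
    status = event.get("SignatureStatus", "")
    if event.get("Signed", "").lower() != "true":
        reasons.append("driver is unsigned")
    if status != "Valid":
        reasons.append("signature status is %r, not Valid" % status)
    if not image.lower().startswith(TRUSTED_DIRS):
        reasons.append("loaded from non-standard path: " + image)
    return reasons


def find_suspicious(messages: List[str]) -> List[Tuple[str, List[str]]]:
    """Run triage over raw Sysmon messages; return (image path, reasons) hits."""
    hits: List[Tuple[str, List[str]]] = []
    for message in messages:
        event = parse_event(message)
        reasons = triage(event)
        if reasons:
            hits.append((event.get("ImageLoaded", "?"), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_suspicious(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Two caveats matter in practice. First, this catches the common route into the kernel, a driver the attacker loads; a flaw that hands kernel access through a driver Windows had already loaded produces no new Event ID 6 record, so path and signature checks on driver loads are a necessary check, not a sufficient one. Second, once a rootkit controls the kernel it can tamper with the logging pipeline itself, so driver-load telemetry is only trustworthy if it is shipped off the host as it is generated.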