Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead
Dec. 11, 2024, 11:03 a.m.
Description
This analysis examines a Windows kernel-mode rootkit loader for the FK_Undead malware family, which is known for intercepting user network traffic by manipulating proxy settings. The loader, signed with a valid Microsoft certificate, installs itself as a system service and employs several evasion techniques. It downloads and decrypts a payload that is itself a signed driver protected by VMProtect. The rootkit checks for security tools and virtual machine environments, and registers notify routines to hide from detection. It uses dead drops to retrieve the URLs from which the FK_Undead payload is downloaded; that payload is then decrypted and installed as a separate kernel driver service.
Date
Published: Dec. 11, 2024, 4:36 a.m.
Created: Dec. 11, 2024, 4:36 a.m.
Modified: Dec. 11, 2024, 11:03 a.m.
Indicators
Attack Patterns
FK_Undead