Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead
Dec. 11, 2024, 11:03 a.m.
Description
This analysis delves into a Windows rootkit loader for the FK_Undead malware family, known for intercepting user network traffic through proxy manipulation. The loader, signed with a valid Microsoft certificate, installs itself as a system service and employs various evasion techniques. It downloads and decrypts a payload, which is another signed driver protected by VMProtect. The rootkit checks for security tools and virtual machine environments, and registers notify routines to hide from detection. It uses dead drops to retrieve URLs for downloading the FK_Undead payload, which is then decrypted and installed as a separate kernel driver service.
Date
- Created: Dec. 11, 2024, 4:36 a.m.
- Published: Dec. 11, 2024, 4:36 a.m.
- Modified: Dec. 11, 2024, 11:03 a.m.
Indicators
- ca8061f5ee59cba8f8f4e036eddc5f470e0936ebec470a0ebd4e84ab0475ece2
- 708f4f45f7515d2b94de5772ee883cfd579dbff216e8a8db3181d2cf0e2a2770
- adf0bed4734b416c0c958e096593e93726ba9eb2b39c88645e02033755e16a1b
- 6af4343fd0ce9b27a2862f75d409d4021efc3160c40a5bda174b2ad30086722d
- 33a305cf2ff910c833e3c8efd77e9f55fc1344215f75a4c8feda6fd5d8e98628
- 1f5dcc5b0916a77087f160130d5eadb26fe8ee9d47177d19944773d562c03e8e
- 10d8591dd18e061febabe0384dc64e5516b7e7e54be87ca0ac35e11f698b0cc2
- 046442a7e16166225a0c070bf8d311caddc48cbe61a4b82d462d8dd4501cfd00
- 101.37.76.254
- http://tjxupdates.com:38005/auth7.bin
- http://tjxgood.com:38005/auth7.bin
- http://tjxgood.com:38005/auth.bin
- http://tjxupdates.com:38005/auth.bin
- http://microsoftdns2.com:27688/html/jpg/U[yyyyMMddHHmmssfff].dat
- http://microsoftdns2.com:27688/html/png/V[yyyyMMddHHmmssfff].dat
- http://101.37.76.254:31005/txlsddlx64_7.dat
- http://101.37.76.254:31005/txlsddlx64.dat
- tjxupdates.com
- tjxgood.com
- microsoftdns2.com
Attack Patterns
- FK_Undead