- WHY AVERTIUM?
-
-
Why Avertium?
Context over chaos. Disconnected technologies, siloed data, and reactive processes can only get you so far. Protecting businesses in today’s threat landscape demands more than a set of security tools – it requires context.
That's where Avertium comes in
-
Considering Microsoft?
Avertium Named Microsoft Security Solutions PartnerAvertium’s managed services for Microsoft Security Solutions is delivered through the company’s premium service: Fusion MXDR. Fusion MXDR includes 24x7 monitoring and management of Defender for Endpoint and Sentinel, threat intelligence, attack surface
monitoring, and vulnerability management for Microsoft Security customers.
-
-
- SOLUTIONS
- COMPANY
- PARTNERS
-
-
Our Partners
Best-in-class technology from our partners... backed by service excellence from Avertium.
-
Partner Opportunity Registration
Interested in becoming a partner?
With Avertium's deal registration, partners can efficiently and confidently connect with Avertium on opportunities to protect your deals.
-
-
- NEWS & RESOURCES
- CONTACT
Overview of New FK_Undead Malware Modules
This threat report is about a set of new modules added to the FK_Undead malware and provides actionable intelligence to protect against this threat.
The modules can bypass standard host-based security software suites with ease. The malware itself is highly modular and can adapt to any environment rather quickly.
Tactics, Techniques, and Procedures Used by FK_Undead Modules
The new modules are a form of rootkit that bypasses traditional anti-virus and EDR solutions by operating at ring0. Ring0 allows the malware to have the same permissions as traditional security software. The new modules install themselves as system drivers through an initial dropper executable. The dropper executable will verify the victim machine’s location and download a VMProtect-protected payload.
Once the payload has run the malicious software will install three different drivers onto the infected host. The first driver will monitor the system’s behavior, proxy network traffic, and prevent any other malicious drivers from being installed. The second driver will provide a malicious version of the HOSTS file whenever svchost.exe tries to access it. The final driver will server SSL/TLS certificates for the purpose of controlling the victim’s traffic.
How the New FK_Undead Malware Modules Affect You
This malware threat could affect your organization in the following ways:
- Could lead to the loss of control over system routing.
- May result in excellent lateral movement opportunities for the bad actor involved.
- Could allow for intelligence gathering opportunities for the bad actor.
What You Can Do to Protect Against This Malware Threat
It is highly encouraged that you consider blocking the indicators of compromise listed via the link below. Consider monitoring for unusual file changes or process operations using real-time security monitoring solutions. Engage with your security provider to ensure that your LogRhythm or AlienVault deployment is properly tuned to detect modular threats like this.
Additional Resources
IBM X-Force Exchange
Lab52 Malware Analysis (IOC List)
https://lab52.io/blog/recent-fk-undead-rootkit-samples-found-in-the-wild/
MITRE ATT&CK Framework Mapping(s)
- https://attack.mitre.org/techniques/T1050/
- https://attack.mitre.org/beta/techniques/T1547/006/
- https://attack.mitre.org/tactics/TA0003/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed security service capabilities.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!