New FK_Undead Malware Modules

Overview of New FK_Undead Malware Modules

This threat report is about a set of new modules added to the FK_Undead malware and provides actionable intelligence to protect against this threat.

The modules can bypass standard host-based security software suites with ease. The malware itself is highly modular and can adapt to any environment rather quickly.

Tactics, Techniques, and Procedures Used by FK_Undead Modules

The new modules are a form of rootkit that bypasses traditional anti-virus and EDR solutions by operating at ring0. Ring0 allows the malware to have the same permissions as traditional security software. The new modules install themselves as system drivers through an initial dropper executable. The dropper executable will verify the victim machine’s location and download a VMProtect-protected payload.

Once the payload has run the malicious software will install three different drivers onto the infected host. The first driver will monitor the system’s behavior, proxy network traffic, and prevent any other malicious drivers from being installed. The second driver will provide a malicious version of the HOSTS file whenever svchost.exe tries to access it. The final driver will server SSL/TLS certificates for the purpose of controlling the victim’s traffic.

How the New FK_Undead Malware Modules Affect You

This malware threat could affect your organization in the following ways:

• Could lead to the loss of control over system routing.
• May result in excellent lateral movement opportunities for the bad actor involved.
• Could allow for intelligence gathering opportunities for the bad actor.

What You Can Do to Protect Against This Malware Threat

It is highly encouraged that you consider blocking the indicators of compromise listed via the link below. Consider monitoring for unusual file changes or process operations using real-time security monitoring solutions. Engage with your security provider to ensure that your LogRhythm or AlienVault deployment is properly tuned to detect modular threats like this.

Additional Resources

 IBM X-Force Exchange

https://exchange.xforce.ibmcloud.com/collection/Recent-FK_Undead-Rootkit-Samples-663ed357c545a72676219752d6e132c0

Lab52 Malware Analysis (IOC List)

https://lab52.io/blog/recent-fk-undead-rootkit-samples-found-in-the-wild/

MITRE ATT&CK Framework Mapping(s)

• https://attack.mitre.org/techniques/T1050/
• https://attack.mitre.org/beta/techniques/T1547/006/
• https://attack.mitre.org/tactics/TA0003/

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed security service capabilities. 

Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!