This threat report is about a set of new modules added to the FK_Undead malware and provides actionable intelligence to protect against this threat.
The modules can bypass standard host-based security software suites with ease. The malware itself is highly modular and can adapt to any environment rather quickly.
The new modules are a form of rootkit that bypasses traditional anti-virus and EDR solutions by operating at ring0. Ring0 allows the malware to have the same permissions as traditional security software. The new modules install themselves as system drivers through an initial dropper executable. The dropper executable will verify the victim machine’s location and download a VMProtect-protected payload.
Once the payload has run the malicious software will install three different drivers onto the infected host. The first driver will monitor the system’s behavior, proxy network traffic, and prevent any other malicious drivers from being installed. The second driver will provide a malicious version of the HOSTS file whenever svchost.exe tries to access it. The final driver will server SSL/TLS certificates for the purpose of controlling the victim’s traffic.
This malware threat could affect your organization in the following ways:
It is highly encouraged that you consider blocking the indicators of compromise listed via the link below. Consider monitoring for unusual file changes or process operations using real-time security monitoring solutions. Engage with your security provider to ensure that your LogRhythm or AlienVault deployment is properly tuned to detect modular threats like this.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Deciding between running an in-house SOC vs. using managed security services (MSS) to add more rigor, more relevance, and more responsiveness to your cybersecurity program? Compare the two options. Download the e-book!