
Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

This analysis examines a Windows rootkit loader for the FK_Undead malware family, which is known for intercepting user network traffic through proxy manipulation. The loader, signed with a valid Microsoft certificate, installs itself as a system service and employs various evasion techniques. It downloads and decrypts a payload, which is another signed driver protected by VMProtect. The rootkit checks for security tools and virtual machine environments, and registers notify routines to hide from detection. It uses dead drops to retrieve URLs for downloading the FK_Undead payload, which is then decrypted and installed as a separate kernel driver service.

OPENCTI LABELS:

windows,evasion,rootkit,proxy,kernel,vmprotect,driver,deaddrop,fk_undead



