SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fudmodule (Back to overview)

FudModule

aka: LIGHTSHOW

Actor(s): Lazarus Group

FudModule is a user-mode DLL that gets the ability to read and write arbitrary kernel memory via the BYOVD technique. Its main goal is to turn off Windows system monitoring features, which is done by modifying kernel variables and removing kernel callbacks. Its actions may very likely affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools.

References
2023-03-20SecurityIntelligenceJohn Dwyer
@online{dwyer:20230320:when:3f1345c, author = {John Dwyer}, title = {{When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule}}, date = {2023-03-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/}, language = {English}, urldate = {2023-03-21} } When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
FudModule
2023-03-09MandiantMandiant Intelligence
@online{intelligence:20230309:stealing:649068b, author = {Mandiant Intelligence}, title = {{Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW}}, date = {2023-03-09}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/blog/lightshift-and-lightshow}, language = {English}, urldate = {2023-07-05} } Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW
FudModule
2023-02-21SecurityIntelligenceRuben Boonen
@online{boonen:20230221:direct:6f70379, author = {Ruben Boonen}, title = {{Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers}}, date = {2023-02-21}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/}, language = {English}, urldate = {2023-03-21} } Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
FudModule
2022-10-24AhnLabASEC Analysis Team
@online{team:20221024:malware:495a611, author = {ASEC Analysis Team}, title = {{Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique}}, date = {2022-10-24}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/40495/}, language = {Korean}, urldate = {2023-10-30} } Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique
FudModule LazarDoor Racket Downloader
2022-09-30Virus BulletinPeter Kálnai, Matěj Havránek
@techreport{klnai:20220930:lazarus:efbd75d, author = {Peter Kálnai and Matěj Havránek}, title = {{Lazarus & BYOVD: evil to the Windows core}}, date = {2022-09-30}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf}, language = {English}, urldate = {2023-07-11} } Lazarus & BYOVD: evil to the Windows core
FudModule
2022-09-30ESET ResearchPeter Kálnai
@online{klnai:20220930:amazonthemed:bf959b5, author = {Peter Kálnai}, title = {{Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium}}, date = {2022-09-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/}, language = {English}, urldate = {2023-11-27} } Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader LambLoad TOUCHMOVE
2022-09-22AhnLabAhnLab ASEC Analysis Team
@techreport{team:20220922:analysis:9dea34b, author = {AhnLab ASEC Analysis Team}, title = {{Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD}}, date = {2022-09-22}, institution = {AhnLab}, url = {https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf}, language = {English}, urldate = {2022-12-29} } Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD
FudModule
Yara Rules
[TLP:WHITE] win_fudmodule_auto (20230808 | Detects win.fudmodule.)
rule win_fudmodule_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.fudmodule."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f99c4 660fc8 f6d4 58 e9???????? e9???????? 660fbae405 }
            // n = 7, score = 100
            //   0f99c4               | rcl                 bx, cl
            //   660fc8               | neg                 ebx
            //   f6d4                 | not                 bl
            //   58                   | dec                 eax
            //   e9????????           |                     
            //   e9????????           |                     
            //   660fbae405           | add                 esp, 0x20

        $sequence_1 = { 66d3d3 f7db f6d3 4883c420 }
            // n = 4, score = 100
            //   66d3d3               | mov                 ecx, dword ptr [esp + 0x70]
            //   f7db                 | inc                 esp
            //   f6d3                 | mov                 eax, dword ptr [esi + 0xcb4]
            //   4883c420             | dec                 eax

        $sequence_2 = { e9???????? 0fb78120010000 b9b01d0000 663bc1 76e3 b97d4f0000 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   0fb78120010000       | cmp                 ebx, esp
            //   b9b01d0000           | dec                 ecx
            //   663bc1               | mov                 ecx, dword ptr [esp + 0x9d8]
            //   76e3                 | dec                 ecx
            //   b97d4f0000           | mov                 ecx, dword ptr [esp + 0x9e0]

        $sequence_3 = { d3d8 31d2 0c5b 89d0 }
            // n = 4, score = 100
            //   d3d8                 | add                 ecx, 1
            //   31d2                 | test                al, al
            //   0c5b                 | bt                  ax, 5
            //   89d0                 | sar                 bl, cl

        $sequence_4 = { 498b8c24d8090000 e8???????? 498b8c24e0090000 e8???????? 4983bc24d809000000 488bb42480000000 488b5c2478 }
            // n = 7, score = 100
            //   498b8c24d8090000     | mov                 ecx, eax
            //   e8????????           |                     
            //   498b8c24e0090000     | dec                 eax
            //   e8????????           |                     
            //   4983bc24d809000000     | lea    eax, [ebp - 0x49]
            //   488bb42480000000     | inc                 ecx
            //   488b5c2478           | mov                 ecx, 8

        $sequence_5 = { 488d45af 41b908000000 4d8bc5 4889442420 ff96d00d0000 }
            // n = 5, score = 100
            //   488d45af             | dec                 eax
            //   41b908000000         | mov                 ebx, dword ptr [esp + 0x78]
            //   4d8bc5               | dec                 eax
            //   4889442420           | mov                 dword ptr [esp + 0x10], esi
            //   ff96d00d0000         | push                ebp

        $sequence_6 = { 0f855b73ffff 66d3fe 80fbfc 09e6 89f9 6681c69719 }
            // n = 6, score = 100
            //   0f855b73ffff         | mov                 eax, ebp
            //   66d3fe               | dec                 eax
            //   80fbfc               | mov                 dword ptr [esp + 0x20], eax
            //   09e6                 | call                dword ptr [esi + 0xdd0]
            //   89f9                 | inc                 ecx
            //   6681c69719           | inc                 ecx

        $sequence_7 = { 41ffc1 453bc8 7e27 b818000000 8bc8 }
            // n = 5, score = 100
            //   41ffc1               | push                edi
            //   453bc8               | inc                 ecx
            //   7e27                 | push                esp
            //   b818000000           | dec                 eax
            //   8bc8                 | mov                 ebp, esp

        $sequence_8 = { 55 57 4154 488dac2400feffff 4881ec00030000 488b05???????? 4833c4 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   57                   | push                edi
            //   4154                 | inc                 ecx
            //   488dac2400feffff     | push                esp
            //   4881ec00030000       | dec                 eax
            //   488b05????????       |                     
            //   4833c4               | lea                 ebp, [esp - 0x200]

        $sequence_9 = { 210a dd63c2 58 5f }
            // n = 4, score = 100
            //   210a                 | lea                 eax, [ebp - 0x51]
            //   dd63c2               | inc                 ecx
            //   58                   | mov                 ecx, 8
            //   5f                   | dec                 ebp

        $sequence_10 = { 85c0 755f 488b4c2470 e8???????? 448b86b40c0000 }
            // n = 5, score = 100
            //   85c0                 | dec                 ecx
            //   755f                 | cmp                 dword ptr [esp + 0x9d8], 0
            //   488b4c2470           | dec                 eax
            //   e8????????           |                     
            //   448b86b40c0000       | mov                 esi, dword ptr [esp + 0x80]

        $sequence_11 = { 0facea1a 56 660fbdf4 0fc1ca 488b5510 d2e5 }
            // n = 6, score = 100
            //   0facea1a             | dec                 eax
            //   56                   | add                 ebx, 8
            //   660fbdf4             | cmp                 edi, 3
            //   0fc1ca               | jl                  0xffffffe5
            //   488b5510             | stc                 
            //   d2e5                 | cmp                 ebp, 0x61298b65

        $sequence_12 = { f9 81fd658b2961 83c101 84c0 660fbae005 d2fb }
            // n = 6, score = 100
            //   f9                   | cmp                 ax, cx
            //   81fd658b2961         | jbe                 0xfffffff4
            //   83c101               | mov                 ecx, 0x4f7d
            //   84c0                 | test                eax, eax
            //   660fbae005           | jne                 0x63
            //   d2fb                 | dec                 eax

        $sequence_13 = { 66d3f3 0fcf 8b3e 6681feaa7e 00ef 18cb }
            // n = 6, score = 100
            //   66d3f3               | inc                 ebp
            //   0fcf                 | cmp                 ecx, eax
            //   8b3e                 | jle                 0x2c
            //   6681feaa7e           | mov                 eax, 0x18
            //   00ef                 | mov                 ecx, eax
            //   18cb                 | inc                 edi

        $sequence_14 = { 48ff25???????? 4889742410 55 57 4154 488bec 4883ec60 }
            // n = 7, score = 100
            //   48ff25????????       |                     
            //   4889742410           | dec                 eax
            //   55                   | mov                 dword ptr [esp + 0x20], eax
            //   57                   | call                dword ptr [esi + 0xdd0]
            //   4154                 | dec                 esp
            //   488bec               | mov                 ebx, dword ptr [ebp - 0x69]
            //   4883ec60             | dec                 ebp

        $sequence_15 = { ff96d00d0000 4c8b5d97 4d3bdc 75c8 }
            // n = 4, score = 100
            //   ff96d00d0000         | dec                 eax
            //   4c8b5d97             | sub                 esp, 0x300
            //   4d3bdc               | dec                 eax
            //   75c8                 | xor                 eax, esp

    condition:
        7 of them and filesize < 795648
}
Download all Yara Rules