win.fudmodule

FudModule

aka: LIGHTSHOW

Actor(s): Lazarus Group


FudModule is a user-mode DLL that obtains the ability to read and write arbitrary kernel memory through the Bring Your Own Vulnerable Driver (BYOVD) technique. Its main goal is to turn off Windows system monitoring features, which it does by modifying kernel variables and removing kernel callbacks. These actions are very likely to affect various types of security products, e.g. EDRs, firewalls, anti-malware and even digital forensics tools.

References
2024-09-19 | Gen Digital | Luigino Camastra
Evolution of Lazarus ‘FudModule - no longer (stand)alone’
FudModule
2024-08-30 | Microsoft | Microsoft Threat Intelligence
North Korean threat actor Citrine Sleet exploiting Chromium zero-day
FudModule
2024-04-18 | Avast | Luigino Camastra
From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
FudModule
2024-02-28 | Avast Decoded | Jan Vojtěšek
Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day
FudModule
2023-03-20 | SecurityIntelligence | John Dwyer
When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
FudModule
2023-03-09 | Mandiant | Mandiant Intelligence
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW
FudModule
2023-02-21 | SecurityIntelligence | Ruben Boonen
Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
FudModule
2022-10-24 | AhnLab | ASEC Analysis Team
Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique
FudModule LazarDoor Racket Downloader
2022-09-30 | Virus Bulletin | Matěj Havránek, Peter Kálnai
Lazarus & BYOVD: evil to the Windows core
FudModule
2022-09-30 | ESET Research | Peter Kálnai
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader LambLoad TOUCHMOVE
2022-09-22 | AhnLab | AhnLab ASEC Analysis Team
Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD
FudModule
Yara Rules
[TLP:WHITE] win_fudmodule_auto (20241030 | Detects win.fudmodule.)
rule win_fudmodule_auto {
    // Purpose: machine-generated opcode-sequence signature for FudModule (see
    // the DISCLAIMER below).  Each $sequence_N is a run of n consecutive
    // instruction encodings lifted from one sample; "??" bytes are wildcards,
    // presumably placed over RIP-relative displacements (ff15 / 488b05 /
    // 488b0d) that differ between builds - confirm against the sample.
    // NOTE(review): the per-line mnemonic comments do not consistently decode
    // the bytes beside them (e.g. the mnemonics under $sequence_2 appear to
    // describe the bytes of $sequence_13, and REX-prefixed 64-bit code is
    // shown as 32-bit "dec eax" / "inc ecx" decodes).  Treat them as
    // informational only; the hex is what actually matches.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.fudmodule."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" is the number of instructions in the sequence; "score" is the
        // generator's selection score (all 100 here).
        $sequence_0 = { 3446 4839eb f9 f5 }
            // n = 4, score = 100
            //   3446                 | mov                 dword ptr [ebp + 0x27], eax
            //   4839eb               | xor                 eax, eax
            //   f9                   | inc                 ebp
            //   f5                   | xor                 ebp, ebp

        $sequence_1 = { c7451079737465 c745146d496e66 c745186f726d61 c7451c74696f6e c6452000 c745c04e745772 c745c469746556 }
            // n = 7, score = 100
            //   c7451079737465       | mov                 dword ptr [ebp + 0x10], 0x65747379
            //   c745146d496e66       | mov                 dword ptr [ebp + 0x14], 0x666e496d
            //   c745186f726d61       | mov                 dword ptr [ebp + 0x18], 0x616d726f
            //   c7451c74696f6e       | mov                 dword ptr [ebp + 0x1c], 0x6e6f6974
            //   c6452000             | mov                 byte ptr [ebp + 0x20], 0
            //   c745c04e745772       | mov                 dword ptr [ebp - 0x40], 0x7257744e
            //   c745c469746556       | mov                 dword ptr [ebp - 0x3c], 0x56657469

        $sequence_2 = { 4585ed 0f8416010000 488d3cb0 ff15???????? 488d542448 488bc8 488d442460 }
            // n = 7, score = 100
            //   4585ed               | inc                 ecx
            //   0f8416010000         | lea                 ebx, [ebp + 8]
            //   488d3cb0             | mov                 edi, 0x2580
            //   ff15????????         |                     
            //   488d542448           | nop                 word ptr [eax + eax]
            //   488bc8               | dec                 eax
            //   488d442460           | lea                 ecx, [esp + 0x60]

        $sequence_3 = { eb20 4c8d25c0e00000 488b0d???????? bf01000000 897c2460 ff15???????? 4c8be8 }
            // n = 7, score = 100
            //   eb20                 | jmp                 0x22
            //   4c8d25c0e00000       | dec                 esp
            //   488b0d????????       |                     
            //   bf01000000           | lea                 esp, [0xe0c0]
            //   897c2460             | mov                 edi, 1
            //   ff15????????         |                     
            //   4c8be8               | mov                 dword ptr [esp + 0x60], edi

        $sequence_4 = { c745ae6e006500 66897db2 c745b453007900 c745b873007400 }
            // n = 4, score = 100
            //   c745ae6e006500       | mov                 dword ptr [ebp - 0x52], 0x65006e
            //   66897db2             | mov                 word ptr [ebp - 0x4e], di
            //   c745b453007900       | mov                 dword ptr [ebp - 0x4c], 0x790053
            //   c745b873007400       | mov                 dword ptr [ebp - 0x48], 0x740073

        $sequence_5 = { 488d3ca51c3489c2 0f8f7cf20100 660fbdfe 4801e3 66c1d707 66f7c74b20 }
            // n = 6, score = 100
            //   488d3ca51c3489c2     | mov                 ecx, eax
            //   0f8f7cf20100         | dec                 eax
            //   660fbdfe             | lea                 eax, [esp + 0x60]
            //   4801e3               | dec                 eax
            //   66c1d707             | xor                 eax, esp
            //   66f7c74b20           | dec                 eax

        $sequence_6 = { 29d2 c0c804 89d0 24a6 4883c701 }
            // n = 5, score = 100
            //   29d2                 | stc                 
            //   c0c804               | cmc                 
            //   89d0                 | ja                  0x23b89
            //   24a6                 | bt                  ebp, edx
            //   4883c701             | stc                 

        $sequence_7 = { 488b05???????? 4833c4 48894527 33c0 4533ed 4c8bf1 458d4504 }
            // n = 7, score = 100
            //   488b05????????       |                     
            //   4833c4               | xor                 edx, edx
            //   48894527             | inc                 ecx
            //   33c0                 | mov                 eax, 0x200
            //   4533ed               | inc                 ebp
            //   4c8bf1               | test                ebp, ebp
            //   458d4504             | je                  0x11c

        $sequence_8 = { 0f87833b0200 0fa3d5 f9 f5 69d20a000000 }
            // n = 5, score = 100
            //   0f87833b0200         | dec                 esp
            //   0fa3d5               | mov                 esi, ecx
            //   f9                   | inc                 ebp
            //   f5                   | lea                 eax, [ebp + 4]
            //   69d20a000000         | inc                 sp

        $sequence_9 = { 660fa3e0 29d9 6629ce 660fbcf6 }
            // n = 4, score = 100
            //   660fa3e0             | test                di, 0x204b
            //   29d9                 | xor                 al, 0x46
            //   6629ce               | dec                 eax
            //   660fbcf6             | cmp                 ebx, ebp

        $sequence_10 = { 488d442438 4d8bc4 4889442420 41ff96d00d0000 ba4d5a0000 663955a0 }
            // n = 6, score = 100
            //   488d442438           | dec                 esp
            //   4d8bc4               | mov                 ebp, eax
            //   4889442420           | dec                 eax
            //   41ff96d00d0000       | lea                 eax, [esp + 0x38]
            //   ba4d5a0000           | dec                 ebp
            //   663955a0             | mov                 eax, esp

        $sequence_11 = { c744246c69006c00 c744247065005300 66898552010000 c744247673007400 c744247a65006d00 }
            // n = 5, score = 100
            //   c744246c69006c00     | mov                 dword ptr [esp + 0x6c], 0x6c0069
            //   c744247065005300     | mov                 dword ptr [esp + 0x70], 0x530065
            //   66898552010000       | mov                 word ptr [ebp + 0x152], ax
            //   c744247673007400     | mov                 dword ptr [esp + 0x76], 0x740073
            //   c744247a65006d00     | mov                 dword ptr [esp + 0x7a], 0x6d0065

        $sequence_12 = { 38e9 30c0 f9 f2ae 0f89bb620100 }
            // n = 5, score = 100
            //   38e9                 | mov                 dword ptr [ebp - 0x74], ebp
            //   30c0                 | mov                 dword ptr [ebp + 0x140], 0x6b005c
            //   f9                   | mov                 dword ptr [ebp + 0x144], 0x720065
            //   f2ae                 | mov                 dword ptr [ebp + 0x148], 0x65006e
            //   0f89bb620100         | mov                 dword ptr [ebp + 0x14c], 0x33006c

        $sequence_13 = { 418d5d08 bf80250000 660f1f840000000000 488d4c2460 33d2 41b800020000 }
            // n = 6, score = 100
            //   418d5d08             | dec                 eax
            //   bf80250000           | mov                 dword ptr [esp + 0x20], eax
            //   660f1f840000000000     | inc    ecx
            //   488d4c2460           | call                dword ptr [esi + 0xdd0]
            //   33d2                 | mov                 edx, 0x5a4d
            //   41b800020000         | cmp                 word ptr [ebp - 0x60], dx

        $sequence_14 = { fec8 f6c65a fec0 b02e 80fec3 }
            // n = 5, score = 100
            //   fec8                 | cmc                 
            //   f6c65a               | imul                edx, edx, 0xa
            //   fec0                 | cmp                 cl, ch
            //   b02e                 | xor                 al, al
            //   80fec3               | stc                 

        $sequence_15 = { 4829fb 66ffc7 d2f8 66ffcf f8 4801e3 660fadd7 }
            // n = 7, score = 100
            //   4829fb               | dec                 eax
            //   66ffc7               | lea                 edi, [0xc289341c]
            //   d2f8                 | jg                  0x1f282
            //   66ffcf               | bsr                 di, si
            //   f8                   | dec                 eax
            //   4801e3               | add                 ebx, esp
            //   660fadd7             | rcl                 di, 7

    condition:
        // 7 of the 16 sequences must be present and the scanned object must be
        // smaller than 795648 bytes; larger memory dumps or bundled files are
        // therefore excluded by the size cap rather than by content.
        7 of them and filesize < 795648
}
[TLP:WHITE] win_fudmodule_w0   (20241014 | Detects win.fudmodule.)
rule win_fudmodule_w0 {
    // Purpose: hand-written FudModule signature from Avast's IOC repository
    // (see source/reference in meta).  $s* are plaintext status messages the
    // sample carries (note the printf-style %X / %d placeholders); $h* are
    // opcode byte patterns with ?? wildcard bytes.

    meta:
        author = "Jan Vojtesek - Avast Decoded"
        date = "2024-10-14"
        description = "Detects win.fudmodule."
        source = "https://github.com/avast/ioc/tree/master/FudModule#yara"
        reference = "https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20241014"
        // malpedia_hash is left empty in this version of the rule.
        malpedia_hash = ""
        malpedia_version = "20241014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Status / error messages.  YARA text strings use C-style escapes, so
        // each "\\" in $s01 is a single backslash in the matched bytes.
        $s00 = "overwrite pvmode failed. %X"
        $s01 = "%s\\temp\\tem1245.tmp"
        $s02 = "get NTKernelBase and some DriverBase failed."
        $s03 = "ClearVaccineNotifyRoutine failed."
        $s04 = "DisableUserEtwSource (%d/%d) passed."
        $s05 = "ClearVaccineNetworkFilterRoutine skipped."

        // Code patterns.  $h00 presumably opens with mov rax, gs:[0x30] (a TEB
        // fetch) - confirm with a disassembler.  $h04/$h05 look like
        // stack-string construction (mov dword ptr [rbp+disp8], imm32 with
        // ASCII immediates) with the disp8 wildcarded; also to be confirmed.
        $h00 = {65 48 8B 04 25 30 00 00 00 48 8B CB 48 8B 50 60 48 89 13 80 7A 02 01 75 16 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 F0 E9}
        $h01 = {48 C7 81 F0 00 00 00 20 01 00 00 48 C7 81 F8 00 00 00 A0 00 00 00 48 C7 81 08 01 00 00 A0 00 00 00 48 C7 81 18 01 00 00 68 00 00 00 48 C7 81 20 01 00 00 40 00 00 00}
        $h02 = {05 9F B5 FF FF 83 F8 04 0F 87 ?? ?? ?? ?? 48 C7 81 28 01 00 00 80 10 00 00}
        $h03 = {48 A3 08 00 00 80 00 00 00 00 48 8B 43 38 48 8B 4B 60}
        $h04 = {C7 45 ?? 65 72 53 69 C7 45 ?? 6C 6F 4E 61 66 C7 45 ?? 6D 65 C6 45 ?? 00 66 C7 45 ?? 48 8D}
        $h05 = {66 C7 45 ?? 4C 8B C6 45 ?? 3D 66 C7 45 ?? 48 8D C6 45 ?? 05 C7 45 ?? 46 6C 74 45 C7 45 ?? 6E 75 6D 65}
    condition:
        // Any 2 of the 12 strings; two plaintext $s* hits alone are enough,
        // no $h* code match is required.
        2 of them

}
[TLP:WHITE] win_fudmodule_w1   (20241014 | Detects win.fudmodule.)
rule win_fudmodule_w1 {
    // Purpose: hand-written signature for a later FudModule variant (Gen
    // Digital, see source/reference in meta).  $s* are plaintext status
    // messages; $h* are opcode patterns.  The strings/condition sections are
    // tab-indented unlike the sibling rules - harmless to YARA.
    // NOTE(review): the reference URL contains "/preview/"; check that it
    // still resolves to the published post.

    meta:
        author = "Luigino Camastra, GenDigital"
        date = "2024-10-14"
        description = "Detects win.fudmodule."
        source = "https://github.com/avast/ioc/tree/master/FudModule#yara"
        reference = "https://www.gendigital.com/blog/preview/lazarus-fudmodule"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20241014"
        // malpedia_hash is left empty in this version of the rule.
        malpedia_hash = ""
        malpedia_version = "20241014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

	strings:
		// The trailing "// 0x14001..." comments are presumably the virtual
		// address of each string in the reference sample (0x140000000 image
		// base); informational only, they play no part in matching.
		$s00 = "Success." // 0x14001acf0
		$s01 = "remote_exec failed." // 0x14001ad00
		$s02 = "init_env failed." // 0x14001ac90
		$s03 = "GetGodMode failed" // 0x14001acc0
		$s04 = "RemoteDllExecute passed." // 0x14001b268
		$s05 = "CreateRemoteProcess passed." // 0x14001b220
		$s06 = "GetSystemHandle passed." // 0x14001b208
		$s07 = "SuspendDefender skipped." // 0x14001b1b8
		$s08 = "DisableUserEtwSource (%d/%d) passed." // 0x14001b180
		$s09 = "EtwpHostSiloState is Null." // 0x14001b140
		$s10 = "Get EtwpHostSiloState failed." // 0x14001b160
		
		// Code patterns.  The "4?" nibble wildcards in $h01/$h02 match any
		// byte 0x40-0x4F, presumably to tolerate differing REX prefixes.
		$h00 = { 8A 44 0E ?? 41 32 C4 88 01 B0 0D 48 FF C1 41 F6 }
		$h01 = { 4? 8B DF 4? 8D 47 D0 4? C1 E0 10 4? C1 E3 10 4? }
		$h02 = { B? 05 00 00 00 4? 81 E3 FF FF 0F 00 4? 33 D8 4C }
	condition:
		// Any 3 of the 14 strings.  $s00 ("Success.") is generic on its own,
		// so a hit still needs two of the more specific messages or patterns.
		3 of them

}