win.fudmodule (Back to overview)

FudModule

aka: LIGHTSHOW

Actor(s): Lazarus Group


FudModule is a user-mode DLL that obtains arbitrary kernel-memory read/write primitives — originally through the BYOVD (Bring Your Own Vulnerable Driver) technique and, according to the 2024 references below, later through an admin-to-kernel zero-day. Its main goal is to blind Windows kernel-level monitoring: it does so by modifying kernel variables and removing (unlinking) kernel callbacks and ETW providers through direct kernel object manipulation. Because these are the telemetry sources that most security products depend on, its actions will very likely affect EDRs, firewalls, anti-malware engines and even digital-forensics tools; defenders should therefore treat an unexpected absence of kernel telemetry as a signal in its own right (see the 2023 SecurityIntelligence reference below).

References
2024-09-19 | Gen Digital | Luigino Camastra
Evolution of Lazarus ‘FudModule - no longer (stand)alone’
FudModule
2024-08-30 | Microsoft | Microsoft Threat Intelligence
North Korean threat actor Citrine Sleet exploiting Chromium zero-day
FudModule Lazarus Group
2024-04-18 | Avast | Luigino Camastra
From BYOVD to a 0-day: Unveiling Advanced Exploits in Cyber Recruiting Scams
FudModule Kaolin RAT
2024-02-28 | Avast Decoded | Jan Vojtěšek
Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day
FudModule
2023-03-20 | SecurityIntelligence | John Dwyer
When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
FudModule
2023-03-09 | Mandiant | Mandiant Intelligence
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW
FudModule
2023-02-21 | SecurityIntelligence | Ruben Boonen
Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
FudModule
2022-10-24 | AhnLab | ASEC Analysis Team
Malware infection case of Lazarus attack group that neutralizes antivirus program with BYOVD technique
FudModule LazarDoor Racket Downloader
2022-09-30 | Virus Bulletin | Matěj Havránek, Peter Kálnai
Lazarus & BYOVD: evil to the Windows core
FudModule
2022-09-30 | ESET Research | Peter Kálnai
Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule HTTP(S) uploader LambLoad TOUCHMOVE
2022-09-22 | AhnLab | AhnLab ASEC Analysis Team
Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD
FudModule
Yara Rules
[TLP:WHITE] win_fudmodule_auto (20251219 | Detects win.fudmodule.)
rule win_fudmodule_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-01-05"
        version = "1"
        description = "Detects win.fudmodule."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20260105"
        malpedia_hash = "19b79e7cab4eaf532122e5b45a77dd8f6bb5cc79"
        malpedia_version = "20251219"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): do not rely on the per-byte "//" annotations below.
     * They are 32-bit-mode decodings and are shifted relative to the bytes
     * they sit next to. Example: $sequence_0's bytes
     * (66 0F B3 E9 / 53 / F6 DD / 66 0F BB E2 / 57) decode to
     * btr cx,bp / push rbx / neg ch / btc dx,sp / push rdi -- which is the
     * text annotated on $sequence_15, not on $sequence_0. Likewise the
     * stack-string stores that are really $sequence_14's bytes
     * (mov [ebp-0x48], 0x74756f52 ...) are annotated on $sequence_10.
     * The REX prefixes (41/48/49/4C) throughout show this is x86-64 code.
     * Match on the hex sequences; regenerate the comments before citing them.
     */


    strings:
        // btr cx,bp / push rbx / neg ch / btc dx,sp / push rdi
        $sequence_0 = { 660fb3e9 53 f6dd 660fbbe2 57 }
            // n = 5, score = 100
            //   660fb3e9             | dec                 eax
            //   53                   | mov                 esi, dword ptr [esp + 0x80]
            //   f6dd                 | dec                 eax
            //   660fbbe2             | mov                 ebx, dword ptr [esp + 0x78]
            //   57                   | dec                 eax

        $sequence_1 = { 4801e3 fec8 66c1cf03 d2e8 }
            // n = 4, score = 100
            //   4801e3               | xor                 bl, bl
            //   fec8                 | sbb                 bl, 0x4a
            //   66c1cf03             | add                 bl, ch
            //   d2e8                 | add                 ecx, 1

        $sequence_2 = { 498b8c24e0090000 e8???????? 4983bc24d809000000 488bb42480000000 488b5c2478 }
            // n = 5, score = 100
            //   498b8c24e0090000     | dec                 eax
            //   e8????????           |                     
            //   4983bc24d809000000     | lea    ecx, [esp + 0x58]
            //   488bb42480000000     | mov                 edx, dword ptr [esp + eax + 0x60]
            //   488b5c2478           | dec                 esp

        $sequence_3 = { f9 4801e3 e9???????? 660fbec2 58 e9???????? f5 }
            // n = 7, score = 100
            //   f9                   | dec                 eax
            //   4801e3               | add                 esp, 0x20
            //   e9????????           |                     
            //   660fbec2             | mov                 bl, 0x7a
            //   58                   | jne                 0xffff7361
            //   e9????????           |                     
            //   f5                   | sar                 si, cl

        // 41 FF D5 is "call r13" in 64-bit mode (the 32-bit annotation
        // "inc ecx / call ebp" is what the generator printed for it)
        $sequence_4 = { 41ffd5 85c0 782d 488bd6 }
            // n = 4, score = 100
            //   41ffd5               | inc                 ecx
            //   85c0                 | call                ebp
            //   782d                 | test                eax, eax
            //   488bd6               | js                  0x2f

        $sequence_5 = { 30db 80db4a 00eb 83c101 fec3 }
            // n = 5, score = 100
            //   30db                 | mov                 ecx, 8
            //   80db4a               | dec                 eax
            //   00eb                 | mov                 edx, ebx
            //   83c101               | dec                 eax
            //   fec3                 | mov                 ecx, eax

        $sequence_6 = { e8???????? 498bcc e8???????? 8d7514 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   498bcc               | dec                 eax
            //   e8????????           |                     
            //   8d7514               | mov                 edx, esi

        $sequence_7 = { 4963c3 488d4c2458 8b540460 4c8d440460 }
            // n = 4, score = 100
            //   4963c3               | lea                 edi, [ecx + eax]
            //   488d4c2458           | dec                 eax
            //   8b540460             | lea                 edx, [ebp - 0x50]
            //   4c8d440460           | dec                 eax

        $sequence_8 = { 0fb6c3 f6d0 0f9cc0 58 e9???????? }
            // n = 5, score = 100
            //   0fb6c3               | lea                 ecx, [ecx + 0x18]
            //   f6d0                 | mov                 word ptr [ebp - 0x48], ax
            //   0f9cc0               | mov                 eax, 0x33
            //   58                   | dec                 esp
            //   e9????????           |                     

        $sequence_9 = { 488bce e8???????? 85c0 7403 83cf08 488bce }
            // n = 6, score = 100
            //   488bce               | mov                 ecx, eax
            //   e8????????           |                     
            //   85c0                 | dec                 eax
            //   7403                 | lea                 eax, [esp + 0x40]
            //   83cf08               | dec                 ecx
            //   488bce               | arpl                bx, ax

        $sequence_10 = { 488d3c01 ff15???????? 488d55b0 488bc8 488d442440 }
            // n = 5, score = 100
            //   488d3c01             | mov                 dword ptr [ebp - 0x48], 0x74756f52
            //   ff15????????         |                     
            //   488d55b0             | mov                 dword ptr [ebp - 0x44], 0x45656e69
            //   488bc8               | mov                 word ptr [ebp - 0x40], 0x78
            //   488d442440           | dec                 eax

        $sequence_11 = { 4883c420 b37a e9???????? 0f855b73ffff 66d3fe }
            // n = 5, score = 100
            //   4883c420             | mov                 dword ptr [esp + 0x20], edx
            //   b37a                 | dec                 esp
            //   e9????????           |                     
            //   0f855b73ffff         | lea                 eax, [esp + 0x30]
            //   66d3fe               | inc                 ecx

        $sequence_12 = { 488d8c246ed9e517 f5 f8 4889c3 488d3ced1b6cb3bd }
            // n = 5, score = 100
            //   488d8c246ed9e517     | mov                 eax, 0x45
            //   f5                   | xor                 ebx, ebx
            //   f8                   | dec                 eax
            //   4889c3               | mov                 edi, ecx
            //   488d3ced1b6cb3bd     | dec                 esp

        $sequence_13 = { 4889542420 4c8d442430 41b908000000 488bd3 488bc8 }
            // n = 5, score = 100
            //   4889542420           | lea                 eax, [esp + eax + 0x60]
            //   4c8d442430           | dec                 eax
            //   41b908000000         | mov                 ecx, esi
            //   488bd3               | test                eax, eax
            //   488bc8               | je                  5

        // Stack-string construction: the immediates spell "ssNo" "tify" "Rout"
        // "ineE" "x\0" -> "ssNotifyRoutineEx", i.e. the tail of a
        // "...NotifyRoutineEx" kernel API name (full name not visible here;
        // consistent with the callback-removal behaviour described above)
        $sequence_14 = { c745b073734e6f c745b474696679 c745b8526f7574 c745bc696e6545 66c745c07800 }
            // n = 5, score = 100
            //   c745b073734e6f       | dec                 ecx
            //   c745b474696679       | mov                 ecx, esp
            //   c745b8526f7574       | lea                 esi, [ebp + 0x14]
            //   c745bc696e6545       | mov                 dword ptr [ebp - 0x50], 0x6f4e7373
            //   66c745c07800         | mov                 dword ptr [ebp - 0x4c], 0x79666974

        $sequence_15 = { fecb 4889e8 b377 b301 660fa3d2 0fbae207 }
            // n = 6, score = 100
            //   fecb                 | lea                 eax, [ebp - 0x50]
            //   4889e8               | btr                 cx, bp
            //   b377                 | push                ebx
            //   b301                 | neg                 ch
            //   660fa3d2             | btc                 dx, sp
            //   0fbae207             | push                edi

    condition:
        // 7 of the 16 auto-selected sequences. The filesize cap makes this a
        // file-scanning rule: YARA leaves filesize undefined when scanning
        // process memory, so the "and" does not hold there -- drop the cap
        // (or use the w0/w1 rules) for memory scans.
        7 of them and filesize < 795648
}
[TLP:WHITE] win_fudmodule_w0   (20241014 | Detects win.fudmodule.)
rule win_fudmodule_w0 {

    meta:
        author = "Jan Vojtesek - Avast Decoded"
        date = "2024-10-14"
        description = "Detects win.fudmodule."
        source = "https://github.com/avast/ioc/tree/master/FudModule#yara"
        reference = "https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20241014"
        malpedia_hash = ""
        malpedia_version = "20241014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Plain-text status/log messages left in the binary. "Vaccine" is
        // presumably the author's term for the installed security product
        // whose notify routines and network filter get cleared (TODO confirm
        // against the referenced write-up). No filesize cap, so this rule also
        // works on unpacked dumps and process memory.
        $s00 = "overwrite pvmode failed. %X"
        $s01 = "%s\\temp\\tem1245.tmp"
        $s02 = "get NTKernelBase and some DriverBase failed."
        $s03 = "ClearVaccineNotifyRoutine failed."
        $s04 = "DisableUserEtwSource (%d/%d) passed."
        $s05 = "ClearVaccineNetworkFilterRoutine skipped."

        // mov rax, gs:[0x30] ; mov rcx, rbx ; mov rdx, [rax+0x60] ; mov [rbx], rdx ;
        // cmp byte [rdx+2], 1 ; jne +0x16 ; lea rdx, [rip+..] ; call .. ;
        // mov eax, 0xF0000001 ; jmp ..
        // On x64 Windows gs:[0x30] is the TEB, TEB+0x60 the PEB and PEB+2
        // BeingDebugged, so this is consistent with a PEB.BeingDebugged
        // anti-debug check whose failure path returns 0xF0000001.
        $h00 = {65 48 8B 04 25 30 00 00 00 48 8B CB 48 8B 50 60 48 89 13 80 7A 02 01 75 16 48 8D 15 ?? ?? ?? ?? E8 ?? ?? ?? ?? B8 01 00 00 F0 E9}
        // Five "mov qword [rcx+off], imm32" stores: [rcx+0xF0]=0x120,
        // [rcx+0xF8]=0xA0, [rcx+0x108]=0xA0, [rcx+0x118]=0x68, [rcx+0x120]=0x40.
        // Looks like a per-build constant/offset table being filled in
        // (which structure is not visible from the bytes alone).
        $h01 = {48 C7 81 F0 00 00 00 20 01 00 00 48 C7 81 F8 00 00 00 A0 00 00 00 48 C7 81 08 01 00 00 A0 00 00 00 48 C7 81 18 01 00 00 68 00 00 00 48 C7 81 20 01 00 00 40 00 00 00}
        // add eax, 0xFFFFB59F (= eax - 0x4A61 = eax - 19041) ; cmp eax, 4 ;
        // ja .. ; mov qword [rcx+0x128], 0x1080
        // 19041 is the Windows 10 version 2004 build number, so the
        // fall-through presumably handles builds 19041..19045 -- a
        // build-number switch selecting the table written by $h01 (confirm).
        $h02 = {05 9F B5 FF FF 83 F8 04 0F 87 ?? ?? ?? ?? 48 C7 81 28 01 00 00 80 10 00 00}
        // mov [0x80000008], rax (64-bit absolute moffs store) ;
        // mov rax, [rbx+0x38] ; mov rcx, [rbx+0x60]
        $h03 = {48 A3 08 00 00 80 00 00 00 00 48 8B 43 38 48 8B 4B 60}
        // Stack-string construction via mov [rbp+?], imm: "erSi" "loNa" "me" \0,
        // followed by the code bytes 48 8D -- i.e. a NUL-terminated name ending
        // in "erSiloName" immediately followed by an opcode pattern (lea ..).
        $h04 = {C7 45 ?? 65 72 53 69 C7 45 ?? 6C 6F 4E 61 66 C7 45 ?? 6D 65 C6 45 ?? 00 66 C7 45 ?? 48 8D}
        // Same technique: opcode pattern 4C 8B 3D (mov r15,[rip+..]) and
        // 48 8D 05 (lea rax,[rip+..]) built on the stack, then "FltE" "nume" --
        // the start of an "FltEnume..." name (presumably an fltmgr export;
        // the full name is not visible in these bytes).
        $h05 = {66 C7 45 ?? 4C 8B C6 45 ?? 3D 66 C7 45 ?? 48 8D C6 45 ?? 05 C7 45 ?? 46 6C 74 45 C7 45 ?? 6E 75 6D 65}
    condition:
        // Any two of the above; every string here is specific enough that
        // a pair is a strong hit.
        2 of them

}
[TLP:WHITE] win_fudmodule_w1   (20241014 | Detects win.fudmodule.)
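rule win_fudmodule_w1 {

    meta:
        author = "Luigino Camastra, GenDigital"
        date = "2024-10-14"
        description = "Detects win.fudmodule."
        source = "https://github.com/avast/ioc/tree/master/FudModule#yara"
        reference = "https://www.gendigital.com/blog/preview/lazarus-fudmodule"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20241014"
        malpedia_hash = ""
        malpedia_version = "20241014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Status/log messages; the trailing comment is the string's VA in the
        // referenced sample. The original rule also carried
        //   $s00 = "Success." // 0x14001acf0
        // and counted it in "3 of them". "Success." occurs in countless
        // unrelated binaries, so it is deliberately left out of the string set
        // below: a generic token must not supply a third of the evidence.
        $s01 = "remote_exec failed." // 0x14001ad00
        $s02 = "init_env failed." // 0x14001ac90
        $s03 = "GetGodMode failed" // 0x14001acc0
        $s04 = "RemoteDllExecute passed." // 0x14001b268
        $s05 = "CreateRemoteProcess passed." // 0x14001b220
        $s06 = "GetSystemHandle passed." // 0x14001b208
        $s07 = "SuspendDefender skipped." // 0x14001b1b8
        $s08 = "DisableUserEtwSource (%d/%d) passed." // 0x14001b180
        $s09 = "EtwpHostSiloState is Null." // 0x14001b140
        $s10 = "Get EtwpHostSiloState failed." // 0x14001b160

        // Code fragments. "4?" is a nibble wildcard for the REX prefix byte,
        // so these match regardless of which extended registers are used.
        $h00 = { 8A 44 0E ?? 41 32 C4 88 01 B0 0D 48 FF C1 41 F6 }
        $h01 = { 4? 8B DF 4? 8D 47 D0 4? C1 E0 10 4? C1 E3 10 4? }
        $h02 = { B? 05 00 00 00 4? 81 E3 FF FF 0F 00 4? 33 D8 4C }

    condition:
        // Three of the distinctive strings/code fragments. No filesize cap,
        // so the rule is usable on process memory and unpacked dumps as well
        // as on files.
        3 of ($s01, $s02, $s03, $s04, $s05, $s06, $s07, $s08, $s09, $s10, $h*)

}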