win.fudmodule

FudModule

Actor(s): Lazarus Group


FudModule is a user-mode DLL that gains the ability to read and write arbitrary kernel memory via the Bring Your Own Vulnerable Driver (BYOVD) technique. Its main goal is to turn off Windows system monitoring features, which it does by modifying kernel variables and removing kernel callbacks. Its actions are likely to affect various types of security products, e.g. EDRs, firewalls, antimalware and even digital forensics tools.

References
2023-03-20SecurityIntelligenceJohn Dwyer
@online{dwyer:20230320:when:3f1345c, author = {John Dwyer}, title = {{When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule}}, date = {2023-03-20}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/}, language = {English}, urldate = {2023-03-21} } When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
FudModule
2023-02-21SecurityIntelligenceRuben Boonen
@online{boonen:20230221:direct:6f70379, author = {Ruben Boonen}, title = {{Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers}}, date = {2023-02-21}, organization = {SecurityIntelligence}, url = {https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/}, language = {English}, urldate = {2023-03-21} } Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
FudModule
2022-09-30ESET ResearchPeter Kálnai, Matěj Havránek
@techreport{klnai:20220930:lazarus:efbd75d, author = {Peter Kálnai and Matěj Havránek}, title = {{Lazarus & BYOVD: evil to the Windows core}}, date = {2022-09-30}, institution = {ESET Research}, url = {https://www.virusbulletin.com/uploads/pdf/conference/vb2022/papers/VB2022-Lazarus-and-BYOVD-evil-to-the-Windows-core.pdf}, language = {English}, urldate = {2022-12-24} } Lazarus & BYOVD: evil to the Windows core
FudModule
2022-09-30ESET ResearchPeter Kálnai
@online{klnai:20220930:amazonthemed:bf959b5, author = {Peter Kálnai}, title = {{Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium}}, date = {2022-09-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2022/09/30/amazon-themed-campaigns-lazarus-netherlands-belgium/}, language = {English}, urldate = {2022-12-29} } Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium
BLINDINGCAN FudModule
2022-09-22AhnLabAhnLab ASEC Analysis Team
@techreport{team:20220922:analysis:9dea34b, author = {AhnLab ASEC Analysis Team}, title = {{Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD}}, date = {2022-09-22}, institution = {AhnLab}, url = {https://asec.ahnlab.com/wp-content/uploads/2022/09/Analysis-Report-on-Lazarus-Groups-Rootkit-Attack-Using-BYOVD_Sep-22-2022.pdf}, language = {English}, urldate = {2022-12-29} } Analysis Report on Lazarus Group's Rootkit Attack Using BYOVD
FudModule
Yara Rules
[TLP:WHITE] win_fudmodule_auto (20230407 | Detects win.fudmodule.)
rule win_fudmodule_auto {

    // Auto-generated code-sequence signature for win.fudmodule (see meta below).
    // It matches on opcode byte sequences taken from the sample's disassembly,
    // not on strings or structural features, so it is tied to the specific
    // build(s) it was generated from (see DISCLAIMER).
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.fudmodule."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // NOTE(review): the per-byte disassembly annotations under each sequence
    // do not appear to correspond to the hex bytes they sit next to (e.g. the
    // REX-prefixed 0x48/0x4c opcodes are rendered as 32-bit "dec eax"/"dec esp",
    // and several mnemonics bear no relation to the bytes). Only the hex
    // patterns are matched; treat the annotations as informational at best and
    // re-disassemble the bytes yourself before reasoning about what they do.
    // The "????????" groups are wildcards, so the 4-byte operands following
    // e8 / e9 / ff15 (relative call and jump targets, which shift between
    // builds) do not constrain the match.
    strings:
        $sequence_0 = { 41b904000000 4c8bc7 4889442420 41ff96d00d0000 488b442440 488d3c70 }
            // n = 6, score = 100
            //   41b904000000         | mov                 dword ptr [ecx + 0xcb0], 0x50
            //   4c8bc7               | dec                 eax
            //   4889442420           | mov                 dword ptr [ecx + 0xd10], 0x32
            //   41ff96d00d0000       | dec                 eax
            //   488b442440           | mov                 dword ptr [ecx + 0xcf8], 0x10
            //   488d3c70             | dec                 eax

        $sequence_1 = { c744246c6c6f6164 c744247044726976 66c74424746572 c644247600 }
            // n = 4, score = 100
            //   c744246c6c6f6164     | mov                 dword ptr [ecx + 0xd00], 0x38
            //   c744247044726976     | dec                 eax
            //   66c74424746572       | mov                 dword ptr [ecx + 0xd08], 0x60
            //   c644247600           | dec                 eax

        $sequence_2 = { 488bce e8???????? e9???????? 4c8d2d6d9c0000 8bcb 488beb 498bc5 }
            // n = 7, score = 100
            //   488bce               | push                ebp
            //   e8????????           |                     
            //   e9????????           |                     
            //   4c8d2d6d9c0000       | inc                 ecx
            //   8bcb                 | push                esp
            //   488beb               | inc                 ecx
            //   498bc5               | push                ebp

        $sequence_3 = { 48637ddc 4c89ac2430020000 4903fc ff15???????? 488d55e0 488bc8 488d442438 }
            // n = 7, score = 100
            //   48637ddc             | inc                 esp
            //   4c89ac2430020000     | movzx               eax, word ptr [ebp + eax + 0xf]
            //   4903fc               | dec                 esp
            //   ff15????????         |                     
            //   488d55e0             | lea                 ecx, [ebp + eax + 0xf]
            //   488bc8               | inc                 sp
            //   488d442438           | cmp                 eax, dword ptr [edx]

        $sequence_4 = { 4c8bd2 448bcb 4585db 742f 8bd3 488d7e18 4c3b17 }
            // n = 7, score = 100
            //   4c8bd2               | dec                 eax
            //   448bcb               | xor                 ecx, esp
            //   4585db               | mov                 ebp, 1
            //   742f                 | dec                 eax
            //   8bd3                 | add                 edi, 8
            //   488d7e18             | dec                 eax
            //   4c3b17               | dec                 esi

        $sequence_5 = { 488d3d4b0d0100 ba58000000 488bcd e8???????? }
            // n = 4, score = 100
            //   488d3d4b0d0100       | mov                 dword ptr [esp + 0x40], ecx
            //   ba58000000           | dec                 eax
            //   488bcd               | mov                 dword ptr [esp + 0x50], eax
            //   e8????????           |                     

        $sequence_6 = { 498bce ff15???????? 418bc5 4c8bb42410060000 488b8d00050000 }
            // n = 5, score = 100
            //   498bce               | cmp                 ecx, eax
            //   ff15????????         |                     
            //   418bc5               | jb                  0x1866
            //   4c8bb42410060000     | inc                 edi
            //   488b8d00050000       | dec                 eax

        $sequence_7 = { 48215c2420 488d8520060000 448bc6 442bc0 488b442450 488d0dbdda0000 }
            // n = 6, score = 100
            //   48215c2420           | dec                 ecx
            //   488d8520060000       | dec                 edx
            //   448bc6               | jne                 0xd9
            //   442bc0               | dec                 esp
            //   488b442450           | mov                 esi, dword ptr [esp + 0x30]
            //   488d0dbdda0000       | dec                 eax

        $sequence_8 = { 81ff00010000 7d16 4863cf 8a84191d010000 42888401301b0100 ffc7 ebde }
            // n = 7, score = 100
            //   81ff00010000         | mov                 esi, dword ptr [ebp + eax*8 + 0x10]
            //   7d16                 | dec                 eax
            //   4863cf               | mov                 ebx, dword ptr [esp + 0x78]
            //   8a84191d010000       | dec                 eax
            //   42888401301b0100     | mov                 edi, dword ptr [esp + 0x60]
            //   ffc7                 | jmp                 0x1e9a
            //   ebde                 | dec                 ecx

        $sequence_9 = { 443a4102 7504 8bc6 eb05 1bc0 83d8ff 85c0 }
            // n = 7, score = 100
            //   443a4102             | sub                 eax, dword ptr [ebx + 0x9d8]
            //   7504                 | dec                 eax
            //   8bc6                 | cmp                 eax, 0x800000
            //   eb05                 | jbe                 0xbaa
            //   1bc0                 | dec                 eax
            //   83d8ff               | lea                 ecx, [ecx + eax + 0xd]
            //   85c0                 | dec                 eax

    // Fires when at least 7 of the 10 sequences above are present AND the
    // scanned object is smaller than 223232 bytes. The size bound cuts false
    // positives on large binaries but also means a padded, repacked or
    // bundled variant above that size will not match; when scanning process
    // memory rather than files, confirm how your scanner evaluates filesize
    // before relying on this guard.
    condition:
        7 of them and filesize < 223232
}