This article summarises G DATA's analysis of a Windows rootkit loader attributed to the FK_Undead malware family. The loader manipulates the user's proxy settings so that network traffic can be intercepted, masquerades as a legitimate Microsoft component, and uses several evasion techniques to stay undetected. It downloads and decrypts further payloads from remote servers, so a compromised host is fully exposed to whatever the operators push next. Affected: Windows
Key points:
- A Windows rootkit loader belonging to the FK_Undead malware family has been discovered.
- The rootkit can intercept the user's network traffic by manipulating proxy settings.
- The loader installs itself as a system service disguised as "Microsoft Foundation Applications."
- It relocates its files to inconspicuous locations to hinder discovery.
- The analysis uses the Speakeasy emulator to trace the loader's memory accesses.
- The loader fetches a payload selected according to the detected Windows version.
- The payloads and the dead-drop locations are encrypted.
- Several evasion techniques are used to avoid detection by security products.
MITRE ATT&CK techniques:
- Persistence (T1543.003, Create or Modify System Process: Windows Service) – The loader registers itself as a Windows service named "EventStore."
- Defense Evasion (T1036, Masquerading) – The rootkit relocates its files and disguises its service identity as a Microsoft component.
- Command and Control (T1071.001, Web Protocols) – It fetches encrypted payloads over HTTP from remote URLs chosen by Windows version.
- Exfiltration Over C2 Channel (T1041) – The malware could potentially exfiltrate data through the modified proxy settings; this is an inference, not an observed capability.
Indicators of compromise:
- [URL] hxxp://tjxgood[.]com:38005/auth.bin
- [URL] hxxp://tjxupdates[.]com:38005/auth.bin
- [URL] hxxp://tjxgood[.]com:38005/auth7.bin
- [URL] hxxp://tjxupdates[.]com:38005/auth7.bin
- [IP Address] 101.37.76.254
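The indicators above, together with the service identity and proxy tampering from the key points, are enough for a first triage pass over endpoint and proxy logs. The script below is an added example and not part of the G DATA write-up: it runs offline over a few constructed JSON-lines records in a simplified schema that is an assumption of this example (real Sysmon, EDR or proxy exports will use different field names). The only strong signals it treats as "high" are the listed hosts, the listed payload paths and the service identity; the C2 port alone and any change to the WinINET proxy values are flagged "medium" for review, because the article does not say which proxy values the loader writes.

```python
"""Offline triage of log records against the FK_Undead indicators listed above.

Added example, not code from the G DATA analysis. The JSON-lines schema and
the sample records are constructed for this example.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlsplit

# Indicators taken from the IoC list above (refanged for matching).
IOC_DOMAINS = {"tjxgood.com", "tjxupdates.com"}
IOC_IPS = {"101.37.76.254"}
IOC_PORT = 38005
IOC_PATHS = {"/auth.bin", "/auth7.bin"}
# Service identity the loader registers under, per the key points above.
IOC_SERVICE_NAMES = {"eventstore"}
IOC_SERVICE_DISPLAY = {"microsoft foundation applications"}
# WinINET proxy values; the article does not state what the loader writes,
# so any change to these is only raised for review (assumed heuristic).
PROXY_VALUES = {"proxyserver", "proxyenable", "autoconfigurl"}
PROXY_KEY_RE = re.compile(r"\\Internet Settings$", re.IGNORECASE)


def refang(s: str) -> str:
    """Undo the hxxp / [.] defanging used in the IoC list so URLs parse."""
    return s.replace("hxxp", "http").replace("[.]", ".")


def check_url(url: str) -> list[str]:
    """Match a URL's host, port and path against the listed indicators."""
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    hits = []
    if host in IOC_DOMAINS or host in IOC_IPS:
        hits.append("ioc_host:" + host)
    if u.port == IOC_PORT:
        hits.append("ioc_port:%d" % IOC_PORT)
    if u.path in IOC_PATHS:
        hits.append("ioc_path:" + u.path)
    return hits


def check_event(ev: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one record; severity is '' when clean.

    'high'   = listed host/IP, listed payload path, or the loader's service identity
    'medium' = only the C2 port, or a WinINET proxy change (needs analyst review)
    """
    reasons: list[str] = []
    kind = ev.get("type")
    if kind == "network":
        host = str(ev.get("dest_host", "")).lower()
        if host in IOC_DOMAINS or ev.get("dest_ip") in IOC_IPS:
            reasons.append("ioc_host:" + (host or ev.get("dest_ip")))
        if ev.get("dest_port") == IOC_PORT:
            reasons.append("ioc_port:%d" % IOC_PORT)
        if "url" in ev:
            reasons.extend(h for h in check_url(ev["url"]) if h not in reasons)
    elif kind == "service_install":
        if ev.get("name", "").lower() in IOC_SERVICE_NAMES:
            reasons.append("service_name:" + ev["name"])
        if ev.get("display_name", "").lower() in IOC_SERVICE_DISPLAY:
            reasons.append("service_display:" + ev["display_name"])
    elif kind == "registry_set":
        if PROXY_KEY_RE.search(ev.get("key", "")) and ev.get("value", "").lower() in PROXY_VALUES:
            reasons.append("proxy_change:" + ev["value"])
    if not reasons:
        return "", []
    strong = ("ioc_host:", "ioc_path:", "service_name:", "service_display:")
    return ("high" if any(r.startswith(strong) for r in reasons) else "medium"), reasons


def triage(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Parse JSON-lines records and return (index, severity, reasons) for flagged ones."""
    flagged = []
    for i, line in enumerate(l for l in log_text.splitlines() if l.strip()):
        sev, reasons = check_event(json.loads(line))
        if sev:
            flagged.append((i, sev, reasons))
    return flagged


# Constructed sample records (not real telemetry); proxy data value is made up.
SAMPLE_LOG = r"""
{"type": "network", "dest_host": "tjxgood.com", "dest_ip": "101.37.76.254", "dest_port": 38005, "url": "hxxp://tjxgood[.]com:38005/auth7.bin"}
{"type": "network", "dest_host": "example.org", "dest_ip": "198.51.100.7", "dest_port": 443}
{"type": "network", "dest_ip": "101.37.76.254", "dest_port": 38005}
{"type": "network", "dest_ip": "203.0.113.5", "dest_port": 38005}
{"type": "service_install", "name": "EventStore", "display_name": "Microsoft Foundation Applications"}
{"type": "service_install", "name": "Spooler", "display_name": "Print Spooler"}
{"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "value": "ProxyServer", "data": "127.0.0.1:8080"}
"""

if __name__ == "__main__":
    for idx, sev, why in triage(SAMPLE_LOG):
        print(f"line {idx}: {sev:6s} {', '.join(why)}")
```

Port 38005 on its own is deliberately not a high-confidence match: the record for 203.0.113.5 is flagged only "medium" so an analyst still looks at it without it triggering an automated response, whereas a hit on the listed domains, IP, payload paths or the "EventStore" service identity is strong enough to act on.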
Full Story: https://www.gdatasoftware.com/blog/2024/12/38091-analysis-fk-undead