This analysis examines a Windows rootkit loader for the FK_Undead malware family, which is known for intercepting user network traffic through proxy manipulation. The loader, signed with a valid Microsoft certificate, installs itself as a system service and employs various evasion techniques. It downloads and decrypts a payload, which is another signed driver protected by VMProtect. The rootkit checks for security tools and virtual machine environments, and it registers kernel notify routines to hide from detection. It uses deaddrops to retrieve URLs for downloading the FK_Undead payload, which is then decrypted and installed as a separate kernel driver service.
Author: AlienVault
Related Tags:
deaddrop
driver
kernel
FK_Undead
evasion
windows
AlienVault OTX
AlienVault
Proxy
Associated Indicators: