Fudmodule

FudModule is a sophisticated malware that has been associated with various North Korean hacking campaigns since October 2021. It uses direct kernel object manipulation (DKOM) techniques to bypass kernel security checks and has seen significant improvements since its initial discovery three years ago. FudModule is often deployed as part of privilege escalation by Advanced Persistent Threats (APTs) such as Citrine Sleet and Diamond Sleet, both known for their shared use of the malware. The malware has been linked to multiple zero-day vulnerabilities, including CVE-2024-21338, which allows for direct kernel object manipulation, making detection extremely challenging once the attacker gains kernel access. In one notable instance, Lazarus, another APT group, exploited the vulnerability CVE-2024-21338 to perform direct kernel object manipulation using an updated version of FudModule rootkit. This exploitation led to the deployment of the malware directly into the kernel, providing the attackers with significant control over the infected system. In another attack, Microsoft warned that North Korean attackers were exploiting a different zero-day vulnerability in the Windows Ancillary Function Driver (Afd.sys) for WinSock, tracked as CVE-2024-38193, to sneak FudModule onto targeted systems. Furthermore, FudModule was used in multi-stage attacks targeting a different zero-day vulnerability in Windows with the objective of dropping a never-before-seen remote access Trojan codenamed Kaolin onto victims' systems. The Trojan then loaded FudModule, further compromising the targeted systems. In a recent campaign targeting cryptocurrency users, victims were redirected to an attacker-controlled domain designed to remotely exploit the vulnerability to install FudModule, which runs in-memory on the targeted device. Once the sandbox was successfully escaped, the FudModule rootkit was executed in memory, marking the successful completion of the attack.