Fudmodule

Malware updated 23 days ago (2024-11-29T14:02:46.304Z)
Download STIX
Preview STIX
FudModule is a sophisticated malware that has been associated with various North Korean hacking campaigns since October 2021. It uses direct kernel object manipulation (DKOM) techniques to bypass kernel security checks and has seen significant improvements since its initial discovery three years ago. FudModule is often deployed as part of privilege escalation by Advanced Persistent Threats (APTs) such as Citrine Sleet and Diamond Sleet, both known for their shared use of the malware. The malware has been linked to multiple zero-day vulnerabilities, including CVE-2024-21338, which allows for direct kernel object manipulation, making detection extremely challenging once the attacker gains kernel access. In one notable instance, Lazarus, another APT group, exploited the vulnerability CVE-2024-21338 to perform direct kernel object manipulation using an updated version of FudModule rootkit. This exploitation led to the deployment of the malware directly into the kernel, providing the attackers with significant control over the infected system. In another attack, Microsoft warned that North Korean attackers were exploiting a different zero-day vulnerability in the Windows Ancillary Function Driver (Afd.sys) for WinSock, tracked as CVE-2024-38193, to sneak FudModule onto targeted systems. Furthermore, FudModule was used in multi-stage attacks targeting a different zero-day vulnerability in Windows with the objective of dropping a never-before-seen remote access Trojan codenamed Kaolin onto victims' systems. The Trojan then loaded FudModule, further compromising the targeted systems. In a recent campaign targeting cryptocurrency users, victims were redirected to an attacker-controlled domain designed to remotely exploit the vulnerability to install FudModule, which runs in-memory on the targeted device. Once the sandbox was successfully escaped, the FudModule rootkit was executed in memory, marking the successful completion of the attack.
Description last updated: 2024-10-17T11:59:06.648Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Citrine Sleet is a possible alias for Fudmodule. Citrine Sleet, also known as Gleaming Pisces, is a financially motivated threat actor associated with North Korea that has been active since at least 2018. The group is renowned for distributing the AppleJeus malware, targeting cryptocurrency traders. They have previously been linked to various cybe
3
Diamond Sleet is a possible alias for Fudmodule. Diamond Sleet, a threat actor linked to North Korea, has been identified as a significant cybersecurity concern. This group, also known as Selective Pisces, has targeted various sectors including media, defense, and IT organizations. The advanced persistent threat (APT) group is known for its supply
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Rootkit
Vulnerability
Malware
Microsoft
Exploit
Windows
Avast
Chrome
Apt
Antivirus
Zero Day
Exploits
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The vulnerability CVE-2024-21338 is associated with Fudmodule. Unspecified
4
The vulnerability CVE-2024-38193 is associated with Fudmodule. Unspecified
2
Source Document References
Information about the Fudmodule Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
a month ago
DARKReading
4 months ago
BankInfoSecurity
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
Securityaffairs
4 months ago
CERT-EU
9 months ago
CERT-EU
10 months ago
Securityaffairs
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
BankInfoSecurity
10 months ago
DARKReading
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago
CERT-EU
10 months ago