Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead

We discovered a Windows rootkit loader [F1] for the malware family FK_Undead. The family is known for intercepting user network traffic by manipulating proxy configurations. To the best of our knowledge, the rootkit loader has not been publicly analyzed before. As is required for a kernel driver to load on modern 64-bit Windows, the loader carries a valid signature from the Microsoft Windows Hardware Compatibility Publisher certificate (see thumbprint [T1]); note that such a signature only shows that the driver went through Microsoft's driver-signing program, not that it is benign. It supports several Windows versions and is protected with VMProtect.
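The two properties above that an analyst can check quickly on a suspect host or sample are the driver's signature chain (who signed it, and whether the signer thumbprint matches the one flagged in the write-up) and the proxy settings the family is known to tamper with. The script below is an added triage example written for this page; it is not code from the original report. The sample path, the empty suspect-thumbprint list (the page's [T1] value is not reproduced here) and the specific registry values checked are assumptions, chosen because WinINET and WinHTTP proxy settings are the standard places a proxy hijack shows up.

```powershell
# Added triage example (not from the original FK_Undead write-up).
# Checks a driver's Authenticode signer and the host's proxy configuration.
param(
    # Assumed sample location; replace with the driver you are analysing.
    [string]$DriverPath = "C:\samples\loader.sys",
    # Signer thumbprints to flag, e.g. the [T1] value from the write-up.
    # Left empty here because this example does not carry that value.
    [string[]]$SuspectThumbprints = @()
)

function Get-DriverSignerInfo {
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    if ($null -eq $signer) {
        # Unsigned or unparsable: still report the status so it is not missed.
        return [pscustomobject]@{
            Path = $Path; Status = $sig.Status; Subject = $null
            Issuer = $null; Thumbprint = $null; IsWhcpSigned = $false
        }
    }
    [pscustomobject]@{
        Path         = $Path
        Status       = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        Subject      = $signer.Subject
        Issuer       = $signer.Issuer
        Thumbprint   = $signer.Thumbprint
        NotBefore    = $signer.NotBefore
        NotAfter     = $signer.NotAfter
        # A WHCP subject with a Valid status means Microsoft signed the driver
        # through its hardware compatibility program; it says nothing about intent.
        IsWhcpSigned = ($signer.Subject -like "*Windows Hardware Compatibility Publisher*")
    }
}

function Get-ProxyConfiguration {
    # Per-user WinINET settings (browsers, most user-mode apps).
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $v   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = $v.ProxyEnable
        ProxyServer   = $v.ProxyServer
        AutoConfigURL = $v.AutoConfigURL     # remote PAC URL set by malware is a red flag
        ProxyOverride = $v.ProxyOverride
        # Machine-wide WinHTTP proxy used by services and some system components.
        WinHttpProxy  = (netsh winhttp show proxy | Out-String).Trim()
    }
}

function Get-LoadedDriverByPath {
    # Is a driver from this path currently registered/running on the host?
    param([Parameter(Mandatory)][string]$Path)
    $leaf = Split-Path -Leaf $Path
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -and (Split-Path -Leaf $_.PathName) -ieq $leaf } |
        Select-Object Name, State, StartMode, PathName
}

$info = Get-DriverSignerInfo -Path $DriverPath
$info | Format-List
if ($info.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($info.Status)', not Valid."
}
if ($info.Thumbprint -and ($SuspectThumbprints -contains $info.Thumbprint)) {
    Write-Warning "Signer thumbprint $($info.Thumbprint) matches a flagged value."
}
if ($info.IsWhcpSigned) {
    Write-Host "Driver is WHCP-signed: check the signer thumbprint and publisher history, not just validity."
}

"--- Proxy configuration ---"
Get-ProxyConfiguration | Format-List

"--- Registered drivers matching the sample name ---"
Get-LoadedDriverByPath -Path $DriverPath
```

Run it from an elevated PowerShell on the host being triaged (Get-CimInstance Win32_SystemDriver and netsh need no extra privilege, but reading a driver out of System32\drivers may). Because the loader is VMProtect-packed, static string checks on the binary are unreliable; the signature metadata and the runtime side effects (proxy settings, a registered service pointing at the driver) are the stable indicators to pivot on.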


Article Link: Malware Analysis: A Kernel Land Rootkit Loader for FK_Undead