| FudModule | |
|---|---|
| Type of Malware | Trojan |
| Country of Origin | North Korea |
| Targeted Countries | United States |
| Date of Initial Activity | 2022 |
| Additional Names | LIGHTSHOW |
| Associated Groups | APT38 |
| Motivation | Cyberwarfare |
| Attack Vectors | Software Vulnerabilities |
| Targeted Systems | Windows |
| Type of Information Stolen | Communication Data |
Overview
The FudModule trojan is a sophisticated piece of malware that has gained notoriety for its ability to maintain stealth and gain deep-level access to compromised systems. Initially observed in use by the North Korean threat actor Diamond Sleet, FudModule has evolved over time into a highly effective tool for maintaining control over infected systems. It specifically targets Windows-based systems and operates at the kernel level, where it tampers with kernel structures and bypasses security mechanisms. The rootkit operates primarily in memory, which makes it difficult to detect and remove and allows threat actors to carry out long-term surveillance and control of their targets’ devices.
Targets
Arts, Entertainment, and Recreation
Finance and Insurance
Public Administration
Information
Utilities
Health Care and Social Assistance
Professional, Scientific, and Technical Services
Manufacturing
How they operate
Initial Infection and Exploitation
FudModule’s attack begins when a victim is targeted through a series of exploits designed to take advantage of specific software vulnerabilities. These are often zero-days, previously unknown flaws in widely used applications or system components. A notable example is CVE-2024-7971, a type confusion vulnerability in the Chromium browser’s V8 JavaScript engine. Once the victim visits a maliciously crafted website or is tricked into running a weaponized application, the exploit chain gains remote code execution (RCE) on the victim’s system.
After achieving RCE, FudModule deploys a payload that includes an array of malicious tools, the most critical being a vulnerability exploit targeting the Windows kernel. The kernel is the core component of an operating system responsible for managing hardware and system resources. By exploiting this kernel vulnerability, FudModule bypasses the security sandbox in the affected browser and gains privileged access to critical system resources, setting the stage for further actions.
Privilege Escalation and Kernel Manipulation
Once FudModule has gained initial execution on the system, it aims to escalate its privileges from low-level access to full administrative control. This is achieved by exploiting kernel vulnerabilities such as CVE-2024-38106, a Windows kernel bug that allows attackers to break out of system sandboxes and gain access to kernel-space functions. With this higher level of access, FudModule can manipulate system-level operations, bypass security controls, and execute its payloads with minimal detection.
The malware uses techniques like Direct Kernel Object Manipulation (DKOM) to interact with the Windows kernel directly. DKOM lets FudModule modify kernel objects in memory, such as process and thread structures and other critical data structures, without touching anything on disk. This ability is crucial for the malware’s persistence, as it allows FudModule to evade security software that typically scans file systems or registry keys for signs of malicious activity.
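The usual defensive answer to DKOM process hiding is a cross-view check: compare a walk of the kernel's process list with a scan of physical memory for process objects and look at what only the scan finds. The script below, an added example rather than anything from the original page or from FudModule itself, does that over two constructed listings; the `PID PPID NAME` format and the sample processes are assumptions.

```python
"""Cross-view hidden-process check: added example, not FudModule code.

A DKOM rootkit hides a process by unlinking its EPROCESS from the kernel's
ActiveProcessLinks list: a list walk (pslist) then misses it, while a pool
scan of physical memory (psscan) still finds the object. Both listings
below are constructed; the 'PID PPID NAME' format is assumed.
"""


def parse_listing(text: str) -> dict[int, tuple[int, str]]:
    """Parse 'PID PPID NAME' lines into {pid: (ppid, name)}; skip the header."""
    procs = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs


def cross_view_diff(pslist, psscan) -> dict:
    """Return PIDs seen only by the scan (candidate DKOM hiding) and PIDs in
    the list view whose parent exists in the scan but not in the list."""
    hidden = sorted(pid for pid in psscan if pid not in pslist)
    orphaned = sorted(pid for pid, (ppid, _) in pslist.items()
                      if ppid not in pslist and ppid in psscan)
    return {"hidden": hidden, "orphaned": orphaned}


# Constructed views: PID 4872 is missing from the list walk only, and its
# child 3396 is still linked, which is the second tell.
PSLIST_SAMPLE = """PID  PPID NAME
4    0    System
612  4    smss.exe
5104 612  csrss.exe
3396 4872 svchost.exe
"""
PSSCAN_SAMPLE = PSLIST_SAMPLE + "4872 5104 rundll32.exe\n"


def run_check() -> dict:
    return cross_view_diff(parse_listing(PSLIST_SAMPLE),
                           parse_listing(PSSCAN_SAMPLE))


if __name__ == "__main__":
    print(run_check())  # {'hidden': [4872], 'orphaned': [3396]}
```

A real memory image also needs a check for processes that unlink themselves briefly and relink, so the two views should be taken from the same acquisition.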
Evasion and Stealth Mechanisms
FudModule excels at avoiding detection, employing various stealth tactics to hide its presence within the infected system. One of the primary methods it uses is obfuscation. The malware hides its operations by executing directly from memory rather than writing files to disk, which makes it harder for traditional file-based security tools to detect. Moreover, it can disguise its actions by modifying system logs and activity records, ensuring that traces of its activity are erased or altered before they can be flagged by investigators.
Additionally, FudModule operates in a manner that disables or evades traditional security software. This involves altering kernel-level processes to disable security checks or obscure the malware’s operation within the system’s runtime environment. These evasion techniques prevent antivirus software and endpoint protection tools from identifying the malware during regular system scans, allowing FudModule to continue its operations undetected for long periods.
Data Exfiltration and Command-and-Control Communication
FudModule also facilitates data exfiltration, allowing attackers to siphon sensitive information from the compromised system. With elevated access and control, FudModule can collect a wide range of data, from user credentials to encrypted files and system configurations. This data is often sent back to an attacker-controlled server over encrypted channels, which helps the exfiltration go unnoticed.
The malware can establish an encrypted, persistent connection to a command-and-control (C2) server, allowing attackers to issue further commands and receive updates from the compromised machine. This C2 communication can be disguised to look like normal, encrypted web traffic, making it difficult for network-based security tools to spot the data being exfiltrated.
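When C2 traffic is wrapped in TLS and aimed at port 443, content inspection gives little, but implants that check in on a schedule leave a timing signature. The script below is an added example, not code from the original page or from FudModule: it groups outbound connections from constructed log lines by source and destination and flags pairs whose inter-connection gaps are nearly constant. The `TIMESTAMP SRC DST PORT` log format, the addresses and the thresholds are assumptions.

```python
"""Beacon-interval check over connection logs: added example, not FudModule code.

TLS-wrapped C2 looks like ordinary HTTPS on the wire; what often betrays it
is timing, since implants check in on a fixed schedule. Connections are
grouped per (source, destination) pair and pairs with near-constant gaps are
flagged. Log lines are constructed; the 'TIMESTAMP SRC DST PORT' format is assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG = """\
2024-09-01T10:00:03Z 10.0.0.5 203.0.113.10 443
2024-09-01T10:00:41Z 10.0.0.5 198.51.100.7 443
2024-09-01T10:01:03Z 10.0.0.5 203.0.113.10 443
2024-09-01T10:02:04Z 10.0.0.5 203.0.113.10 443
2024-09-01T10:02:55Z 10.0.0.5 198.51.100.7 443
2024-09-01T10:03:02Z 10.0.0.5 203.0.113.10 443
2024-09-01T10:04:03Z 10.0.0.5 203.0.113.10 443
2024-09-01T10:05:04Z 10.0.0.5 203.0.113.10 443
2024-09-01T10:09:12Z 10.0.0.5 198.51.100.7 443
"""


def parse_log(text: str) -> dict:
    """Group connection timestamps by (src, dst)."""
    conns = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, _port = line.split()
        conns[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return conns


def find_beacons(conns, min_hits=5, max_cv=0.1) -> list:
    """Flag pairs with >= min_hits connections whose gap coefficient of
    variation (stdev / mean) is <= max_cv. Legitimate updaters and
    keep-alives also beacon, so hits need an allow-list, not auto-blocking."""
    flagged = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue  # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            flagged.append({"src": src, "dst": dst,
                            "mean_interval": mean(gaps), "cv": round(cv, 3)})
    return flagged
```

Implants that add random jitter to their sleep raise the coefficient of variation, so in practice the threshold is tuned per environment and combined with destination reputation and session-size features.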