Aliases
LIGHTSHOW
Tags
Rootkit
Techniques
Bring Your Own Vulnerable Driver
Direct Kernel Object Manipulation
References
https://malpedia.caad.fkie.fraunhofer.de/details/win.fudmodule
https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
https://thehackernews.com/2024/08/north-korean-hackers-deploy-fudmodule.html
Last edited
Feb 19, 2025 2:50 PM
FudModule is a user-mode DLL rootkit attributed to the North Korean threat actor Lazarus Group. It does not load a kernel driver of its own; instead it obtains an arbitrary kernel read/write primitive, originally through the Bring Your Own Vulnerable Driver (BYOVD) technique and, in later variants, by exploiting zero-day privilege-escalation flaws in drivers that ship with Windows (CVE-2024-21338 in appid.sys and CVE-2024-38193 in afd.sys), which takes an admin-level process straight to kernel memory without needing a third-party driver. With that primitive it performs direct kernel object manipulation: it overwrites kernel variables and zeroes entries in the kernel callback arrays (process, thread, image-load, registry and object callbacks) that security products register through. Because the tampering consists of memory writes rather than a resident kernel module, nothing new shows up in the loaded-driver list, yet Endpoint Detection and Response (EDR) agents, firewalls and antivirus software stop receiving the events they depend on and are effectively blinded.
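The callback-removal step is easiest to understand as a model. The following C program is an added example written for this page, not code from FudModule or from any of the referenced analyses. It simulates, entirely in user space, the x64 layout of the kernel's PspCreateProcessNotifyRoutine array (EX_FAST_REF values whose low 4 bits hold a reference count and whose upper bits point at a callback block whose first field is the function pointer), a "kernel primitive" that is just memcpy over process memory, a rootkit routine that clears every slot whose callback lives inside an assumed EDR image range, and a defender-side audit that diffs the live array against a boot-time snapshot. All names prefixed `sim_` and the address ranges are assumptions of the simulation; no real kernel memory is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_MAX_NOTIFY 64
#define EX_FAST_REF_MASK ((uintptr_t)0xf)   /* x64: 4 refcount bits packed into the pointer */

typedef void (*sim_notify_fn)(uint64_t pid, int create);

/* Minimal stand-in for EX_CALLBACK_ROUTINE_BLOCK; Function is what the rootkit inspects. */
typedef struct { sim_notify_fn function; void *context; } sim_callback_block;

/* Stand-in for the kernel global PspCreateProcessNotifyRoutine[]. */
static uintptr_t sim_notify_routines[SIM_MAX_NOTIFY];

/* The arbitrary kernel read/write primitive (here: plain memory access). */
static uintptr_t sim_kread(uintptr_t addr) { uintptr_t v; memcpy(&v, (void *)addr, sizeof v); return v; }
static void sim_kwrite(uintptr_t addr, uintptr_t v) { memcpy((void *)addr, &v, sizeof v); }

/* Kernel side: PsSetCreateProcessNotifyRoutine stores an EX_FAST_REF to the block. */
static int sim_register(sim_callback_block *block) {
    for (int i = 0; i < SIM_MAX_NOTIFY; i++) {
        if (sim_notify_routines[i] == 0) {
            sim_notify_routines[i] = (uintptr_t)block | 0x7;   /* refcount bits set, as Windows does */
            return i;
        }
    }
    return -1;
}

/* Kernel side: deliver a process-creation event to every live callback. */
static int sim_dispatch(uint64_t pid, int create) {
    int delivered = 0;
    for (int i = 0; i < SIM_MAX_NOTIFY; i++) {
        uintptr_t ref = sim_notify_routines[i];
        if (ref == 0) continue;
        sim_callback_block *b = (sim_callback_block *)(ref & ~EX_FAST_REF_MASK);
        b->function(pid, create);
        delivered++;
    }
    return delivered;
}

/* Rootkit side: walk the array through the primitive only, decode each
 * EX_FAST_REF, read the block's Function pointer, and zero the slot when the
 * function lies inside [lo, hi), the image range of the driver to be blinded.
 * Returns the number of slots cleared. */
static int sim_rootkit_remove_callbacks(uintptr_t array_addr, uintptr_t lo, uintptr_t hi) {
    int removed = 0;
    for (int i = 0; i < SIM_MAX_NOTIFY; i++) {
        uintptr_t slot = array_addr + (uintptr_t)i * sizeof(uintptr_t);
        uintptr_t ref = sim_kread(slot);
        if (ref == 0) continue;
        uintptr_t block = ref & ~EX_FAST_REF_MASK;
        uintptr_t fn = sim_kread(block + offsetof(sim_callback_block, function));
        if (fn >= lo && fn < hi) { sim_kwrite(slot, 0); removed++; }
    }
    return removed;
}

/* Defender side: a slot that was populated in the boot-time snapshot and is now
 * zero, with no unregister having happened, is the signature of DKOM removal. */
static int sim_audit(const uintptr_t *snapshot) {
    int tampered = 0;
    for (int i = 0; i < SIM_MAX_NOTIFY; i++)
        if (snapshot[i] != 0 && sim_notify_routines[i] == 0) tampered++;
    return tampered;
}

/* Constructed callbacks standing in for an EDR driver and an unrelated benign driver. */
static int sim_edr_events, sim_benign_events;
static void sim_edr_cb(uint64_t pid, int create) { (void)pid; (void)create; sim_edr_events++; }
static void sim_benign_cb(uint64_t pid, int create) { (void)pid; (void)create; sim_benign_events++; }

/* Runs the scenario; returns 1 only if exactly the EDR callback was blinded and the audit caught it. */
int sim_scenario(void) {
    static sim_callback_block edr = { sim_edr_cb, NULL }, benign = { sim_benign_cb, NULL };
    uintptr_t snapshot[SIM_MAX_NOTIFY];
    memset(sim_notify_routines, 0, sizeof sim_notify_routines);
    sim_edr_events = sim_benign_events = 0;
    sim_register(&benign);
    sim_register(&edr);
    memcpy(snapshot, sim_notify_routines, sizeof snapshot);       /* defender's boot-time baseline */
    if (sim_dispatch(1234, 1) != 2) return 0;                     /* both drivers see the first event */
    uintptr_t lo = (uintptr_t)sim_edr_cb, hi = lo + 1;            /* assumed "EDR image range" */
    int removed = sim_rootkit_remove_callbacks((uintptr_t)sim_notify_routines, lo, hi);
    int delivered = sim_dispatch(5678, 1);                        /* only the benign driver is told */
    return removed == 1 && delivered == 1 && sim_edr_events == 1 && sim_benign_events == 2
        && sim_audit(snapshot) == 1;
}

int main(void) {
    puts(sim_scenario() ? "EDR callback removed, benign kept, audit flags 1 slot" : "unexpected result");
    return 0;
}
```

The rootkit routine never calls into the kernel's own API: everything it needs is the array's address plus a read and a write, which is why HVCI, the Microsoft vulnerable-driver blocklist and patching the admin-to-kernel bugs matter more than any user-mode detection. On the defender side, a periodic diff of the callback arrays against a trusted baseline (what `sim_audit` does) is the same check analysts run manually with a kernel debugger.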