
Cybersecurity researchers have discovered a new Microsoft-signed rootkit designed to communicate with attacker-controlled infrastructure.
Trend Micro attributes this cluster of activity to the same actor previously identified behind the FiveSys rootkit, which came to light in October 2021.
“This malicious actor originates from China, and its main victims are the Chinese gaming sector,” said Mahmoud Zohdy, Sherif Magdy and Mohamed Fahmy of Trend Micro. The malware appears to have passed through the Windows Hardware Quality Labs (WHQL) process to obtain a valid signature.
Multiple variants of the rootkit have been discovered across eight different clusters, including 75 such drivers signed using Microsoft’s WHQL program in 2022 and 2023.
Analysis of some samples by Trend Micro revealed the presence of debug messages in the source code, indicating that the operation is still in development and testing.
In subsequent steps, the first-stage driver edits the registry to disable User Account Control (UAC) and Secure Desktop mode, and initializes a Winsock Kernel (WSK) object to establish network communication with the remote server.
It also periodically polls the server for additional payloads, decodes and decrypts the received data, and then loads it directly into memory, effectively acting as a stealthy kernel driver loader that can evade detection.
“The main binary acts as a universal loader, allowing attackers to directly load second-stage unsigned kernel modules,” the researchers explained. “Each second-stage plug-in is customized for the victim machine on which it is deployed, and some even include custom-compiled drivers for each machine. Each plug-in has a specific set of actions that it performs.”
The plug-ins offer various capabilities, including establishing persistence, disabling Microsoft Defender Antivirus, deploying a proxy on the machine and redirecting web browsing traffic to a remote proxy server.
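Two of the behaviours described above are observable from the host itself: the UAC and Secure Desktop policy values being flipped in the registry, and kernel drivers carrying a WHQL signature. The following PowerShell audit is an added example written for this page; it is not code from the article, from Trend Micro or from the malware. It assumes the standard UAC policy values `EnableLUA` and `PromptOnSecureDesktop` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`, and that WHQL-signed drivers carry the signer subject “Microsoft Windows Hardware Compatibility Publisher”; it needs an elevated session.

```powershell
# Added defender-side audit (not from the article). Run elevated on a host you administer.
# Part 1: check whether UAC or the Secure Desktop prompt has been disabled via policy.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$uacFindings = @()
# EnableLUA = 0 switches UAC off entirely; PromptOnSecureDesktop = 0 removes the secure desktop prompt.
if ($policy.EnableLUA -eq 0)             { $uacFindings += 'EnableLUA is 0 (UAC disabled)' }
if ($policy.PromptOnSecureDesktop -eq 0) { $uacFindings += 'PromptOnSecureDesktop is 0 (Secure Desktop disabled)' }

if ($uacFindings.Count -eq 0) {
    Write-Host 'UAC policy values look normal.'
} else {
    $uacFindings | ForEach-Object { Write-Warning $_ }
}

# Part 2: list running kernel drivers whose Authenticode signer is the WHQL publisher,
# with a SHA-256 per file so the list can be baselined and compared across a fleet.
$whqlSubject = 'Microsoft Windows Hardware Compatibility Publisher'

$report = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the two path prefixes commonly seen in Win32_SystemDriver.PathName.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }

# WHQL-signed drivers are normal by the hundred; the value is in the diff against a known-good baseline.
$report |
    Where-Object { $_.Signer -like "*$whqlSubject*" } |
    Sort-Object Name |
    Format-Table Name, Status, Sha256, Path -AutoSize
```

Export the table from a clean reference build and diff it against production hosts: a WHQL-signed driver that is new to one machine, or whose hash appears nowhere else in the fleet, is the kind of outlier this campaign's per-victim compiled drivers would produce. A valid signature on its own says nothing about intent, which is exactly the point the article makes.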

As with FiveSys, detections of the new rootkit are confined to China. One suspected entry point for infection is a trojanized Chinese game, echoing Cisco Talos’ discovery of a malicious driver called RedDriver.
The findings align with other reports from Cisco Talos and Sophos about Chinese-speaking threat actors using Microsoft-signed malicious kernel-mode drivers for post-exploitation activity, a technique that is also prevalent as open source software within the video game cheat development community, where it is used to bypass restrictions enforced by the tech giant.
In all, 133 malicious drivers signed with legitimate digital certificates have been found, 81 of which are capable of terminating antivirus solutions on victims’ systems. The remaining drivers are rootkits designed to covertly monitor sensitive data sent over the Internet.
The fact that these drivers are signed through the Windows Hardware Compatibility Program (WHCP) means that an attacker can install them on a compromised system without triggering warnings and carry out malicious activity with virtually no impediment.
“Since drivers communicate with the ‘core’ of the operating system and are often loaded before security software, misused drivers can defeat security protections, especially if signed by a trusted authority,” said Christopher Budd, director of threat research at Sophos X-Ops.
Following the disclosure, Microsoft said it had introduced blocking protections and suspended the seller accounts of the partners involved in the incident to protect users from future threats.
If anything, this development paints a picture of the evolving attack vectors actively used by adversaries to gain privileged access to Windows machines and sidestep detection by security software.
“Malicious actors will continue to use rootkits to hide malicious code from security tools, undermine defenses, and stay under the radar for long periods of time,” the researchers said. “These rootkits will frequently be used by sophisticated groups with both the skills to reverse-engineer low-level system components and the resources necessary to develop such tools.”