Cybersecurity researchers have uncovered a new rootkit signed by Microsoft that is designed to communicate with actor-controlled attack infrastructure.
Trend Micro attributes the activity clusters to the same actors previously identified behind the FiveSys rootkit, which came to light in October 2021.
“These bad actors are from China and their main victim is the gaming sector in China,” Trend Micro’s Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy said. Their malware appears to have passed the Windows Hardware Quality Lab (WHQL) process to obtain a valid signature.
Various rootkit variants spanning eight different clusters have been discovered, with 75 of these drivers signed using Microsoft’s WHQL program in 2022 and 2023.
Trend Micro’s analysis of some samples has revealed debug messages in the source code, indicating that the operation is still in the development and testing stages.
The first-stage driver then disables User Account Control (UAC) and Secure Desktop mode by editing the registry, and initializes a Winsock Kernel (WSK) object to set up network communication with the remote server.
It further polls the server periodically for additional payloads and loads them directly into memory after decrypting the received data, effectively functioning as a stealthy kernel driver loader that can bypass detection.
“The main binary acts as a universal loader allowing an attacker to directly load second-stage unsigned kernel modules,” the researchers explained. “Each second-stage plugin is customized to the victim machine it’s running on, with some even containing specially compiled drivers for each machine. Each plugin has a specific set of actions that must be performed from kernel space.”
The plug-ins, for their part, come with different capabilities: achieving persistence, disabling Microsoft Defender Antivirus, and deploying proxies on machines to redirect web browsing traffic to remote proxy servers.
Much like FiveSys, detections of the new rootkit have been confined exclusively to China. One of the suspected entry points for the infection is said to be a trojanized Chinese game, mirroring Cisco Talos’ discovery of a rogue driver called RedDriver.
This finding aligns with other reports from Cisco Talos and Sophos on the use of Microsoft-signed malicious kernel-mode drivers for post-exploitation activity, with Chinese-speaking threat actors using open-source software popular within the video game cheat development community to bypass the restrictions imposed by the tech giants.
A total of 133 malicious drivers signed with valid digital certificates were found, 81 of which were able to terminate antivirus solutions on victim systems. The remaining drivers are rootkits designed to surreptitiously monitor sensitive data sent over the internet.
The fact that these drivers are signed through the Windows Hardware Compatibility Program (WHCP) means that an attacker can install them on a compromised system without raising any warnings and carry on malicious activity virtually unhindered.
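The two defender-relevant behaviours described above, the registry edits that switch off UAC and the Secure Desktop, and the presence of WHCP-signed third-party drivers that raise no warnings, can both be audited from an endpoint. The following PowerShell script is an added example and is not code from the article or from Trend Micro, Sophos or Cisco Talos. It assumes a Windows host with PowerShell 5.1 or later run from an elevated prompt; the registry value names (EnableLUA, PromptOnSecureDesktop) and the "Windows Hardware Compatibility Publisher" signer name are well-known Windows values, not details taken from the article.

```powershell
# Added defender-side audit script (not from the original article or the vendors it cites).
# Assumes: Windows, PowerShell 5.1+, elevated session.
# 1) Reports UAC policy values that a rootkit would flip to suppress elevation prompts.
# 2) Inventories running kernel drivers with their Authenticode signer so that
#    WHCP-co-signed third-party drivers can be reviewed against a known-good baseline.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-UacPolicy {
    # A missing value means the Windows default (enabled); only an explicit 0 is a finding.
    $p = Get-ItemProperty -Path $policyKey -ErrorAction Stop
    $findings = @()
    if ($p.PSObject.Properties['EnableLUA'] -and $p.EnableLUA -eq 0) {
        $findings += 'EnableLUA=0: User Account Control is disabled'
    }
    if ($p.PSObject.Properties['PromptOnSecureDesktop'] -and $p.PromptOnSecureDesktop -eq 0) {
        $findings += 'PromptOnSecureDesktop=0: elevation prompts no longer use the Secure Desktop'
    }
    return $findings
}

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports paths in several forms: \??\C:\..., \SystemRoot\..., or
    # System32\drivers\x.sys relative to the Windows directory. Normalise them to a file path.
    $path = $PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    return $path
}

function Get-RunningDriverSignatures {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = if ($sig) { $sig.Status } else { 'NoSignatureInfo' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

$uacFindings = Test-UacPolicy
if ($uacFindings) {
    $uacFindings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'UAC and Secure Desktop policy values are at their defaults.'
}

$drivers = Get-RunningDriverSignatures

# Drivers that fail signature validation are the obvious outliers.
Write-Host "`nRunning drivers without a valid signature:"
$drivers | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, Status, Path -AutoSize

# Drivers signed through the hardware compatibility program carry Microsoft's publisher
# name rather than the vendor's own. A valid signature here only proves the submission
# passed Microsoft's process, so compare this list against an approved-driver baseline.
Write-Host "`nRunning drivers co-signed through the hardware compatibility program:"
$drivers |
    Where-Object { $_.Signer -like '*Windows Hardware Compatibility Publisher*' } |
    Format-Table Name, Path -AutoSize
```

Run it once on a clean reference build to capture the WHCP-signed driver list, then diff later runs against that baseline; a newly appearing driver with a valid WHCP signature but no matching vendor or device is the condition the reports above describe, and the signature status alone will not flag it.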
“Because drivers often communicate with the ‘core’ of the operating system and load before security software, when misused, they can very effectively disable security protections – especially when signed by a trusted authority,” Christopher Budd, director of threat research at Sophos X-Ops, said.
Microsoft, in response to the disclosure, said it had put blocking protections in place and suspended the seller accounts of the partners involved in the incident to protect users from future threats.
If anything, the development illustrates the evolving attack vectors that adversaries are actively using to gain privileged access to Windows machines and sidestep detection by security software.
“Malicious actors will continue to use rootkits to hide malicious code from security tools, undermine defenses, and fly under the radar for long periods of time,” the researchers said. “This rootkit will be widely used by sophisticated groups that have the skills to reverse engineer low-level system components and the resources required to develop such a tool.”