Cybersecurity researchers have unearthed a novel rootkit signed by Microsoft that’s engineered to communicate with an actor-controlled attack infrastructure.
Trend Micro has attributed the activity cluster to the same actor that was previously identified as behind the FiveSys rootkit, which came to light in October 2021.
“This malicious actor originates from China and their main victims are the gaming sector in China,” Trend Micro’s Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy said. “Their malware seems to have passed through the Windows Hardware Quality Labs (WHQL) process for getting a valid signature.”
Multiple variants of the rootkit spanning eight different clusters have been discovered, with 75 such drivers signed using Microsoft’s WHQL program in 2022 and 2023.
Trend Micro’s analysis of some of the samples has revealed the presence of debug messages in the source code, indicating that the operation is still in the development and testing phase.
In subsequent steps, the first-stage driver disables User Account Control (UAC) and Secure Desktop mode by editing the registry, and initializes Winsock Kernel (WSK) objects to open network communication with the remote server.
It further periodically polls the server to retrieve more payloads and load them directly into memory after decoding and decrypting the received data, effectively functioning as a stealthy kernel driver loader that can bypass detections.
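A defender-side check for the registry tampering described above, written as an added example and not taken from Trend Micro's report: it parses saved `reg query` output for the UAC policy key and flags hosts where UAC or the Secure Desktop prompt is switched off. The key path and the `EnableLUA` / `PromptOnSecureDesktop` value names are the standard Windows ones and are an assumption here, since the article does not name them; the sample outputs are constructed.

```python
import re

# Standard Windows UAC policy key (assumption: the article does not name it).
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name -> (expected DWORD, meaning when the value differs)
EXPECTED = {
    "EnableLUA": (1, "UAC disabled"),
    "PromptOnSecureDesktop": (1, "Secure Desktop prompt disabled"),
}

# One value line of `reg query` output: indented name, type, data.
LINE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")

def parse_reg_query(text):
    """Return {value_name: int} for REG_DWORD entries listed under POLICY_KEY."""
    values, in_key = {}, False
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = key header
            in_key = line.strip().lower() == POLICY_KEY.lower()
            continue
        m = LINE_RE.match(line)
        if in_key and m and m.group(2) == "REG_DWORD":
            values[m.group(1)] = int(m.group(3), 16)   # data is printed as 0x...
    return values

def audit_uac(text):
    """Return (name, observed, note) tuples for weakened or missing values."""
    values = parse_reg_query(text)
    findings = []
    for name, (good, meaning) in EXPECTED.items():
        if name not in values:
            findings.append((name, "missing", "value absent from output; check host"))
        elif values[name] != good:
            findings.append((name, values[name], meaning))
    return findings

# Constructed sample outputs, not captured from a real host.
SAMPLE_TAMPERED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x0
"""
SAMPLE_CLEAN = SAMPLE_TAMPERED.replace("0x0", "0x1")

if __name__ == "__main__":
    for label, sample in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        print(label, audit_uac(sample))
```

A finding means the prompt configuration is weakened, not that this rootkit is present, since administrative policy can set the same values.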
“The main binary acts as a universal loader that allows the attackers to directly load a second-stage unsigned kernel module,” the researchers explained. “Each second-stage plug-in is customized to the victim machine it’s deployed on, with some containing even a custom compiled driver for each machine. Each plug-in has a specific set of actions to be carried out from the kernel space.”
The plug-ins, for their part, come with different capabilities to achieve persistence, disarm Microsoft Defender Antivirus, and deploy a proxy on the machine and redirect web browsing traffic to a remote proxy server.
Much like FiveSys, the new rootkit detections have been confined exclusively to China. One of the suspected entry points for these infections is said to be a trojanized Chinese game, mirroring Cisco Talos’ discovery of a malicious driver called RedDriver.
The findings dovetail with other reports from Cisco Talos and Sophos about the use of Microsoft-signed malicious kernel-mode drivers for post-exploitation activities, with Chinese-speaking threat actors using open-source software popular within the video game cheat development community to bypass restrictions enforced by the tech giant.
As many as 133 malicious drivers signed with legitimate digital certificates have been uncovered, 81 of which are capable of terminating antivirus solutions on victims’ systems. The remaining drivers are rootkits designed to covertly monitor sensitive data sent over the internet.
The fact that these drivers are signed by the Windows Hardware Compatibility Program (WHCP) means that attackers can install them on breached systems without raising any alerts and proceed to carry out malicious activity virtually unimpeded.
“Because drivers often communicate with the ‘core’ of the operating system and load before security software, when they are abused, they can be particularly effective at disabling security protections – especially when signed by a trusted authority,” Christopher Budd, director of threat research at Sophos X-Ops, said.
Microsoft, in response to the disclosures, said it has implemented blocking protections and suspended the partners’ seller accounts involved in the incident to safeguard users from future threats.
If anything, the development paints a picture of an evolving attack vector that’s being actively used by adversaries to obtain privileged access to Windows machines and sidestep detection by security software.
“Malicious actors will continue to use rootkits to hide malicious code from security tools, impair defenses, and fly under the radar for long periods of time,” the researchers said. “These rootkits will see heavy use from sophisticated groups that have both the skills to reverse-engineer low-level system components and the required resources to develop such tools.”