Hackers disguise the rootkit as a Microsoft driver


Digital identity, governance and risk management

Netfilter registered as Microsoft driver for IP redirection

Akshaya Asokan (asokan_akshaya) •
June 29, 2021

Netfilter used to target the Chinese game industry (Source: Pixabay)

An unidentified group of hackers provides a rootkit called Netfilter, which is registered as a legitimate Microsoft driver but is used to influence game results, according to researchers at the German security firm say.

See also: Live panel | Given zero trusts – harness the value of the strategy

In a blog about their findings, G Data researchers say the malware was signed as a driver on June 17th, although its main purpose is to eavesdrop on SSL connections, perform an IP redirect and install a root certificate in the registry .

Since the malware redirected the IPs to a Chinese network, the researchers assume that the threat actor is likely a Chinese company.

In an update to Friday, Microsoft said the threat group primarily targeted the Chinese game industry and does not appear to be a sophisticated nation-state threat actor. “The actor’s goal is to use the driver to fake his geolocation in order to cheat the system and play from anywhere. The malware allows them to take an advantage in games and potentially take advantage of other players, by compromising their accounts through common tools like keyloggers. “

Microsoft added that it is currently investigating the malicious driver campaign. The company did not respond to the Information Security Media Group’s request for further comments on the campaign.

Detect line filter

Karsten Hahn, malware analyst at G Data, said he discovered Netfilter after noticing that the driver contained several obfuscated files. During the decryption, the researcher discovered a URL and a program database path and said: “When searching for this URL, as well as the PDB path and the similar example function on VirusTotal, we found older examples as well as the dropper of the Netfilter driver. The oldest sample signatures are from March 2021. “

On further analysis, the researcher found that Netfilter was using the URL as a server while the dropper placed the malware in a Microsoft driver file. The malware then created a new file for further infection activity.

The researcher also notes that the malware had self-updating capabilities, which it achieved by sending a hash to the server, which then replied with a URL for the latest example or “OK” if the example was current.

Microsoft certification

G Data researchers do not know how Netfilter passed the signing process, as Microsoft’s standard settings do not allow drivers to be added without a company-issued certificate.

In the update from Microsoft, however, the company made it clear that the attacks did not take place with exposed signature certificates and that it had not found any compromise of its infrastructure after the attacks.

Microsoft adds that the attacks were likely carried out by the hackers after gaining privileged access to the victims’ devices. “It’s important to understand that the techniques used in this attack are post-exploitation, which means that an attacker must either already have administrative privileges in order to run the installer to update the registry and the malicious driver the next time Microsoft said. “Customers should take no action other than following security best practices and deploying antivirus software like Windows Defender for Endpoint,” said Microsoft.

Compromising Certificates

Although Microsoft has denied that the latest attacks originated from bad certificates, hacks involving compromised or hijacked certificates are not uncommon.

Following the attack on the SolarWinds supply chain that resulted in 18,000 customers installing and running Trojanized software, security firm Proofpoint reported that the hackers carried out the hack after tampering with OAuth app certificates to maintain persistence and access privileged resources, including email. OAuth is an open standard for authorization that enables a third-party application to gain access to a cloud service (see: SolarWinds attackers compromised OAuth app certificates).

In January, email security provider Mimecast reported that hackers compromised a digital certificate the company used to encrypt data in several of its products and on Microsoft’s servers, exposing companies to data loss (see: Mimecast says hackers compromised the digital certificate).


About Author

Leave A Reply