Microsoft Signed a Driver That Turned Out To Be a Malicious Rootkit
Microsoft signed a driver, distributed in gaming environments, that turned out to be a malicious network filter rootkit. The driver, called Netfilter, spoofs gamers' geo-locations to cheat the system and play from anywhere. Analyst Karsten Hahn from G DATA first noticed the rootkit. The third-party Windows driver has been circulating in the gaming community and connects to an IP address in China. Hahn first thought it was a false positive on a legitimately signed file, but later found that it was malicious.
According to WHOIS records, the command-and-control address 110.42.4.180 that the malicious Netfilter driver connected to belongs to Ningbo Zhuo Zhi Innovation Network Technology Co. Ltd. Microsoft confirmed the finding and has launched an internal investigation. Microsoft also added malware signatures to Windows Defender and shared them with other security companies. Microsoft is still trying to determine how a rootkit could slip through the signing process. The hackers submitted the drivers for certification through the Windows Hardware Compatibility Program (WHCP), which is designed to ensure that Windows-compatible software and hardware run smoothly on Windows 10, Windows 11 and Windows Server 2022 and to provide guidance for developing, testing and distributing drivers. Microsoft has suspended the account that distributed the malicious driver and has reviewed the threat actor's submissions for additional signs of malware.
The gaming industry has been under constant attack by pandemic-bored hackers. The attacks include the compromise of every Sony PlayStation 3 ID, which caused bans of legitimate players on the network. Hackers have injected pirated games with cryptojacking malware, and the Steam gaming platform has been used to host malware.
Microsoft assumes that the goal of the hackers is to cheat gaming systems by spoofing their geo-location and playing from anywhere. The malware lets them gain an advantage in games and possibly exploit other players by compromising their accounts through common tools such as keyloggers. According to Microsoft, a hacker must already have gained administrative privileges to run the installer that updates the registry and installs the malicious driver. Microsoft plans to share an update on how it will refine its partner access policies, validation and the signing process to strengthen its protections. According to Microsoft, customers need take no specific action beyond following security best practices and deploying antivirus software.
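The practical lesson of this incident for defenders is that a valid Microsoft signature on a kernel driver proves who signed it, not that it is safe, so driver-load telemetry has to be correlated with other indicators such as the C2 address named above. The following triage script is an added example, not code from G DATA, Microsoft or the article; it runs over constructed Sysmon-style records (event ID 6 driver loads and event ID 3 network connections, using Sysmon's real field names). The only indicator taken from the article is the address 110.42.4.180; the driver-name watchlist, the signer string and the host names are assumptions made for the example.

```python
"""Triage constructed Sysmon-style events for a signed-but-malicious
kernel driver. Added example; every event record below is made up."""
from dataclasses import dataclass

# Indicator taken from the article: the C2 address the Netfilter driver
# contacted. A set so that further indicators can be added later.
KNOWN_C2 = {"110.42.4.180"}

# Driver file-name fragments worth a second look. "netfilter" is the name
# reported in the article; treat the list as a hypothetical watchlist.
DRIVER_WATCHLIST = ("netfilter",)


@dataclass
class Alert:
    rule: str    # which rule fired
    host: str    # host the event came from
    detail: str  # human-readable explanation


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(events):
    """Return a list of Alert for the given events, in the order found.

    Each event is a dict with 'host' and 'event_id'. Event 6 (driver load)
    carries ImageLoaded/Signed/Signature/SignatureStatus; event 3 (network
    connection) carries Image/DestinationIp/DestinationPort.
    """
    alerts = []
    watchlisted_hosts = set()  # hosts that loaded a watchlisted driver
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 6:
            name = _basename(ev["ImageLoaded"])
            if any(tag in name for tag in DRIVER_WATCHLIST):
                watchlisted_hosts.add(host)
                # A valid signature does not clear the driver; it only tells
                # us which signing path the file went through.
                if ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
                    note = "validly signed by %s" % ev.get("Signature")
                else:
                    note = "unsigned or invalid signature"
                alerts.append(Alert("watchlisted-driver-load", host, f"{name} ({note})"))
        elif ev["event_id"] == 3:
            dst = ev["DestinationIp"]
            if dst in KNOWN_C2:
                src = ev["Image"]
                alerts.append(Alert("known-c2-connection", host,
                                    f"{src} -> {dst}:{ev['DestinationPort']}"))
                # Kernel-originated traffic shows up as the System process;
                # paired with a watchlisted driver load this is the strongest
                # signal in this data set.
                if host in watchlisted_hosts and _basename(src) == "system":
                    alerts.append(Alert("driver-then-c2", host,
                                        "watchlisted driver loaded, then System contacted C2"))
    return alerts


# Constructed sample telemetry (hypothetical hosts ws01 and ws02).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\netfilter.sys", "Signed": "true",
     "Signature": "Microsoft Windows Hardware Compatibility Publisher",
     "SignatureStatus": "Valid"},
    {"host": "ws01", "event_id": 3, "Image": "System",
     "DestinationIp": "110.42.4.180", "DestinationPort": 80},
    {"host": "ws02", "event_id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"host": "ws02", "event_id": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": 443},
]


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Running the script on the sample data yields three alerts, all for ws01: the watchlisted driver load (flagged despite its valid signature), the connection to the known C2 address, and the correlated driver-then-C2 finding. The benign host ws02 produces nothing. In a real pipeline the indicator set and watchlist would come from a threat-intelligence feed rather than constants in the file.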
Digital certificates cryptographically bind an identity to a public key for authentication purposes. They are one way for hackers to avoid detection: users are tricked into downloading malware because it appears legitimate. Hackers have tricked certificate authorities by impersonating legitimate entities, then sold the fraudulently obtained certificates on the black market, where other hackers bought them and used them to digitally sign malicious files. In the SolarWinds attack, the component that contained the malware was code-signed with the appropriate SolarWinds certificate. The signature made the DLL look like a legitimate and safe component of SolarWinds' Orion product. From there, it was bundled into a fake patch and distributed to thousands of customers.