Hackers Disguise Rootkit as Microsoft Drivers
Netfilter Signed in as Microsoft Driver for IP Redirection
An unidentified hacking group is deploying a rootkit dubbed Netfilter, which is signed as a legitimate Microsoft driver but used to affect gaming outcomes, researchers at German security firm G Data say.
In a blog detailing their findings, G Data researchers say that the malware was signed as a driver on June 17 although its main purpose is to eavesdrop on SSL connections, perform IP redirection and install a root certificate to the registry.
Since the malware was redirecting the IPs to a Chinese network, the researchers believe that the threat actor is likely a Chinese entity.
In an update on Friday, Microsoft said the threat group mainly targeted the Chinese gaming industry and does not appear to be a sophisticated nation-state threat actor. "The actor's goal is to use the driver to spoof their geolocation to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers."
Microsoft added that it is currently investigating the campaign involving the malicious driver. The company did not respond to Information Security Media Group's request for further comment on the campaign.
Karsten Hahn, a malware analyst at G Data, says he detected Netfilter after noting that the driver contained several obfuscated files. On decoding these, the researcher discovered a URL and a program database path, saying: "Searching for this URL as well as the PDB path and the similar samples feature on Virustotal we found older samples as well as the dropper of the Netfilter driver. The oldest sample signatures date back to March 2021."
On further analysis, the researcher uncovered that Netfilter used the URL as its server, while the dropper placed the malware on a Microsoft driver file. The malware then created a new file for further infection activities.
The researcher also notes that the malware had self-updating capabilities: it sent a hash to the server, and the server responded with either a URL for the latest sample or 'OK' if the sample was already up to date.
G Data researchers do not know how Netfilter passed the signing process, as Windows by default does not allow a driver to be loaded unless it carries a Microsoft-issued certificate.
In Microsoft's update, however, the company clarified that the attacks did not occur using exposed signing certificates and that it had not detected any compromise of its infrastructure following the attacks.
Microsoft adds that the attacks were likely carried out by the hackers after they gained privileged access on the victims' devices. "It’s important to understand that the techniques used in this attack occur post-exploitation, meaning an attacker must either have already gained administrative privileges to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf," Microsoft said, adding: "There are no actions customers should take other than follow security best practices and deploy Antivirus software such as Windows Defender for Endpoint."
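The two artefacts the article attributes to Netfilter, a kernel driver registered in the registry so that it loads at the next boot and a root certificate written to the machine certificate store, are both visible to an administrator without any special tooling. The script below is an added example written for this page, not code from G Data or Microsoft: it lists kernel-mode driver services whose image file was created recently, together with their Authenticode status, signer and SHA-256, and then lists machine root certificates whose validity period started recently (a newly minted self-signed root is the kind of entry an installer would add to make its own TLS certificates trusted). The 30-day look-back window, the path-normalisation rules and the use of file creation time as a proxy for "recently installed" are assumptions for illustration; it must be run from an elevated prompt.

```powershell
# Added example (not from the article or the vendors it cites): triage recently
# added kernel drivers and machine root certificates. Run elevated.
param(
    [int]$LookbackDays = 30   # assumption: what counts as "recent"
)

$since = (Get-Date).AddDays(-$LookbackDays)

Write-Host "== Kernel driver services with image files created since $since =="

# 1. Every service key under CurrentControlSet; Type 1 = SERVICE_KERNEL_DRIVER.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
$drivers = foreach ($svc in $services) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $props.Type -ne 1 -or -not $props.ImagePath) { continue }

    # Normalise the ImagePath forms seen for drivers:
    #   \SystemRoot\System32\drivers\x.sys, \??\C:\...\x.sys, System32\drivers\x.sys
    $path = $props.ImagePath -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^\\\?\?\\', ''
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $file = Get-Item -LiteralPath $path
    if ($file.CreationTime -lt $since) { continue }   # assumption: creation time ~ install time

    # Signature status and signer subject; a valid signature alone is not a clean bill
    # of health (the article's point), so the hash is included for lookup elsewhere.
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Service   = $svc.PSChildName
        Path      = $path
        Created   = $file.CreationTime
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
$drivers | Sort-Object Created -Descending | Format-Table -AutoSize

Write-Host "== Machine root certificates whose NotBefore is after $since =="

# 2. The LocalMachine\Root store is backed by
#    HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, which is where an
#    installer with admin rights can drop a root. Flag recent ones; SelfSigned marks
#    entries whose Subject equals Issuer, typical of a freshly generated root.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.NotBefore -ge $since } |
    Select-Object Thumbprint, Subject, Issuer, NotBefore, NotAfter,
        @{ Name = 'SelfSigned'; Expression = { $_.Subject -eq $_.Issuer } } |
    Sort-Object NotBefore -Descending |
    Format-Table -AutoSize
```

Both lists are starting points for investigation rather than verdicts: Windows Update and legitimate vendors add drivers and the root store is refreshed by Microsoft's own update mechanism, so the useful signal is an entry that nobody in the organisation can account for, which can then be cross-checked by hash or thumbprint against vendor advisories.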
Although Microsoft has denied that the latest attacks stemmed from faulty certificates, hacks using compromised or hijacked certificates are not uncommon.
For instance, following the SolarWinds supply chain attack, which resulted in 18,000 customers installing and running Trojanized software, security firm Proofpoint reported that the hackers carried out the hack after manipulating OAuth app certificates to maintain persistence and access privileged resources, including email. OAuth is an open standard for authorization that allows a third-party application to obtain access to a cloud service (see: SolarWinds Attackers Manipulated OAuth App Certificates).
In January, email security provider Mimecast reported that hackers compromised a digital certificate the company used for data encryption in several of its products and Microsoft’s servers, putting organizations at risk of data loss (see: Mimecast Says Hackers Compromised Digital Certificate).