Hackers Trick Microsoft Into Signing a Malicious Netfilter Rootkit

Security researchers at G DATA have recently identified a malicious driver, Netfilter, that carries a valid Microsoft signature. The Netfilter rootkit connects to command-and-control (C&C) infrastructure hosted on a Chinese IP address.

In a recent report, Microsoft confirmed that it had signed the malicious driver and that the driver is now being distributed in gaming environments.

The investigation established that the driver signed by the company is in fact a malicious Windows rootkit, and that it is continuously targeting gaming environments.

G DATA malware analyst Karsten Hahn, who first identified the malicious rootkit, stated that the threat actors are targeting users in one East Asian country in particular, China.

The Redmond-based firm acknowledged the attack and clarified that the threat actors' main motive is to use the driver to spoof their geo-location, deceiving the game's systems so they can carry out their planned operation.

No Indication of Certificate Exposure

Microsoft, citing its Zero Trust and layered-defense security posture, has built detections for the driver, is blocking it as quickly as possible, and is also surfacing related files through Microsoft Defender for Endpoint.

The company asserted, however, that it has found no evidence that the WHCP signing certificate was exposed.

The experts also clarified that the threat actors are not attacking enterprise environments; they are continuously targeting the gaming sector, specifically in China.

All of the techniques used in this attack occur post-exploitation. The malware gives the threat actors an advantage in games, and it lets them exploit other players by compromising those players' accounts with common tools such as keyloggers.

Microsoft Signed a Rootkit

After a lengthy investigation, the researchers found that the driver communicates with China-based C&C IPs, and all of these IPs are suspicious because they provide no legitimate functionality.

Since Windows Vista, any code that runs in kernel mode must be tested and signed before it is released publicly, in order to ensure the safety and stability of the operating system.

Analysis of the URLs used by Netfilter's C&C infrastructure shows that the first URL returns a set of alternate routes (URLs), separated by a pipe ("|"), each serving a specific purpose:

  • "hxxp://110.42.4.180:2081/p" – This URL, ending in /p, is linked to the proxy settings.
  • "hxxp://110.42.4.180:2081/s" – Provides encoded IP address forwarding.
  • "hxxp://110.42.4.180:2081/h?" – Dedicated to obtaining the CPU-ID.
  • "hxxp://110.42.4.180:2081/c" – Delivers the root certificate.
  • "hxxp://110.42.4.180:2081/v?" – Linked to the automatic malware update feature.
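To show how a defender can turn the route list above into something actionable, here is an added example (not code from G DATA, Microsoft or the article) that parses a Netfilter-style pipe-separated route response and then scans proxy log lines for connections to the documented C&C host and port, annotating each hit with the route's purpose. The route string and the log lines are constructed for this example; the host, port and paths are the ones listed in the article, and the squid-like log layout is an assumption.

```python
"""Added example: parse a pipe-separated Netfilter C&C route list and hunt for
those endpoints in proxy logs. Not part of the original article or the G DATA
analysis; the route string and log lines below are constructed samples."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Purpose of each route path, as described in the article.
ROUTE_PURPOSES = {
    "/p": "proxy settings",
    "/s": "encoded IP address forwarding",
    "/h": "CPU-ID collection",
    "/c": "root certificate delivery",
    "/v": "automatic malware update",
}

# CONSTRUCTED: the five documented routes joined with the pipe separator the
# article describes, kept defanged (hxxp) as an analyst would store them.
SAMPLE_ROUTE_RESPONSE = (
    "hxxp://110.42.4.180:2081/p|hxxp://110.42.4.180:2081/s|"
    "hxxp://110.42.4.180:2081/h?|hxxp://110.42.4.180:2081/c|"
    "hxxp://110.42.4.180:2081/v?"
)


def parse_route_list(response: str) -> list[dict]:
    """Split a pipe-separated route list, refang it, and label each route."""
    routes = []
    for raw in response.split("|"):
        raw = raw.strip().replace("hxxp://", "http://", 1)  # refang for parsing
        if not raw:
            continue
        u = urlparse(raw)  # '/h?' parses to path '/h' with an empty query
        routes.append({
            "url": raw,
            "host": u.hostname,
            "port": u.port,
            "path": u.path,
            "purpose": ROUTE_PURPOSES.get(u.path, "unknown"),
        })
    return routes


# CONSTRUCTED proxy log lines (assumed layout: "timestamp client method url status").
SAMPLE_PROXY_LOG = """\
1624500001.123 10.0.0.7 GET http://110.42.4.180:2081/p 200
1624500002.456 10.0.0.7 GET http://example.com/index.html 200
1624500003.789 10.0.0.9 GET http://110.42.4.180:2081/v?ver=1 200
1624500004.012 10.0.0.9 POST http://updates.example.net/check 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)"
)


def find_c2_hits(log_text: str, routes: list[dict]) -> list[dict]:
    """Return log entries whose URL targets a known C&C host:port, with the
    route purpose attached so an analyst sees what stage the beacon belongs to."""
    known_hostports = {(r["host"], r["port"]) for r in routes}
    purpose_by_path = {(r["host"], r["port"], r["path"]): r["purpose"] for r in routes}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        u = urlparse(m["url"])
        if (u.hostname, u.port) not in known_hostports:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "url": m["url"],
            "purpose": purpose_by_path.get(
                (u.hostname, u.port, u.path), "unknown path on C&C host"
            ),
        })
    return hits


if __name__ == "__main__":
    routes = parse_route_list(SAMPLE_ROUTE_RESPONSE)
    for r in routes:
        print(f"{r['path']:<3} {r['purpose']}")
    for h in find_c2_hits(SAMPLE_PROXY_LOG, routes):
        print(f"ALERT {h['ts']} {h['client']} -> {h['url']} ({h['purpose']})")
```

Matching on host and port rather than the full URL is deliberate: the article notes that the update and CPU-ID routes carry a query string, so an exact-URL match would miss beacons such as `/v?ver=1`, while the path lookup still tells the analyst which stage of the malware's lifecycle a given connection represents.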

Third-Party Account Suspended

On learning of the malicious driver, Microsoft said it would open a thorough investigation. That investigation soon established that the attackers had submitted the drivers for certification through the Windows Hardware Compatibility Program (WHCP).

Microsoft immediately suspended the account that submitted the driver and reviewed the submitter's other submissions for further signs of malware.

Microsoft Admits to Signing the Malicious Driver

To be clear, no evidence has been found that stolen code-signing certificates were used. So far the attackers have specifically targeted the gaming sector, particularly in China, using the malicious drivers described above.

The investigation also made clear that binaries signed in this way can later be misused by attackers to mount large-scale software supply-chain attacks.

Beyond that, Microsoft is working to stop such attacks and to uncover the details and key factors that will reveal the threat actors' main motive and their full operational plan.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
