Thursday, November 30, 2023

Hackers Trick Microsoft Into Signing a Malicious Netfilter Rootkit

Security researchers at G Data have recently detected a malicious driver, Netfilter, that is signed by Microsoft itself. The Netfilter rootkit connects to C&C infrastructure at a Chinese IP address.

In a recent report, Microsoft confirmed that it signed the malicious driver, which is now being distributed in gaming environments.

The investigation found that the driver signed by the company was a malicious Windows rootkit that is actively targeting gaming environments.

G DATA malware analyst Karsten Hahn, who first identified the malicious rootkit, has stated that the threat actors are targeting users particularly in the East Asian country.

The Redmond-based firm has acknowledged the attack and clarified that the threat actors' main motive is to use the driver to spoof their geo-location, deceiving the system so that they can carry out their planned operation.

No Indication of Certificate Exposure

The company, as part of its Zero Trust and layered-defense security posture, has built-in detection and is working to block this driver as soon as possible; it is also identifying the linked files through Microsoft Defender for Endpoint.

However, the company asserted that it has not yet found any evidence that the WHCP signing certificate was exposed.

Apart from this, the experts also clarified that the threat actors are not attacking enterprise environments; they are continuously targeting the gaming sector, specifically in China.

All the methods used in this attack occur post-exploitation; the malware allows the threat actors to gain an advantage in games and to compromise other players' accounts with the help of common tools such as keyloggers.

Microsoft Signed a Rootkit

After a long investigation, the researchers found that the driver communicates with China-based C&C IPs, and these IPs are suspicious because they provide no legitimate functionality.

Since Windows Vista, any code that operates in kernel mode has been required to be tested and signed before public release, to ensure the safety and stability of the operating system.
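Because a WHCP signature alone does not establish that a driver is trustworthy, a defender's first question is which WHCP-signed third-party drivers are actually loaded on a host. The following PowerShell is an added example, not code from the article, G Data or Microsoft. It enumerates running kernel drivers, reads each file's Authenticode signer, flags those signed under the WHCP publisher name, and prints their SHA-256 so they can be compared with hashes published in vendor advisories. The publisher subject string `Microsoft Windows Hardware Compatibility Publisher` and the `Resolve-DriverPath` helper are this author's assumptions and should be verified on the host being examined.

```powershell
# Added example (not from the article or the vendors it cites).
# Lists running kernel drivers with their Authenticode signer so that WHCP-signed
# third-party drivers can be reviewed against vendor-published hashes.
# Assumptions: Windows PowerShell 5.1 or later; the WHCP signer subject below is the
# publisher name this author expects on WHCP-signed drivers and must be verified locally.
$WhcpSubject = 'Microsoft Windows Hardware Compatibility Publisher'

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes; normalise to an absolute path.
    $p = $PathName -replace '^\\\?\?\\', ''            # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\...   -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative System32\...
    return [Environment]::ExpandEnvironmentVariables($p)
}

Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip entries we cannot locate
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        [PSCustomObject]@{
            Name   = $_.Name
            Path   = $path
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
            IsWhcp = $signer -like "*$WhcpSubject*"
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    } |
    Where-Object { $_.IsWhcp } |
    Sort-Object Name |
    Format-Table Name, Status, SHA256, Path -AutoSize
```

Run it from an elevated prompt. A `Status` other than `Valid` on a driver that should be WHCP-signed is worth a closer look, and any SHA-256 in the output that matches a hash from the G Data or Microsoft write-ups identifies a host that needs incident handling rather than just a blocked file.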

An analysis of the URLs used by Netfilter's C&C infrastructure shows that the first URL returns a set of alternate routes (URLs), separated by a pipe ("|"), each serving a specific purpose:

  • “hxxp://” – Linked with the proxy settings.
  • “hxxp://” – Provides encoded IP address forwarding.
  • “hxxp://” – Dedicated to obtaining the CPU-ID.
  • “hxxp://” – Serves the root certificate.
  • “hxxp://” – Linked to the automatic malware update feature.

Third-Party Account Suspended

After learning of the malicious driver, Microsoft reported that it would launch a thorough investigation. The investigation found that the hackers had submitted the drivers for certification via the Windows Hardware Compatibility Program (WHCP).

Microsoft immediately suspended the account that submitted the malicious driver and inspected the hackers' submissions for further signs of malware.

Microsoft Admits to Signing the Malicious Driver

It has been made clear that there is no evidence that stolen code-signing certificates were used. So far, the hackers have specifically attacked the gaming sector, particularly in China, using the malicious drivers described earlier.

During the investigation, it became clear that falsely signed binaries of this kind can later be misused by hackers to mount large-scale software supply-chain attacks.

Microsoft is working to stop such attacks and to uncover the details and key factors that will reveal the threat actors' main motive and overall operational plan.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.