Saturday, April 20, 2024

Hackers Trick Microsoft Into Signing a Malicious Netfilter Rootkit

Security researchers at G DATA have identified a malicious driver, Netfilter, that carries a valid Microsoft signature. The Netfilter rootkit connects to command-and-control (C&C) infrastructure at a Chinese IP address.

Microsoft has since confirmed that it signed the malicious driver, which is being distributed in gaming environments.

The investigation found that the driver signed by the company is a Windows rootkit that targets gaming environments.

G DATA malware analyst Karsten Hahn, who first identified the rootkit, states that the threat actors are targeting users in China.

Microsoft has acknowledged the attack and clarified that the actors' goal is to use the driver to spoof their geo-location, deceiving the game systems they abuse so that they can carry out their planned operation.

No Indication of Certificate Exposure

Microsoft says that its Zero Trust and layered-defence posture includes built-in detections that block the driver, and that related files can be identified through Microsoft Defender for Endpoint.

The company states that it has found no evidence that the WHCP signing certificate was exposed.

Microsoft also notes that the threat actors are not targeting enterprise environments; the activity is aimed at the gaming sector, specifically in China.

All of the techniques used in this attack occur post-exploitation, that is, after the attacker has already gained a foothold on the system. The malware lets the actors gain an advantage in games and potentially exploit other players by compromising their accounts with common tools such as keyloggers.

Microsoft Signed a Rootkit

The researchers found that the driver communicates with China-based C&C IP addresses, and those addresses serve no legitimate function.

Since Windows Vista, any code that runs in kernel mode must be tested and signed before public release, to protect the safety and stability of the operating system. A valid Microsoft signature therefore shows only that the driver passed the WHCP submission process, not that it is benign.

Analysis of the URLs used by Netfilter's C&C infrastructure shows that the first URL returns a list of alternate routes (URLs) separated by a pipe character ("|"), each serving a specific purpose:

  • “hxxp://110.42.4.180:2081/p” – Proxy settings.
  • “hxxp://110.42.4.180:2081/s” – Provides encoded redirection IP addresses.
  • “hxxp://110.42.4.180:2081/h?” – Receives the CPU-ID.
  • “hxxp://110.42.4.180:2081/c” – Provides the root certificate.
  • “hxxp://110.42.4.180:2081/v?” – Self-update of the malware.
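As an added example, not code from the G DATA or Microsoft analysis, the following Python parses a constructed stand-in for that pipe-separated route list, labels each route with the purpose listed above, and then runs the resulting indicators over a few constructed proxy log lines. The route response, the log lines and the proxy log format (timestamp, client IP, method, URL, status) are assumptions made for the example; only the host, port and paths come from the list above.

```python
"""Parse the Netfilter C2 route list and hunt for contact with it in proxy logs.

Added example: not G DATA's or Microsoft's code. The C2 response body and the
proxy log lines below are constructed for the example.
"""
from urllib.parse import urlsplit

# Purpose of each C2 path, as documented in the analysis above.
ROUTE_PURPOSE = {
    "/p": "proxy settings",
    "/s": "encoded IP redirection",
    "/h": "CPU-ID retrieval",
    "/c": "root certificate",
    "/v": "self-update",
}

# Constructed stand-in for the pipe-separated route list the first C2 URL
# returns. Defanged (hxxp) as in the article; the wire form is plain http.
SAMPLE_ROUTE_RESPONSE = (
    "hxxp://110.42.4.180:2081/p|hxxp://110.42.4.180:2081/s|"
    "hxxp://110.42.4.180:2081/h?|hxxp://110.42.4.180:2081/c|"
    "hxxp://110.42.4.180:2081/v?"
)

# Constructed proxy log lines (assumed format: timestamp, client IP, method, URL, status).
SAMPLE_LOG_LINES = [
    "2021-06-25T10:01:02Z 10.0.0.7 GET http://110.42.4.180:2081/h?id=0906EA 200",
    "2021-06-25T10:01:05Z 10.0.0.7 GET http://update.example.com/patch.bin 200",
    "2021-06-25T10:02:11Z 10.0.0.9 GET http://110.42.4.180:2081/v?ver=1 200",
    "2021-06-25T10:03:00Z 10.0.0.9 GET http://110.42.4.180:8080/index.html 404",
]


def refang(url):
    """Turn a defanged hxxp(s):// URL back into something urlsplit understands."""
    return url.replace("hxxps://", "https://", 1).replace("hxxp://", "http://", 1)


def parse_route_list(body):
    """Split the C2 route response on '|' and classify each route by its path."""
    routes = []
    for raw in body.split("|"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate trailing or doubled separators
        u = urlsplit(refang(raw))
        path = u.path.rstrip("/") or "/"  # "/h?" keeps path "/h" and an empty query
        routes.append({
            "host": u.hostname,
            "port": u.port,
            "path": path,
            "purpose": ROUTE_PURPOSE.get(path, "unknown"),
        })
    return routes


def scan_proxy_log(lines, routes):
    """Flag log lines whose destination host is a known C2 host.

    The host alone is the indicator; port and path only refine the label, so
    traffic to the same IP on an unlisted port is still reported, as 'unknown'.
    """
    c2_hosts = {r["host"] for r in routes}
    labels = {(r["host"], r["port"], r["path"]): r["purpose"] for r in routes}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; a real pipeline would count these
        ts, client, _method, url, _status = fields[:5]
        u = urlsplit(url)
        if u.hostname not in c2_hosts:
            continue
        purpose = labels.get((u.hostname, u.port, u.path), "unknown")
        hits.append({"ts": ts, "client": client, "url": url, "purpose": purpose})
    return hits


if __name__ == "__main__":
    routes = parse_route_list(SAMPLE_ROUTE_RESPONSE)
    for r in routes:
        print(f"{r['host']}:{r['port']}{r['path']:<4} -> {r['purpose']}")
    for h in scan_proxy_log(SAMPLE_LOG_LINES, routes):
        print(f"[C2] {h['ts']} {h['client']} {h['url']} ({h['purpose']})")
```

Run it directly to print the classified routes and the flagged log lines. The scan keys on the C&C host alone and uses port and path only to label a hit, so contact with the same IP on a port not in the list still surfaces instead of being dropped. Because the first URL's response is what defines the alternate routes, the parser is kept separate from the indicator table: an analyst can feed an observed response into it rather than hard-coding the five paths.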

Third-Party Account Suspended

After learning of the malicious driver, Microsoft opened an investigation, which found that the actor had submitted the drivers for certification through the Windows Hardware Compatibility Program (WHCP).

Microsoft suspended the account that submitted the driver and reviewed that account's other submissions for further signs of malware.

Microsoft Admits to Signing the Malicious Driver

There is no evidence that stolen code-signing certificates were used. So far the actor has targeted only the gaming sector, particularly in China, with the malicious drivers described above.

The investigation also makes clear that a validly signed malicious binary of this kind can later be reused by other attackers and could underpin large-scale software supply-chain attacks.

Microsoft says it is continuing to investigate the actor's motives and full operational plan.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
