    Hackers Trick Microsoft Into Signing Netfilter Driver Loaded With Rootkit Malware


    Netfilter Driver

    Microsoft on Friday said it is investigating an incident in which a driver signed by the company turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.

    The driver, called "Netfilter," is said to target gaming environments, specifically in the East Asian country, with the Redmond-based firm noting that "the actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere."


    "The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers," Microsoft Security Response Center (MSRC) said.

    The rogue code signing was spotted by Karsten Hahn, a malware analyst at German cybersecurity company G Data, who shared additional details of the rootkit, including a dropper, which is used to deploy and install Netfilter on the system.


    Upon successful installation, the driver was found to establish a connection with a C2 server to retrieve configuration information, which offered a number of functionalities such as IP redirection, among other capabilities to receive a root certificate and even self-update the malware.

    The oldest sample of Netfilter detected on VirusTotal dates back to March 17, 2021, Hahn said.


    Microsoft noted that the actor submitted the driver for certification through the Windows Hardware Compatibility Program (WHCP), and that the drivers were built by a third party. The company has since suspended the account and reviewed its submissions for additional signs of malware.

    The Windows maker also stressed that the techniques employed in the attack occur post-exploitation, meaning the adversary must have previously gained administrative privileges in order to install the driver during system startup or trick the user into doing it on their behalf.
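    Because a WHCP-certified third-party driver carries a genuine Microsoft signature, "is it signed by Microsoft?" is not a sufficient check on its own. The script below is an added defender-side example, not code from the article or from Microsoft or G Data: it inventories the kernel drivers registered on a host, resolves each driver's on-disk path, and groups them by Authenticode signer, so that drivers countersigned through the WHCP publisher certificate (the group a driver like Netfilter would fall into) can be reviewed against a hardware and vendor baseline, and drivers with a missing or broken signature are surfaced separately. It assumes Windows PowerShell 5.1 or later on a machine where the driver files are readable, and the signer-name match on "Windows Hardware Compatibility Publisher" is an assumption about the subject string rather than something the article states.

```powershell
# Added example: inventory kernel drivers by Authenticode signer (not from the article).
# Assumes Windows PowerShell 5.1+ with read access to the driver files.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a plain file path.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''                 # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot        # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

function Get-DriverSignerInventory {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            # Get-AuthenticodeSignature also resolves catalog-signed files, which covers inbox drivers.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
        }
}

$drivers = Get-DriverSignerInventory

# Third-party drivers that Microsoft signed on the vendor's behalf through WHCP.
# Assumption: the leaf signer subject contains "Windows Hardware Compatibility Publisher".
# Every entry here should map to known hardware or a known vendor; anything unexplained
# warrants a closer look, regardless of the valid Microsoft signature.
$whcp = $drivers | Where-Object { $_.Signer -like '*Windows Hardware Compatibility Publisher*' }
"=== WHCP-countersigned third-party drivers (review against baseline) ==="
$whcp | Sort-Object Name | Format-Table Name, State, Path -AutoSize

# Missing or broken signatures are a separate, higher-priority finding.
"=== Drivers without a valid signature ==="
$drivers | Where-Object { $_.Status -ne 'Valid' } | Format-Table Name, State, Status, Path -AutoSize
```

    Running the inventory periodically and diffing the WHCP group against the previous run turns the check into a simple detection for a newly introduced third-party driver, which fits the post-exploitation profile described above: installing such a driver already requires administrative rights, so a new entry that nobody can account for is worth investigating.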

    Additionally, Microsoft said it intends to refine its partner access policies as well as its validation and signing process to further strengthen protections.

    "The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors," MSRC said, once again highlighting how legitimate processes can be exploited by threat actors to facilitate large-scale software supply chain attacks.