CyberSecurity SEE

Chinese Gamers Under Attack by Hackers Using Microsoft-Signed Rootkit

A recent campaign targeting gaming users in China highlights the growing use of sophisticated rootkits by threat actors. Such rootkits are designed to conceal malicious payloads, disable security tools, and maintain persistence on victim systems. What sets this rootkit apart is that it carries a valid Microsoft digital signature, so it loads on current Windows versions without triggering security alerts or being blocked by driver signature enforcement. Once loaded, it downloads unsigned kernel-mode drivers directly into memory, including one specifically engineered to shut down Windows Defender. This lets the threat actor deploy second-stage malware of their choice and maintain persistence on the compromised system.

Security researchers at Trend Micro recently discovered this malicious kernel driver targeting gaming users in China and promptly reported their findings to Microsoft. They believe the same threat actor was behind a similar rootkit discovered in 2021, called FiveSys, which also targeted the Chinese gaming sector. Researchers have observed a proliferation of malicious Microsoft-signed kernel drivers over the past two years. Examples include PoorTry, a rootkit reported by Mandiant in December 2022, and the NetFilter rootkit, which was used for IP redirection. Another Microsoft-signed Windows driver, disclosed by Sophos, was engineered to disable antivirus software and other endpoint security tools. Attackers are believed to be turning to kernel-level tooling precisely because endpoint security solutions have become effective at detecting user-mode threats.

While many of these tools have primarily targeted the gaming sector in China, there is no reason why threat actors couldn’t use them in other regions and for various other malicious purposes. According to Trend Micro researchers Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy, the competence and consistent usage of such tools, tactics, and procedures (TTPs) by current malicious actors despite their motives and objectives demonstrate their ability to build and employ such capabilities.

The researchers identified the newly discovered malware as a standalone kernel driver functioning as a universal rootkit loader. The first-stage driver, which carries the Microsoft digital signature, communicates with command-and-control (C2) servers using the Winsock Kernel (WSK) API. If it fails to resolve the C2 domain, it connects directly to fallback IP addresses hardcoded inside the driver. The first-stage driver acts as a loader for a self-signed second-stage driver. Because the second-stage driver is fetched and mapped by the already-running signed driver, it never passes through the Windows native driver loader, and so driver signature enforcement is never applied to it. The malware then follows a sequence of steps to maintain persistence and remove traces of its presence from disk.

Trend Micro was able to link the new malware to the FiveSys actor due to several similarities between the two tools. Both the FiveSys rootkit and the second-stage rootkit associated with the new malware redirect web browsing traffic to an attacker-controlled server. They can also monitor web traffic and hook file system functions.

The issue of Microsoft-signed malicious drivers has been attributed to rogue developer accounts within Microsoft’s partner program. According to Microsoft, several developer accounts for the Microsoft Partner Center (MPC) were responsible for submitting malicious drivers to obtain a Microsoft signature. In response, Microsoft suspended all the accounts and released updates to detect and block these malicious drivers.

In a separate finding, Cisco Talos recently discovered threat actors using open-source tools that forge the signing timestamp of Authenticode signatures on kernel-mode Windows drivers, allowing them to deploy thousands of drivers. Cisco tied this activity to a loophole in Microsoft's driver signing policy. The policy specifies that Windows will not load new kernel-mode drivers unless they are signed via Microsoft's Dev Portal. However, an exception still allows cross-signed kernel-mode drivers to load if they were signed with an end-entity certificate issued before July 29, 2015 that chains to a supported cross-signed certificate authority. Threat actors exploit this loophole by obtaining leaked or expired certificates issued before that date and forging the signing timestamp so that the signature appears to predate the cutoff, then using the resulting drivers to deploy malware.
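One way to triage a host for drivers that could be riding on this exemption is to enumerate the kernel drivers registered with the Service Control Manager, read each file's Authenticode signature, and flag those whose signer certificate was issued before the July 29, 2015 cutoff by a non-Microsoft CA, or whose signer certificate has already expired. The script below is an added example and is not code from Trend Micro, Cisco Talos, or Microsoft. It assumes a PowerShell 5.1 or later session with permission to read driver files, and it uses the signer certificate's NotBefore date as a proxy for the signing date, because Get-AuthenticodeSignature does not expose the (forgeable) countersignature timestamp directly; the path-normalisation rules and the flag names are the example's own choices.

```powershell
# Added example (not from the reports this article summarises): list kernel drivers
# whose signatures fit the pre-2015 cross-signing exemption or have expired signers.
# Assumption: the signer certificate's NotBefore date approximates the signing date.

$CrossSignCutoff = [datetime]'2015-07-29'

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Optional explicit list of driver files; defaults to every SCM-registered driver.
        [string[]]$Path
    )

    if (-not $Path) {
        $Path = Get-CimInstance -ClassName Win32_SystemDriver |
            Where-Object { $_.PathName } |
            ForEach-Object {
                # Normalise the forms the SCM stores: '\??\C:\...', '\SystemRoot\...',
                # or a path relative to the Windows directory ('System32\drivers\x.sys').
                $p = $_.PathName -replace '^\\\?\?\\', ''
                $p = $p -replace '^\\SystemRoot', $env:SystemRoot
                if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
                $p
            } |
            Sort-Object -Unique
    }

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }

        $sig  = Get-AuthenticodeSignature -LiteralPath $file
        $cert = $sig.SignerCertificate
        $flags = @()

        if (-not $cert) {
            # No embedded or catalog signature found at all.
            $flags += 'UNSIGNED'
        }
        else {
            # Microsoft's own signing paths (WHQL and Dev Portal attestation signing)
            # issue signer certificates from Microsoft CAs; anything else is a
            # third-party, cross-signed chain that only loads via the legacy exemption.
            $microsoftIssued = $cert.Issuer -like '*Microsoft*'
            if (-not $microsoftIssued -and $cert.NotBefore -lt $CrossSignCutoff) {
                $flags += 'PRE-2015-CROSSSIGN-ERA'
            }
            if ($cert.NotAfter -lt (Get-Date)) {
                $flags += 'SIGNER-CERT-EXPIRED'
            }
        }
        if ($sig.Status -ne 'Valid') {
            $flags += "STATUS-$($sig.Status)"
        }

        [pscustomobject]@{
            Path      = $file
            Status    = $sig.Status
            Signer    = if ($cert) { $cert.Subject } else { $null }
            NotBefore = if ($cert) { $cert.NotBefore } else { $null }
            NotAfter  = if ($cert) { $cert.NotAfter } else { $null }
            Flags     = ($flags -join ',')
        }
    }
}

# Show only drivers that raised at least one flag.
Get-DriverSignatureReport | Where-Object Flags | Format-Table -AutoSize
```

The output is a triage list, not a verdict: plenty of legitimate but old hardware drivers were signed with pre-2015 certificates, so each hit needs a look at the publisher and the file's provenance. Note also what this check cannot catch: the rootkit Trend Micro describes carries a genuine Microsoft signature and would report as Valid with a Microsoft-issued signer, which is why blocking it depends on Microsoft's own detection and blocklist updates rather than on signature policy.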

The increasing use of sophisticated rootkits and the manipulation of Microsoft’s driver signing policy pose significant challenges for cybersecurity professionals. It underscores the need for continuous research and proactive measures to detect and mitigate such threats effectively.
