Attackers have recently found ways to sign malicious kernel drivers, posing a significant threat to Windows systems, the Windows Hardware Quality Lab (WHQL) testing integrity, and endpoint defenses designed to mitigate such threats. According to Jamz Yaneza, a senior threat research manager at Trend Micro, attackers are constantly developing techniques to gain persistence on targeted systems, whether through signed binaries and rootkits or simpler means when defenders make mistakes.
Yaneza explains that adversaries are probing various entry points to insert malicious components into operating systems and frameworks. This type of attack can be seen as a supply-chain attack: threat actors abuse the signing process to obtain a valid certificate, which is then applied to a kernel driver, effectively bypassing most defenses.
Although attackers have attempted to exploit other operating systems such as Apple’s iOS and macOS, they have had less success there because of the tightly controlled ecosystem. Trend Micro’s recent investigation revealed that the China-linked group behind the FiveSys rootkit has continued to succeed against code-signing controls. They have recently found ways to install a newly analyzed rootkit using a malicious signed driver as a universal downloader. Trend Micro’s analysis, published earlier this month, shows that nearly all (96%) of the threat samples included in the analysis involved signed drivers whose signatures had not yet been revoked, underscoring the alarming number of signed driver samples discovered in 2022.
Signed malicious drivers hiding rootkits for Windows systems have become a concerning trend. In October 2021, Bitdefender detected a Microsoft-signed rootkit called FiveSys, which redirected traffic from the infected system through a proxy. The attackers’ primary goal in both cases was to steal credentials and hijack in-game purchases.
Bypassing code signatures is not the only trick attackers have recently utilized. Late last year, a malware developer announced the creation of a rootkit called BlackLotus that bypassed Windows Secure Boot. This claim was later confirmed by cybersecurity firm ESET. The boot-level rootkit, or bootkit, could infect motherboard firmware by exploiting a two-month-old vulnerability known as Baton Drop (CVE-2022-21894).
While bootkits that compromise Unified Extensible Firmware Interface (UEFI) firmware are rare and considered sophisticated work, ESET’s malware researcher Martin Smolár raised concerns about the potential for crimeware groups to start using bootkits. With their capabilities for spreading malware using botnets, this would become a significant problem.
In the recent case discovered by Trend Micro, more than 400,000 samples of an unnamed rootkit and downloader were detected. The security firm found that all but 4% of the binaries were signed, posing a significant challenge for defenses trying to detect and mitigate such attacks.
According to Rotem Salinas, a senior malware researcher at CyberArk, adversaries are able to slip through the automated WHQL process by either bypassing it or using stolen certificates from vendor leaks. CyberArk’s analysis of current rootkit trends outlines several instances of malware signed by WHQL.
Microsoft has taken steps to address the threats posed by signed drivers and rootkits. The company revoked the signature used by the latest rootkit found by Trend Micro in its Patch Tuesday release on July 11. Microsoft also suspended the partners’ seller accounts and implemented blocking detections for all reported malicious drivers to protect customers. The company continues to work on long-term solutions to address these issues.
Many rootkit activities are related to gaming, with attackers targeting gaming servers using the BlackLotus rootkit and using digital certificates to bypass game security mechanisms, as observed in Trend Micro’s analysis. Yaneza highlights the significance of the gaming industry, which is worth billions of dollars. He emphasizes the importance of endpoint detection and response (EDR) software in detecting and addressing malware that carries and installs rootkits.
Once a rootkit is installed on a system, it becomes much harder to fix, and behavioral rules may struggle to detect the compromise. Manual analysis, such as looking at memory or kernel dumps and traversing kernel structures for inconsistencies, may be necessary.
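As an added illustration of the revocation and triage points above (this is example code, not from the article or from Trend Micro), the following PowerShell lists the running kernel drivers on a Windows host and flags any whose Authenticode signature does not verify, recording signer thumbprint and file hash so they can be compared against a vendor advisory or Microsoft's blocking detections:

```powershell
# Added example: triage running kernel drivers by Authenticode signature status.
# Run in an elevated session. Get-AuthenticodeSignature evaluates the signing chain
# under the host's WinVerifyTrust policy, so whether a revoked certificate is reported
# depends on that policy and on the host being able to reach CRL/OCSP endpoints.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($d in $drivers) {
    # PathName is often \??\C:\... or \SystemRoot\...; normalise to a filesystem path
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Driver     = $d.Name
        Path       = $path
        Status     = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        Sha256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

# Anything that is not 'Valid' deserves a closer look; a driver that still verifies can
# also be matched by thumbprint or hash against published revocation/blocklist data.
$findings | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Status | Format-Table -AutoSize
```

A 'Valid' status only means the chain verified on this host at this moment; a signature that Microsoft has since revoked or blocked should be cross-checked against the relevant advisory rather than trusted on the basis of this output alone.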
In conclusion, the recent wave of attacks leveraging signed malicious drivers and rootkits poses a significant threat to Windows systems and endpoint defenses. Attackers are continually developing new techniques to gain persistence on targeted systems, and the gaming industry has become a prime target. It is crucial for companies to have robust endpoint detection and response solutions in place to detect and mitigate these threats.