<p>Microsoft on Friday said it’s investigating an incident in which a driver signed by the company turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.</p>
<p>The driver, called “<a href="https://www.virustotal.com/gui/file/63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0/detection" rel="noopener" target="_blank">Netfilter</a>,” is said to target gaming environments, specifically in the East Asian country, with the Redmond-based firm noting that “the actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere.”</p>
<p>“The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers,” Microsoft Security Response Center (MSRC) <a href="https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/" rel="noopener" target="_blank">said</a>.</p>
<p>The rogue code signing was spotted by Karsten Hahn, a malware analyst at German cybersecurity company G Data, who shared <a href="https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit" rel="noopener" target="_blank">additional details</a> of the rootkit, including a <a href="https://www.virustotal.com/gui/file/d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe/detection" rel="noopener" target="_blank">dropper</a> that is used to deploy and install Netfilter on the system.</p>
<div class="separator"><a href="https://thehackernews.com/images/-MzVIl8vwiIA/YNl5_AgDVYI/AAAAAAAADA8/eNnykyD4CVgwAejZT8cwY-kvJoAQA6scQCLcBGAsYHQ/s0/hack.jpg"><img alt="Netfilter" border="0" data-original-height="472" data-original-width="728" src="https://thehackernews.com/images/-MzVIl8vwiIA/YNl5_AgDVYI/AAAAAAAADA8/eNnykyD4CVgwAejZT8cwY-kvJoAQA6scQCLcBGAsYHQ/s728-e1000/hack.jpg" title="Netfilter"></a></div>
<p>Once installed, the driver connects to a C2 server to retrieve configuration information, which enables functionality such as IP redirection, as well as the ability to receive a root certificate and even self-update the malware.</p>
<div class="separator"><a href="https://thehackernews.com/images/-LdauFq345bQ/YNl4djihd9I/AAAAAAAADAw/2f8kfHIC_ns_DHZTDtH8WQZsewzHAAoGQCLcBGAsYHQ/s0/ms-cert.jpg"><img alt="Netfilter" border="0" data-original-height="368" data-original-width="728" src="https://thehackernews.com/images/-LdauFq345bQ/YNl4djihd9I/AAAAAAAADAw/2f8kfHIC_ns_DHZTDtH8WQZsewzHAAoGQCLcBGAsYHQ/s728-e1000/ms-cert.jpg" title="Netfilter"></a></div>
<p>The <a href="https://www.virustotal.com/gui/file/115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406/detection" rel="noopener" target="_blank">oldest sample of Netfilter</a> detected on VirusTotal dates back to March 17, 2021, Hahn said.</p>
<p>Microsoft noted that the actor submitted the driver for certification through the Windows Hardware Compatibility Program (<a href="https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/" rel="noopener" target="_blank">WHCP</a>), and that the drivers were built by a third party. The company has since suspended the account and reviewed its submissions for additional signs of malware.</p>
<p>The Windows maker also stressed that the techniques employed in the attack occur <em>post-exploitation</em>, meaning the adversary must already have gained administrative privileges in order to install the driver during system startup, or must trick the user into doing so on their behalf.</p>
<p>Additionally, Microsoft said it intends to refine its partner access policies as well as its validation and signing process to enhance protections further.</p>
<p>“The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors,” MSRC said, once again highlighting how legitimate processes can be exploited by threat actors to facilitate large-scale software supply chain attacks.</p>
<p>The post <a rel="nofollow" href="https://patabook.com/technology/2021/06/28/hackers-trick-microsoft-into-signing-netfilter-driver-loaded-with-rootkit-malware/">Hackers Trick Microsoft Into Signing Netfilter Driver Loaded With Rootkit Malware</a> appeared first on <a rel="nofollow" href="https://patabook.com/technology">Patabook Technology</a>.</p>
source https://patabook.com/blogs/100150/Hackers-Trick-Microsoft-Into-Signing-Netfilter-Driver-Loaded-With-Rootkit
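A host-triage script is added below as a defender's check; it is not part of the article, nor of Microsoft's or G Data's published material. It hashes registered and on-disk kernel drivers against the three Netfilter SHA-256 values that appear in the article's VirusTotal links, reports each driver's Authenticode signer, and flags drivers signed under WHCP, since this incident shows that a valid Microsoft signature on its own does not prove a driver benign. It also lists recently valid root certificates, because the article notes the driver can receive a root certificate from its C2. The certificate subject string "Microsoft Windows Hardware Compatibility Publisher" and the 30-day root-store window are assumptions of this example, not details from the article.

```powershell
# Added triage example (not from the article, Microsoft or G Data).
# Known-bad SHA-256 values are the three published in the article's VirusTotal links.
$KnownNetfilterSha256 = @(
    '63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0',  # signed Netfilter driver
    'd64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe',  # dropper
    '115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406'   # oldest sample (March 17, 2021)
)

function Get-DriverTriage {
    param([string[]]$Paths = @("$env:SystemRoot\System32\drivers"))

    # Kernel drivers registered with the service control manager, loaded or not,
    # normalised to plain file paths (some PathName values carry a \??\ prefix).
    $registered = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object { $_.PathName -replace '^\\\?\?\\', '' }

    # Every .sys file under the driver directories, in case something is staged but not yet registered.
    $files = Get-ChildItem -Path $Paths -Filter *.sys -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName

    $candidates = (@($files) + @($registered)) | Sort-Object -Unique

    foreach ($f in $candidates) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash.ToLower()
        $sig  = Get-AuthenticodeSignature -LiteralPath $f
        [pscustomobject]@{
            Path       = $f
            Sha256     = $hash
            KnownBad   = ($KnownNetfilterSha256 -contains $hash)
            SigStatus  = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            # Assumption: WHCP-signed drivers carry this publisher name in the signer subject.
            # A valid signature from it is exactly what Netfilter had, so it is a review cue, not a pass.
            WhcpSigned = ($sig.SignerCertificate.Subject -like '*Windows Hardware Compatibility Publisher*')
        }
    }
}

function Get-RecentRootCerts {
    param([datetime]$Since = (Get-Date).AddDays(-30))  # assumed review window
    # Trusted roots whose validity period began only recently deserve a second look on a host
    # where a driver that fetches a root certificate from its C2 is suspected.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.NotBefore -gt $Since } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

# Usage: known-bad matches first, then every WHCP-signed driver for manual review,
# followed by any recently valid trusted roots.
Get-DriverTriage |
    Where-Object { $_.KnownBad -or $_.WhcpSigned } |
    Sort-Object -Property @{ Expression = 'KnownBad'; Descending = $true }, Path |
    Format-Table -AutoSize
Get-RecentRootCerts | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that `Win32_SystemDriver` and the driver directory are fully readable. A `KnownBad` hit is an indicator of the samples the article names; the `WhcpSigned` and root-certificate listings are only review cues, since legitimate hardware drivers are signed the same way and roots are legitimately added by updates.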