
The Rise of the Microsoft-Signed Rootkit: A New Cybersecurity Threat

Rabah Moula


In recent months, security researchers have uncovered a new type of malware targeting the gaming sector: a rootkit whose kernel driver carries a valid Microsoft signature. The operation is attributed to a threat actor based in China, the same group previously linked to the FiveSys rootkit disclosed in late 2021.


Bypassing Verification

The malicious driver passed the Windows Hardware Quality Labs (WHQL) process and was signed by Microsoft as a result. That matters because 64-bit Windows enforces Driver Signature Enforcement: a WHQL-signed driver is loaded into the kernel as trusted, with no warning to the user and no need for an exploit. WHQL testing attests to a driver's compatibility and stability, not to the intent of the partner who submitted it, and this case shows how a malicious submission can clear the review unchallenged.


Variants and Progress

The Microsoft-signed rootkit is not a single static sample. Researchers identified multiple variants, falling into eight distinct clusters, and counted 75 such drivers signed through Microsoft's WHQL program in 2022 and 2023 alone. More disturbingly, the debug messages left in the compiled binaries suggest the operation is still in development, which points to more refined versions to come.


Under the Hood: Modus Operandi

The rootkit disables User Account Control (UAC) and the Secure Desktop prompt by editing the relevant registry values, then opens a connection to its command-and-control server. It polls the server periodically, retrieves additional payloads, decrypts them and loads them directly into memory, so no further malicious file needs to touch disk. In effect, the signed first stage is a stealthy kernel driver loader built to sidestep the checks that would otherwise block what it brings in.
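The registry tampering described above leaves a checkable trace. The script below is an added example, not code from the article or from the researchers who analysed the rootkit: it reads the UAC policy key and compares three values against an assumed baseline (the Windows defaults) to flag the end state a defense-impairing driver would leave behind. The baseline values and the decision to treat any deviation as suspicious are assumptions; adjust them to your own policy.

```powershell
# Added example (not from the original article): audit the UAC / Secure Desktop
# registry values that a rootkit of this kind tampers with. Expected values
# are assumed to be the Windows defaults; adjust to your own baseline.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name => expected value (assumed baseline: Windows defaults)
$baseline = @{
    EnableLUA                  = 1   # 0 disables UAC entirely (takes effect after reboot)
    ConsentPromptBehaviorAdmin = 5   # 0 = elevate silently without prompting
    PromptOnSecureDesktop      = 1   # 0 = prompts no longer shown on the Secure Desktop
}

function Test-UacTampering {
    param(
        [string]$Key = $policyKey,
        [hashtable]$Expected = $baseline
    )

    $props = Get-ItemProperty -Path $Key -ErrorAction Stop
    $findings = foreach ($name in $Expected.Keys) {
        $actual = $props.$name          # $null when the value is absent (Windows then uses the default)
        [pscustomobject]@{
            Value    = $name
            Expected = $Expected[$name]
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
            Tampered = ($null -ne $actual -and [int]$actual -ne $Expected[$name])
        }
    }
    return $findings
}

$result = Test-UacTampering
$result | Format-Table -AutoSize

if ($result.Tampered -contains $true) {
    Write-Warning 'UAC / Secure Desktop settings differ from baseline; treat as a possible defense-impairment indicator and investigate before restoring.'
    # Optional remediation, run elevated, then reboot:
    # foreach ($f in ($result | Where-Object Tampered)) {
    #     Set-ItemProperty -Path $policyKey -Name $f.Value -Value $f.Expected -Type DWord
    # }
}
```

Reading the key only shows the end state. Because the malware already runs in the kernel when it edits these values, a write-time signal is more useful: a Sysmon registry-event rule (Event ID 13) or Windows registry auditing on this key catches the change as it happens, and the host should be treated as compromised rather than simply "fixed" by restoring the values.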



The Second Stage

The first stage is capable of loading a second-stage kernel module that is not signed at all: the signed loader maps it into memory itself, so Driver Signature Enforcement never gets a chance to reject it. Each second-stage plug-in is customised to the victim machine, and some victims even receive a driver compiled specifically for their device. These plug-ins establish persistence, disarm Microsoft Defender Antivirus, and install a proxy on the machine that redirects web browsing traffic to a remote proxy server.


A Growing Trend

The wider industry is seeing a marked rise in Microsoft-signed malicious kernel-mode drivers used for post-exploitation. Chinese-speaking threat actors are reusing open-source tooling popular in the video game cheat development community, which forges code-signing timestamps so that a driver appears to predate the July 2015 cut-off Windows uses to grandfather older signatures, in order to bypass the signing restrictions Microsoft enforces on kernel drivers.
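A defender's first question after reading the loader and second-stage sections above is "which kernel drivers on this host are signed, by whom, and is that signature valid?" The script below is an added example, not code from the article or from the researchers: it enumerates the drivers registered with the Service Control Manager, verifies each file's Authenticode signature, and highlights drivers carrying a WHQL signature, since a valid WHQL signature is exactly what this rootkit abused. The WHQL signer name it matches on ("Microsoft Windows Hardware Compatibility Publisher") and the path normalisation are assumptions about how current Windows builds present this data.

```powershell
# Added example (not from the original article): list kernel drivers known to
# the Service Control Manager and verify their Authenticode signatures.
# Run from an elevated prompt.

function Get-DriverSignatureReport {
    param(
        # Assumed subject CN used on WHQL-signed third-party drivers.
        [string]$WhqlSigner = 'Microsoft Windows Hardware Compatibility Publisher'
    )

    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }

        # SCM stores paths as \??\C:\...\x.sys or \SystemRoot\System32\drivers\x.sys;
        # turn them into ordinary file-system paths.
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Name   = $_.Name
            State  = $_.State
            Path   = $path
            Status = $sig.Status                       # Valid / NotSigned / HashMismatch / ...
            Signer = $subject
            IsWhql = ($subject -like "CN=$WhqlSigner*")
        }
    }
}

$report = Get-DriverSignatureReport

# Anything not validly signed should not be loading at all under Driver Signature
# Enforcement; a running driver with a bad status is a direct lead.
$report |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, State, Status, Path -AutoSize

# WHQL-signed drivers are trusted by the OS, so compare this list against your
# known-good inventory: an unfamiliar name, an odd install location, or a
# recently created service are the things worth pulling the file hash for.
$report |
    Where-Object { $_.IsWhql } |
    Format-Table Name, State, Signer, Path -AutoSize
```

Two caveats. First, this check only sees drivers that were registered as services: the second-stage modules this rootkit loads are mapped into memory by the signed first stage and never appear in `Win32_SystemDriver`, so confirming their presence needs memory forensics or kernel telemetry, not a file-system walk. Second, `Get-AuthenticodeSignature` reports the signer but not the countersignature timestamp, so the forged-timestamp trick mentioned above is not visible here; inspecting the signature's timestamp needs a tool such as `signtool verify /v` or a PKCS#7 parser.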


Microsoft's Response

So far, the infections have been largely confined to China, and one suspected entry point is a trojanized Chinese game. In response to the disclosure, Microsoft added blocking protections for the known drivers and suspended the seller accounts of the partners involved, so that the same accounts cannot be used to get further drivers signed.


Conclusion: An Evolving Threat

This evolving attack vector highlights how adversaries are innovating to obtain privileged access to Windows machines and sidestep detection by security software. The use of rootkits to hide malicious code, impair defenses, and remain undetected for extended periods is set to continue, posing a serious challenge to cybersecurity teams worldwide.



Keywords & Explanation


  1. Rootkit: A rootkit is malicious software designed to gain privileged access to a computer, or to an area of its software that would not otherwise be accessible, while hiding its own presence or that of other software. The Microsoft-signed rootkit evades detection because it carries a valid Microsoft signature: Windows loads it as a trusted kernel driver, and security tools tend to treat signed drivers as benign.

  2. Windows Hardware Quality Labs (WHQL): WHQL is Microsoft's program for testing hardware and drivers for compatibility and stability with Windows, after which Microsoft signs the driver so it can be loaded under Driver Signature Enforcement. That the rootkit passed this process shows WHQL does not vet a driver's intent, and that the submission and partner-account controls around it can be abused.

  3. User Account Control (UAC): UAC is a Windows security feature that requires consent before privileged changes are made to the operating system, with the prompt shown on an isolated Secure Desktop. The rootkit switches both off through registry values, removing a barrier that would otherwise interrupt its later stages and alert the user.

  4. Kernel Driver Loader: In this context, a kernel driver loader is a signed driver whose job is to bring further kernel-mode code into memory on the attacker's behalf. Because the loader itself is trusted, it can map unsigned second-stage modules directly into kernel memory without going through the normal, signature-checked driver loading path, which makes those modules hard to detect and remove.



Summary

A China-based threat actor has deployed a novel Microsoft-signed rootkit aimed at the gaming sector. The malware is notable because its driver passed the Windows Hardware Quality Labs process and received a valid Microsoft signature. Researchers believe the operation is still under development and expect more advanced versions to follow. The malware disables system defenses, establishes a channel to a remote server, and uses it to fetch and load additional payloads, including unsigned kernel modules. This represents an evolving attack vector and underlines the need for continual vigilance and innovation in defense strategies.


©CyberGuardianNews. 
