Microsoft signed a driver being distributed within gaming environments that turned out to be a malicious network filter rootkit.
G DATA malware analyst Karsten Hahn first noticed the rootkit, publicly posting the find on June 17 and simultaneously reaching out to Microsoft. Hahn noted that the code – a third-party driver for Windows named Netfilter that has been circulating in the gaming community – connected to an IP address in China.
As Hahn detailed in a security advisory on Friday, G DATA analysts at first assumed their telemetry had raised a false positive on a legitimately signed file. The telemetry turned out to be right, however: the file was legitimately signed and genuinely malicious, Hahn wrote.
According to WHOIS records, the command-and-control (C2) address – IP 220.127.116.11 – that the malicious Netfilter driver connected to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co. Ltd.
On Friday, Microsoft confirmed the incident, saying that it had launched an internal investigation, has added malware signatures to Windows Defender, and has shared the signatures with security companies. As of Monday morning, 35 security vendors had flagged the file as malicious.
As of Friday, Microsoft was still trying to figure out how a rootkit could slip through the signing process.
What started as a false positive alert for a Microsoft signed file turns out to be a WFP [Windows Filtering Platform] application layer enforcement callout driver that redirects traffic to a Chinese IP. How did this happen?
Third-Party Account Suspended
Microsoft said in its advisory that it’s now investigating a malicious actor that’s “distributing malicious drivers within gaming environments.” The threat actor submitted drivers for certification through the Windows Hardware Compatibility Program (WHCP), which is designed to ensure that Windows-compatible software and hardware run smoothly on Windows 10, Windows 11 and Windows Server 2022 and to provide guidance for developing, testing and distributing drivers.
“Using the Windows Hardware Dev Center dashboard, you can manage submissions, track the performance of your device or app, review telemetry and much more,” according to Microsoft’s site.
And, apparently, you can spread yet more hurt on the already beleaguered gaming industry, which has been pummeled by pandemic-bored attackers. The onslaught has included every Sony PlayStation 3 ID out there being compromised, provoking bans of legit players on the network; hackers cracking pirated games with cryptojacking malware; and the Steam gaming platform being used to host malware.
Microsoft has suspended the malicious-driver-disseminating account and has reviewed the threat actor’s submissions for additional signs of malware.
The Goal: To Cheat at Gaming
Microsoft said the repercussions of this attack are limited. It hasn’t seen any sign of the WHCP signing certificate having been exposed, nor of any infrastructure having been compromised. According to its advisory, the rootkit-spreader is limiting its activity specifically to China and apparently isn’t targeting enterprises. Microsoft isn’t attributing the attack to a nation-state actor at this point.
The company said that the threat actor’s goal is to cheat gaming systems: “To use the driver to spoof their geo-location to cheat the system and play from anywhere,” according to Microsoft’s advisory. “The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers.”
Microsoft said that an important piece of the puzzle is that the techniques used in the attack are post-exploitation: In other words, an attacker must “either have already gained administrative privileges in order to be able to run the installer to update the registry and install the malicious driver the next time the system boots or convince the user to do it on their behalf,” its advisory stressed.
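Because the installer registers the driver as a service that loads at the next boot, a defender can audit exactly that set of registry entries. The PowerShell below is an added example, not code from the article, G DATA or Microsoft: it walks the kernel-driver services under HKLM\SYSTEM\CurrentControlSet\Services, records each driver file's Authenticode signer and SHA-256, and flags names on a constructed watch list (here just “netfilter”), since a valid Microsoft signature alone is no longer a clean bill of health.

```powershell
# Added example: inventory boot/system/auto-start kernel drivers and their signers.
# $WatchList is a constructed placeholder; populate it from your own threat intel.
$WatchList = @('netfilter')

function Get-KernelDriverReport {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Type 1 = SERVICE_KERNEL_DRIVER; Start 0/1/2 = boot/system/auto-start.
        if ($null -eq $p -or $p.Type -ne 1 -or $p.Start -gt 2 -or -not $p.ImagePath) { return }

        # Normalise the ImagePath variants seen in the registry:
        #   \??\C:\...\x.sys, \SystemRoot\System32\drivers\x.sys, System32\drivers\x.sys
        $path = $p.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path -Path $env:SystemRoot -ChildPath $path }

        $exists = Test-Path -LiteralPath $path
        $sig  = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $hash = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'FileMissing' }

        [pscustomobject]@{
            Service   = $name
            ImagePath = $path
            Status    = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = $hash
            # Flag by name regardless of signature validity; a "Valid" Microsoft
            # signature is exactly what the malicious Netfilter driver carried.
            Flagged   = [bool]($WatchList | Where-Object { $name -like "*$_*" })
        }
    }
}

# Flagged and unsigned/invalid entries first, so they are what the analyst reads first.
Get-KernelDriverReport |
    Sort-Object -Property @{Expression = 'Flagged'; Descending = $true}, Status |
    Format-Table -AutoSize
```

Export the SHA256 column and compare it against vendor indicators rather than trusting the Status column on its own.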
The company said that it plans to share an update on how it will refine its partner access policies, validation and the signing process to strengthen its protections. It said that customers don’t need to take any action beyond following security best practices and deploying antivirus software.
Bad Certificates = Great Way to Spring Supply-Chain Attacks
Digital certificates allow their owners to cryptographically link ownership to a public key for authentication purposes. They’re one way for threat actors to escape detection as they fool users into downloading malware because it appears legitimate to their systems, as ReversingLabs’ Tomislav Pericin noted back in 2019, when researchers spied cybercriminals duping certificate authorities by impersonating legitimate entities. They turned around and sold the fraudulently purchased certificates on the black market, where they were purchased by other threat actors and used to digitally sign malicious files – mainly, adware.
But malicious actors can ramp it up far past adware, as was evidenced in the SolarWinds attack, in which the component that contained the malware was code-signed with the appropriate SolarWinds certificate, as noted by Ray Kelly, principal security engineer at WhiteHat Security. The signature made the DLL look like “a legitimate and safe component” for SolarWinds’ Orion product, Kelly observed, and from there, it was bundled into a “patch” and distributed across thousands of customers.