Microsoft has been in the news lately because of the Windows 11 announcement on June 24 this year. But that’s not the only reason why it has been a topic for discussion among people. There are a couple of other reasons like the many updates it has released along with the malware information that has recently been revealed.
Microsoft Security Response Center (MSRC) has admitted that it accepted a driver which included a malicious Rootkit Malware that was exchanging data with command-and-control (C2) servers in China. It seems certain malicious actors have tricked the Redmond giant into signing a Netfilter Driver which was designed to target gaming environments. The driver was used to hide the geolocation of the player and play from any region.
The first instance of this malware was identified by Karsten Hahn, a malware analyst at German cybersecurity company G Data. “”Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system.” stated Hahn. “Drivers without a Microsoft certificate cannot be installed by default,” he continued.
How Did This Malware Function?
The MSRC explained that people with malicious intent used this malware to exploit other gamers and compromise their account credentials using a keylogger. They could have also managed to hack other information, including debit/credit card info and email addresses.
It is interesting to note that the Netfilter is a legitimate application package that allows users to enable packet filtering and translates network addresses. It also can add new root certificates, set up a new proxy server, and help modify internet settings.
Once the users installed this application on their system, it connected with a C2 server to receive the configuration information and updates. Microsoft also explained that the techniques employed in the attack occur post-exploitation, which indicates that the opponent must first gain administrative privileges and then install the driver during system startup.
“The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors,” MSRC said.
Hahn was the main person credited with finding the malware but was joined later on by other malware researchers including Johann Aydinbas, Takahiro Haruyama, and Florian Roth. He was concerned about Microsoft’s code-signing process and doubted if there were other malware hidden with Microsoft’s approved drivers set.
The Modus Operandi of Malicious Actors
Once Microsoft was informed, it has been taking all the required steps to investigate the incident and take preventative measures to ensure that it does not happen again. Microsoft stated that there is no evidence that the stolen code-signing certificates were used. The people behind this malware followed the legit process of submitting drivers to Microsoft’s Servers and also acquired the Microsoft signed binary legally.
Microsoft stated that the drivers were built by a third-party developer and were submitted for approval via the Windows Hardware Compatibility Program. After this incident, Microsoft suspended the account that submitted this driver and started to review all the submissions made by that account on top priority.
Additionally, Microsoft said it will refine its partner access policies as well as its validation and signing process to enhance protections further.
Conclusive points on Microsoft accepts signing in Netfilter driver which was loaded with Rootkit Malware
Microsoft claims that the malware was built to attack the gaming sector in China and seems to be the work of a few individuals only. There are no connections that link an organization or enterprise with the malware. However, it has to be understood that any such misleading binaries can be taken advantage of by anyone to initiate a large scale software
attack. In the past, such attacks have been facilitated like the Stuxnet attack that attacked Iran’s nuclear program. This was because the certificates used for code signing were stolen from Realtek and JMicron.
With Microsoft gearing up for Windows 11 launch, this incident does strike a doubt about the safety and the security Microsoft provides with its operating systems. What do you think? Please share your thoughts in the comments section below. Follow us on social media – Facebook, Instagram and YouTube.