Hackers Trick Microsoft Into Signing Netfilter Driver Loaded With Rootkit Malware

Microsoft on Friday said it is investigating an incident in which a driver signed by the company turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.

The driver, called “Netfilter,” is said to target gaming environments, specifically in the East Asian country, with the Redmond-based firm noting that “the actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere.”

“The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers,” the Microsoft Security Response Center (MSRC) said.

The rogue code signing was spotted by Karsten Hahn, a malware analyst at German cybersecurity company G Data, who shared additional details of the rootkit, including a dropper that is used to deploy and install Netfilter on the system.

Upon successful installation, the driver establishes connections with a C2 server to retrieve configuration information, which provides a number of functionalities such as IP redirection, along with other capabilities to obtain a root certificate and even self-update the malware.

The oldest sample of Netfilter detected on VirusTotal dates back to March 17, 2021, Hahn said.

Microsoft noted that the actor submitted the driver for certification through the Windows Hardware Compatibility Program (WHCP), and that the drivers were built by a third party. The company has since suspended the account and reviewed its submissions for additional signs of malware.

The Windows maker also stressed that the techniques employed in the attack occur post-exploitation, meaning the adversary must have previously gained administrative privileges in order to install the driver during system startup or trick the user into doing it on their behalf.

Additionally, Microsoft said it intends to refine its partner access policies as well as its validation and signing process to further strengthen protections.

“The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors,” MSRC said, once again highlighting how legitimate processes can be exploited by threat actors to facilitate large-scale software supply chain attacks.