A new campaign targeting gaming users in China is the latest example of how threat actors are increasingly using sophisticated rootkits to hide malicious payloads, disable security tools, and maintain persistence on victim systems.
The novel rootkit in this instance has a valid Microsoft digital signature, meaning it can successfully load on systems running recent Windows versions without getting blocked or triggering any security alerts. It can download other unsigned kernel mode drivers directly into memory, including one that is engineered to shut down Windows Defender software on target systems so the threat actor can then deploy second-stage malware of their choice — and maintain persistence — on them.
Kernel Mode Driver Threat
Researchers at Trend Micro recently discovered the malicious kernel driver targeting gaming users in China and reported their discovery to Microsoft last month. They believe the unknown threat actor behind it was also behind a similar 2021 rootkit for monitoring and redirecting Web traffic, dubbed FiveSys, that also targeted the Chinese gaming sector.
The new malware is one of a growing number of Microsoft-signed kernel drivers that security researchers have discovered over the past two years. Other examples include PoorTry, a rootkit that Mandiant reported last December, which threat actors are using in different ways including to deploy ransomware; and NetFilter for IP redirection; and FiveSys. Last December, Sophos disclosed a Microsoft-signed Windows driver engineered to kill antivirus software and endpoint security tools on targeted systems. Many believe that attackers are increasingly employing such tools because of how effective endpoint tools have become at detecting threats smuggled in via other vectors.
Many of these tools have targeted the gaming sector in China for purposes like credential theft and geolocation cheating in games. But there is no reason why a threat actor wouldn't be able to use them in other geographies and for a slew of other malicious use cases.
"Despite how complex it is to build such capabilities, it seems that current malicious actors are exhibiting competence and consistent usage of such tools, tactics, and procedures (TTPs), regardless of their final motive and objectives," Trend Micro researchers Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy wrote this week.
Universal Rootkit Loader
The researchers identified the new malware they discovered as a standalone kernel driver that functions as a universal rootkit loader. The first-stage driver — the Microsoft-signed one — communicates with command and communications (C2) servers using the Windows Socket Kernel, a kernel-mode network programming interface. "It uses a Domain Generating Algorithm (DGA) algorithm to generate different domains," the three researchers said. "If it fails to resolve an address, it connects directly to fallout IPs that are hard coded inside the driver."
The first-stage driver acts as a loader for a self-signed second-stage driver. Because the second-stage driver is downloaded via the signed first-stage driver, it bypasses the Windows native driver loader and is loaded directly into memory. Then the malware initiates a sequence of steps to maintain persistence and remove any traces of its presence from the disk.
Trend Micro said it was able to tie the new malware to the FiveSys actor because of various similarities between the two malware tools. Both the FiveSys rootkit and the second-stage rootkit associated with the new malware function to redirect Web browsing traffic to an attacker-controlled server. Both can monitor Web traffic and hook file system functions, Trend Micro said.
Rogue Developer Accounts
Microsoft has blamed the issue of Microsoft-signed malicious drivers on rogue developer accounts within its partner program. According to the company, "several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature." In an advisory that accompanied its July 2023 security update announcement, the company said it has suspended all the accounts and released updates for detecting and blocking the malicious drivers.
Meanwhile, in a new twist, Cisco Talos this week said it had discovered threat actors using open source digital signature timestamp forging tools to alter the signing date on kernel mode Microsoft drivers and deploy them by the thousands. The company tied the activity to a loophole in Microsoft's Windows driver signing policy. The policy basically specifies that Windows will not load any new kernel level drivers unless they are signed via Microsoft's Dev Portal. The policy, however, provides an exception that allows "the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015," Cisco said. Threat actors are abusing the loopholes to sign drivers, including expired ones, so they fall within the policy exemption and then are using them to deploy malware.