Microsoft-Signed Rootkit Targets Gaming Environments in China

FiveSys is the second publicly known rootkit since June that attackers have managed to sneak past Microsoft's driver certification process.

2 Min Read
red inscription Rootkit incomputer code
Source: gubernat via Shutterstock

Researchers have identified a rootkit with a valid digital signature from Microsoft being distributed within gaming environments in China.

The rootkit, called FiveSys, is being used to redirect traffic to an attacker-controlled custom proxy server and is likely operated by a threat actor with significant interest in China's gaming market, Bitdefender researchers say in a new report. The rootkit has been targeting users for more than a year; the primary motivation for its use appears to be credential theft and in-app purchase hijacking, the security vendor says.

FiveSys is the second Microsoft-signed malware that security researchers have publicly reported in recent months. In June, G-Data announced it had observed a rootkit named Netfilter that, like FiveSys, targeted gamers in China. Both rootkits are similar in that they somehow made it past Microsoft's driver certification program and targeted the same type of environment. However, the two malware families appear unrelated, says Bogdan Botezatu, director of threat research and reporting at Bitdefender.

"The reason the driver got digitally signed by Microsoft is because the operating system no longer accepts drivers signed by the vendor only," he says. Since 2016, Microsoft has required all third-party drivers submitted via its Windows Hardware Quality Labs (WHQL) testing process to be digitally signed by Microsoft itself. What's unclear is how the adversaries managed to get the company to digitally sign malicious code, he says.

In a report this week, Bitdefender described its researchers as observing a surge in malicious drivers with valid digital signatures issued by Microsoft in recent months. The vendor said it expects to see more of them in the months ahead,

"Rootkits are some of the most powerful and most coveted tools in a cybercrime group's arsenal" because they enable full control of the compromised device, says Botezatu. One of the most effective ways for attackers to achieve this level of control is by sneaking rootkits through a company's third-party software validation program, just like attackers are targeting Microsoft's driver certification process. Similarly, Android malware developers are trying to sneak malicious content into official mobile app markets, he says.

Microsoft's WHQL testing is part of the company's Windows hardware compatibility program. The program is designed to ensure drivers and other third-party software developed for Windows computers are fully compatible with Microsoft technology. Since 2016, the company has insisted on validating and signing all drivers itself as a security precaution.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights