Pernicious Rootkits Pose Growing Blight On Threat Landscape

In recent weeks, attackers have leveraged workarounds that let them sign malicious kernel drivers, dealing a multi-pronged threat to Windows systems, the Windows Hardware Quality Lab testing integrity, as well as endpoint defenses specifically designed to mitigate these kinds of threats.

This emerging threat underscores how attackers continue to develop techniques to gain persistence on targeted systems, whether through signed binaries and rootkits or though simpler means when defenders make mistakes, says Jamz Yaneza, senior threat research manager at Trend Micro.

"Adversaries are constantly probing various entry points in order to front load malicious levers into operating systems and frameworks," he says. "This is essentially a supply-chain attack where somehow the threat actors were able to abuse the system and procure a valid certificate that was then applied to a kernel driver, effectively bypassing any ... monitoring by most [defenses]."

Such attacks have attempted to exploit other operating systems — such as applications for Apple's iOS mobile devices and Mac OS computers — but with less success in the tightly controlled ecosystem.

Trend Micro's recent investigation revealed that the China-linked group behind the FiveSys rootkit continues to have success against code-signing controls, most recently finding ways to install a newly analyzed rootkit via a malicious signed driver to use as a universal downloader. Nearly all (96%) of threat samples included in the analysis involved signed drivers whose signatures had not yet been revoked, with hundreds of thousands of samples discovered in 2022, according to an analysis published by Trend Micro earlier this month.

The research is the latest to identify rootkits hiding out in signed malicious drivers for Windows systems. In October 2021, cybersecurity firm Bitdefender announced it had detected a Microsoft-signed rootkit named FiveSys that would redirect traffic from the infected system through a proxy. In both cases, the attackers aimed to harvest credentials and hijack in-game purchases.

The number of samples of signed malware that was detected by at least one anti-malware engine (Set 2) shot up in 2022. Source: Trend Micro

Bypassing code signatures are not the only recent trick. In another incident late last year, a malware developer announced they had created a rootkit — BlackLotus — that bypassed Windows Secure Boot, a claim that cybersecurity firm ESET confirmed later that month. The boot-level rootkit, or bootkit, could infect the firmware of a motherboard by using a two-month old exploit for an old vulnerability known as Baton Drop (CVE-2022-21894).

Currently, bootkits that compromise Unified Extensible Firmware Interface (UEFI) firmware are rare and considered sophisticated work, but that could change, ESET malware researcher Martin Smolár said on a recent ESET podcast about the BlackLotus discovery.

"When it comes to these bootkits, they are easy to develop and easy to deploy," he said. "So I just hope that crimeware groups won't start using bootkits in their arsenal, because with their capabilities of spreading malware using their botnets, it would be a huge problem, I think."

Signed Drivers Play Outsized Role

In the latest case, Trend Micro detected more than 400,000 samples of the unnamed rootkit and downloader. While nearly three-quarters of samples (74%) could be detected by at least one anti-malware scanning engine, all but 4% of the binaries were signed, according to the security firm.

"[T]his newly discovered malware ... comes as a standalone kernel driver signed directly by Microsoft, which is an evolving attack vector that has been frequently appearing in today’s malware landscape," Trend Micro stated in its analysis. Despite the complexity involved, "current malicious actors are exhibiting competence and consistent usage of such tools, tactics, and procedures (TTPs), regardless of their final motive and objectives."

For the most part, the Windows Hardware Quality Lab (WHQL) process is automated, which means that adversaries have been able to bypass the process, says Rotem Salinas, a senior malware researcher at CyberArk, an identity security firm.

"The WHQL process is mostly automated and in some cases, adversaries are able to slip through, in other cases they are able to use stolen certificates from vendor leaks," he says. CyberArk outlined other instances of malware signed by WHQL in an analysis of current rootkit trends.

Microsoft revoked the signature used by the latest rootkit found by Trend Micro in its regularly scheduled Patch Tuesday release on July 11, noting that the attacks required the attacker to already have administrative privileges and that the attackers were enabled by "the abuse of several developer program accounts and that no Microsoft account compromise has been identified."

"We've suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat," the Microsoft Security Response Center (MSRC) stated in their guidance on the attack. Microsoft continues to work on long-term solutions, the company added.

Gaming Attracts Rootkits

A great deal of rootkit activity appears related to gaming — attackers used BlackLotus to also target gaming servers, while another threat, NetFilter, used digital-certificates to bypass game security mechanisms, according to the company's analysis.

However, companies should still be vigilant, as perhaps only the attacks on gamers and game makers have been detected. At the very least, getting past anti-cheating security is notable, says Trend Micro's Yaneza.

"We're finding that while the initial target industry field [gaming] may seem small, the stakes are higher — commercial gaming and gambling is a $250 billion industry, while video gaming is almost at $400 billion — either way you slice it, that is a nice piece of pie," he says. "Both of these parallel verticals run various anti-cheat and validation mechanisms on their own, perhaps just a tad lower than security checks under government installations."

The best bet for companies is to catch the malware that carries and installs rootkits, which good endpoint detection and response (EDR) software should address, Yaneza says. Companies can also refer to the "National Security Agency's BlackLotus Mitigation Guide," published in June.

Once a rootkit is installed on a system, the problem becomes much harder to fix, and behavioral rules may have a hard time to detect the compromise, says CyberArk's Salinas.

"It might only leave evidence that could be found by looking at a memory [or] kernel dump ... by manually traversing kernel structures and looking for inconsistencies," he says.